Merge branch 'cesanta:main' into mtls

Author: devon-mar

.github/workflows/codeql-analysis.yml

@@ -23,20 +23,20 @@ jobs:
         language: [ 'go' ]
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v3
 
     #- run: |
     #   make bootstrap
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v3

.github/workflows/docker.yml

@@ -16,12 +16,12 @@ jobs:
 
     steps:
       - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: "1.19.x"
+          go-version: "1.24.x"
 
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Get Build Data
         id: info
@@ -33,7 +33,7 @@ jobs:
 
       - name: Docker meta
         id: docker_meta
-        uses: crazy-max/ghaction-docker-meta@v1
+        uses: crazy-max/ghaction-docker-meta@v5
         with:
           images: cesanta/docker_auth
           tag-edge: true
@@ -43,28 +43,28 @@ jobs:
             {{major}}.{{minor}}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v3
         with:
           platforms: all
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
         with:
           install: true
           version: latest
           # TODO: Remove driver-opts once fix is released docker/buildx#386
           driver-opts: image=moby/buildkit:master
 
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
         if: github.event_name == 'push'
 
       - name: Build and Push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
         with:
           context: auth_server
           file: auth_server/Dockerfile

.github/workflows/go_test.yml

@@ -4,16 +4,16 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.17.x, 1.18.x, 1.19.x, 1.20.x, 1.21.x]
+        go-version: [1.23.x,1.24.x]
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:
     - name: Install Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v5
       with:
         go-version: ${{ matrix.go-version }}
     - name: Checkout code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
     - name: Test
       run: |
         cd auth_server

auth_server/Dockerfile

@@ -1,9 +1,9 @@
-FROM golang:1.21-alpine3.19 as build
+FROM golang:1.24-alpine3.22 AS build
 
 ARG VERSION
-ENV VERSION "${VERSION}"
+ENV VERSION="${VERSION}"
 ARG BUILD_ID
-ENV BUILD_ID "${BUILD_ID}"
+ENV BUILD_ID="${BUILD_ID}"
 ARG CGO_EXTRA_CFLAGS
 
 RUN apk add -U --no-cache ca-certificates make git gcc musl-dev binutils-gold
@@ -12,7 +12,7 @@ COPY . /build
 WORKDIR /build
 RUN make build
 
-FROM alpine:3.19
+FROM alpine:3.22
 COPY --from=build /build/auth_server /docker_auth/
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 ENTRYPOINT ["/docker_auth/auth_server"]

auth_server/authn/data/gitlab_auth_result.tmpl

@@ -43,9 +43,11 @@
 <body>
   <p class="message">
     You are successfully authenticated to the Docker Registry.
-    Use the following username and password to login into the registry:
+    Log into the registry using one of these commands:
   </p>
   <hr>
   <pre class="command"><span>$ </span>docker login -u {{.Username}} -p {{.Password}} {{if .RegistryUrl}}{{.RegistryUrl}}{{else}}docker.example.com{{end}}</pre>
+  <pre class="command"><span>$ </span>podman login -u {{.Username}} -p {{.Password}} {{if .RegistryUrl}}{{.RegistryUrl}}{{else}}docker.example.com{{end}}</pre>
+  <pre class="command"><span>$ </span>nerdctl login -u {{.Username}} -p {{.Password}} {{if .RegistryUrl}}{{.RegistryUrl}}{{else}}docker.example.com{{end}}</pre>
 </body>
 </html>

auth_server/authn/data/oidc_auth_result.tmpl

@@ -9,9 +9,11 @@
 <body>
   <p class="message">
     You are successfully authenticated for the Docker Registry.
-    Use the following username and password to login into the registry:
+    Log into the registry using one of these commands:
   </p>
   <hr>
   <pre class="command"><span>$ </span>docker login -u {{.Username}} -p {{.Password}} {{if .RegistryUrl}}{{.RegistryUrl}}{{else}}docker.example.com{{end}}</pre>
+  <pre class="command"><span>$ </span>podman login -u {{.Username}} -p {{.Password}} {{if .RegistryUrl}}{{.RegistryUrl}}{{else}}docker.example.com{{end}}</pre>
+  <pre class="command"><span>$ </span>nerdctl login -u {{.Username}} -p {{.Password}} {{if .RegistryUrl}}{{.RegistryUrl}}{{else}}docker.example.com{{end}}</pre>
 </body>
 </html>

auth_server/authn/github_auth.go

@@ -22,7 +22,7 @@ import (
 	"errors"
 	"fmt"
 	"html/template"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"strings"
@@ -117,7 +117,6 @@ func execGHExperimentalApiRequest(url string, token string) (*http.Response, err
 }
 
 // removeSubstringsFromString removes all occurences of stringsToStrip from sourceStr
-//
 func removeSubstringsFromString(sourceStr string, stringsToStrip []string) string {
 	theNewString := sourceStr
 	for _, i := range stringsToStrip {
@@ -129,7 +128,6 @@ func removeSubstringsFromString(sourceStr string, stringsToStrip []string) strin
 // parseLinkHeader parses the HTTP headers from the Github API response
 //
 // https://developer.github.com/v3/guides/traversing-with-pagination/
-//
 func parseLinkHeader(linkLines []string) (linkHeader, error) {
 	var lH linkHeader
 	// URL in link is enclosed in < >
@@ -255,7 +253,7 @@ func (gha *GitHubAuth) doGitHubAuthCreateToken(rw http.ResponseWriter, code stri
 		http.Error(rw, fmt.Sprintf("Error talking to GitHub auth backend: %s", err), http.StatusServiceUnavailable)
 		return
 	}
-	codeResp, _ := ioutil.ReadAll(resp.Body)
+	codeResp, _ := io.ReadAll(resp.Body)
 	resp.Body.Close()
 	glog.V(2).Infof("Code to token resp: %s", strings.Replace(string(codeResp), "\n", " ", -1))
 
@@ -317,7 +315,7 @@ func (gha *GitHubAuth) validateAccessToken(token string) (user string, err error
 		err = fmt.Errorf("could not verify token %s: %s", token, err)
 		return
 	}
-	body, _ := ioutil.ReadAll(resp.Body)
+	body, _ := io.ReadAll(resp.Body)
 	resp.Body.Close()
 
 	var ti GitHubTokenUser
@@ -386,7 +384,7 @@ func (gha *GitHubAuth) fetchTeams(token string) ([]string, error) {
 		}
 
 		respHeaders := resp.Header
-		body, _ := ioutil.ReadAll(resp.Body)
+		body, _ := io.ReadAll(resp.Body)
 		resp.Body.Close()
 
 		err = json.Unmarshal(body, &pagedTeams)

auth_server/authn/gitlab_auth.go

@@ -22,7 +22,7 @@ import (
 	"errors"
 	"fmt"
 	"html/template"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"strings"
@@ -103,7 +103,6 @@ type GitlabAuth struct {
 	tmplResult *template.Template
 }
 
-
 func NewGitlabAuth(c *GitlabAuthConfig) (*GitlabAuth, error) {
 	var db TokenDB
 	var err error
@@ -205,7 +204,7 @@ func (glab *GitlabAuth) doGitlabAuthCreateToken(rw http.ResponseWriter, code str
 		http.Error(rw, fmt.Sprintf("Error talking to GitLab auth backend: %s", err), http.StatusServiceUnavailable)
 		return
 	}
-	codeResp, _ := ioutil.ReadAll(resp.Body)
+	codeResp, _ := io.ReadAll(resp.Body)
 	resp.Body.Close()
 	glog.V(2).Infof("Code to token resp: %s", strings.Replace(string(codeResp), "\n", " ", -1))
 
@@ -230,7 +229,6 @@ func (glab *GitlabAuth) doGitlabAuthCreateToken(rw http.ResponseWriter, code str
 
 	glog.Infof("New GitLab auth token for %s", user)
 
-
 	v := &TokenDBValue{
 		TokenType:   c2t.TokenType,
 		AccessToken: c2t.AccessToken,
@@ -247,7 +245,7 @@ func (glab *GitlabAuth) doGitlabAuthCreateToken(rw http.ResponseWriter, code str
 
 func (glab *GitlabAuth) validateGitlabAccessToken(token string) (user string, err error) {
 	glog.Infof("Gitlab API: Fetching user info")
-	req, err := http.NewRequest("GET", fmt.Sprintf("%s/user", glab.getGitlabApiUri()),nil)
+	req, err := http.NewRequest("GET", fmt.Sprintf("%s/user", glab.getGitlabApiUri()), nil)
 
 	if err != nil {
 		err = fmt.Errorf("could not create request to get information for token %s: %s", token, err)
@@ -261,7 +259,7 @@ func (glab *GitlabAuth) validateGitlabAccessToken(token string) (user string, er
 		err = fmt.Errorf("could not verify token %s: %s", token, err)
 		return
 	}
-	body, _ := ioutil.ReadAll(resp.Body)
+	body, _ := io.ReadAll(resp.Body)
 	resp.Body.Close()
 	var ti GitlabTokenUser
 	err = json.Unmarshal(body, &ti)
@@ -302,7 +300,6 @@ func (glab *GitlabAuth) checkGitlabOrganization(token, user string) (err error)
 	return fmt.Errorf("Unknown status for membership of organization %s: %s", glab.config.Organization, resp.Status)
 }
 
-
 func (glab *GitlabAuth) validateGitlabServerToken(user string) (*TokenDBValue, error) {
 	v, err := glab.db.GetValue(user)
 	if err != nil || v == nil {

auth_server/authn/google_auth.go

@@ -21,7 +21,7 @@ import (
 	"errors"
 	"fmt"
 	"html/template"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"strings"
@@ -162,7 +162,7 @@ func (ga *GoogleAuth) DoGoogleAuth(rw http.ResponseWriter, req *http.Request) {
 		ga.doGoogleAuthPage(rw, req)
 		return
 	}
-	gauthRequest, _ := ioutil.ReadAll(req.Body)
+	gauthRequest, _ := io.ReadAll(req.Body)
 	glog.V(2).Infof("gauth request: %s", string(gauthRequest))
 	var gar GoogleAuthRequest
 	err := json.Unmarshal(gauthRequest, &gar)
@@ -203,7 +203,7 @@ func (ga *GoogleAuth) doGoogleAuthCreateToken(rw http.ResponseWriter, code strin
 		http.Error(rw, fmt.Sprintf("Error talking to Google auth backend: %s", err), http.StatusServiceUnavailable)
 		return
 	}
-	codeResp, _ := ioutil.ReadAll(resp.Body)
+	codeResp, _ := io.ReadAll(resp.Body)
 	resp.Body.Close()
 	glog.V(2).Infof("Code to token resp: %s", strings.Replace(string(codeResp), "\n", " ", -1))
 
@@ -262,7 +262,7 @@ func (ga *GoogleAuth) getIDTokenInfo(token string) (*GoogleTokenInfo, error) {
 	if err != nil {
 		return nil, fmt.Errorf("could not verify token %s: %s", token, err)
 	}
-	body, _ := ioutil.ReadAll(resp.Body)
+	body, _ := io.ReadAll(resp.Body)
 	resp.Body.Close()
 
 	var ti GoogleTokenInfo
@@ -317,7 +317,7 @@ func (ga *GoogleAuth) refreshAccessToken(refreshToken string) (rtr RefreshTokenR
 		err = fmt.Errorf("Error talking to Google auth backend: %s", err)
 		return
 	}
-	respStr, _ := ioutil.ReadAll(resp.Body)
+	respStr, _ := io.ReadAll(resp.Body)
 	glog.V(2).Infof("Refresh token resp: %s", strings.Replace(string(respStr), "\n", " ", -1))
 
 	err = json.Unmarshal(respStr, &rtr)
@@ -334,7 +334,7 @@ func (ga *GoogleAuth) validateAccessToken(toktype, token string) (user string, e
 	if err != nil {
 		return
 	}
-	respStr, _ := ioutil.ReadAll(resp.Body)
+	respStr, _ := io.ReadAll(resp.Body)
 	glog.V(2).Infof("Access token validation rrsponse: %s", strings.Replace(string(respStr), "\n", " ", -1))
 	var pr ProfileResponse
 	err = json.Unmarshal(respStr, &pr)

auth_server/authn/oidc_auth.go

@@ -22,7 +22,7 @@ import (
 	"errors"
 	"fmt"
 	"html/template"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"strings"
 	"time"
@@ -40,29 +40,29 @@ import (
 type OIDCAuthConfig struct {
 	// --- necessary ---
 	// URL of the authentication provider. Must be able to serve the /.well-known/openid-configuration
-	Issuer           string            `yaml:"issuer,omitempty"`
+	Issuer string `yaml:"issuer,omitempty"`
 	// URL of the auth server. Has to end with /oidc_auth
-	RedirectURL      string            `yaml:"redirect_url,omitempty"`
+	RedirectURL string `yaml:"redirect_url,omitempty"`
 	// ID and secret, priovided by the OIDC provider after registration of the auth server
-	ClientId         string            `yaml:"client_id,omitempty"`
-	ClientSecret     string            `yaml:"client_secret,omitempty"`
-	ClientSecretFile string            `yaml:"client_secret_file,omitempty"`
+	ClientId         string `yaml:"client_id,omitempty"`
+	ClientSecret     string `yaml:"client_secret,omitempty"`
+	ClientSecretFile string `yaml:"client_secret_file,omitempty"`
 	// path where the tokendb should be stored within the container
-	LevelTokenDB     *LevelDBStoreConfig `yaml:"level_token_db,omitempty"`
-	GCSTokenDB       *GCSStoreConfig     `yaml:"gcs_token_db,omitempty"`
-	RedisTokenDB     *RedisStoreConfig   `yaml:"redis_token_db,omitempty"`
+	LevelTokenDB *LevelDBStoreConfig `yaml:"level_token_db,omitempty"`
+	GCSTokenDB   *GCSStoreConfig     `yaml:"gcs_token_db,omitempty"`
+	RedisTokenDB *RedisStoreConfig   `yaml:"redis_token_db,omitempty"`
 	// --- optional ---
-	HTTPTimeout      time.Duration     `yaml:"http_timeout,omitempty"`
+	HTTPTimeout time.Duration `yaml:"http_timeout,omitempty"`
 	// the URL of the docker registry. Used to generate a full docker login command after authentication
-	RegistryURL      string            `yaml:"registry_url,omitempty"`
+	RegistryURL string `yaml:"registry_url,omitempty"`
 	// --- optional ---
 	// String claim to use for the username
-	UserClaim        string            `yaml:"user_claim,omitempty"`
+	UserClaim string `yaml:"user_claim,omitempty"`
 	// --- optional ---
 	// []string to add as labels.
-	LabelsClaims     []string          `yaml:"labels_claims,omitempty"`
+	LabelsClaims []string `yaml:"labels_claims,omitempty"`
 	// --- optional ---
-	Scopes           []string          `yaml:"scopes,omitempty"`
+	Scopes []string `yaml:"scopes,omitempty"`
 }
 
 // OIDCRefreshTokenResponse is sent by OIDC provider in response to the grant_type=refresh_token request.
@@ -274,7 +274,7 @@ func (ga *OIDCAuth) refreshAccessToken(refreshToken string) (rtr OIDCRefreshToke
 		err = fmt.Errorf("error talking to OIDC auth backend: %s", err)
 		return
 	}
-	respStr, _ := ioutil.ReadAll(resp.Body)
+	respStr, _ := io.ReadAll(resp.Body)
 	glog.V(2).Infof("Refresh token resp: %s", strings.Replace(string(respStr), "\n", " ", -1))
 
 	err = json.Unmarshal(respStr, &rtr)