0.8.0 (#247)

Author: zachmann

.gitlab-ci.yml

@@ -81,6 +81,9 @@ prerelease:
 
 deploy-dev:
   stage: deploy
+  only:
+    refs:
+      - prerel
   before_script:
     - mkdir -p /root/.ssh
     - cp $KNOWN_HOSTS /root/.ssh/known_hosts

CHANGELOG.md

@@ -12,6 +12,54 @@
 <!-- ### Dependencies -->
 <!--  -->
 
+## mytoken 0.8.0
+
+### Features
+
+- Added support for RFC8707 for requesting audience restricted ATs
+
+### Changes
+
+- Default behavior for requesting audience restricted ATs is now according to RFC8707; the previous behavor can be
+  configured with these options:
+  ```yaml
+  audience:
+    use_rfc8707: false
+    request_parameter: "audience"
+    space_separate_auds: true
+  ```
+
+### API
+
+- When creating a mytoken from a mytoken and it is returned as a transfer code the response now contains the
+  `mom_id` of the created mytoken.
+
+### Bugfixes
+
+- Fixed a bug where wrong dates where returned if the database used a different timezone than UTC.
+- Fixed a bug in `mytoken-migratedb` were empty databases could not be setup.
+
+### Security Fixes
+
+- Replaced the uuid library; the old library had a security flaw CVE-2021-3538
+
+### Dependencies
+
+- Bump golang.org/x/term from 0.5.0 to 0.8.0
+- Bump github.com/valyala/fasthttp from 1.44.0 to 1.47.0
+- Bump golang.org/x/net from 0.6.0 to 0.7.0
+- Bump golang.org/x/crypto from 0.6.0 to 0.9.0
+- Bump golang.org/x/oauth2 from 0.5.0 to 0.8.0
+- Bump golang.org/x/mod from 0.8.0 to 0.9.0
+- Bump github.com/gofiber/helmet/v2 from 2.2.24 to 2.2.25
+- Bump github.com/gofiber/template from 1.7.5 to 1.8.0
+- Bump github.com/gofiber/fiber/v2 from 2.42.0 to 2.46.0
+- Bump github.com/pires/go-proxyproto from 0.6.2 to 0.7.0
+- Bump github.com/go-sql-driver/mysql from 1.7.0 to 1.7.1
+- Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.2
+- Bump github.com/coreos/go-oidc/v3 from 3.5.0 to 3.6.0
+- Replaced github.com/satori/go.uuid with github.com/gofrs/uuid
+
 ## mytoken 0.7.2
 
 ### Bugfixes

cmd/mytoken-server/mytoken-migratedb/main.go

@@ -134,7 +134,10 @@ var app = &cli.App{
 		}
 		dbConfig.ReconnectInterval = 60
 		dbConfig.DBConf.Hosts = dbConfig.Hosts.Value()
+		tmpScheduleEnabled := dbConfig.DBConf.EnableScheduledCleanup
+		dbConfig.DBConf.EnableScheduledCleanup = false
 		db.ConnectConfig(dbConfig.DBConf)
+		dbConfig.DBConf.EnableScheduledCleanup = tmpScheduleEnabled
 		return migrateDB(mytokenNodes)
 	},
 }

config/example-config.yaml

@@ -193,6 +193,14 @@ features:
       - /etc/ssh/ssh_host_ed25519_key
       - /etc/ssh/ssh_host_rsa_key
 
+  # Settings related to server profiles and templates
+  server_profiles:
+    enabled: true
+    # group names and passwords; those are used by an entity to add, update, delete profiles on this server, the '_'
+    # group is the default group managed by the server admin
+    groups:
+    # _: admin
+
 # The list of supported providers
 providers:
   - issuer: "https://example.provider.com/"
@@ -205,4 +213,12 @@ providers:
     # Maximum lifetime for mytokens for this issuer, given in seconds. On default the lifetime of mytokens is not
     # restricted. Setting this value to 0, means that there is no maximum lifetime.
     mytokens_max_lifetime: 0
+    # Settings related to how the audience(s) of ATs is requested
+    audience:
+      # Unless false audiences are requested according to RFC8707; other options are ignored;
+      use_rfc8707: true
+      # The parameter used in the request, common options are "resource" and "audience"
+      request_parameter: "resource"
+      # Defines how multiple audience values in a request are handled;
+      space_separate_auds: false
 

go.mod

@@ -4,38 +4,38 @@ go 1.19
 
 require (
 	github.com/Songmu/prompter v0.5.1
-	github.com/coreos/go-oidc/v3 v3.5.0
+	github.com/coreos/go-oidc/v3 v3.6.0
 	github.com/evanphx/json-patch/v5 v5.6.0
 	github.com/fatih/structs v1.1.0
 	github.com/gliderlabs/ssh v0.3.5
-	github.com/go-sql-driver/mysql v1.7.0
-	github.com/gofiber/fiber/v2 v2.41.0
-	github.com/gofiber/helmet/v2 v2.2.23
-	github.com/gofiber/template v1.7.4
+	github.com/go-sql-driver/mysql v1.7.1
+	github.com/gofiber/fiber/v2 v2.46.0
+	github.com/gofiber/helmet/v2 v2.2.26
+	github.com/gofiber/template v1.8.1
+	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/ip2location/ip2location-go v8.3.0+incompatible
 	github.com/jinzhu/copier v0.3.5
 	github.com/jmoiron/sqlx v1.3.5
 	github.com/lestrrat-go/jwx v1.2.25
-	github.com/oidc-mytoken/api v0.10.0
+	github.com/oidc-mytoken/api v0.10.1-0.20230412103735-ccd26fb9a9ae
 	github.com/oidc-mytoken/lib v0.7.0
 	github.com/oidc-mytoken/utils v0.1.2
 	github.com/patrickmn/go-cache v2.1.0+incompatible
-	github.com/pires/go-proxyproto v0.6.2
+	github.com/pires/go-proxyproto v0.7.0
 	github.com/pkg/errors v0.9.1
-	github.com/satori/go.uuid v1.2.0
-	github.com/sirupsen/logrus v1.9.0
+	github.com/sirupsen/logrus v1.9.2
 	github.com/urfave/cli/v2 v2.3.1-0.20211205195634-e8d81738896c
-	github.com/valyala/fasthttp v1.44.0
-	golang.org/x/crypto v0.5.0
-	golang.org/x/mod v0.7.0
-	golang.org/x/oauth2 v0.4.0
-	golang.org/x/term v0.4.0
+	github.com/valyala/fasthttp v1.47.0
+	golang.org/x/crypto v0.9.0
+	golang.org/x/mod v0.10.0
+	golang.org/x/oauth2 v0.8.0
+	golang.org/x/term v0.8.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
-	github.com/andybalholm/brotli v1.0.4 // indirect
+	github.com/andybalholm/brotli v1.0.5 // indirect
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/cbroglie/mustache v1.4.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
@@ -44,21 +44,26 @@ require (
 	github.com/go-resty/resty/v2 v2.7.0 // indirect
 	github.com/goccy/go-json v0.9.7 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/klauspost/compress v1.15.11 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/klauspost/compress v1.16.3 // indirect
 	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.0 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/iter v1.0.1 // indirect
 	github.com/lestrrat-go/option v1.0.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/mattn/go-isatty v0.0.18 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/philhofer/fwd v1.1.2 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/savsgio/dictpool v0.0.0-20221023140959-7bf2e61cea94 // indirect
+	github.com/savsgio/gotils v0.0.0-20230208104028-c358bd845dee // indirect
+	github.com/tinylib/msgp v1.1.8 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/tcplisten v1.0.0 // indirect
-	golang.org/x/net v0.5.0 // indirect
-	golang.org/x/sys v0.4.0 // indirect
+	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/sys v0.8.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.0 // indirect
 )