Merge remote-tracking branches 'origin/pr/add-cf-connector', 'origin/…

…pr/add-oauth-connector', 'origin/pr/github-teams-no-org-and-slugs', 'origin/pr/gitlab-broken-auth-headers', 'origin/pr/gitlab-include-user-scope-for-groups-inspection', 'origin/pr/oidc-groups-and-tls', 'origin/pr/optional-prometheus-logger', 'origin/pr/password-grant', 'origin/pr/postgres-unix-sockets' and 'origin/pr/unset-pg-serializable-transaction-level'

cmd/dex/config.go

@@ -94,6 +94,8 @@ type OAuth2 struct {
 	// If specified, do not prompt the user to approve client authorization. The
 	// act of logging in implies authorization.
 	SkipApprovalScreen bool `json:"skipApprovalScreen"`
+	// This is the connector that can be used for password grant
+	PasswordConnector string `json:"passwordConnector"`
 }
 
 // Web is the config format for the HTTP server.

cmd/dex/serve.go

@@ -208,6 +208,9 @@ func serve(cmd *cobra.Command, args []string) error {
 	if c.OAuth2.SkipApprovalScreen {
 		logger.Infof("config skipping approval screen")
 	}
+	if c.OAuth2.PasswordConnector != "" {
+		logger.Infof("config using password grant connector: %s", c.OAuth2.PasswordConnector)
+	}
 	if len(c.Web.AllowedOrigins) > 0 {
 		logger.Infof("config allowed origins: %s", c.Web.AllowedOrigins)
 	}
@@ -218,6 +221,7 @@ func serve(cmd *cobra.Command, args []string) error {
 	serverConfig := server.Config{
 		SupportedResponseTypes: c.OAuth2.ResponseTypes,
 		SkipApprovalScreen:     c.OAuth2.SkipApprovalScreen,
+		PasswordConnector:      c.OAuth2.PasswordConnector,
 		AllowedOrigins:         c.Web.AllowedOrigins,
 		Issuer:                 c.Issuer,
 		Storage:                s,

connector/github/github.go

@@ -316,6 +316,8 @@ func (c *githubConnector) getGroups(ctx context.Context, client *http.Client, gr
 		return c.groupsForOrgs(ctx, client, userLogin)
 	} else if c.org != "" {
 		return c.teamsForOrg(ctx, client, c.org)
+	} else if groupScope {
+		return c.userGroups(ctx, client)
 	}
 	return nil, nil
 }
@@ -563,9 +565,12 @@ func (c *githubConnector) userInOrg(ctx context.Context, client *http.Client, us
 // https://developer.github.com/v3/orgs/teams/#response-12
 type team struct {
 	Name string `json:"name"`
-	Org  struct {
-		Login string `json:"login"`
-	} `json:"organization"`
+	Slug string `json:"slug"`
+	Org  org    `json:"organization"`
+}
+
+type org struct {
+	Login string `json:"login"`
 }
 
 // teamsForOrg queries the GitHub API for team membership within a specific organization.
@@ -597,3 +602,77 @@ func (c *githubConnector) teamsForOrg(ctx context.Context, client *http.Client,
 
 	return groups, nil
 }
+
+func (c *githubConnector) userGroups(ctx context.Context, client *http.Client) (groups []string, err error) {
+
+	orgs, err := c.userOrgs(ctx, client)
+	if err != nil {
+		return groups, err
+	}
+
+	orgTeams, err := c.userOrgTeams(ctx, client)
+	if err != nil {
+		return groups, err
+	}
+
+	for _, org := range orgs {
+		if teams, ok := orgTeams[org]; !ok {
+			groups = append(groups, org)
+		} else {
+			for _, team := range teams {
+				groups = append(groups, org+":"+team)
+			}
+		}
+	}
+
+	return groups, err
+}
+
+func (c *githubConnector) userOrgs(ctx context.Context, client *http.Client) ([]string, error) {
+	apiURL, groups := c.apiURL+"/user/orgs", []string{}
+	for {
+		// https://developer.github.com/v3/orgs/#list-your-organizations
+		var (
+			orgs []org
+			err  error
+		)
+		if apiURL, err = get(ctx, client, apiURL, &orgs); err != nil {
+			return nil, fmt.Errorf("github: get orgs: %v", err)
+		}
+
+		for _, org := range orgs {
+			groups = append(groups, org.Login)
+		}
+
+		if apiURL == "" {
+			break
+		}
+	}
+
+	return groups, nil
+}
+
+func (c *githubConnector) userOrgTeams(ctx context.Context, client *http.Client) (map[string][]string, error) {
+	apiURL, groups := c.apiURL+"/user/teams", map[string][]string{}
+	for {
+		// https://developer.github.com/v3/orgs/teams/#list-user-teams
+		var (
+			teams []team
+			err   error
+		)
+		if apiURL, err = get(ctx, client, apiURL, &teams); err != nil {
+			return nil, fmt.Errorf("github: get teams: %v", err)
+		}
+
+		for _, team := range teams {
+			groups[team.Org.Login] = append(groups[team.Org.Login], team.Name)
+			groups[team.Org.Login] = append(groups[team.Org.Login], team.Slug)
+		}
+
+		if apiURL == "" {
+			break
+		}
+	}
+
+	return groups, nil
+}

connector/github/github_test.go

@@ -0,0 +1,125 @@
+package github
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"reflect"
+	"testing"
+
+	"github.com/coreos/dex/connector"
+)
+
+func TestUserGroups(t *testing.T) {
+
+	orgs := []org{
+		{Login: "org-1"},
+		{Login: "org-2"},
+		{Login: "org-3"},
+	}
+
+	teams := []team{
+		{Name: "Team 1", Slug: "team-1", Org: org{Login: "org-1"}},
+		{Name: "Team 2", Slug: "team-2", Org: org{Login: "org-1"}},
+		{Name: "Team 3", Slug: "team-3", Org: org{Login: "org-1"}},
+		{Name: "Team 4", Slug: "team-4", Org: org{Login: "org-2"}},
+	}
+
+	s := newTestServer(map[string]interface{}{
+		"/user/orgs":  orgs,
+		"/user/teams": teams,
+	})
+
+	connector := githubConnector{apiURL: s.URL}
+	groups, err := connector.userGroups(context.Background(), newClient())
+
+	expectNil(t, err)
+	expectEquals(t, groups, []string{
+		"org-1:Team 1",
+		"org-1:team-1",
+		"org-1:Team 2",
+		"org-1:team-2",
+		"org-1:Team 3",
+		"org-1:team-3",
+		"org-2:Team 4",
+		"org-2:team-4",
+		"org-3",
+	})
+
+	s.Close()
+}
+
+func TestUserGroupsWithoutOrgs(t *testing.T) {
+
+	s := newTestServer(map[string]interface{}{
+		"/user/orgs":  []org{},
+		"/user/teams": []team{},
+	})
+
+	connector := githubConnector{apiURL: s.URL}
+	groups, err := connector.userGroups(context.Background(), newClient())
+
+	expectNil(t, err)
+	expectEquals(t, len(groups), 0)
+
+	s.Close()
+}
+
+func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
+
+	s := newTestServer(map[string]interface{}{
+		"/user": user{Login: "some-login"},
+		"/user/emails": []userEmail{{
+			Email:    "[email protected]",
+			Verified: true,
+			Primary:  true,
+		}},
+		"/login/oauth/access_token": map[string]interface{}{
+			"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9",
+			"expires_in":   "30",
+		},
+	})
+
+	hostURL, err := url.Parse(s.URL)
+	expectNil(t, err)
+
+	req, err := http.NewRequest("GET", hostURL.String(), nil)
+	expectNil(t, err)
+
+	githubConnector := githubConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient()}
+	identity, err := githubConnector.HandleCallback(connector.Scopes{}, req)
+
+	expectNil(t, err)
+	expectEquals(t, identity.Username, "some-login")
+
+	s.Close()
+}
+
+func newTestServer(responses map[string]interface{}) *httptest.Server {
+	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Add("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(responses[r.URL.Path])
+	}))
+}
+
+func newClient() *http.Client {
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	return &http.Client{Transport: tr}
+}
+
+func expectNil(t *testing.T, a interface{}) {
+	if a != nil {
+		t.Errorf("Expected %+v to equal nil", a)
+	}
+}
+
+func expectEquals(t *testing.T, a interface{}, b interface{}) {
+	if !reflect.DeepEqual(a, b) {
+		t.Errorf("Expected %+v to equal %+v", a, b)
+	}
+}

connector/gitlab/gitlab.go

@@ -86,7 +86,7 @@ type gitlabConnector struct {
 func (c *gitlabConnector) oauth2Config(scopes connector.Scopes) *oauth2.Config {
 	gitlabScopes := []string{scopeUser}
 	if scopes.Groups {
-		gitlabScopes = []string{scopeAPI}
+		gitlabScopes = append(gitlabScopes, scopeAPI)
 	}
 
 	gitlabEndpoint := oauth2.Endpoint{AuthURL: c.baseURL + "/oauth/authorize", TokenURL: c.baseURL + "/oauth/token"}
@@ -127,6 +127,8 @@ func (c *gitlabConnector) HandleCallback(s connector.Scopes, r *http.Request) (i
 	oauth2Config := c.oauth2Config(s)
 	ctx := r.Context()
 
+	oauth2.RegisterBrokenAuthHeaderProvider(c.baseURL)
+
 	token, err := oauth2Config.Exchange(ctx, q.Get("code"))
 	if err != nil {
 		return identity, fmt.Errorf("gitlab: failed to get token: %v", err)