From e4b944f4ef72b21d2c9e3bba5b059644802ff26c Mon Sep 17 00:00:00 2001 From: Anton Engelhardt Date: Mon, 6 May 2024 21:50:01 +0200 Subject: [PATCH 1/8] disable warning log level for unauthenticated requests Signed-off-by: Anton Engelhardt --- src/lib.rs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index 5ae82b0..83bb18e 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -221,9 +221,12 @@ impl HttpContext for ConfiguredOidc { // Allow request to pass return Action::Continue; } - Err(e) => { - warn!("cookie validation failed: {}", e); - } + Err(e) => match e { + // disable logging for these errors + PluginError::SessionCookieNotFoundError => {} + PluginError::NonceCookieNotFoundError => {} + _ => warn!("cookie validation failed: {}", e), + }, } // Redirect to `authorization_endpoint` if no cookie is found or previous cases have returned an error. From 8b7b9195892d65c8a777770f2867a4cfdb2f7697 Mon Sep 17 00:00:00 2001 From: Anton Engelhardt Date: Mon, 6 May 2024 21:50:21 +0200 Subject: [PATCH 2/8] capitalization of logs Signed-off-by: Anton Engelhardt --- src/cookie.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/cookie.rs b/src/cookie.rs index df3d6ee..3050e62 100644 --- a/src/cookie.rs +++ b/src/cookie.rs @@ -69,7 +69,7 @@ impl Session { let encrypted_cookie = cipher.encrypt(&nonce, serde_json::to_vec(&self)?.as_slice())?; let encoded_cookie = base64engine.encode(encrypted_cookie.as_slice()); - debug!("Encrypted with nonce: {}", &encoded_nonce); + debug!("encrypted with nonce: {}", &encoded_nonce); Ok((encoded_cookie, encoded_nonce)) } @@ -148,7 +148,7 @@ impl Session { encoded_nonce: String, ) -> Result { // Decode nonce using base64 - debug!("Decrypting with nonce: {}", encoded_nonce); + debug!("decrypting with nonce: {}", encoded_nonce); let decoded_nonce = base64engine.decode(encoded_nonce.as_bytes())?; let nonce = aes_gcm::Nonce::from_slice(decoded_nonce.as_slice()); 
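Review bot: The two silenced arms in the new `Err(e) => match e { … }` leave no trace of why the request is about to be redirected; a missing session or nonce cookie is the expected first-visit path and does not deserve `warn!`, but a `debug!` line keeps redirect loops diagnosable in production logs. The nested match can also be flattened with an or-pattern on the outer match: `Err(PluginError::SessionCookieNotFoundError | PluginError::NonceCookieNotFoundError) => debug!("no session or nonce cookie, redirecting to authorization_endpoint"),` followed by `Err(e) => warn!("cookie validation failed: {}", e),`. The enclosing match and function start and end outside the hunk.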
From 725965fa7740131f55ebe2ada95362d2fc82bce2 Mon Sep 17 00:00:00 2001 From: Anton Engelhardt Date: Mon, 6 May 2024 21:55:59 +0200 Subject: [PATCH 3/8] more capitalization of logs Signed-off-by: Anton Engelhardt --- src/cookie.rs | 2 +- src/lib.rs | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/cookie.rs b/src/cookie.rs index 3050e62..7f88739 100644 --- a/src/cookie.rs +++ b/src/cookie.rs @@ -160,7 +160,7 @@ impl Session { // Parse cookie into a struct let state = serde_json::from_slice::(&decrypted_cookie)?; - debug!("State: {:?}", state); + debug!("state: {:?}", state); Ok(state) } } diff --git a/src/lib.rs b/src/lib.rs index 83bb18e..81c7943 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -124,7 +124,7 @@ impl HttpContext for ConfiguredOidc { .iter() .any(|x| x.is_match(&host)) { - debug!("Host {} is excluded. Forwarding request.", host); + debug!("host {} is excluded, forwarding request.", host); self.filter_proxy_cookies(); return Action::Continue; } @@ -136,7 +136,7 @@ impl HttpContext for ConfiguredOidc { .iter() .any(|x| x.is_match(&path)) { - debug!("Path {} is excluded. Forwarding request.", path); + debug!("path {} is excluded, forwarding request.", path); self.filter_proxy_cookies(); return Action::Continue; } @@ -149,7 +149,7 @@ impl HttpContext for ConfiguredOidc { .iter() .any(|x| x.is_match(url.as_str())) { - debug!("Url {} is excluded. Forwarding request.", url.as_str()); + debug!("url {} is excluded, forwarding request.", url.as_str()); self.filter_proxy_cookies(); return Action::Continue; } @@ -402,7 +402,7 @@ impl ConfiguredOidc { match validation_result { Ok(_) => return Ok(()), Err(e) => { - debug!("Token validation failed: {:?}", e); + debug!("token validation failed: {:?}", e); continue; } } 
@@ -435,9 +435,9 @@ impl ConfiguredOidc { )?; // Get state and code from query - let state = callback_params.state; let code = callback_params.code; debug!("authorization code: {}", code); + let state = callback_params.state; debug!("client state: {}", state); debug!("cookie state: {}", session.state); @@ -535,8 +535,8 @@ impl ConfiguredOidc { match self.get_http_call_response_body(0, body_size) { Some(body) => { // Get nonce and cookie - let encoded_nonce = self.get_nonce()?; let encoded_cookie = self.get_session_cookie_as_string()?; + let encoded_nonce = self.get_nonce()?; // Get session from cookie let mut session = Session::decode_and_decrypt( From 68e994fe62df087e379680161b300c10c8336a37 Mon Sep 17 00:00:00 2001 From: Anton Engelhardt Date: Thu, 9 May 2024 20:34:31 +0200 Subject: [PATCH 4/8] rename wasm-oidc-plugin from WASM OIDC plugin Signed-off-by: Anton Engelhardt --- .github/workflows/build.yml | 2 +- .github/workflows/test.yml | 2 +- k8s/ci.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 039aead..68ddad6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -108,7 +108,7 @@ jobs: target/ key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} - - name: Build WASM OIDC Plugin + - name: Build wasm-oidc-plugin run: | cargo build --target wasm32-wasi --release diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3dfc9e5..c96793e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -105,7 +105,7 @@ jobs: target/ key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} - - name: Build WASM OIDC Plugin + - name: Build wasm-oidc-plugin run: | cargo build --target wasm32-wasi --release diff --git a/k8s/ci.yml b/k8s/ci.yml index 6ba6843..30051ed 100644 --- a/k8s/ci.yml +++ b/k8s/ci.yml 
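Review bot: The reordered block in the `@@ -435` hunk still emits `debug!("authorization code: {}", code);`, which writes the OAuth authorization code to the log; although single-use and short-lived, it is a bearer credential until redeemed and should not reach log aggregation even at debug level. Log a presence indicator instead, e.g. `debug!("authorization code received ({} bytes)", code.len());` if `code` is a `String`, and consider the same treatment for the `client state` / `cookie state` lines that follow it. The enclosing function starts and ends outside the hunk.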
@@ -110,7 +110,7 @@ jobs: target/ key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} - - name: Build WASM OIDC Plugin + - name: Build wasm-oidc-plugin run: | cargo build --target wasm32-wasi --release From 220420e2456105005fd7bc750a3e8cd63ce2aed5 Mon Sep 17 00:00:00 2001 From: Anton Engelhardt Date: Mon, 13 May 2024 11:00:57 +0200 Subject: [PATCH 5/8] add codeowners for future prs Signed-off-by: Anton Engelhardt --- .github/CODEOWNERS | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/CODEOWNERS diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..1380211 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1 @@ +* @antonengelhardt @miwig From b3a76878fbbbbc36985ba0cb8ec791dc241f9a1b Mon Sep 17 00:00:00 2001 From: Anton Engelhardt Date: Wed, 15 May 2024 11:42:28 +0200 Subject: [PATCH 6/8] missing docker image caching in ci Signed-off-by: Anton Engelhardt --- .github/workflows/build.yml | 3 +++ .github/workflows/test.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 68ddad6..c154e13 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -132,6 +132,9 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} + - name: Pull previous image to cache + run: docker pull antonengelhardt/wasm-oidc-plugin:latest + - name: Push to Docker Hub uses: docker/build-push-action@v2 with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c96793e..4e6ec54 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -129,6 +129,9 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} + - name: Pull previous image to cache + run: docker pull antonengelhardt/wasm-oidc-plugin:pr-${{ github.event.pull_request.head.ref }} || true + - name: Push to Docker Hub uses: docker/build-push-action@v2 with: 
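Review bot: In the build.yml hunk, `docker pull antonengelhardt/wasm-oidc-plugin:latest` has no fallback, so the step fails the whole job whenever the tag does not exist yet (first run, or after the registry repository is cleared), unlike the test.yml step in the same commit which appends `|| true`. Use `run: docker pull antonengelhardt/wasm-oidc-plugin:latest || true` here as well. Note also that a plain `docker pull` only warms the local daemon; whether `docker/build-push-action@v2` actually reuses it depends on its `cache-from` and builder settings in the `with:` block, which is cut off in this hunk.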
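Review bot: In the test.yml hunk, `${{ github.event.pull_request.head.ref }}` is expanded directly into a `run:` shell line; a PR branch name is text chosen by the PR author, and interpolating it into a script is the pattern GitHub's Actions hardening guidance advises against. Pass it through an environment variable and quote it instead: add `env: HEAD_REF: ${{ github.event.pull_request.head.ref }}` to the step and use `run: docker pull "antonengelhardt/wasm-oidc-plugin:pr-${HEAD_REF}" || true`. Branch names may also contain characters such as `/` that are not valid in an image tag, so the tag likely needs the same sanitization the push step applies (not visible here).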
From a15455c5188072882bd6d1c02e23c58d9c0f7ed7 Mon Sep 17 00:00:00 2001 From: Anton Engelhardt Date: Tue, 21 May 2024 21:40:38 +0200 Subject: [PATCH 7/8] chore(dependabot): second rule to separate patches and other updates Signed-off-by: Anton Engelhardt --- .github/dependabot.yml | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 69dbb8c..3cfe921 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,12 +4,33 @@ # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates version: 2 + updates: - - package-ecosystem: "cargo" # See documentation for possible values - directory: "/" # Location of package manifests + # This checks for minor and major version updates every week + - package-ecosystem: "cargo" + directory: "/" labels: - "dependencies" schedule: interval: "weekly" - reviewers: + reviewers: - "antonengelhardt" + ignore: + - update-types: + - "version-update:semver-patch" + + # Patches are grouped together into one PR every month + - package-ecosystem: "cargo" + directory: "/" + labels: + - "dependencies" + schedule: + interval: "monthly" + reviewers: + - "antonengelhardt" + + # Group all patches into one PR + groups: + patches: + update-types: + - "patch" From 76c5dec937f215053bdef946ed9a0321ffc5cfc8 Mon Sep 17 00:00:00 2001 From: Anton Engelhardt Date: Tue, 21 May 2024 21:42:14 +0200 Subject: [PATCH 8/8] chore(dependabot): comment out second rule :( Signed-off-by: Anton Engelhardt --- .github/dependabot.yml | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3cfe921..88c707f 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -16,21 +16,22 @@ updates: reviewers: - "antonengelhardt" ignore: - - update-types: - - "version-update:semver-patch" + - dependency-name: "*" + update-types: + - "version-update:semver-patch" # Patches are grouped together into one PR every month - - package-ecosystem: "cargo" - directory: "/" - labels: - - "dependencies" - schedule: - interval: "monthly" - reviewers: - - "antonengelhardt" + # - package-ecosystem: "cargo" + # directory: "/" + # labels: + # - "dependencies" + # schedule: + # interval: "monthly" + # reviewers: + # - "antonengelhardt" - # Group all patches into one PR - groups: - patches: - update-types: - - "patch" + # # Group all patches into one PR + # groups: + # patches: + # update-types: + # - "patch"
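Review bot: With the monthly config commented out, the `ignore` rule that remains on the weekly config (`dependency-name: "*"` with `version-update:semver-patch`) means patch releases are no longer proposed at all, and security fixes in the Rust ecosystem are frequently shipped as semver-patch releases. Dependabot security updates, if enabled for the repository, are a separate mechanism and only cover advisories that are already published, so relying on them alone leaves a gap. If the second config was dropped because Dependabot rejects two entries for the same ecosystem and directory (the commit title suggests so), the intent can be kept on the single entry by removing the `ignore` block and grouping patches instead, as below; the large commented-out block should then be replaced by a one-line comment stating why a separate monthly config is not possible.
```yaml
    reviewers:
      - "antonengelhardt"
    # Patch releases are batched into a single PR per run instead of being ignored
    groups:
      patches:
        update-types:
          - "patch"
```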