Merge pull request #590 from indigo-dc/prerel

5.2.0
indigo-dc · Aug 28, 2024 · 4ce6ed3 · 4ce6ed3
2 parents aad31ba + a31f335
commit 4ce6ed3
Show file tree

Hide file tree

Showing 83 changed files with 1,501 additions and 270 deletions.
diff --git a/.gitlab-ci-scripts/install-extra-packages.sh b/.gitlab-ci-scripts/install-extra-packages.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+case ${DISTRO} in
+    fedora)
+            yum -y clean all
+            yum -y install clibs-list-devel
+        ;;
+    centos)
+            yum -y clean all
+            yum -y install clibs-list-devel cjson-devel
+        ;;
+    almalinux)
+            yum -y clean all
+            dnf -y upgrade almalinux-release --nogpgcheck
+            yum -y install clibs-list-devel curl-devel systemd-rpm-macros webkit2gtk3-devel\
+                gstreamer1 gstreamer1-plugins-base
+        ;;
+    rockylinux)
+            yum -y clean all
+            yum -y install cjson-devel clibs-list-devel curl-devel systemd-rpm-macros webkit2gtk3-devel\
+                gstreamer1 gstreamer1-plugins-base
+        ;;
+    opensuse)
+                zypper -n install cJSON-devel systemd-rpm-macros webkit2gtk3-devel
+        ;;
+esac
diff --git a/.gitlab-ci-scripts/local-before-script.sh b/.gitlab-ci-scripts/local-before-script.sh
@@ -7,10 +7,9 @@ echo "======== oidc-agent-local-before-script starting======="
 export VERSION=`cat VERSION`
 # clone the packages file of this repo:
 # Try with VERSION
-echo "Trying to use branch for packaging: ${PACKAGING_BRANCH}/v${VERSION}"
-git clone -b ${PACKAGING_BRANCH}/v${VERSION} http://codebase.helmholtz.cloud/m-team/oidc/oidc-agent.git delme || {
-    echo "Falling back to ${PACKAGING_BRANCH}/latest"
-    git clone -b ${PACKAGING_BRANCH}/latest http://codebase.helmholtz.cloud/m-team/oidc/oidc-agent.git delme
+echo "Trying to use branch for packaging: ${PACKAGING_BRANCH}/test-ellert-spec"
+git clone -b ${PACKAGING_BRANCH}/test-ellert-spec http://codebase.helmholtz.cloud/m-team/oidc/oidc-agent.git delme || {
+    exit 10
 }
 
 

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -12,6 +12,7 @@ variables:
   DOCKER_IMAGE_NAME: 'oidc-agent'
   GIT_STRATEGY: clone
   GIT_DEPTH: 0
+  # KI_OIDC_TRIGGER_TOKEN: glptt-c5d04fbd30ad088fcacdaadc90c974e18f35ecee
   # TARGET_REPO: 'devel'
   # The following varialbes can be overwritten only in specific targets
   # See generic-ci.yml -> .repo-definition for the full list
@@ -82,4 +83,69 @@ build-windows-64:
       make -j 1 win
       ls -la bin
 
-      set +x
+trigger-ki-oidc-plugin:
+  stage: build
+  image: marcvs/build_oidc-agent_debian-trixie
+  needs:
+    - build-windows-64
+    - build-windows-lib-64
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "push" && $CI_PIPELINE_SOURCE != "web"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "external_pull_request_event"
+      variables:
+        TRIGGER_BRANCH: main
+    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
+      variables:
+        TRIGGER_BRANCH: main
+    - if: $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH
+      variables:
+        TRIGGER_BRANCH: devel
+  script:
+    - !reference [.def-trigger-pipeline]
+    - |
+      trigger_pipeline  --project-name m-team/oidc/ssh/ki-oidc-plugin\
+                        --branch ${TRIGGER_BRANCH} \
+                        --trigger-token ${TRIGGER_TOKEN_KI_OIDC_PLUGIN}
+      echo "KI_OIDC_PIPELINE_ID=${TRIGGERED_PIPELINE_ID}" >> ki-oidc-plugin.env
+  artifacts:
+    reports:
+      dotenv: ki-oidc-plugin.env
+
+trigger-win-installer:
+  stage: build
+  image: marcvs/build_oidc-agent_debian-trixie
+  needs:
+    - build-windows-64
+    - trigger-ki-oidc-plugin
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "push" && $CI_PIPELINE_SOURCE != "web"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "external_pull_request_event"
+      variables:
+        TRIGGER_BRANCH: main
+    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
+      variables:
+        TRIGGER_BRANCH: main
+    - if: $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH
+      variables:
+        TRIGGER_BRANCH: devel # TODO change back to devel if 5 is merged
+  script:
+    - !reference [.def-trigger-pipeline]
+    - !reference [.def-get-artifacts]
+    - |
+      echo "KI_OIDC_PIPELINE_ID: ${KI_OIDC_PIPELINE_ID}"
+      trigger_pipeline \
+          --project-name "m-team/oidc/oidc-agent-win-installer" \
+          --branch ${TRIGGER_BRANCH} \
+          --KI_OIDC_PIPELINE_ID ${KI_OIDC_PIPELINE_ID} \
+          --trigger-token ${TRIGGER_TOKEN_WIN_INSTALLER}
+      get_artifacts --upstream-project-name "m-team/oidc/oidc-agent-win-installer" \
+                    --upstream-job-name "build-windows-64" \
+                    --upstream-pipeline-id ${TRIGGERED_PIPELINE_ID}
+  artifacts:
+    paths:
+      - "results/*" 
+
+
+
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,59 @@
 <!-- ### Dependencies -->
 <!--  -->
 
+## oidc-agent 5.2.0
+
+### Features
+
+- Added possibility to add custom request parameters to requests done by the agent. This is done through
+  a `custom_parameters.config` file placed in the agent dir or `/etc/oidc-agent`
+- Added the capability to `oidc-agent` to restart after an update, i.e. when the oidc-agent binary changes, i.e. after a
+  package update. This behavior is enabled through the `--restart-on-update` option.
+- `oidc-agent-service` includes the `--restart-on-update` option on default in the `oidc-agent-service.options` file,
+  i.e. auto-restart after update is enabled on default for agents started through `oidc-agent-service`. This can be
+  disabled in the `oidc-agent-service.options` file.
+- Added the `--bearer` and `--auth-header` options to `oidc-token`. These can be used to ease api calls.
+
+## Changes
+
+- Renamed the long option of `oidc-agent` `-a` from `--bind_address` to
+  `--bind-address`.
+
+### Change / Enhancement / Bugfix
+
+The previous release stated that:
+
+    When an account configuration is generated and the OP returns scopes in the initial token flow, the account
+    configuration is updated with those scopes.
+
+This did not work as intended. We made the following changes:
+
+- Fixed a bug, so that the agent now actually behaves as described.
+- Implemented separate scope lists for the initial token flow and the refreshing of tokens. Only the refresh-scope-list
+  is updated. This way access tokens can be obtained with the correct (updated) scope, but re-authentication flows can
+  still use the original scope list.
+
+### Enhancements
+
+- `oidc-add` can now also take an issuer url to load the default account for this issuer, i.e. `oidc-add <issuer_url>`
+- `oidc-agent` now has a command line argument `--pid-file` to which the agent's pid is written.
+- `oidc-agent-service` uses the new `--pid-file` option of `oidc-agent`
+- If no socket path is set a default path is tried. The default path
+  is `$TMPDIR/oidc-agent-service-$UID/oidc-agent.sock`, this is the path used by `oidc-agent-service`
+
+### Bugfixes
+
+- Fixed a bug where the ipc api would return always `success` when a mytoken is requested, even when this failed.
+- Fixed some memory leaks
+
+### OpenID Provider
+
+- Added  https://alice-auth.cern.ch/
+- Added https://atlas-auth.cern.ch/
+- Added https://cms-auth.cern.ch/
+- Added https://lhcb-auth.cern.ch/
+- Added https://dteam-auth.cern.ch/
+
 ## oidc-agent 5.1.0
 
 ### Changes

diff --git a/Makefile b/Makefile
@@ -30,6 +30,7 @@ GEN           = oidc-gen
 ADD           = oidc-add
 CLIENT        = oidc-token
 KEYCHAIN      = oidc-keychain
+TOKENSH      = oidc-tokensh
 AGENT_SERVICE = oidc-agent-service
 PROMPT        = oidc-prompt
 
@@ -132,6 +133,7 @@ endif
 endif
 ifndef ANY_MSYS
 DEFINE_CONFIG_PATH        := -DCONFIG_PATH=\"$(CONFIG_AFTER_INST_PATH)\"
+DEFINE_BIN_PATH           := -DBIN_PATH=\"$(BIN_AFTER_INST_PATH)/bin\"
 endif
 
 USE_CJSON_SO ?= $(shell /sbin/ldconfig -N -v $(sed 's/:/ /g' <<< $LD_LIBRARY_PATH) 2>/dev/null | grep -i libcjson >/dev/null && echo 1 || echo 0)
@@ -186,6 +188,10 @@ CPPFLAGS += -fPIC
 ifndef MAC_OS
 ifndef ANY_MSYS
 WEBKITGTK ?= webkit2gtk-4.0
+WEBKITGTK41:= $(firstword $(wildcard /usr/include/webkitgtk-4.1))
+ifneq (,$(WEBKITGTK41))
+	WEBKITGTK=webkit2gtk-4.1
+endif
 CPPFLAGS += $(shell pkg-config --cflags --libs gtk+-3.0 $(WEBKITGTK)) -lstdc++
 endif
 endif
@@ -334,6 +340,7 @@ endif
 SIMPLECSS_FILE := $(shell CSS="/usr/share/simple.css/simple.min.css" && [ -f "$$CSS" ] || CSS="$(PROMPT_SRCDIR)/html/static/css/lib/simple.min.css" ; echo "$$CSS")
 ifndef ANY_MSYS
 KEYCHAIN_SOURCES := $(SRCDIR)/$(KEYCHAIN)/$(KEYCHAIN)
+TOKENSH_SOURCES := $(SRCDIR)/$(TOKENSH)/$(TOKENSH)
 AGENTSERVICE_SRCDIR := $(SRCDIR)/$(AGENT_SERVICE)
 endif
 endif
@@ -421,7 +428,7 @@ else
 ifdef MINGW
 build: shared_lib $(APILIB)/liboidc-agent.a
 else
-build: $(BINDIR)/$(AGENT) $(BINDIR)/$(GEN) $(BINDIR)/$(ADD) $(BINDIR)/$(CLIENT) $(BINDIR)/$(AGENT_SERVICE) $(BINDIR)/$(KEYCHAIN) $(BINDIR)/$(PROMPT)
+build: $(BINDIR)/$(AGENT) $(BINDIR)/$(GEN) $(BINDIR)/$(ADD) $(BINDIR)/$(CLIENT) $(BINDIR)/$(AGENT_SERVICE) $(BINDIR)/$(KEYCHAIN) $(BINDIR)/$(TOKENSH) $(BINDIR)/$(PROMPT)
 endif
 endif
 
@@ -432,7 +439,7 @@ endif
 $(OBJDIR)/$(CLIENT)/$(CLIENT).o : $(APILIB)/$(SHARED_LIB_NAME_FULL)
 $(OBJDIR)/%.o : $(SRCDIR)/%.c
 	@mkdir -p $(@D)
-	@$(CC) $(CFLAGS) -c $< -o $@ -DVERSION=\"$(VERSION)\" $(DEFINE_CONFIG_PATH) $(DEFINE_USE_CJSON_SO) $(DEFINE_USE_LIST_SO) $(DEFINE_USE_MUSTACHE_SO)
+	@$(CC) $(CFLAGS) -c $< -o $@ -DVERSION=\"$(VERSION)\" $(DEFINE_CONFIG_PATH) $(DEFINE_BIN_PATH) $(DEFINE_USE_CJSON_SO) $(DEFINE_USE_LIST_SO) $(DEFINE_USE_MUSTACHE_SO)
 	@# Create dependency infos
 	@{ \
 	set -e ;\
@@ -448,7 +455,7 @@ $(OBJDIR)/%.o : $(SRCDIR)/%.c
 
 $(OBJDIR)/%.o : $(SRCDIR)/%.cc
 	@mkdir -p $(@D)
-	@$(CXX) $(CPPFLAGS) -c $< -o $@ -DVERSION=\"$(VERSION)\" $(DEFINE_CONFIG_PATH)
+	@$(CXX) $(CPPFLAGS) -c $< -o $@ -DVERSION=\"$(VERSION)\" $(DEFINE_CONFIG_PATH) $(DEFINE_BIN_PATH)
 	@# Create dependency infos
 	@{ \
 	set -e ;\
@@ -472,7 +479,7 @@ $(OBJDIR)/%.o : $(LIBDIR)/%.c
 ## Compile position independent code
 $(PICOBJDIR)/%.o : $(SRCDIR)/%.c
 	@mkdir -p $(@D)
-	@$(CC) $(CFLAGS) -fpic -fvisibility=hidden -c $< -o $@ -DVERSION=\"$(VERSION)\" -DCONFIG_PATH=\"$(CONFIG_AFTER_INST_PATH)\" $(DEFINE_USE_CJSON_SO) $(DEFINE_USE_LIST_SO) $(DEFINE_USE_MUSTACHE_SO)
+	@$(CC) $(CFLAGS) -fpic -fvisibility=hidden -c $< -o $@ -DVERSION=\"$(VERSION)\" $(DEFINE_CONFIG_PATH) $(DEFINE_BIN_PATH) $(DEFINE_USE_CJSON_SO) $(DEFINE_USE_LIST_SO) $(DEFINE_USE_MUSTACHE_SO)
 	@echo "Compiled "$<" with pic successfully!"
 
 $(PICOBJDIR)/%.o : $(LIBDIR)/%.c
@@ -508,6 +515,10 @@ $(BINDIR)/$(KEYCHAIN): $(KEYCHAIN_SOURCES) $(BINDIR)
 	@cat $(KEYCHAIN_SOURCES) >$@ && chmod 755 $@
 	@echo "Building "$@" complete!"
 
+$(BINDIR)/$(TOKENSH): $(TOKENSH_SOURCES) $(BINDIR)
+	@cat $(TOKENSH_SOURCES) >$@ && chmod 755 $@
+	@echo "Building "$@" complete!"
+
 $(BINDIR)/$(AGENT_SERVICE): $(AGENTSERVICE_SRCDIR)/$(AGENT_SERVICE) $(AGENTSERVICE_SRCDIR)/options $(BINDIR)
 	@sed -n '/OIDC_INCLUDE/!p;//q' $< >$@
 	@sed 's!/etc/oidc-agent!$(CONFIG_AFTER_INST_PATH)/oidc-agent!' $(AGENTSERVICE_SRCDIR)/options | sed 's!/usr/bin/oidc-agent!$(BIN_AFTER_INST_PATH)/bin/$(AGENT)!' >>$@
@@ -541,15 +552,15 @@ endif
 
 ifndef ANY_MSYS
 .PHONY: install_bin
-install_bin: $(BIN_PATH)/bin/$(AGENT) $(BIN_PATH)/bin/$(GEN) $(BIN_PATH)/bin/$(ADD) $(BIN_PATH)/bin/$(CLIENT) $(BIN_PATH)/bin/$(KEYCHAIN) $(BIN_PATH)/bin/$(AGENT_SERVICE) $(PROMPT_BIN_PATH)/bin/$(PROMPT)
+install_bin: $(BIN_PATH)/bin/$(AGENT) $(BIN_PATH)/bin/$(GEN) $(BIN_PATH)/bin/$(ADD) $(BIN_PATH)/bin/$(CLIENT) $(BIN_PATH)/bin/$(KEYCHAIN) $(BIN_PATH)/bin/$(TOKENSH) $(BIN_PATH)/bin/$(AGENT_SERVICE) $(PROMPT_BIN_PATH)/bin/$(PROMPT)
 	@echo "Installed binaries"
 
 .PHONY: install_conf
 install_conf: $(CONFIG_PATH)/oidc-agent/$(PROVIDERCONFIGD) $(CONFIG_PATH)/oidc-agent/$(PROVIDERCONFIG) $(CONFIG_PATH)/oidc-agent/$(GLOBALCONFIG) $(CONFIG_PATH)/oidc-agent/$(SERVICECONFIG) $(TMPFILES_PATH)/oidc-agent.conf
 	@echo "Installed config files"
 
 .PHONY: install_bash
-install_bash: $(BASH_COMPLETION_PATH)/$(AGENT) $(BASH_COMPLETION_PATH)/$(GEN) $(BASH_COMPLETION_PATH)/$(ADD) $(BASH_COMPLETION_PATH)/$(CLIENT) $(BASH_COMPLETION_PATH)/$(AGENT_SERVICE) $(BASH_COMPLETION_PATH)/$(KEYCHAIN)
+install_bash: $(BASH_COMPLETION_PATH)/$(AGENT) $(BASH_COMPLETION_PATH)/$(GEN) $(BASH_COMPLETION_PATH)/$(ADD) $(BASH_COMPLETION_PATH)/$(CLIENT) $(BASH_COMPLETION_PATH)/$(AGENT_SERVICE) $(BASH_COMPLETION_PATH)/$(KEYCHAIN) $(BASH_COMPLETION_PATH)/$(TOKENSH)
 	@echo "Installed bash completion"
 
 .PHONY: install_man
@@ -650,6 +661,9 @@ $(BIN_PATH)/bin/$(CLIENT): $(BINDIR)/$(CLIENT) $(BIN_PATH)/bin
 $(BIN_PATH)/bin/$(KEYCHAIN): $(BINDIR)/$(KEYCHAIN) $(BIN_PATH)/bin
 	@install -p $< $@
 
+$(BIN_PATH)/bin/$(TOKENSH): $(BINDIR)/$(TOKENSH) $(BIN_PATH)/bin
+	@install -p $< $@
+
 $(BIN_PATH)/bin/$(AGENT_SERVICE): $(BINDIR)/$(AGENT_SERVICE) $(BIN_PATH)/bin
 	@install -p $< $@
 
@@ -686,6 +700,9 @@ $(BASH_COMPLETION_PATH)/$(CLIENT): $(BASH_COMPLETION_PATH)
 $(BASH_COMPLETION_PATH)/$(KEYCHAIN): $(BASH_COMPLETION_PATH)
 	@ln -s $(AGENT) $@
 
+$(BASH_COMPLETION_PATH)/$(TOKENSH): $(BASH_COMPLETION_PATH)
+	@ln -s $(AGENT) $@
+
 $(BASH_COMPLETION_PATH)/$(AGENT_SERVICE): $(CONFDIR)/bash-completion/oidc-agent-service $(BASH_COMPLETION_PATH)
 	@install -p -m 644 $< $@
 
@@ -777,6 +794,7 @@ uninstall_bin:
 	@$(rm) $(BIN_PATH)/bin/$(ADD)
 	@$(rm) $(BIN_PATH)/bin/$(CLIENT)
 	@$(rm) $(BIN_PATH)/bin/$(KEYCHAIN)
+	@$(rm) $(BIN_PATH)/bin/$(TOKENSH)
 	@$(rm) $(BIN_PATH)/bin/$(AGENT_SERVICE)
 	@$(rm) $(PROMPT_BIN_PATH)/bin/$(PROMPT)
 	@echo "Uninstalled binaries"
@@ -808,6 +826,7 @@ uninstall_bashcompletion:
 	@$(rm) $(BASH_COMPLETION_PATH)/$(AGENT)
 	@$(rm) $(BASH_COMPLETION_PATH)/$(AGENT_SERVICE)
 	@$(rm) $(BASH_COMPLETION_PATH)/$(KEYCHAIN)
+	@$(rm) $(BASH_COMPLETION_PATH)/$(TOKENSH)
 	@echo "Uninstalled bash completion"
 
 endif

diff --git a/README.md b/README.md
@@ -1,8 +1,6 @@
 ![oidc-agent logo](https://raw.githubusercontent.com/indigo-dc/oidc-agent/master/logo_wide.png)
 <!-- [![Build Status](https://jenkins.indigo-datacloud.eu/buildStatus/icon?job=Pipeline-as-code/oidc-agent/master)](https://jenkins.indigo-datacloud.eu/job/Pipeline-as-code/job/oidc-agent/job/master/) -->
 [![License](https://img.shields.io/github/license/indigo-dc/oidc-agent.svg)](https://github.com/indigo-dc/oidc-agent/blob/master/LICENSE)
-[![Total alerts](https://img.shields.io/lgtm/alerts/g/indigo-dc/oidc-agent.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/indigo-dc/oidc-agent/alerts/)
-[![Language grade](https://img.shields.io/lgtm/grade/cpp/g/indigo-dc/oidc-agent.svg?logo=lgtm&logoWidth=18&label=code%20quality)](https://lgtm.com/projects/g/indigo-dc/oidc-agent/context:cpp)
 [![Code size](https://img.shields.io/github/languages/code-size/indigo-dc/oidc-agent.svg)](https://github.com/indigo-dc/oidc-agent/tree/master/src)
 [![Release date](https://img.shields.io/github/release-date/indigo-dc/oidc-agent.svg)](https://github.com/indigo-dc/oidc-agent/releases/latest)
 [![Release version](https://img.shields.io/github/release/indigo-dc/oidc-agent.svg)](https://github.com/indigo-dc/oidc-agent/releases/latest)
@@ -23,7 +21,7 @@ variables the agent can be located and used to handle OIDC tokens.
 The agent initially does not have any account configurations loaded. You can load an account configuration by
 using `oidc-add`. Multiple account configurations may be loaded in `oidc-agent` concurrently.  `oidc-add` is also used
 to remove a loaded configuration from `oidc-agent`. `oidc-gen` is used to initially generate an account configurations
-file [(Help for different providers)](https://indigo-dc.gitbooks.io/oidc-agent/provider.html).
+file [(Help for different providers)](https://indigo-dc.gitbook.io/oidc-agent/user/oidc-gen/provider).
 
 **Full documentation** can be found at https://indigo-dc.gitbooks.io/oidc-agent/.
 
@@ -32,9 +30,9 @@ releases: [Subscribe oidc-agent-user](https://www.lists.kit.edu/sympa/subscribe/
 
 ## Installation
 
-oidc-agent is directly available for some newer debian-based distributions. Releases for all distributions are available
-at
-http://repo.data.kit.edu/
+oidc-agent is directly available for some distributions.
+Additionally, we build the newest packages fora wide range of different
+distributions that are available at: http://repo.data.kit.edu/
 
 ### Linux
 

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-5.1.0
+5.2.0
diff --git a/config/custom_parameters.config.example b/config/custom_parameters.config.example
@@ -0,0 +1,23 @@
+[
+  {
+    "parameter": "key",
+    "value": "value / $VALUE / /home/user/value",
+    "for_issuer": [
+      "https://example.com"
+    ],
+    "for_account": [
+      "iam",
+      "example"
+    ],
+    "request": [
+      "refresh",
+      "auth_url",
+      "code-exchange",
+      "device-init",
+      "device-polling",
+      "registration",
+      "revocation",
+      "password"
+    ]
+  }
+]
diff --git a/config/custom_parameters.config.unity b/config/custom_parameters.config.unity
@@ -0,0 +1,13 @@
+[
+  {
+    "parameter": "claims_in_tokens",
+    "value": "id_token token",
+    "for_issuer": [
+      "https://login.helmholtz.de/oauth2",
+      "https://login-dev.helmholtz.de/oauth2"
+    ],
+    "request": [
+      "auth_url"
+    ]
+  }
+]