Verify aud claim cf (#202)

* fix: verify audience claim

Co-Authored-By: Vladimir Pouzanov <[email protected]>
Signed-off-by: CI <[email protected]>

* fix unit tests

Signed-off-by: Michael Crenshaw <[email protected]>

* handle single aud claim marshaled as a string

Signed-off-by: Michael Crenshaw <[email protected]>

* fix dependencies

* fix: add CLI client IDs to default OIDC allowed audiences (argoproj#12170) (argoproj#12179)

* fix(settings): add CLI client ID in default OAuth2 allowed audiences

Signed-off-by: Yann Soubeyrand <[email protected]>

* fix: add CLI client IDs to default OIDC allowed audiences (argoproj#12170)

Signed-off-by: Michael Crenshaw <[email protected]>

* docs

Signed-off-by: Michael Crenshaw <[email protected]>

* test

Signed-off-by: Michael Crenshaw <[email protected]>

* handle expired token properly

Signed-off-by: Michael Crenshaw <[email protected]>

---------

Signed-off-by: Yann Soubeyrand <[email protected]>
Signed-off-by: Michael Crenshaw <[email protected]>
Co-authored-by: Yann Soubeyrand <[email protected]>

* fix dependencies

* update version

* update version

* update version

* fix linter

* fix linter

---------

Signed-off-by: CI <[email protected]>
Signed-off-by: Michael Crenshaw <[email protected]>
Signed-off-by: Yann Soubeyrand <[email protected]>
Co-authored-by: CI <[email protected]>
Co-authored-by: Vladimir Pouzanov <[email protected]>
Co-authored-by: pashakostohrys <[email protected]>
Co-authored-by: Yann Soubeyrand <[email protected]>

Author: 5 people

VERSION

@@ -1 +1 @@
-2.5.5-cap-CR-fix-rollouts-rollback
+2.5.5-cap-CR-verify-aud-claim

cmd/argocd/commands/admin/settings.go

@@ -206,7 +206,7 @@ var validatorsByGroup = map[string]settingValidator{
 			}
 			ssoProvider = "Dex"
 		} else if general.OIDCConfigRAW != "" {
-			if _, err := settings.UnmarshalOIDCConfig(general.OIDCConfigRAW); err != nil {
+			if err := settings.ValidateOIDCConfig(general.OIDCConfigRAW); err != nil {
 				return "", fmt.Errorf("invalid oidc.config: %v", err)
 			}
 			ssoProvider = "OIDC"

common/common.go

@@ -1,6 +1,7 @@
 package common
 
 import (
+	"errors"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -78,10 +79,10 @@ const (
 
 	// ArgoCDAdminUsername is the username of the 'admin' user
 	ArgoCDAdminUsername = "admin"
-	// ArgoCDUserAgentName is the default user-agent name used by the gRPC API client library and grpc-gateway
-	ArgoCDUserAgentName = "argocd-client"
 	// ArgoCDSSAManager is the default argocd manager name used by server-side apply syncs
 	ArgoCDSSAManager = "argocd-controller"
+	// ArgoCDUserAgentName is the default user-agent name used by the gRPC API client library and grpc-gateway
+	ArgoCDUserAgentName = "argocd-client"
 	// AuthCookieName is the HTTP cookie name where we store our auth token
 	AuthCookieName = "argocd.token"
 	// StateCookieName is the HTTP cookie name that holds temporary nonce tokens for CSRF protection
@@ -227,12 +228,6 @@ const (
 	DefaultCMPWorkDirName = "_cmp_server"
 
 	ConfigMapPluginDeprecationWarning = "argocd-cm plugins are deprecated, and support will be removed in v2.6. Upgrade your plugin to be installed via sidecar. https://argo-cd.readthedocs.io/en/stable/user-guide/config-management-plugins/"
-
-	ConfigMapPluginCLIDeprecationWarning = "spec.plugin.name is set, which means this Application uses a plugin installed in the " +
-		"argocd-cm ConfigMap. Installing plugins via that ConfigMap is deprecated in Argo CD v2.5. " +
-		"Starting in Argo CD v2.6, this Application will fail to sync. Contact your Argo CD admin " +
-		"to make sure an upgrade plan is in place. More info: " +
-		"https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/2.4-2.5/"
 )
 
 const (
@@ -299,7 +294,7 @@ func GetCMPWorkDir() string {
 }
 
 const (
-	// AnnotationApplicationRefresh is an annotation that is added when an ApplicationSet is requested to be refreshed by a webhook. The ApplicationSet controller will remove this annotation at the end of reconciliation.
+	// AnnotationApplicationRefresh is an annotation that is added when an ApplicationSet is requested to be refreshed by a webhook. The ApplicationSet controller will remove this annotation at the end of reconcilation.
 	AnnotationApplicationSetRefresh = "argocd.argoproj.io/application-set-refresh"
 )
 
@@ -312,11 +307,14 @@ const (
 
 // Security severity logging
 const (
-	SecurityField     = "security"
-	SecurityCWEField  = "CWE"
-	SecurityEmergency = 5 // Indicates unmistakably malicious events that should NEVER occur accidentally and indicates an active attack (i.e. brute forcing, DoS)
-	SecurityCritical  = 4 // Indicates any malicious or exploitable event that had a side effect (i.e. secrets being left behind on the filesystem)
-	SecurityHigh      = 3 // Indicates likely malicious events but one that had no side effects or was blocked (i.e. out of bounds symlinks in repos)
-	SecurityMedium    = 2 // Could indicate malicious events, but has a high likelihood of being user/system error (i.e. access denied)
-	SecurityLow       = 1 // Unexceptional entries (i.e. successful access logs)
+	SecurityField    = "security"
+	SecurityCWEField = "CWE"
+	SecurityHigh     = 3 // Indicates likely malicious events but one that had no side effects or was blocked (i.e. out of bounds symlinks in repos)
+	SecurityMedium   = 2 // Could indicate malicious events, but has a high likelihood of being user/system error (i.e. access denied)
+	SecurityLow      = 1 // Unexceptional entries (i.e. successful access logs)
 )
+
+// Common error messages
+const TokenVerificationError = "failed to verify the token"
+
+var TokenVerificationErr = errors.New(TokenVerificationError)