Affected by GO-2023-1520 and 10 other vulnerabilities

GO-2023-1520: JWT audience claim is not verified in github.com/argoproj/argo-cd

GO-2023-1670: Argo CD authenticated but unauthorized users may enumerate Application names via the API in github.com/argoproj/argo-cd

GO-2023-2049: Argo CD cluster secret might leak in cluster details page in github.com/argoproj/argo-cd

GO-2023-2085: Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server in github.com/argoproj/argo-cd

GO-2024-2646: Cross-site scripting on application summary component in github.com/argoproj/argo-cd/v2

GO-2024-2652: Brute force protection bypass in github.com/argoproj/argo-cd/v2

GO-2024-2654: Denial of service in github.com/argoproj/argo-cd/v2

GO-2024-2792: Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences in github.com/argoproj/argo-cd

GO-2024-2877: ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache in github.com/argoproj/argo-cd

GO-2024-2898: Argo-cd authenticated users can enumerate clusters by name in github.com/argoproj/argo-cd

GO-2024-3002: Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in github.com/argoproj/argo-cd

session

package

v2.2.14 Latest Latest Go to latest Published: Oct 5, 2022 License: Apache-2.0 Imports: 31 Imported by: 4

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/argoproj/argo-cd

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func GetSubjectAccountAndCapability(subject string) (string, settings.AccountCapability)
func Groups(ctx context.Context, scopes []string) []string
func Iat(ctx context.Context) (time.Time, error)
func Iss(ctx context.Context) string
func LoggedIn(ctx context.Context) bool
func NewUserStateStorage(redis *redis.Client) *userStateStorage
func Sub(ctx context.Context) string
func Username(ctx context.Context) string
type LoginAttempts
type SessionManager
- func NewSessionManager(settingsMgr *settings.SettingsManager, ...) *SessionManager
type UserStateStorage

Constants ¶

View Source

const (
	// SessionManagerClaimsIssuer fills the "iss" field of the token.
	SessionManagerClaimsIssuer = "argocd"
	AuthErrorCtxKey            = "auth-error"
)

Variables ¶

View Source

var (
	InvalidLoginErr = status.Errorf(codes.Unauthenticated, invalidLoginError)
)

Functions ¶

func GetSubjectAccountAndCapability ¶

func GetSubjectAccountAndCapability(subject string) (string, settings.AccountCapability)

GetSubjectAccountAndCapability analyzes Argo CD account token subject and extract account name and the capability it was generated for (default capability is API Key).

func Groups ¶

func Groups(ctx context.Context, scopes []string) []string

func Iat ¶

func Iat(ctx context.Context) (time.Time, error)

func Iss ¶

func Iss(ctx context.Context) string

func LoggedIn ¶

func LoggedIn(ctx context.Context) bool

func NewUserStateStorage ¶

func NewUserStateStorage(redis *redis.Client) *userStateStorage

func Sub ¶

func Sub(ctx context.Context) string

func Username ¶

func Username(ctx context.Context) string

Username is a helper to extract a human readable username from a context

Types ¶

type LoginAttempts ¶

type LoginAttempts struct {
	// Time of the last failed login
	LastFailed time.Time `json:"lastFailed"`
	// Number of consecutive login failures
	FailCount int `json:"failCount"`
}

LoginAttempts is a timestamped counter for failed login attempts

type SessionManager ¶

type SessionManager struct {
	// contains filtered or unexported fields
}

SessionManager generates and validates JWT tokens for login sessions.

func NewSessionManager ¶

func NewSessionManager(settingsMgr *settings.SettingsManager, projectsLister v1alpha1.AppProjectNamespaceLister, dexServerAddr string, storage UserStateStorage) *SessionManager

NewSessionManager creates a new session manager from Argo CD settings

func (*SessionManager) Create ¶

func (mgr *SessionManager) Create(subject string, secondsBeforeExpiry int64, id string) (string, error)

Create creates a new token for a given subject (user) and returns it as a string. Passing a value of `0` for secondsBeforeExpiry creates a token that never expires. The id parameter holds an optional unique JWT token identifier and stored as a standard claim "jti" in the JWT token.

func (*SessionManager) GetLoginFailures ¶

func (mgr *SessionManager) GetLoginFailures() map[string]LoginAttempts

GetLoginFailures retrieves the login failure information from the cache

func (*SessionManager) Parse ¶

func (mgr *SessionManager) Parse(tokenString string) (jwt.Claims, string, error)

Parse tries to parse the provided string and returns the token claims for local login.

func (*SessionManager) RevokeToken ¶

func (mgr *SessionManager) RevokeToken(ctx context.Context, id string, expiringAt time.Duration) error

func (*SessionManager) VerifyToken ¶

func (mgr *SessionManager) VerifyToken(tokenString string) (jwt.Claims, string, error)

VerifyToken verifies if a token is correct. Tokens can be issued either from us or by an IDP. We choose how to verify based on the issuer.

func (*SessionManager) VerifyUsernamePassword ¶

func (mgr *SessionManager) VerifyUsernamePassword(username string, password string) error

VerifyUsernamePassword verifies if a username/password combo is correct

type UserStateStorage ¶

type UserStateStorage interface {
	Init(ctx context.Context)
	// GetLoginAttempts return number of concurrent login attempts
	GetLoginAttempts(attempts *map[string]LoginAttempts) error
	// SetLoginAttempts sets number of concurrent login attempts
	SetLoginAttempts(attempts map[string]LoginAttempts) error
	// RevokeToken revokes token with given id (information about revocation expires after specified timeout)
	RevokeToken(ctx context.Context, id string, expiringAt time.Duration) error
	// IsTokenRevoked checks if given token is revoked
	IsTokenRevoked(id string) bool
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL