Some IdPs might have eventual consistency for their API calls, and refreshing the cache with its data may return the deleted user as part of the account
Introduce a new account manager method, removeUserFromCache, to remove the user from the local cache without refresh
* Added function to check user access by JWT groups in the account management mock server and account manager
* Refactor auth middleware for group-based JWT access control
* Add group-based JWT access control on adding new peer with JWT
* Remove mapping error as the token validation error is already present in grpc error codes
* use GetAccountFromToken to prevent single mode issues
* handle foreground login message
---------
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
Ensure the jwks expiresInTime is not zero and add a log indicating the new expiration time
Replace the configuration property only when the flag is being used
* Extend management API to support list of allowed JWT groups (#1366)
* Add JWTAllowGroups settings to account management
* Return an empty group list if jwt allow groups is not set
* Add JwtAllowGroups to account settings in handler test
* Add JWT group-based user authorization (#1373)
* Add JWTAllowGroups settings to account management
* Return an empty group list if jwt allow groups is not set
* Add JwtAllowGroups to account settings in handler test
* Implement user access validation authentication based on JWT groups
* Remove the slices package import due to compatibility issues with the gitHub workflow(s) Go version
* Refactor auth middleware and test for extracted claim handling
* Optimize JWT group check in auth middleware to cover nil and empty allowed groups
This PR adds `gosec` linter with the following checks disabled:
- G102: Bind to all interfaces
- G107: Url provided to HTTP request as taint input
- G112: Potential slowloris attack
- G114: Use of net/http serve function that has no support for setting timeouts
- G204: Audit use of command execution
- G401: Detect the usage of DES, RC4, MD5 or SHA1
- G402: Look for bad TLS connection settings
- G404: Insecure random number source (rand)
- G501: Import blocklist: crypto/md5
- G505: Import blocklist: crypto/sha1
We have complaints related to the checks above. They have to be addressed separately.
This PR adds support to Owner roles.
The owner role has a similar access level as the admin, but it has the power to delete the account.
Besides that, the role has the following constraints:
- The role can only be transferred. So, only a user with the owner role can transfer the owner role to a new user
- It can't be assigned to users being invited
- It can't be assigned to service users
Adding support to account owners to delete an account
This will remove all users from local, and if --user-delete-from-idp is set it will remove from the remote IDP
* Add gocritic linter
`gocritic` provides diagnostics that check for bugs, performance, and style issues
We disable the following checks:
- commentFormatting
- captLocal
- deprecatedComment
This PR contains many `//nolint:gocritic` to disable `appendAssign`.
With this change we should be able to collect and expose the following histograms:
* `management.updatechannel.create.duration.ms` with `closed` boolean label
* `management.updatechannel.create.duration.micro` with `closed` boolean label
* `management.updatechannel.close.one.duration.ms`
* `management.updatechannel.close.one.duration.micro`
* `management.updatechannel.close.multiple.duration.ms`
* `management.updatechannel.close.multiple.duration.micro`
* `management.updatechannel.close.multiple.channels`
* `management.updatechannel.send.duration.ms` with `found` and `dropped` boolean labels
* `management.updatechannel.send.duration.micro` with `found` and `dropped` boolean labels
* `management.updatechannel.get.all.duration.ms`
* `management.updatechannel.get.all.duration.micro`
* `management.updatechannel.get.all.peers`
* Add non-deletable flag for service users
* fix non deletable service user created as deletable
* Exclude non deletable service users in service users api response
* Fix broken tests
* Add test for non deletable service user
* Add handling for non-deletable service users in tests
* Remove non-deletable service users when fetching all users
* Ensure non-deletable users are filtered out when fetching all user data
