Merge pull request #542 from indigo-dc/prerel

oidc-agent 5

.gitlab-ci-scripts/local-before-script.sh

@@ -7,14 +7,16 @@ echo "======== oidc-agent-local-before-script starting======="
 export VERSION=`cat VERSION`
 # clone the packages file of this repo:
 # Try with VERSION
+echo "Trying to use branch for packaging: ${PACKAGING_BRANCH}/v${VERSION}"
 git clone -b ${PACKAGING_BRANCH}/v${VERSION} http://git.scc.kit.edu/m-team/oidc-agent.git delme || {
+    echo "Falling back to ${PACKAGING_BRANCH}/latest"
     git clone -b ${PACKAGING_BRANCH}/latest http://git.scc.kit.edu/m-team/oidc-agent.git delme
 }
 
 
 case ${DISTRO} in
     debian|ubuntu)
-        ls -la
+        # ls -la
         [ -d debian ] && {
             echo "There IS an existing debian folder"
             echo "This is the content:"
@@ -41,33 +43,44 @@ case ${DISTRO} in
             echo "converting changelog.template"
             # define variables
             export VERSION=`cat VERSION`
-            export RELEASE=1
+            export RELNUM=1
             export DATE=`date -R`
             # envsubst
             FILES="${FILES} debian/changelog"
             for FILE in ${FILES}; do
                 cat ${FILE}.template | envsubst > ${FILE}
                 rm ${FILE}.template
-                cat ${FILE}
+                echo -e "\n---------- generated: ${FILE}"
+                # cat ${FILE}
+                # echo -e "---------- end of generated: ${FILE} \n"
             done
         }
+        case ${RELEASE} in
+            buster)     make buster-debsource                           ;;
+            bionic)     make bionic-debsource                           ;;
+            focal)      make focal-debsource                            ;;
+            buster)     make buster-debsource                           ;;
+        esac
     ;;
     *) # We expect only RPM by default
         [ -d rpm ] || {
             echo "using freshly cloned and adapted rpm folder"
 
             mv delme/rpm .
+            mv delme/debian .
         }
         # define variables
         export VERSION=`cat VERSION`
-        export RELEASE=1
-        export DATE=`date +"%a %B %d %Y"`
+        export RELNUM=1
+        export DATE=`date +"%a %b %d %Y"`
         # envsubst
-        FILES="${FILES} rpm/oidc-agent.spec"
+        FILES="debian/changelog ${FILES} rpm/oidc-agent.spec"
         for FILE in ${FILES}; do
             cat ${FILE}.template | envsubst > ${FILE}
             rm ${FILE}.template
+            echo -e "\n---------- generated: ${FILE}"
             cat ${FILE}
+            echo -e "---------- end of generated: ${FILE} \n"
         done
     ;;
 esac

.gitlab-ci.yml

@@ -34,55 +34,13 @@ variables:
   MTEAM_CI_ADDITIONAL_PACKAGES_ZYPPER: ''
 
 
-build-debian-buster:
-  extends:
-    - .build-debian-buster
-  script:
-    - make buster-debsource
-    - dpkg-buildpackage -uc -us
-  allow_failure: true
-
-build-debian-bullseye:
-  extends:
-    - .build-debian-bullseye
-
-build-debian-bookworm:
-  extends:
-    - .build-debian-bookworm
-
-build-ubuntu-focal:
-  extends:
-    - .build-ubuntu-focal
-  script:
-    - make focal-debsource
-    - dpkg-buildpackage -uc -us
-  allow_failure: true
-
-build-ubuntu-bionic:
-  extends:
-    - .build-ubuntu-bionic
-  script:
-    - make bionic-debsource
-    - dpkg-buildpackage -uc -us
-  allow_failure: true
-
-build-ubuntu-jammy:
-  extends:
-    - .build-ubuntu-jammy
-
-build-ubuntu-kinetic:
-  extends:
-    - .build-ubuntu-kinetic
-
-
-
 ###### WINDOWS ######
 build-windows-lib-64:
   extends:
     - .build-win-msys2-mingw64
     - .on-push-and-master
   variables:
-    DOCKER_IMAGE_VERSION_WINDOWS: '3'
+    DOCKER_IMAGE_VERSION_WINDOWS: 'latest'
   artifacts:
     paths:
       - bin
@@ -106,7 +64,7 @@ build-windows-64:
     - .build-win-msys2
     - .on-push-and-master
   variables:
-    DOCKER_IMAGE_VERSION_WINDOWS: '3'
+    DOCKER_IMAGE_VERSION_WINDOWS: 'latest'
   artifacts:
     paths:
       - bin
@@ -182,7 +140,7 @@ installer:
         TRIGGER_BRANCH: main
     - if: $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH
       variables:
-        TRIGGER_BRANCH: devel
+        TRIGGER_BRANCH: devel # TODO change back to devel if 5 is merged
   inherit:
     variables:
       - ANYBRANCH_RESOLVE_DEPENDENCIES_REPO
@@ -208,3 +166,4 @@ installer:
     project: m-team/oidc/oidc-agent-win-installer
     branch: $TRIGGER_BRANCH
     strategy: depend
+

CHANGELOG.md

@@ -12,6 +12,100 @@
 <!-- ### Dependencies -->
 <!--  -->
 
+## oidc-agent 5.0.0
+
+oidc-agent 5 is a major update that brings the power of a true configuration file and focuses on improving the user
+experience and usability.
+**See our [migration guide](https://indigo-dc.gitbook.io/oidc-agent/migrating-to-oidc-agent-5) for details on how to
+migrate to oidc-agent 5.**
+
+### Changes
+
+- Reworked the `issuer.config` file:
+    - The `issuer.config` file in `/etc/oidc-agent` is updated on package upgrade
+    - The `issuer.config` in user's oidc-agent dir is automatically updated when needed
+    - The new format allows to set and tweak options / behavior on a per-issuer basis, e.g. if the encryption password
+      should be stored.
+- Dropped oidc-agent `--pw-lifetime` option. This did not work as expected. The intended usage can be achieved with
+  the `issuer.config` file.
+- Dropped support for storing encryption password in system's keyring (`--pw-keyring`)
+    - This still can be done through `--pw-cmd`
+- Changed the oidc-agent-service socket dir from `/tmp/oidc-agent-service/<uid>` to `/tmp/oidc-agent-service-<uid>`.
+  This allows (better) multiple users to run oidc-agent-service.
+    - This is a breaking change for all existing terminals that already have a `$OIDC_SOCK` set to a service socket. The
+      easiest way to make sure that also existing sessions with the old path have access to a newly started agent,
+      create a link from the old location to the new one, i.e.
+  ```bash
+  rm -rf /tmp/oidc-agent-service/${UID}/
+  ln -s /tmp/oidc-agent-service-${UID} /tmp/oidc-agent-service/${UID}
+  ```
+- Also changed how the socket is managed by `oidc-agent-service`: Instead of linking the random socket location to a
+  well known location, we now create the socket directly in the well known location. This improves security
+  and `oidc-agent-service` can make use of the trust-checks on the socket location performed by the agent.
+
+### Features
+
+- Added support for RFC8707 to request ATs with specific audiences
+    - Changed default audience request method to RFC8707
+    - Old audience request behavior can be enabled for issuers through the `issuer.config` file.
+    - For known IAM instances legacy aud mode is enabled by default
+- Added support for `oidc-agent <command> [command_args]`, similar to ssh-agent; e.g. `oidc-agent bash` starts the agent
+  and makes it available in a new bash.
+- Added possibility for stat logging and sharing
+    - Sharing usage statistics helps us better understanding how users use oidc-agent and therefore helps us to improve
+      oidc-agent
+
+### Security Fixes:
+
+- Fixed permissions of agent socket.
+- `oidc-agent` now checks the socket location to be trustworthy.
+
+### API
+
+- Added possibility to obtain (extended) account information from the agent. This includes all available accounts,
+  associated to their OP issuer, an indicator if the account is loaded or not, and an indicator if there is a public
+  client available for an issuer.
+- Dropped deprecated functions from liboidc-agent
+- Renamed numbered functions in liboidc-agent
+
+### Enhancements
+
+- A lot of the configuration options in the configuration file greatly improve the user experience, the following are
+  just a few examples of what is possible:
+    - Automatically store the encryption password for certain issuers
+    - Automatically encrypt new account configuration with gpg
+    - Automatically use a pre-registered client
+    - Automatically prefer configurations via a mytoken server if issuer is available there
+- Improved text and styling of prompts.
+- Several improvements to the windows installer
+- Improvements to the gui prompting design
+- Several smaller improvements
+
+### Bugfixes
+
+- Fixed a bug that potentially could cause a segmentation fault
+- Fixed a bug related to http retrying that potentially could cause a segmentation fault
+- Fixed a problem in oidc-agent-service where only one user could run oidc-agent-service
+- Fixed a bug where wrong unlock attempts of agent locking did not increase/create delay
+- Fixed more bugs
+
+### Dependencies
+
+- Dropped libsecret dependency
+
+### OpenID Provider
+
+- Added OP: https://alice-auth.web.cern.ch/
+- Added OP: https://atlas-auth.web.cern.ch/
+- Added OP: https://cms-auth.web.cern.ch/
+- Added OP: https://lhcb-auth.web.cern.ch/
+- Added OP: https://bildungsproxy.aai.dfn.de
+- Added public client for https://bildungsproxy.aai.dfn.de
+- Added OP: https://auth.didmos.nfdi-aai.de
+- Added public client for https://auth.didmos.nfdi-aai.de
+- Added OP: https://regapp.nfdi-aai.de/oidc/realms/nfdi_demo
+- Added public client for https://regapp.nfdi-aai.de/oidc/realms/nfdi_demo
+
 ## oidc-agent 4.5.2
 
 ### Changes