Affected by GO-2023-1512 and 19 other vulnerabilities

GO-2023-1512: Controller reconciles apps outside configured namespaces when sharding is enabled in github.com/argoproj/argo-cd

GO-2023-1520: JWT audience claim is not verified in github.com/argoproj/argo-cd

GO-2023-1577: Users with any cluster secret update access may update out-of-bounds cluster secrets in github.com/argoproj/argo-cd

GO-2023-1670: Argo CD authenticated but unauthorized users may enumerate Application names via the API in github.com/argoproj/argo-cd

GO-2023-2049: Argo CD cluster secret might leak in cluster details page in github.com/argoproj/argo-cd

GO-2023-2050: Argo CD repo-server Denial of Service vulnerability in github.com/argoproj/argo-cd

GO-2024-2646: Cross-site scripting on application summary component in github.com/argoproj/argo-cd/v2

GO-2024-2652: Brute force protection bypass in github.com/argoproj/argo-cd/v2

GO-2024-2654: Denial of service in github.com/argoproj/argo-cd/v2

GO-2024-2667: Out of memory crash from malicious Helm registry in github.com/argoproj/argo-cd/v2

GO-2024-2728: Argo CD's API server does not enforce project sourceNamespaces in github.com/argoproj/argo-cd

GO-2024-2792: Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences in github.com/argoproj/argo-cd

GO-2024-2877: ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache in github.com/argoproj/argo-cd

GO-2024-2898: Argo-cd authenticated users can enumerate clusters by name in github.com/argoproj/argo-cd

GO-2024-3002: Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in github.com/argoproj/argo-cd

GO-2025-3433: Argo CD does not scrub secret values from patch errors in github.com/argoproj/argo-cd

GO-2025-3720: Argo CD allows cross-site scripting on repositories page in github.com/argoproj/argo-cd

GO-2025-3993: Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload in github.com/argoproj/argo-cd

GO-2025-3994: Repository Credentials Race Condition Crashes Argo CD Server in github.com/argoproj/argo-cd

GO-2025-3996: argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload in github.com/argoproj/argo-cd

The highest tagged major version is v3.

session

package

v2.5.2 Latest Latest Go to latest Published: Nov 7, 2022 License: Apache-2.0 Imports: 30 Imported by: 4

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/argoproj/argo-cd

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func GetSubjectAccountAndCapability(subject string) (string, settings.AccountCapability)
func Groups(ctx context.Context, scopes []string) []string
func Iat(ctx context.Context) (time.Time, error)
func Iss(ctx context.Context) string
func LoggedIn(ctx context.Context) bool
func NewUserStateStorage(redis *redis.Client) *userStateStorage
func Sub(ctx context.Context) string
func Username(ctx context.Context) string
type LoginAttempts
type SessionManager
- func NewSessionManager(settingsMgr *settings.SettingsManager, ...) *SessionManager
type UserStateStorage

Constants ¶

View Source

const (
	// SessionManagerClaimsIssuer fills the "iss" field of the token.
	SessionManagerClaimsIssuer = "argocd"
	AuthErrorCtxKey            = "auth-error"
)

Variables ¶

View Source

var (
	InvalidLoginErr = status.Errorf(codes.Unauthenticated, invalidLoginError)
)

Functions ¶

func GetSubjectAccountAndCapability ¶

func GetSubjectAccountAndCapability(subject string) (string, settings.AccountCapability)

GetSubjectAccountAndCapability analyzes Argo CD account token subject and extract account name and the capability it was generated for (default capability is API Key).

func Groups ¶

func Groups(ctx context.Context, scopes []string) []string

func Iat ¶

func Iat(ctx context.Context) (time.Time, error)

func Iss ¶

func Iss(ctx context.Context) string

func LoggedIn ¶

func LoggedIn(ctx context.Context) bool

func NewUserStateStorage ¶

func NewUserStateStorage(redis *redis.Client) *userStateStorage

func Sub ¶

func Sub(ctx context.Context) string

func Username ¶

func Username(ctx context.Context) string

Username is a helper to extract a human readable username from a context

Types ¶

type LoginAttempts ¶

type LoginAttempts struct {
	// Time of the last failed login
	LastFailed time.Time `json:"lastFailed"`
	// Number of consecutive login failures
	FailCount int `json:"failCount"`
}

LoginAttempts is a timestamped counter for failed login attempts

type SessionManager ¶

type SessionManager struct {
	// contains filtered or unexported fields
}

SessionManager generates and validates JWT tokens for login sessions.

func NewSessionManager ¶

func NewSessionManager(settingsMgr *settings.SettingsManager, projectsLister v1alpha1.AppProjectNamespaceLister, dexServerAddr string, dexTlsConfig *dex.DexTLSConfig, storage UserStateStorage) *SessionManager

NewSessionManager creates a new session manager from Argo CD settings

func (*SessionManager) Create ¶

func (mgr *SessionManager) Create(subject string, secondsBeforeExpiry int64, id string) (string, error)

Create creates a new token for a given subject (user) and returns it as a string. Passing a value of `0` for secondsBeforeExpiry creates a token that never expires. The id parameter holds an optional unique JWT token identifier and stored as a standard claim "jti" in the JWT token.

func (*SessionManager) GetLoginFailures ¶

func (mgr *SessionManager) GetLoginFailures() map[string]LoginAttempts

GetLoginFailures retrieves the login failure information from the cache

func (*SessionManager) Parse ¶

func (mgr *SessionManager) Parse(tokenString string) (jwt.Claims, string, error)

Parse tries to parse the provided string and returns the token claims for local login.

func (*SessionManager) RevokeToken ¶

func (mgr *SessionManager) RevokeToken(ctx context.Context, id string, expiringAt time.Duration) error

func (*SessionManager) VerifyToken ¶

func (mgr *SessionManager) VerifyToken(tokenString string) (jwt.Claims, string, error)

VerifyToken verifies if a token is correct. Tokens can be issued either from us or by an IDP. We choose how to verify based on the issuer.

func (*SessionManager) VerifyUsernamePassword ¶

func (mgr *SessionManager) VerifyUsernamePassword(username string, password string) error

VerifyUsernamePassword verifies if a username/password combo is correct

type UserStateStorage ¶

type UserStateStorage interface {
	Init(ctx context.Context)
	// GetLoginAttempts return number of concurrent login attempts
	GetLoginAttempts(attempts *map[string]LoginAttempts) error
	// SetLoginAttempts sets number of concurrent login attempts
	SetLoginAttempts(attempts map[string]LoginAttempts) error
	// RevokeToken revokes token with given id (information about revocation expires after specified timeout)
	RevokeToken(ctx context.Context, id string, expiringAt time.Duration) error
	// IsTokenRevoked checks if given token is revoked
	IsTokenRevoked(id string) bool
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL