diff --git a/.github/SECURITY.md b/.github/SECURITY.md
index 9decd34e..eab38858 100644
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -11,10 +11,10 @@ to confirm receipt of the issue.
 ## Review Process Once a maintainer has confirmed the relevance of the report, a draft security
-advisory will be created on Github. The draft advisory will be used to discuss
+advisory will be created on GitHub. The draft advisory will be used to discuss
 the issue with maintainers, the reporter(s). If the reporter(s) wishes to participate in this discussion, then provide
-reporter Github username(s) to be invited to the discussion. If the reporter(s)
+reporter GitHub username(s) to be invited to the discussion. If the reporter(s)
 does not wish to participate directly in the discussion, then the reporter(s) can request to be updated regularly via email.
diff --git a/api/api.pb.go b/api/api.pb.go
index 8e24f61d..3b680dd6 100644
--- a/api/api.pb.go
+++ b/api/api.pb.go
@@ -957,7 +957,7 @@ type VersionResp struct { // Semantic version of the server. Server string `protobuf:"bytes,1,opt,name=server,proto3" json:"server,omitempty"` - // Numeric version of the API. It increases everytime a new call is added to the API. + // Numeric version of the API. It increases every time a new call is added to the API. // Clients should use this info to determine if the server supports specific features. Api int32 `protobuf:"varint,2,opt,name=api,proto3" json:"api,omitempty"` }
diff --git a/api/api.proto b/api/api.proto
index 7d25771a..cfb7979c 100644
--- a/api/api.proto
+++ b/api/api.proto
@@ -112,7 +112,7 @@ message VersionReq {}
 message VersionResp { // Semantic version of the server. string server = 1;
- // Numeric version of the API. It increases everytime a new call is added to the API.
+ // Numeric version of the API. It increases every time a new call is added to the API.
 // Clients should use this info to determine if the server supports specific features. int32 api = 2; }
diff --git a/api/v2/api.pb.go b/api/v2/api.pb.go
index abaef0ee..99b69639 100644
--- a/api/v2/api.pb.go
+++ b/api/v2/api.pb.go
@@ -957,7 +957,7 @@ type VersionResp struct { // Semantic version of the server. Server string `protobuf:"bytes,1,opt,name=server,proto3" json:"server,omitempty"` - // Numeric version of the API. It increases everytime a new call is added to the API. + // Numeric version of the API. It increases every time a new call is added to the API. // Clients should use this info to determine if the server supports specific features. Api int32 `protobuf:"varint,2,opt,name=api,proto3" json:"api,omitempty"` }
diff --git a/api/v2/api.proto b/api/v2/api.proto
index 82a2e2af..eceef77c 100644
--- a/api/v2/api.proto
+++ b/api/v2/api.proto
@@ -112,7 +112,7 @@ message VersionReq {}
 message VersionResp { // Semantic version of the server. string server = 1;
- // Numeric version of the API. It increases everytime a new call is added to the API.
+ // Numeric version of the API. It increases every time a new call is added to the API.
 // Clients should use this info to determine if the server supports specific features. int32 api = 2; }
diff --git a/config.yaml.dist b/config.yaml.dist
index ba7bad68..12d9b927 100644
--- a/config.yaml.dist
+++ b/config.yaml.dist
@@ -118,7 +118,7 @@ web:
 # name: 'Example App' # secret: ZXhhbXBsZS1hcHAtc2VjcmV0
-# Connectors are used to authenticate users agains upstream identity providers.
+# Connectors are used to authenticate users against upstream identity providers.
 # # See the documentation (https://dexidp.io/docs/connectors/) for further information. # connectors: []
diff --git a/connector/gitlab/gitlab.go b/connector/gitlab/gitlab.go
index f35ac357..099cd2ef 100644
--- a/connector/gitlab/gitlab.go
+++ b/connector/gitlab/gitlab.go
@@ -1,4 +1,4 @@
-// Package gitlab provides authentication strategies using Gitlab.
+// Package gitlab provides authentication strategies using GitLab.
 package gitlab import (
diff --git a/connector/google/google_test.go b/connector/google/google_test.go
index cf5977ab..262657db 100644
--- a/connector/google/google_test.go
+++ b/connector/google/google_test.go
@@ -86,7 +86,7 @@ func TestOpen(t *testing.T) {
 expectedErr string // string to set in GOOGLE_APPLICATION_CREDENTIALS. As local development environments can
- // already contain ADC, test cases will be built uppon this setting this env variable
+ // already contain ADC, test cases will be built upon this setting this env variable
 adc string }
diff --git a/connector/ldap/ldap.go b/connector/ldap/ldap.go
index 54340271..c26960ba 100644
--- a/connector/ldap/ldap.go
+++ b/connector/ldap/ldap.go
@@ -619,7 +619,7 @@ func (c *ldapConnector) groups(ctx context.Context, user ldap.Entry) ([]string,
 for _, group := range groups { name := getAttr(*group, c.GroupSearch.NameAttr) if name == "" {
- // Be obnoxious about missing missing attributes. If the group entry is
+ // Be obnoxious about missing attributes. If the group entry is
 // missing its name attribute, that indicates a misconfiguration. // // In the future we can add configuration options to just log these errors.
diff --git a/connector/ldap/ldap_test.go b/connector/ldap/ldap_test.go
index 83f9f479..9e0003b8 100644
--- a/connector/ldap/ldap_test.go
+++ b/connector/ldap/ldap_test.go
@@ -523,7 +523,7 @@ func getenv(key, defaultVal string) string {
 // runTests runs a set of tests against an LDAP schema. //
-// The tests require LDAP to be runnning.
+// The tests require LDAP to be running.
 // You can use the provided docker-compose file to setup an LDAP server. func runTests(t *testing.T, connMethod connectionMethod, config *Config, tests []subtest) { ldapHost := os.Getenv("DEX_LDAP_HOST")
diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index 5c10f74a..c022b2ca 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -38,7 +38,7 @@ type Config struct {
 // Certificates for SSL validation RootCAs []string `json:"rootCAs"`
- // Override the value of email_verifed to true in the returned claims
+ // Override the value of email_verified to true in the returned claims
 InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"` // InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
diff --git a/docs/enhancements/token-exchange-2023-02-03-#2812.md b/docs/enhancements/token-exchange-2023-02-03-#2812.md
index 33d80b8e..f9f556d2 100644
--- a/docs/enhancements/token-exchange-2023-02-03-#2812.md
+++ b/docs/enhancements/token-exchange-2023-02-03-#2812.md
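Review bot: The comment on `InsecureSkipEmailVerified` in connector/oidc/oidc.go states the mechanism but not the consequence, which is missing documentation for a field that carries the `Insecure` prefix. With the flag set, `email_verified` is reported as true whatever the upstream provider returned, so a relying party that gates on that claim would presumably accept addresses the provider never verified. I would extend the comment with something like `// Enable only for providers known to verify email addresses; downstream clients will treat every address as verified.` The `Config` struct begins and ends outside this hunk, so how the flag is consumed is not visible here.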
@@ -40,18 +40,18 @@ without issuing long lived API tokens.
 Examples of downstream issues:
-- [argoproj/argo-cd#11632 Argocd SSO login via Azure AD Auth using OIDC not work for cli sso login]
+- [argoproj/argo-cd#11632 ArgoCD SSO login via Azure AD Auth using OIDC not work for cli sso login]
 Other related Dex issues: - [#2450 Non-OIDC JWT Connector] is a functionally similar request, but expanded to arbitrary JWTs
-- [#1225 GitHub Non-Web application flow support] also asks for an exchange, but for an opaque Github PAT
+- [#1225 GitHub Non-Web application flow support] also asks for an exchange, but for an opaque GitHub PAT
 More broadly, this fits into recent movements to issue machine identities: - [GCP Service Identity](https://cloud.google.com/run/docs/securing/service-identity) - [AWS Execution Role](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html)
-- [Github Actions OIDC](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
+- [GitHub Actions OIDC](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
 - [CircleCI OIDC](https://circleci.com/docs/openid-connect-tokens/) - [Kubernetes Service Accounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) - [SPIFFE](https://spiffe.io/)
@@ -64,7 +64,7 @@ and granting access to resources based on trusting federated identities:
 [#1484 Token exchange for external tokens]: https://github.com/dexidp/dex/issues/1484 [#1668 Question: non-web based clients?]: https://github.com/dexidp/dex/issues/1668 [#2657 Get OIDC token issued by Dex using a token issued by one of the connectors]: https://github.com/dexidp/dex/issues/2657
-[argoproj/argo-cd#11632 Argocd SSO login via Azure AD Auth using OIDC not work for cli sso login]: https://github.com/argoproj/argo-cd/issues/11632
+[argoproj/argo-cd#11632 ArgoCD SSO login via Azure AD Auth using OIDC not work for cli sso login]: https://github.com/argoproj/argo-cd/issues/11632
 [#2450 Non-OIDC JWT Connector]: https://github.com/dexidp/dex/issues/2450 [#1225 GitHub Non-Web application flow support]: https://github.com/dexidp/dex/issues/1225
@@ -166,7 +166,7 @@ Additionally, a new `allowedGrantTypes` would allow for disabling exchanges if t
 - The password connector could be switch to support this new endpoint, submitting passwords as access tokens, allowing for multiple password connectors to be configured - The `audience` field could be made optional if there is a single connector or the id token is inspected for issuer url
-- The `actor_token` and `actor_token_type` can be checked / validated if a suitable usecase is determined.
+- The `actor_token` and `actor_token_type` can be checked / validated if a suitable use case is determined.
 - A policy language like [cel] or [rego] as mentioned on [#1635 Connector Middleware] would allow for stronger assertions of the provided identity against requested resource access.
diff --git a/server/api_test.go b/server/api_test.go
index 01c59cf8..bc0dcf11 100644
--- a/server/api_test.go
+++ b/server/api_test.go
@@ -337,7 +337,7 @@ func TestRefreshToken(t *testing.T) {
 } if resp, _ := client.ListRefresh(ctx, &listReq); len(resp.RefreshTokens) != 0 {
- t.Fatalf("Refresh token returned inspite of revoking it.")
+ t.Fatalf("Refresh token returned in spite of revoking it.")
 } }
diff --git a/server/deviceflowhandlers_test.go b/server/deviceflowhandlers_test.go
index 9a9f2858..9abe4a62 100644
--- a/server/deviceflowhandlers_test.go
+++ b/server/deviceflowhandlers_test.go
@@ -508,7 +508,7 @@ func TestDeviceTokenResponse(t *testing.T) {
 expectedResponseCode: http.StatusBadRequest, }, {
- testName: "Test Non-existent Device Code",
+ testName: "Test Nonexistent Device Code",
 testDeviceRequest: baseDeviceRequest, testDeviceToken: storage.DeviceToken{ DeviceCode: "foo",
diff --git a/server/server.go b/server/server.go
index 0aac0a6c..f23eb54b 100755
--- a/server/server.go
+++ b/server/server.go
@@ -118,7 +118,7 @@ type WebConfig struct {
 // * themes/(theme) - Static static served at "( issuer URL )/theme". Dir string
- // Alternative way to programatically configure static web assets.
+ // Alternative way to programmatically configure static web assets.
 // If Dir is specified, WebFS is ignored. // It's expected to contain the same files and directories as mentioned above. //
diff --git a/server/server_test.go b/server/server_test.go
index aa34be8c..bedc336b 100644
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -879,7 +879,7 @@ func TestOAuth2CodeFlow(t *testing.T) {
 for _, token := range tokens { if /* token was updated */ token.ObsoleteToken != "" && token.ConnectorData != nil {
- t.Fatalf("token connectorDatawith id %q field is not nil: %s", token.ID, token.ConnectorData)
+ t.Fatalf("token connectorData with id %q field is not nil: %s", token.ID, token.ConnectorData)
 } } })
diff --git a/storage/conformance/conformance.go b/storage/conformance/conformance.go
index 1b45b76c..71a2e181 100644
--- a/storage/conformance/conformance.go
+++ b/storage/conformance/conformance.go
@@ -63,7 +63,7 @@ func mustLoadJWK(b string) *jose.JSONWebKey {
 func mustBeErrNotFound(t *testing.T, kind string, err error) { switch { case err == nil:
- t.Errorf("deleting non-existent %s should return an error", kind)
+ t.Errorf("deleting nonexistent %s should return an error", kind)
 case err != storage.ErrNotFound: t.Errorf("deleting %s expected storage.ErrNotFound, got %v", kind, err) }
diff --git a/storage/kubernetes/client.go b/storage/kubernetes/client.go
index e99c0690..fe53fb47 100644
--- a/storage/kubernetes/client.go
+++ b/storage/kubernetes/client.go
@@ -99,7 +99,7 @@ func (cli *client) urlForWithParams(
 if name != "" && (len(name) > kubeResourceMaxLen || !kubeResourceNameRegex.MatchString(name)) { // The actual name can be found in auth request or auth code objects and equals to the state value return "", fmt.Errorf(
- "invalid kubernetes resource name: must match the pattern %s and be no longer than %d charactes",
+ "invalid kubernetes resource name: must match the pattern %s and be no longer than %d characters",
 kubeResourceNameRegex.String(), kubeResourceMaxLen) }
diff --git a/storage/storage.go b/storage/storage.go
index 0009d4b1..743d2ecb 100644
--- a/storage/storage.go
+++ b/storage/storage.go
@@ -317,7 +317,7 @@ type RefreshTokenRef struct {
 // OfflineSessions objects are sessions pertaining to users with refresh tokens. type OfflineSessions struct {
- // UserID of an end user who has logged in to the server.
+ // UserID of an end user who has logged into the server.
 UserID string // The ID of the connector used to login the user.