The filters for user and group searches hadn't been included in our LDAP
tests. Now they are.

The concrete test cases are somewhat contrived, but that shouldn't
matter too much. Also note that the example queries I've used are not
supported in AD: https://stackoverflow.com/a/10043452Signed-off-by: Stephan Renatus <srenatus@chef.io>

update MAINTAINERS, mirror guidelines into dev doc

Bump minimum TLS protocol to TLSv1.2

Some environments are subject to strict rules about the permitted TLS
protocol verion and available ciphers. Setting TLSv1.2 as the minimum
version ensures we do not use weaker protocols. We've opted against
making this configurable given the age of TLSv1.2 and the increasing
push to deprecate TLSv1.1 and older.

The PreferServerCipherSuites setting is also commonly flagged by SSL
quality scanning tools. Since Go provides a relatively modern set of
default ciphers by default, defaulting this to true is unlikely to
make much practical difference.
Signed-off-by: Steven Danna <steve@chef.io>

Signed-off-by: Stephan Renatus <srenatus@chef.io>

Signed-off-by: Stephan Renatus <srenatus@chef.io>

Dockerfile: update Go to 1.11.5

PR contains connector for openstack keystone.

Features:

    access tokens
    refresh tokens
    groups

Requirements:

    access to openstack keystone instance
    keystone administrative account credentials

Enabling keystone connector specific tests:

    make sure docker is running
    export DEX_TEST_KEYSTONE=1
    make tests

LDAP connector - add emailSuffix config option

Replace "GET", "POST" to http.MethodGet and http.MethodPost

Dockerfile: update to Go 1.11.3

Go 1.11.3 and 1.10.6 were released to mitigate security issues.
These don't appear to impact dex, but update anyway.

Ref: https://groups.google.com/forum/#!topic/golang-announce/Kw31K8G7Fi0

Make expiry of auth requests configurable

This is a band-aid against #1292

I did not change the default from 24h, but I think it should be much lower for safety.

postgres: expose database/sql tunables

Fixes #1354.

I've not had a need for MaxIdleConns and ConnMaxLifetime myself, but it felt weird to only expose of the three settings.

Documentation/dev-dependencies.md: Update for Go modules

Makefile: cleanups for newer versions of Go

Go 1.9 removed "./..." matching the vendor directory while Go 1.10 added
build and test caching. This means we no longer need to grep out
vendored matches (except for golint which doesn't implement the same
behavior), and we no longer need to pre-build packages with "go build -i".

https://golang.org/doc/go1.9#vendor-dotdotdot
https://golang.org/doc/go1.10#build

Go 1.9 removed "./..." matching the vendor directory while Go 1.10 added
build and test caching. This means we no longer need to grep out
vendored matches (except for golint which doesn't implement the same
behavior), and we no longer need to pre-build packages with "go build -i".

https://golang.org/doc/go1.9#vendor-dotdotdot
https://golang.org/doc/go1.10#build

Migrate to go modules

bump lib/pq

taken from @vito's #1342.

- adapted TestUnmarshalConfig to ensure the fields are read in
- added a test to see that at least MaxOpenConns works:
  - this is only exposed through (*db).Stats() in go 1.11, so this test
    has a build tag
  - the other two configurables can't be read back, so we've got to
    trust that the mechanism works given the one instance that's tested..
Signed-off-by: Stephan Renatus <srenatus@chef.io>

Revert "retry on serialization errors"

This will come back, as outline here: https://github.com/dexidp/dex/pull/1356#issuecomment-442523779

Extend the API with a function which updates the client configuration

Kubernetes docs: clarify steps around use/creation of TLS assets.

LDAP connector - Document that 'DN' must be in capitals