Improve TLS handling for Redis to support non-standalone mode with TLS

* init TLS.Config when connecting to Redis with TLS

* don't overwrite TLS config if it exists

* add tests for Redis with TLS

* remove hardcoded certs

* add GenerateCert func

* use GenerateCert util func

* fix issue reported by go fmt

* limit return statements in GenerateCert

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Fix exclude-logging-path documentation

Improve build times by sharing cache and allowing platform selection

Improve error message when no cookie is found

Add --force-json-errors flag

* linkedin: Update provider to v2

* changelog: Add change

* Use the httputil.NewSingleHostReverseProxy instad of yhat/wsutil for websocket proxying. This correctly handles 404 responses with keep-alive by terminating the tunnel rather than keeping it alive

* Tidy up dependencies - yhat/wsutil is no longer required

* Update changelog to include reference to 1348

Co-authored-by: Matt Lilley <matt.lilley@securitease.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Store groups from the htpasswd-user-group in the session during the manual sign in process

Fix formatting of Keycloak provider documentation

This change puts the groups from the htpasswd-user-group in the
session during the manual sign in process. This fixes the issue
with being unable to properly authenticate using the manual
sign in form when certain group membership is required (e.g. when
the --gitlab-group option is used).

The groups configured in the `htpasswd-user-group` are not
stored in the session, resulting in unauthorized errors when
group membership is required. Please see:
https://gist.github.com/janrotter/b3d806a59292f07fe83bc52c061226e0
for instructions on reproducing the issue.

Make GitLab Provider based on OIDC Provider

RefreshSession will override session.Groups with the new
`groups` claims. We need to preserve all `project:` prefixed
groups and reattach them post refresh.

Previously this was only done in the `EnrichSession` stage
which would've missed Bearer usages & `RefreshSession`
would've overriden the User to the Subject.

* extract email from id_token for azure provider (#914)

* extract email from id_token for azure provider

this change fixes a bug when --resource is specified with non-Graph
api and the access token destined to --resource is used to call Graph
api

* fixed typo

* refactor GetEmailAddress to EnrichSessionState

* make getting email from idtoken best effort and fall back to previous behavior when it's absent

* refactor to use jwt package to extract claims

* fix lint

* refactor unit tests to use test table
refactor the get email logic from profile api

* addressing feedback

* added oidc verifier to azure provider and extract email from id_token if present

* fix lint and codeclimate

* refactor to use oidc verifier to verify id_token if oidc is configured

* fixed UT

* addressed comments

* minor refactor

* addressed feedback

* extract email from id_token first and fallback to access token

* fallback to access token as well when id_token doesn't have email claim

* address feedbacks

* updated change log!

* switch to docker buildx for multiarch builds

* add setup docker buildx action

* update docker push to push the multiarch image

* make multiarch image have parity with currently produced images by adding linux/armv6

* triaging issue with arm v6

* incorporating feedback

* fixing rebase disaster

* reset Makefile to blessed state

Co-authored-by: Weinong Wang <weinong@outlook.com>

Use the raw url path when proxying upstream requests

Refactor proxy_test to set mux/upstream options for each test
individually and add tests for encoded urls with ProxyRawPath set and
unset.

Setting this flag will configure the upstream proxy to pass encoded urls
as-is.

Adding a new option to the yaml alpha config will result in failed tests
unless you manually increment the line count. This commit computes this
dynamically.

This commit changes Upstreams from []Upstream to a struct{}
moving the previous []Upstream into .Configs and adjusts all uses of it.

This allows urls with encoded characters (e.g.: /%2F/) to pass to the
upstream mux instead of triggering a HTTP 301 from the frontend.
Otherwise a /%2F/test/ will result in a HTTP 301 -> /test/

* fix(1356): test if session variable is null

* fix(1356): adding changelog

Co-authored-by: Hedi Harzallah <hharzalla@talend.com>

* Allow specifying URL as input for custom logos

* Fix typo

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update changelog

* Only allow HTTPS URLs

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nicholas.meves@gmail.com>

* Changing user field type to text

* Updated changelog

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>