djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ContainerImage.Pinniped/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go

1660 lines
94 KiB
Go
Raw Normal View History

Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
// SPDX-License-Identifier: Apache-2.0
Split package upstreamwatchers into four packages
2021-05-12 21:00:39 +00:00
package oidcupstreamwatcher
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
import (
"context"
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
"encoding/base64"
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
"encoding/json"
"net/http"
"net/url"
Add `https_proxy` and `no_proxy` settings for the Supervisor - Add new optional ytt params for the Supervisor deployment. - When the Supervisor is making calls to an upstream OIDC provider, use these variables if they were provided. - These settings are integration tested in the main CI pipeline by sometimes setting them on deployments in certain cases, and then letting the existing integration tests (e.g. TestE2EFullIntegration) provide the coverage, so there are no explicit changes to the integration tests themselves in this commit.
2021-07-07 19:50:13 +00:00
"reflect"
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
"strings"
"testing"
"time"
"github.com/stretchr/testify/require"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
"k8s.io/apimachinery/pkg/types"
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-20 11:59:24 +00:00
"k8s.io/apimachinery/pkg/util/net"
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
"k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes/fake"
Use new 'go.pinniped.dev/generated/latest' package. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-16 19:00:08 +00:00
"go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
pinnipedfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
pinnipedinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
Do not truncate x509 errors Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-29 13:26:29 +00:00
"go.pinniped.dev/internal/certauthority"
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
"go.pinniped.dev/internal/controllerlib"
"go.pinniped.dev/internal/oidc/provider"
Switch to go.uber.org/zap for JSON formatted logging Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-16 02:43:53 +00:00
"go.pinniped.dev/internal/plog"
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
"go.pinniped.dev/internal/testutil"
Implement upstream LDAP support in auth_handler.go - When the upstream IDP is an LDAP IDP and the user's LDAP username and password are received as new custom headers, then authenticate the user and, if authentication was successful, return a redirect with an authcode. Handle errors according to the OAuth/OIDC specs. - Still does not support having multiple upstream IDPs defined at the same time, which was an existing limitation of this endpoint. - Does not yet include the actual LDAP authentication, which is hidden behind an interface from the point of view of auth_handler.go - Move the oidctestutil package to the testutil directory. - Add an interface for Fosite storage to avoid a cyclical test dependency. - Add GetURL() to the UpstreamLDAPIdentityProviderI interface. - Extract test helpers to be shared between callback_handler_test.go and auth_handler_test.go because the authcode and fosite storage assertions should be identical. - Backfill Content-Type assertions in callback_handler_test.go. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 00:28:01 +00:00
"go.pinniped.dev/internal/testutil/oidctestutil"
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
"go.pinniped.dev/internal/testutil/testlogger"
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 20:54:11 +00:00
"go.pinniped.dev/internal/upstreamoidc"
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
)
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
func TestOIDCUpstreamWatcherControllerFilterSecret(t *testing.T) {
Upstream Watcher Controller Syncs less often by adjusting its filters - Only watches Secrets of type "secrets.pinniped.dev/oidc-client" Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-18 23:41:07 +00:00
t.Parallel()
tests := []struct {
name string
secret metav1.Object
wantAdd bool
wantUpdate bool
wantDelete bool
}{
{
name: "a secret of the right type",
secret: &corev1.Secret{
Type: "secrets.pinniped.dev/oidc-client",
ObjectMeta: metav1.ObjectMeta{Name: "some-name", Namespace: "some-namespace"},
},
wantAdd: true,
wantUpdate: true,
wantDelete: true,
},
{
name: "a secret of the wrong type",
secret: &corev1.Secret{
Type: "secrets.pinniped.dev/not-the-oidc-client-type",
ObjectMeta: metav1.ObjectMeta{Name: "some-name", Namespace: "some-namespace"},
},
},
{
name: "resource of wrong data type",
secret: &corev1.Namespace{
ObjectMeta: metav1.ObjectMeta{Name: "some-name", Namespace: "some-namespace"},
},
},
}
for _, test := range tests {
test := test
t.Run(test.name, func(t *testing.T) {
t.Parallel()
fakePinnipedClient := pinnipedfake.NewSimpleClientset()
pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0)
fakeKubeClient := fake.NewSimpleClientset()
kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
cache := provider.NewDynamicUpstreamIDPProvider()
Supervisor pre-factor to make room for upstream LDAP identity providers
2021-04-07 23:12:13 +00:00
cache.SetOIDCIdentityProviders([]provider.UpstreamOIDCIdentityProviderI{
Upstream Watcher Controller Syncs less often by adjusting its filters - Only watches Secrets of type "secrets.pinniped.dev/oidc-client" Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-18 23:41:07 +00:00
&upstreamoidc.ProviderConfig{Name: "initial-entry"},
})
secretInformer := kubeInformers.Core().V1().Secrets()
withInformer := testutil.NewObservableWithInformerOption()
Split package upstreamwatchers into four packages
2021-05-12 21:00:39 +00:00
New(
Upstream Watcher Controller Syncs less often by adjusting its filters - Only watches Secrets of type "secrets.pinniped.dev/oidc-client" Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-18 23:41:07 +00:00
cache,
nil,
pinnipedInformers.IDP().V1alpha1().OIDCIdentityProviders(),
secretInformer,
Upgrade the linter and fix all new linter warnings Also fix some tests that were broken by bumping golang and dependencies in the previous commits. Note that in addition to changes made to satisfy the linter which do not impact the behavior of the code, this commit also adds ReadHeaderTimeout to all usages of http.Server to satisfy the linter (and because it seemed like a good suggestion).
2022-08-24 21:45:55 +00:00
plog.Logr(), //nolint:staticcheck // old test with no log assertions
Upstream Watcher Controller Syncs less often by adjusting its filters - Only watches Secrets of type "secrets.pinniped.dev/oidc-client" Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-18 23:41:07 +00:00
withInformer.WithInformer,
)
unrelated := corev1.Secret{}
filter := withInformer.GetFilterForInformer(secretInformer)
require.Equal(t, test.wantAdd, filter.Add(test.secret))
require.Equal(t, test.wantUpdate, filter.Update(&unrelated, test.secret))
require.Equal(t, test.wantUpdate, filter.Update(test.secret, &unrelated))
require.Equal(t, test.wantDelete, filter.Delete(test.secret))
})
}
}
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
t.Parallel()
now := metav1.NewTime(time.Now().UTC())
earlier := metav1.NewTime(now.Add(-1 * time.Hour).UTC())
// Start another test server that answers discovery successfully.
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
testIssuerCA, testIssuerURL := newTestIssuer(t)
testIssuerCABase64 := base64.StdEncoding.EncodeToString([]byte(testIssuerCA))
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
testIssuerAuthorizeURL, err := url.Parse("https://example.com/authorize")
require.NoError(t, err)
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
testIssuerRevocationURL, err := url.Parse("https://example.com/revoke")
require.NoError(t, err)
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
Do not truncate x509 errors Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-29 13:26:29 +00:00
wrongCA, err := certauthority.New("foo", time.Hour)
require.NoError(t, err)
wrongCABase64 := base64.StdEncoding.EncodeToString(wrongCA.Bundle())
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition := v1alpha1.Condition{
Type: "AdditionalAuthorizeParametersValid",
Status: "True",
Reason: "Success",
Message: "additionalAuthorizeParameters parameter names are allowed",
LastTransitionTime: now,
}
happyAdditionalAuthorizeParametersValidConditionEarlier := happyAdditionalAuthorizeParametersValidCondition
happyAdditionalAuthorizeParametersValidConditionEarlier.LastTransitionTime = earlier
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
var (
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
testNamespace = "test-namespace"
testName = "test-name"
testSecretName = "test-client-secret"
testAdditionalScopes = []string{"scope1", "scope2", "scope3"}
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
testExpectedScopes = []string{"openid", "scope1", "scope2", "scope3"}
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
testDefaultExpectedScopes = []string{"openid", "offline_access", "email", "profile"}
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
testAdditionalParams = []v1alpha1.Parameter{{Name: "prompt", Value: "consent"}, {Name: "foo", Value: "bar"}}
testExpectedAdditionalParams = map[string]string{"prompt": "consent", "foo": "bar"}
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
testClientID = "test-oidc-client-id"
testClientSecret = "test-oidc-client-secret"
testValidSecretData = map[string][]byte{"clientID": []byte(testClientID), "clientSecret": []byte(testClientSecret)}
testGroupsClaim = "test-groups-claim"
testUsernameClaim = "test-username-claim"
testUID = types.UID("test-uid")
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
)
tests := []struct {
name string
inputUpstreams []runtime.Object
inputSecrets []runtime.Object
wantErr string
wantLogs []string
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache []*oidctestutil.TestUpstreamOIDCIdentityProvider
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
wantResultingUpstreams []v1alpha1.OIDCIdentityProvider
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
}{
{
name: "no upstreams",
},
{
name: "missing secret",
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Spec: v1alpha1.OIDCIdentityProviderSpec{
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
Issuer: testIssuerURL,
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
}},
inputSecrets: []runtime.Object{},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
Some renames in pkg upstreamwatcher to make room for a second controller
2021-04-09 15:43:09 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="secret \"test-client-secret\" not found" "reason"="SecretNotFound" "status"="False" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`,
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Some renames in pkg upstreamwatcher to make room for a second controller
2021-04-09 15:43:09 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="secret \"test-client-secret\" not found" "name"="test-name" "namespace"="test-namespace" "reason"="SecretNotFound" "type"="ClientCredentialsValid"`,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Status: v1alpha1.OIDCIdentityProviderStatus{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
Phase: "Error",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
{
Type: "ClientCredentialsValid",
Status: "False",
LastTransitionTime: now,
Reason: "SecretNotFound",
Message: `secret "test-client-secret" not found`,
},
{
Type: "OIDCDiscoverySucceeded",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "discovered issuer configuration",
},
},
},
}},
},
{
name: "secret has wrong type",
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Spec: v1alpha1.OIDCIdentityProviderSpec{
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
Issuer: testIssuerURL,
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "some-other-type",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
Some renames in pkg upstreamwatcher to make room for a second controller
2021-04-09 15:43:09 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="referenced Secret \"test-client-secret\" has wrong type \"some-other-type\" (should be \"secrets.pinniped.dev/oidc-client\")" "reason"="SecretWrongType" "status"="False" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`,
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Some renames in pkg upstreamwatcher to make room for a second controller
2021-04-09 15:43:09 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="referenced Secret \"test-client-secret\" has wrong type \"some-other-type\" (should be \"secrets.pinniped.dev/oidc-client\")" "name"="test-name" "namespace"="test-namespace" "reason"="SecretWrongType" "type"="ClientCredentialsValid"`,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Status: v1alpha1.OIDCIdentityProviderStatus{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
Phase: "Error",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
{
Type: "ClientCredentialsValid",
Status: "False",
LastTransitionTime: now,
Reason: "SecretWrongType",
Message: `referenced Secret "test-client-secret" has wrong type "some-other-type" (should be "secrets.pinniped.dev/oidc-client")`,
},
{
Type: "OIDCDiscoverySucceeded",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "discovered issuer configuration",
},
},
},
}},
},
{
name: "secret is missing key",
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Spec: v1alpha1.OIDCIdentityProviderSpec{
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
Issuer: testIssuerURL,
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
Some renames in pkg upstreamwatcher to make room for a second controller
2021-04-09 15:43:09 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="referenced Secret \"test-client-secret\" is missing required keys [\"clientID\" \"clientSecret\"]" "reason"="SecretMissingKeys" "status"="False" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`,
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Some renames in pkg upstreamwatcher to make room for a second controller
2021-04-09 15:43:09 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="referenced Secret \"test-client-secret\" is missing required keys [\"clientID\" \"clientSecret\"]" "name"="test-name" "namespace"="test-namespace" "reason"="SecretMissingKeys" "type"="ClientCredentialsValid"`,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Status: v1alpha1.OIDCIdentityProviderStatus{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
Phase: "Error",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
{
Type: "ClientCredentialsValid",
Status: "False",
LastTransitionTime: now,
Reason: "SecretMissingKeys",
Message: `referenced Secret "test-client-secret" is missing required keys ["clientID" "clientSecret"]`,
},
{
Type: "OIDCDiscoverySucceeded",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "discovered issuer configuration",
},
},
},
}},
},
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
{
name: "TLS CA bundle is invalid base64",
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "test-name"},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Spec: v1alpha1.OIDCIdentityProviderSpec{
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
Issuer: testIssuerURL,
TLS: &v1alpha1.TLSSpec{
CertificateAuthorityData: "invalid-base64",
},
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
Some renames in pkg upstreamwatcher to make room for a second controller
2021-04-09 15:43:09 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="spec.certificateAuthorityData is invalid: illegal base64 data at input byte 7" "reason"="InvalidTLSConfig" "status"="False" "type"="OIDCDiscoverySucceeded"`,
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Some renames in pkg upstreamwatcher to make room for a second controller
2021-04-09 15:43:09 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="spec.certificateAuthorityData is invalid: illegal base64 data at input byte 7" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidTLSConfig" "type"="OIDCDiscoverySucceeded"`,
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Status: v1alpha1.OIDCIdentityProviderStatus{
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
Phase: "Error",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition,
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
{
Type: "ClientCredentialsValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "loaded client credentials",
},
{
Type: "OIDCDiscoverySucceeded",
Status: "False",
LastTransitionTime: now,
Reason: "InvalidTLSConfig",
Message: `spec.certificateAuthorityData is invalid: illegal base64 data at input byte 7`,
},
},
},
}},
},
{
name: "TLS CA bundle does not have any certificates",
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "test-name"},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Spec: v1alpha1.OIDCIdentityProviderSpec{
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
Issuer: testIssuerURL,
TLS: &v1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("not-a-pem-ca-bundle")),
},
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
Some renames in pkg upstreamwatcher to make room for a second controller
2021-04-09 15:43:09 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="spec.certificateAuthorityData is invalid: no certificates found" "reason"="InvalidTLSConfig" "status"="False" "type"="OIDCDiscoverySucceeded"`,
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Some renames in pkg upstreamwatcher to make room for a second controller
2021-04-09 15:43:09 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="spec.certificateAuthorityData is invalid: no certificates found" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidTLSConfig" "type"="OIDCDiscoverySucceeded"`,
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Status: v1alpha1.OIDCIdentityProviderStatus{
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
Phase: "Error",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition,
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
{
Type: "ClientCredentialsValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "loaded client credentials",
},
{
Type: "OIDCDiscoverySucceeded",
Status: "False",
LastTransitionTime: now,
Reason: "InvalidTLSConfig",
Message: `spec.certificateAuthorityData is invalid: no certificates found`,
},
},
},
}},
},
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
{
name: "issuer is invalid URL",
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Spec: v1alpha1.OIDCIdentityProviderSpec{
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
Issuer: "%invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
Do not truncate x509 errors Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-29 13:26:29 +00:00
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="failed to parse issuer URL: parse \"%invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\": invalid URL escape \"%in\"" "reason"="Unreachable" "status"="False" "type"="OIDCDiscoverySucceeded"`,
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="failed to parse issuer URL: parse \"%invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\": invalid URL escape \"%in\"" "name"="test-name" "namespace"="test-namespace" "reason"="Unreachable" "type"="OIDCDiscoverySucceeded"`,
Do not truncate x509 errors Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-29 13:26:29 +00:00
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
Do not truncate x509 errors Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-29 13:26:29 +00:00
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Error",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition,
Do not truncate x509 errors Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-29 13:26:29 +00:00
{
Type: "ClientCredentialsValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "loaded client credentials",
},
{
Type: "OIDCDiscoverySucceeded",
Status: "False",
LastTransitionTime: now,
Reason: "Unreachable",
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
Message: `failed to parse issuer URL: parse "%invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee": invalid URL escape "%in"`,
},
},
},
}},
},
{
name: "issuer is insecure http URL",
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: strings.Replace(testIssuerURL, "https", "http", 1),
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="issuer URL '` + strings.Replace(testIssuerURL, "https", "http", 1) + `' must have \"https\" scheme, not \"http\"" "reason"="Unreachable" "status"="False" "type"="OIDCDiscoverySucceeded"`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="issuer URL '` + strings.Replace(testIssuerURL, "https", "http", 1) + `' must have \"https\" scheme, not \"http\"" "name"="test-name" "namespace"="test-namespace" "reason"="Unreachable" "type"="OIDCDiscoverySucceeded"`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
},
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Error",
Conditions: []v1alpha1.Condition{
happyAdditionalAuthorizeParametersValidCondition,
{
Type: "ClientCredentialsValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "loaded client credentials",
},
{
Type: "OIDCDiscoverySucceeded",
Status: "False",
LastTransitionTime: now,
Reason: "Unreachable",
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
Message: `issuer URL '` + strings.Replace(testIssuerURL, "https", "http", 1) + `' must have "https" scheme, not "http"`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
},
},
},
}},
},
{
name: "issuer contains a query param",
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL + "?sub=foo",
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="issuer URL '` + testIssuerURL + "?sub=foo" + `' cannot contain query or fragment component" "reason"="Unreachable" "status"="False" "type"="OIDCDiscoverySucceeded"`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="issuer URL '` + testIssuerURL + "?sub=foo" + `' cannot contain query or fragment component" "name"="test-name" "namespace"="test-namespace" "reason"="Unreachable" "type"="OIDCDiscoverySucceeded"`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
},
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Error",
Conditions: []v1alpha1.Condition{
happyAdditionalAuthorizeParametersValidCondition,
{
Type: "ClientCredentialsValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "loaded client credentials",
},
{
Type: "OIDCDiscoverySucceeded",
Status: "False",
LastTransitionTime: now,
Reason: "Unreachable",
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
Message: `issuer URL '` + testIssuerURL + "?sub=foo" + `' cannot contain query or fragment component`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
},
},
},
}},
},
{
name: "issuer contains a fragment",
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL + "#fragment",
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="issuer URL '` + testIssuerURL + "#fragment" + `' cannot contain query or fragment component" "reason"="Unreachable" "status"="False" "type"="OIDCDiscoverySucceeded"`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="issuer URL '` + testIssuerURL + "#fragment" + `' cannot contain query or fragment component" "name"="test-name" "namespace"="test-namespace" "reason"="Unreachable" "type"="OIDCDiscoverySucceeded"`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
},
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Error",
Conditions: []v1alpha1.Condition{
happyAdditionalAuthorizeParametersValidCondition,
{
Type: "ClientCredentialsValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "loaded client credentials",
},
{
Type: "OIDCDiscoverySucceeded",
Status: "False",
LastTransitionTime: now,
Reason: "Unreachable",
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
Message: `issuer URL '` + testIssuerURL + "#fragment" + `' cannot contain query or fragment component`,
Do not truncate x509 errors Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-29 13:26:29 +00:00
},
},
},
}},
},
{
name: "really long issuer with invalid CA bundle",
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
Issuer: testIssuerURL + "/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: wrongCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
Do not truncate x509 errors Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-29 13:26:29 +00:00
`oidc-upstream-observer "msg"="failed to perform OIDC discovery" "error"="Get \"` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration\": x509: certificate signed by unknown authority" "issuer"="` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "name"="test-name" "namespace"="test-namespace"`,
Some renames in pkg upstreamwatcher to make room for a second controller
2021-04-09 15:43:09 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
Do not truncate x509 errors Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-29 13:26:29 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="failed to perform OIDC discovery against \"` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\":\nGet \"` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration\": x509: certificate signed by unknown authority" "reason"="Unreachable" "status"="False" "type"="OIDCDiscoverySucceeded"`,
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Do not truncate x509 errors Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-29 13:26:29 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="failed to perform OIDC discovery against \"` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\":\nGet \"` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration\": x509: certificate signed by unknown authority" "name"="test-name" "namespace"="test-namespace" "reason"="Unreachable" "type"="OIDCDiscoverySucceeded"`,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Status: v1alpha1.OIDCIdentityProviderStatus{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
Phase: "Error",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
{
Type: "ClientCredentialsValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "loaded client credentials",
},
{
Type: "OIDCDiscoverySucceeded",
Status: "False",
LastTransitionTime: now,
Reason: "Unreachable",
Do not truncate x509 errors Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-29 13:26:29 +00:00
Message: `failed to perform OIDC discovery against "` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee":
Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration": x509: certificate signed by unknown authority`,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
},
},
}},
},
{
name: "issuer returns invalid authorize URL",
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Spec: v1alpha1.OIDCIdentityProviderSpec{
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
Issuer: testIssuerURL + "/invalid",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
Some renames in pkg upstreamwatcher to make room for a second controller
2021-04-09 15:43:09 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="failed to parse authorization endpoint URL: parse \"%\": invalid URL escape \"%\"" "reason"="InvalidResponse" "status"="False" "type"="OIDCDiscoverySucceeded"`,
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Some renames in pkg upstreamwatcher to make room for a second controller
2021-04-09 15:43:09 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="failed to parse authorization endpoint URL: parse \"%\": invalid URL escape \"%\"" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidResponse" "type"="OIDCDiscoverySucceeded"`,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Status: v1alpha1.OIDCIdentityProviderStatus{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
Phase: "Error",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
{
Type: "ClientCredentialsValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "loaded client credentials",
},
{
Type: "OIDCDiscoverySucceeded",
Status: "False",
LastTransitionTime: now,
Reason: "InvalidResponse",
Message: `failed to parse authorization endpoint URL: parse "%": invalid URL escape "%"`,
},
},
},
}},
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
{
name: "issuer returns invalid revocation URL",
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL + "/invalid-revocation-url",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="failed to parse revocation endpoint URL: parse \"%\": invalid URL escape \"%\"" "reason"="InvalidResponse" "status"="False" "type"="OIDCDiscoverySucceeded"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="failed to parse revocation endpoint URL: parse \"%\": invalid URL escape \"%\"" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidResponse" "type"="OIDCDiscoverySucceeded"`,
},
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Error",
Conditions: []v1alpha1.Condition{
happyAdditionalAuthorizeParametersValidCondition,
{
Type: "ClientCredentialsValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "loaded client credentials",
},
{
Type: "OIDCDiscoverySucceeded",
Status: "False",
LastTransitionTime: now,
Reason: "InvalidResponse",
Message: `failed to parse revocation endpoint URL: parse "%": invalid URL escape "%"`,
},
},
},
}},
},
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
{
name: "issuer returns insecure authorize URL",
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Spec: v1alpha1.OIDCIdentityProviderSpec{
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
Issuer: testIssuerURL + "/insecure",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
Some renames in pkg upstreamwatcher to make room for a second controller
2021-04-09 15:43:09 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="authorization endpoint URL 'http://example.com/authorize' must have \"https\" scheme, not \"http\"" "reason"="InvalidResponse" "status"="False" "type"="OIDCDiscoverySucceeded"`,
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="authorization endpoint URL 'http://example.com/authorize' must have \"https\" scheme, not \"http\"" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidResponse" "type"="OIDCDiscoverySucceeded"`,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Status: v1alpha1.OIDCIdentityProviderStatus{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
Phase: "Error",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
{
Type: "ClientCredentialsValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "loaded client credentials",
},
{
Type: "OIDCDiscoverySucceeded",
Status: "False",
LastTransitionTime: now,
Reason: "InvalidResponse",
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
Message: `authorization endpoint URL 'http://example.com/authorize' must have "https" scheme, not "http"`,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
},
},
}},
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
{
name: "issuer returns insecure revocation URL",
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL + "/insecure-revocation-url",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="revocation endpoint URL 'http://example.com/revoke' must have \"https\" scheme, not \"http\"" "reason"="InvalidResponse" "status"="False" "type"="OIDCDiscoverySucceeded"`,
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="revocation endpoint URL 'http://example.com/revoke' must have \"https\" scheme, not \"http\"" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidResponse" "type"="OIDCDiscoverySucceeded"`,
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
},
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Error",
Conditions: []v1alpha1.Condition{
happyAdditionalAuthorizeParametersValidCondition,
{
Type: "ClientCredentialsValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "loaded client credentials",
},
{
Type: "OIDCDiscoverySucceeded",
Status: "False",
LastTransitionTime: now,
Reason: "InvalidResponse",
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
Message: `revocation endpoint URL 'http://example.com/revoke' must have "https" scheme, not "http"`,
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
},
},
},
}},
},
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
{
name: "issuer returns insecure token URL",
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL + "/insecure-token-url",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="token endpoint URL 'http://example.com/token' must have \"https\" scheme, not \"http\"" "reason"="InvalidResponse" "status"="False" "type"="OIDCDiscoverySucceeded"`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="token endpoint URL 'http://example.com/token' must have \"https\" scheme, not \"http\"" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidResponse" "type"="OIDCDiscoverySucceeded"`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
},
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Error",
Conditions: []v1alpha1.Condition{
happyAdditionalAuthorizeParametersValidCondition,
{
Type: "ClientCredentialsValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "loaded client credentials",
},
{
Type: "OIDCDiscoverySucceeded",
Status: "False",
LastTransitionTime: now,
Reason: "InvalidResponse",
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
Message: `token endpoint URL 'http://example.com/token' must have "https" scheme, not "http"`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
},
},
},
}},
},
{
name: "issuer returns no token URL",
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL + "/missing-token-url",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="token endpoint URL '' must have \"https\" scheme, not \"\"" "reason"="InvalidResponse" "status"="False" "type"="OIDCDiscoverySucceeded"`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="token endpoint URL '' must have \"https\" scheme, not \"\"" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidResponse" "type"="OIDCDiscoverySucceeded"`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
},
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Error",
Conditions: []v1alpha1.Condition{
happyAdditionalAuthorizeParametersValidCondition,
{
Type: "ClientCredentialsValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "loaded client credentials",
},
{
Type: "OIDCDiscoverySucceeded",
Status: "False",
LastTransitionTime: now,
Reason: "InvalidResponse",
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
Message: `token endpoint URL '' must have "https" scheme, not ""`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
},
},
},
}},
},
{
name: "issuer returns no auth URL",
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL + "/missing-auth-url",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="authorization endpoint URL '' must have \"https\" scheme, not \"\"" "reason"="InvalidResponse" "status"="False" "type"="OIDCDiscoverySucceeded"`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="authorization endpoint URL '' must have \"https\" scheme, not \"\"" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidResponse" "type"="OIDCDiscoverySucceeded"`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
},
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Error",
Conditions: []v1alpha1.Condition{
happyAdditionalAuthorizeParametersValidCondition,
{
Type: "ClientCredentialsValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "loaded client credentials",
},
{
Type: "OIDCDiscoverySucceeded",
Status: "False",
LastTransitionTime: now,
Reason: "InvalidResponse",
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
Message: `authorization endpoint URL '' must have "https" scheme, not ""`,
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
},
},
},
}},
},
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
{
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
name: "upstream with error becomes valid",
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "test-name", UID: testUID},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Spec: v1alpha1.OIDCIdentityProviderSpec{
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
Issuer: testIssuerURL,
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
AdditionalScopes: append(testAdditionalScopes, "xyz", "openid"), // adds openid unnecessarily
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
AllowPasswordGrant: true,
},
Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim},
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Status: v1alpha1.OIDCIdentityProviderStatus{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
Phase: "Error",
Conditions: []v1alpha1.Condition{
{Type: "ClientCredentialsValid", Status: "False", LastTransitionTime: earlier, Reason: "SomeError1", Message: "some previous error 1"},
{Type: "OIDCDiscoverySucceeded", Status: "False", LastTransitionTime: earlier, Reason: "SomeError2", Message: "some previous error 2"},
},
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantLogs: []string{
Some renames in pkg upstreamwatcher to make room for a second controller
2021-04-09 15:43:09 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`,
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{
{
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
Name: testName,
ClientID: testClientID,
AuthorizationURL: *testIssuerAuthorizeURL,
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
RevocationURL: testIssuerRevocationURL,
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
Scopes: append(testExpectedScopes, "xyz"), // includes openid only once
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
UsernameClaim: testUsernameClaim,
GroupsClaim: testGroupsClaim,
AllowPasswordGrant: true,
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
AdditionalAuthcodeParams: map[string]string{},
Allow additional claims to map into an ID token issued by the supervisor - Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings - Advertise additionalClaims in the OIDC discovery endpoint under claims_supported Co-authored-by: Ryan Richard <richardry@vmware.com> Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2022-09-20 21:54:10 +00:00
AdditionalClaimMappings: nil, // Does not default to empty map
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
ResourceUID: testUID,
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 20:54:11 +00:00
},
},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testUID},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Status: v1alpha1.OIDCIdentityProviderStatus{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
Phase: "Ready",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: now, Reason: "Success", Message: "loaded client credentials"},
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: now, Reason: "Success", Message: "discovered issuer configuration"},
},
},
}},
},
{
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
name: "existing valid upstream with default authorizationConfig",
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL,
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim},
},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Ready",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidConditionEarlier,
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials"},
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration"},
},
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantLogs: []string{
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`,
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{
{
Name: testName,
ClientID: testClientID,
AuthorizationURL: *testIssuerAuthorizeURL,
RevocationURL: testIssuerRevocationURL,
Scopes: testDefaultExpectedScopes,
UsernameClaim: testUsernameClaim,
GroupsClaim: testGroupsClaim,
AllowPasswordGrant: false,
AdditionalAuthcodeParams: map[string]string{},
Allow additional claims to map into an ID token issued by the supervisor - Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings - Advertise additionalClaims in the OIDC discovery endpoint under claims_supported Co-authored-by: Ryan Richard <richardry@vmware.com> Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2022-09-20 21:54:10 +00:00
AdditionalClaimMappings: nil, // Does not default to empty map
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
ResourceUID: testUID,
},
},
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Ready",
Conditions: []v1alpha1.Condition{
{Type: "AdditionalAuthorizeParametersValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "additionalAuthorizeParameters parameter names are allowed", ObservedGeneration: 1234},
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234},
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234},
},
},
}},
},
{
name: "existing valid upstream with no revocation endpoint in the discovery document",
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL + "/valid-without-revocation",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim},
},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Ready",
Conditions: []v1alpha1.Condition{
happyAdditionalAuthorizeParametersValidConditionEarlier,
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials"},
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration"},
},
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantLogs: []string{
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
},
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{
{
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
Name: testName,
ClientID: testClientID,
AuthorizationURL: *testIssuerAuthorizeURL,
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
RevocationURL: nil, // no revocation URL is set in the cached provider because none was returned by discovery
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
Scopes: testDefaultExpectedScopes,
UsernameClaim: testUsernameClaim,
GroupsClaim: testGroupsClaim,
AllowPasswordGrant: false,
AdditionalAuthcodeParams: map[string]string{},
Allow additional claims to map into an ID token issued by the supervisor - Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings - Advertise additionalClaims in the OIDC discovery endpoint under claims_supported Co-authored-by: Ryan Richard <richardry@vmware.com> Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2022-09-20 21:54:10 +00:00
AdditionalClaimMappings: nil, // Does not default to empty map
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
ResourceUID: testUID,
},
},
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Ready",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
{Type: "AdditionalAuthorizeParametersValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "additionalAuthorizeParameters parameter names are allowed", ObservedGeneration: 1234},
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234},
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234},
},
},
}},
},
{
name: "existing valid upstream with additionalScopes set to override the default",
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Spec: v1alpha1.OIDCIdentityProviderSpec{
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
Issuer: testIssuerURL,
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim},
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
AdditionalScopes: testAdditionalScopes,
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
},
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Status: v1alpha1.OIDCIdentityProviderStatus{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
Phase: "Ready",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidConditionEarlier,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials"},
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration"},
},
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantLogs: []string{
Some renames in pkg upstreamwatcher to make room for a second controller
2021-04-09 15:43:09 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`,
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{
{
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
Name: testName,
ClientID: testClientID,
AuthorizationURL: *testIssuerAuthorizeURL,
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
RevocationURL: testIssuerRevocationURL,
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
Scopes: testExpectedScopes,
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
UsernameClaim: testUsernameClaim,
GroupsClaim: testGroupsClaim,
AllowPasswordGrant: false,
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
AdditionalAuthcodeParams: map[string]string{},
Allow additional claims to map into an ID token issued by the supervisor - Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings - Advertise additionalClaims in the OIDC discovery endpoint under claims_supported Co-authored-by: Ryan Richard <richardry@vmware.com> Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2022-09-20 21:54:10 +00:00
AdditionalClaimMappings: nil, // Does not default to empty map
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
ResourceUID: testUID,
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 20:54:11 +00:00
},
},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Status: v1alpha1.OIDCIdentityProviderStatus{
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
Phase: "Ready",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
{Type: "AdditionalAuthorizeParametersValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "additionalAuthorizeParameters parameter names are allowed", ObservedGeneration: 1234},
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234},
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234},
},
},
}},
},
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
{
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
name: "existing valid upstream with trailing slash and more optional settings",
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
Spec: v1alpha1.OIDCIdentityProviderSpec{
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
Issuer: testIssuerURL + "/ends-with-slash/",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
AdditionalScopes: testAdditionalScopes,
AdditionalAuthorizeParameters: testAdditionalParams,
AllowPasswordGrant: true,
},
Allow additional claims to map into an ID token issued by the supervisor - Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings - Advertise additionalClaims in the OIDC discovery endpoint under claims_supported Co-authored-by: Ryan Richard <richardry@vmware.com> Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2022-09-20 21:54:10 +00:00
Claims: v1alpha1.OIDCClaims{
Groups: testGroupsClaim,
Username: testUsernameClaim,
AdditionalClaimMappings: map[string]string{
"downstream": "upstream",
},
},
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Ready",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidConditionEarlier,
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials"},
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration"},
},
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantLogs: []string{
Merge branch 'main' into initial_ldap
2021-05-11 18:09:37 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`,
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{
{
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
Name: testName,
ClientID: testClientID,
AuthorizationURL: *testIssuerAuthorizeURL,
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
RevocationURL: testIssuerRevocationURL,
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
Scopes: testExpectedScopes, // does not include the default scopes
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
UsernameClaim: testUsernameClaim,
GroupsClaim: testGroupsClaim,
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
AllowPasswordGrant: true,
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
AdditionalAuthcodeParams: testExpectedAdditionalParams,
Allow additional claims to map into an ID token issued by the supervisor - Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings - Advertise additionalClaims in the OIDC discovery endpoint under claims_supported Co-authored-by: Ryan Richard <richardry@vmware.com> Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2022-09-20 21:54:10 +00:00
AdditionalClaimMappings: map[string]string{
"downstream": "upstream",
},
ResourceUID: testUID,
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
},
},
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Ready",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
{Type: "AdditionalAuthorizeParametersValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "additionalAuthorizeParameters parameter names are allowed", ObservedGeneration: 1234},
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234},
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234},
},
},
}},
},
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
{
name: "has disallowed additionalAuthorizeParams keys",
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL,
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
AdditionalAuthorizeParameters: []v1alpha1.Parameter{
{Name: "response_type", Value: "foo"},
{Name: "scope", Value: "foo"},
{Name: "client_id", Value: "foo"},
{Name: "state", Value: "foo"},
{Name: "nonce", Value: "foo"},
{Name: "code_challenge", Value: "foo"},
{Name: "code_challenge_method", Value: "foo"},
{Name: "redirect_uri", Value: "foo"},
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
{Name: "hd", Value: "foo"},
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
{Name: "this_one_is_allowed", Value: "foo"},
},
},
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`,
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="the following additionalAuthorizeParameters are not allowed: response_type,scope,client_id,state,nonce,code_challenge,code_challenge_method,redirect_uri,hd" "reason"="DisallowedParameterName" "status"="False" "type"="AdditionalAuthorizeParametersValid"`,
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="the following additionalAuthorizeParameters are not allowed: response_type,scope,client_id,state,nonce,code_challenge,code_challenge_method,redirect_uri,hd" "name"="test-name" "namespace"="test-namespace" "reason"="DisallowedParameterName" "type"="AdditionalAuthorizeParametersValid"`,
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Error",
Conditions: []v1alpha1.Condition{
{Type: "AdditionalAuthorizeParametersValid", Status: "False", LastTransitionTime: now, Reason: "DisallowedParameterName",
Message: "the following additionalAuthorizeParameters are not allowed: " +
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
"response_type,scope,client_id,state,nonce,code_challenge,code_challenge_method,redirect_uri,hd", ObservedGeneration: 1234},
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: now, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234},
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: now, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234},
},
},
}},
},
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
{
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
name: "issuer is invalid URL, missing trailing slash when the OIDC discovery endpoint returns the URL with a trailing slash",
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 23:41:31 +00:00
Issuer: testIssuerURL + "/ends-with-slash", // this does not end with slash when it should, thus this is an error case
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
Merge branch 'main' into initial_ldap
2021-05-11 18:09:37 +00:00
`oidc-upstream-observer "msg"="failed to perform OIDC discovery" "error"="oidc: issuer did not match the issuer returned by provider, expected \"` + testIssuerURL + `/ends-with-slash\" got \"` + testIssuerURL + `/ends-with-slash/\"" "issuer"="` + testIssuerURL + `/ends-with-slash" "name"="test-name" "namespace"="test-namespace"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="failed to perform OIDC discovery against \"` + testIssuerURL + `/ends-with-slash\":\noidc: issuer did not match the issuer returned by provider, expected \"` + testIssuerURL + `/ends-with-slash\" got \"` + testIssuerURL + `/ends-with-slash/\"" "reason"="Unreachable" "status"="False" "type"="OIDCDiscoverySucceeded"`,
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Merge branch 'main' into initial_ldap
2021-05-11 18:09:37 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="failed to perform OIDC discovery against \"` + testIssuerURL + `/ends-with-slash\":\noidc: issuer did not match the issuer returned by provider, expected \"` + testIssuerURL + `/ends-with-slash\" got \"` + testIssuerURL + `/ends-with-slash/\"" "name"="test-name" "namespace"="test-namespace" "reason"="Unreachable" "type"="OIDCDiscoverySucceeded"`,
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Error",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition,
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
{
Type: "ClientCredentialsValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "loaded client credentials",
},
{
Type: "OIDCDiscoverySucceeded",
Status: "False",
LastTransitionTime: now,
Reason: "Unreachable",
Message: `failed to perform OIDC discovery against "` + testIssuerURL + `/ends-with-slash":
oidc: issuer did not match the issuer returned by provider, expected "` + testIssuerURL + `/ends-with-slash" got "` + testIssuerURL + `/ends-with-slash/"`,
},
},
},
}},
},
{
name: "issuer is invalid URL, extra trailing slash",
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{
Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs.
2021-10-14 22:49:44 +00:00
Issuer: testIssuerURL + "/",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{
Merge branch 'main' into initial_ldap
2021-05-11 18:09:37 +00:00
`oidc-upstream-observer "msg"="failed to perform OIDC discovery" "error"="oidc: issuer did not match the issuer returned by provider, expected \"` + testIssuerURL + `/\" got \"` + testIssuerURL + `\"" "issuer"="` + testIssuerURL + `/" "name"="test-name" "namespace"="test-namespace"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="failed to perform OIDC discovery against \"` + testIssuerURL + `/\":\noidc: issuer did not match the issuer returned by provider, expected \"` + testIssuerURL + `/\" got \"` + testIssuerURL + `\"" "reason"="Unreachable" "status"="False" "type"="OIDCDiscoverySucceeded"`,
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`,
Merge branch 'main' into initial_ldap
2021-05-11 18:09:37 +00:00
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="failed to perform OIDC discovery against \"` + testIssuerURL + `/\":\noidc: issuer did not match the issuer returned by provider, expected \"` + testIssuerURL + `/\" got \"` + testIssuerURL + `\"" "name"="test-name" "namespace"="test-namespace" "reason"="Unreachable" "type"="OIDCDiscoverySucceeded"`,
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
},
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{},
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Error",
Conditions: []v1alpha1.Condition{
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition,
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
{
Type: "ClientCredentialsValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: "loaded client credentials",
},
{
Type: "OIDCDiscoverySucceeded",
Status: "False",
LastTransitionTime: now,
Reason: "Unreachable",
Message: `failed to perform OIDC discovery against "` + testIssuerURL + `/":
oidc: issuer did not match the issuer returned by provider, expected "` + testIssuerURL + `/" got "` + testIssuerURL + `"`,
},
},
},
}},
},
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
fakePinnipedClient := pinnipedfake.NewSimpleClientset(tt.inputUpstreams...)
pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0)
fakeKubeClient := fake.NewSimpleClientset(tt.inputSecrets...)
kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
Upgrade the linter and fix all new linter warnings Also fix some tests that were broken by bumping golang and dependencies in the previous commits. Note that in addition to changes made to satisfy the linter which do not impact the behavior of the code, this commit also adds ReadHeaderTimeout to all usages of http.Server to satisfy the linter (and because it seemed like a good suggestion).
2022-08-24 21:45:55 +00:00
testLog := testlogger.NewLegacy(t) //nolint:staticcheck // old test with lots of log statements
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
cache := provider.NewDynamicUpstreamIDPProvider()
Supervisor pre-factor to make room for upstream LDAP identity providers
2021-04-07 23:12:13 +00:00
cache.SetOIDCIdentityProviders([]provider.UpstreamOIDCIdentityProviderI{
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 20:54:11 +00:00
&upstreamoidc.ProviderConfig{Name: "initial-entry"},
})
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
Split package upstreamwatchers into four packages
2021-05-12 21:00:39 +00:00
controller := New(
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
cache,
fakePinnipedClient,
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
pinnipedInformers.IDP().V1alpha1().OIDCIdentityProviders(),
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
kubeInformers.Core().V1().Secrets(),
Update all deps to latest where possible, bump Kube deps to v0.23.1 Highlights from this dep bump: 1. Made a copy of the v0.4.0 github.com/go-logr/stdr implementation for use in tests. We must bump this dep as Kube code uses a newer version now. We would have to rewrite hundreds of test log assertions without this copy. 2. Use github.com/felixge/httpsnoop to undo the changes made by ory/fosite#636 for CLI based login flows. This is required for backwards compatibility with older versions of our CLI. A separate change after this will update the CLI to be more flexible (it is purposefully not part of this change to confirm that we did not break anything). For all browser login flows, we now redirect using http.StatusSeeOther instead of http.StatusFound. 3. Drop plog.RemoveKlogGlobalFlags as klog no longer mutates global process flags 4. Only bump github.com/ory/x to v0.0.297 instead of the latest v0.0.321 because v0.0.298+ pulls in a newer version of go.opentelemetry.io/otel/semconv which breaks k8s.io/apiserver. We should update k8s.io/apiserver to use the newer code. 5. Migrate all code from k8s.io/apimachinery/pkg/util/clock to k8s.io/utils/clock and k8s.io/utils/clock/testing 6. Delete testutil.NewDeleteOptionsRecorder and migrate to the new kubetesting.NewDeleteActionWithOptions 7. Updated ExpectedAuthorizeCodeSessionJSONFromFuzzing caused by fosite's new rotated_secrets OAuth client field. This new field is currently not relevant to us as we have no private clients. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-10 22:22:36 +00:00
testLog.Logger,
Upstream Watcher Controller Syncs less often by adjusting its filters - Only watches Secrets of type "secrets.pinniped.dev/oidc-client" Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-18 23:41:07 +00:00
controllerlib.WithInformer,
)
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
All controller unit tests should not cancel context until test is over All controller unit tests were accidentally using a timeout context for the informers, instead of a cancel context which stays alive until each test is completely finished. There is no reason to risk unpredictable behavior of a timeout being reached during an individual test, even though with the previous 3 second timeout it could only be reached on a machine which is running orders of magnitude slower than usual, since each test usually runs in about 100-300 ms. Unfortunately, sometimes our CI workers might get that slow. This sparked a review of other usages of timeout contexts in other tests, and all of them were increased to a minimum value of 1 minute, under the rule of thumb that our tests will be more reliable on slow machines if they "pass fast and fail slow".
2021-03-05 01:25:43 +00:00
ctx, cancel := context.WithCancel(context.Background())
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
defer cancel()
pinnipedInformers.Start(ctx.Done())
kubeInformers.Start(ctx.Done())
controllerlib.TestRunSynchronously(t, controller)
syncCtx := controllerlib.Context{Context: ctx, Key: controllerlib.Key{}}
if err := controllerlib.TestSync(t, controller, syncCtx); tt.wantErr != "" {
require.EqualError(t, err, tt.wantErr)
} else {
require.NoError(t, err)
}
require.Equal(t, strings.Join(tt.wantLogs, "\n"), strings.Join(testLog.Lines(), "\n"))
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.
2020-11-18 21:38:13 +00:00
Supervisor pre-factor to make room for upstream LDAP identity providers
2021-04-07 23:12:13 +00:00
actualIDPList := cache.GetOIDCIdentityProviders()
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.
2020-11-18 21:38:13 +00:00
require.Equal(t, len(tt.wantResultingCache), len(actualIDPList))
for i := range actualIDPList {
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 20:54:11 +00:00
actualIDP := actualIDPList[i].(*upstreamoidc.ProviderConfig)
require.Equal(t, tt.wantResultingCache[i].GetName(), actualIDP.GetName())
require.Equal(t, tt.wantResultingCache[i].GetClientID(), actualIDP.GetClientID())
require.Equal(t, tt.wantResultingCache[i].GetAuthorizationURL().String(), actualIDP.GetAuthorizationURL().String())
require.Equal(t, tt.wantResultingCache[i].GetUsernameClaim(), actualIDP.GetUsernameClaim())
require.Equal(t, tt.wantResultingCache[i].GetGroupsClaim(), actualIDP.GetGroupsClaim())
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
require.Equal(t, tt.wantResultingCache[i].AllowsPasswordGrant(), actualIDP.AllowsPasswordGrant())
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
require.Equal(t, tt.wantResultingCache[i].GetAdditionalAuthcodeParams(), actualIDP.GetAdditionalAuthcodeParams())
Allow additional claims to map into an ID token issued by the supervisor - Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings - Advertise additionalClaims in the OIDC discovery endpoint under claims_supported Co-authored-by: Ryan Richard <richardry@vmware.com> Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2022-09-20 21:54:10 +00:00
require.Equal(t, tt.wantResultingCache[i].GetAdditionalClaimMappings(), actualIDP.GetAdditionalClaimMappings())
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
require.Equal(t, tt.wantResultingCache[i].GetResourceUID(), actualIDP.GetResourceUID())
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
require.Equal(t, tt.wantResultingCache[i].GetRevocationURL(), actualIDP.GetRevocationURL())
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 20:54:11 +00:00
require.ElementsMatch(t, tt.wantResultingCache[i].GetScopes(), actualIDP.GetScopes())
Add `https_proxy` and `no_proxy` settings for the Supervisor - Add new optional ytt params for the Supervisor deployment. - When the Supervisor is making calls to an upstream OIDC provider, use these variables if they were provided. - These settings are integration tested in the main CI pipeline by sometimes setting them on deployments in certain cases, and then letting the existing integration tests (e.g. TestE2EFullIntegration) provide the coverage, so there are no explicit changes to the integration tests themselves in this commit.
2021-07-07 19:50:13 +00:00
// We always want to use the proxy from env on these clients, so although the following assertions
// are a little hacky, this is a cheap way to test that we are using it.
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-20 11:59:24 +00:00
actualTransport := unwrapTransport(t, actualIDP.Client.Transport)
Add `https_proxy` and `no_proxy` settings for the Supervisor - Add new optional ytt params for the Supervisor deployment. - When the Supervisor is making calls to an upstream OIDC provider, use these variables if they were provided. - These settings are integration tested in the main CI pipeline by sometimes setting them on deployments in certain cases, and then letting the existing integration tests (e.g. TestE2EFullIntegration) provide the coverage, so there are no explicit changes to the integration tests themselves in this commit.
2021-07-07 19:50:13 +00:00
httpProxyFromEnvFunction := reflect.ValueOf(http.ProxyFromEnvironment).Pointer()
actualTransportProxyFunction := reflect.ValueOf(actualTransport.Proxy).Pointer()
require.Equal(t, httpProxyFromEnvFunction, actualTransportProxyFunction,
"Transport should have used http.ProxyFromEnvironment as its Proxy func")
Add unit test assertion for new OIDC client request timeout
2021-07-08 18:47:49 +00:00
// We also want a reasonable timeout on each request/response cycle for OIDC discovery and JWKS.
require.Equal(t, time.Minute, actualIDP.Client.Timeout)
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.
2020-11-18 21:38:13 +00:00
}
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
actualUpstreams, err := fakePinnipedClient.IDPV1alpha1().OIDCIdentityProviders(testNamespace).List(ctx, metav1.ListOptions{})
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
require.NoError(t, err)
Add Conditions to LDAPIdentityProvider's Status and start to fill them - The ldap_upstream_watcher.go controller validates the bind secret and uses the Conditions to report errors. Shares some condition reporting logic with its sibling controller oidc_upstream_watcher.go, to the extent which is convenient without generics in golang.
2021-04-12 20:53:21 +00:00
// Assert on the expected Status of the upstreams. Preprocess the upstreams a bit so that they're easier to assert against.
require.ElementsMatch(t, tt.wantResultingUpstreams, normalizeOIDCUpstreams(actualUpstreams.Items, now))
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
// Running the sync() a second time should be idempotent except for logs, and should return the same error.
// This also helps exercise code paths where the OIDC provider discovery hits cache.
if err := controllerlib.TestSync(t, controller, syncCtx); tt.wantErr != "" {
require.EqualError(t, err, tt.wantErr)
} else {
require.NoError(t, err)
}
})
}
}
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-20 11:59:24 +00:00
func unwrapTransport(t *testing.T, rt http.RoundTripper) *http.Transport {
t.Helper()
switch baseRT := rt.(type) {
case *http.Transport:
return baseRT
case net.RoundTripperWrapper:
return unwrapTransport(t, baseRT.WrappedRoundTripper())
default:
t.Fatalf("expected cached provider to have client with Transport of type *http.Transport, got: %T", baseRT)
return nil // unreachable
}
}
Add Conditions to LDAPIdentityProvider's Status and start to fill them - The ldap_upstream_watcher.go controller validates the bind secret and uses the Conditions to report errors. Shares some condition reporting logic with its sibling controller oidc_upstream_watcher.go, to the extent which is convenient without generics in golang.
2021-04-12 20:53:21 +00:00
func normalizeOIDCUpstreams(upstreams []v1alpha1.OIDCIdentityProvider, now metav1.Time) []v1alpha1.OIDCIdentityProvider {
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
result := make([]v1alpha1.OIDCIdentityProvider, 0, len(upstreams))
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
for _, u := range upstreams {
normalized := u.DeepCopy()
// We're only interested in comparing the status, so zero out the spec.
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
normalized.Spec = v1alpha1.OIDCIdentityProviderSpec{}
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
// Round down the LastTransitionTime values to `now` if they were just updated. This makes
// it much easier to encode assertions about the expected timestamps.
for i := range normalized.Status.Conditions {
if time.Since(normalized.Status.Conditions[i].LastTransitionTime.Time) < 5*time.Second {
normalized.Status.Conditions[i].LastTransitionTime = now
}
}
result = append(result, *normalized)
}
return result
}
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
func newTestIssuer(t *testing.T) (string, string) {
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
mux := http.NewServeMux()
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
caBundlePEM, testURL := testutil.TLSTestServer(t, mux.ServeHTTP)
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
type providerJSON struct {
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
Issuer string `json:"issuer"`
AuthURL string `json:"authorization_endpoint"`
TokenURL string `json:"token_endpoint"`
RevocationURL string `json:"revocation_endpoint,omitempty"`
JWKSURL string `json:"jwks_uri"`
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
}
// At the root of the server, serve an issuer with a valid discovery response.
mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json")
_ = json.NewEncoder(w).Encode(&providerJSON{
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
Issuer: testURL,
AuthURL: "https://example.com/authorize",
RevocationURL: "https://example.com/revoke",
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
TokenURL: "https://example.com/token",
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
})
})
// At "/valid-without-revocation", serve an issuer with a valid discovery response which does not have a revocation endpoint.
mux.HandleFunc("/valid-without-revocation/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json")
_ = json.NewEncoder(w).Encode(&providerJSON{
Issuer: testURL + "/valid-without-revocation",
AuthURL: "https://example.com/authorize",
RevocationURL: "", // none
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
TokenURL: "https://example.com/token",
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
})
})
// At "/invalid", serve an issuer that returns an invalid authorization URL (not parseable).
mux.HandleFunc("/invalid/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json")
_ = json.NewEncoder(w).Encode(&providerJSON{
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
Issuer: testURL + "/invalid",
AuthURL: "%",
TokenURL: "https://example.com/token",
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
})
})
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
// At "/invalid-revocation-url", serve an issuer that returns an invalid revocation URL (not parseable).
mux.HandleFunc("/invalid-revocation-url/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json")
_ = json.NewEncoder(w).Encode(&providerJSON{
Issuer: testURL + "/invalid-revocation-url",
AuthURL: "https://example.com/authorize",
RevocationURL: "%",
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
TokenURL: "https://example.com/token",
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
})
})
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
// At "/insecure", serve an issuer that returns an insecure authorization URL (not https://).
mux.HandleFunc("/insecure/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json")
_ = json.NewEncoder(w).Encode(&providerJSON{
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
Issuer: testURL + "/insecure",
AuthURL: "http://example.com/authorize",
TokenURL: "https://example.com/token",
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
})
})
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
// At "/insecure-revocation-url", serve an issuer that returns an insecure revocation URL (not https://).
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
mux.HandleFunc("/insecure-revocation-url/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json")
_ = json.NewEncoder(w).Encode(&providerJSON{
Issuer: testURL + "/insecure-revocation-url",
AuthURL: "https://example.com/authorize",
RevocationURL: "http://example.com/revoke",
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
TokenURL: "https://example.com/token",
})
})
// At "/insecure-token-url", serve an issuer that returns an insecure token URL (not https://).
mux.HandleFunc("/insecure-token-url/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json")
_ = json.NewEncoder(w).Encode(&providerJSON{
Issuer: testURL + "/insecure-token-url",
AuthURL: "https://example.com/authorize",
RevocationURL: "https://example.com/revoke",
TokenURL: "http://example.com/token",
})
})
// At "/missing-token-url", serve an issuer that returns no token URL (is required by the spec unless it's an idp which only supports
// implicit flow, which we don't support). So for our purposes we need to always get a token url
mux.HandleFunc("/missing-token-url/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json")
_ = json.NewEncoder(w).Encode(&providerJSON{
Issuer: testURL + "/missing-token-url",
AuthURL: "https://example.com/authorize",
RevocationURL: "https://example.com/revoke",
})
})
// At "/missing-auth-url", serve an issuer that returns no auth URL, which is required by the spec.
mux.HandleFunc("/missing-auth-url/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json")
_ = json.NewEncoder(w).Encode(&providerJSON{
Issuer: testURL + "/missing-auth-url",
RevocationURL: "https://example.com/revoke",
TokenURL: "https://example.com/token",
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
})
})
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
// handle the four issuer with trailing slash configs
// valid case in= out=
// handled above at the root of testURL
// valid case in=/ out=/
mux.HandleFunc("/ends-with-slash/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json")
_ = json.NewEncoder(w).Encode(&providerJSON{
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
Issuer: testURL + "/ends-with-slash/",
AuthURL: "https://example.com/authorize",
RevocationURL: "https://example.com/revoke",
Validate that issuer url and urls returned from discovery are https and that they have no query or fragment Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-12-04 00:11:53 +00:00
TokenURL: "https://example.com/token",
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 04:22:34 +00:00
})
})
// invalid case in= out=/
// can be tested using /ends-with-slash/ endpoint
// invalid case in=/ out=
// can be tested using root endpoint
Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 00:15:58 +00:00
return caBundlePEM, testURL
Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-11 23:10:06 +00:00
}