Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin

- Add some fields to LDAPIdentityProvider that we will need to be able
  to search for users during login
- Enhance TestSupervisorLogin to test logging in using an upstream LDAP
  identity provider. Part of this new test is skipped for now because
  we haven't written the corresponding production code to make it
  pass yet.
- Some refactoring and enhancement to env.go and the corresponding env
  vars to support the new upstream LDAP provider integration tests.
- Use docker.io/bitnami/openldap for our test LDAP server instead of our
  own fork now that they have fixed the bug that we reported.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
Ryan Richard 2021-04-07 12:56:09 -07:00 committed by Andrew Keesler
parent 2b6859b161
commit 1c55c857f4
28 changed files with 1537 additions and 88 deletions

View File

@ -28,11 +28,69 @@ type LDAPIdentityProviderStatus struct {
Phase LDAPIdentityProviderPhase `json:"phase,omitempty"` Phase LDAPIdentityProviderPhase `json:"phase,omitempty"`
} }
type LDAPIdentityProviderTLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle) to trust when connecting to the LDAP provider.
// If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
}
type LDAPIdentityProviderBindSpec struct {
// SecretName contains the name of a namespace-local Secret object that provides the username and
// password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be
// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
// should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
type LDAPIdentityProviderUserSearchAttributesSpec struct {
// Username specifies the name of attribute in the LDAP entry which whose value shall become the username
// of the user after a successful authentication. This would typically be the same attribute name used in
// the user search filter. E.g. "mail" or "uid" or "userPrincipalName".
// +kubebuilder:validation:MinLength=1
Username string `json:"username,omitempty"`
// UniqueID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely
// identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
// +kubebuilder:validation:MinLength=1
UniqueID string `json:"uniqueID,omitempty"`
}
type LDAPIdentityProviderUserSearchSpec struct {
// Base is the DN that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
// +kubebuilder:validation:MinLength=1
Base string `json:"base,omitempty"`
// Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur
// in the filter and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}"
// or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters.
// Optional. When not specified, the default will act as if the Filter were specified as the value from
// Attributes.Username appended by "={}".
// +optional
Filter string `json:"filter,omitempty"`
// Attributes specifies how the user's information should be read from the LDAP entry which was found as
// the result of the user search.
// +optional
Attributes LDAPIdentityProviderUserSearchAttributesSpec `json:"attributes,omitempty"`
}
// Spec for configuring an LDAP identity provider. // Spec for configuring an LDAP identity provider.
type LDAPIdentityProviderSpec struct { type LDAPIdentityProviderSpec struct {
// Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636. // Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Host string `json:"host"` Host string `json:"host"`
// TLS contains the connection settings for how to establish the connection to the Host.
TLS *LDAPIdentityProviderTLSSpec `json:"tls,omitempty"`
// Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server
// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
Bind LDAPIdentityProviderBindSpec `json:"bind,omitempty"`
// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
UserSearch LDAPIdentityProviderUserSearchSpec `json:"userSearch,omitempty"`
} }
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access

View File

@ -51,11 +51,80 @@ spec:
spec: spec:
description: Spec for configuring the identity provider. description: Spec for configuring the identity provider.
properties: properties:
bind:
description: Bind contains the configuration for how to provide access
credentials during an initial bind to the LDAP server to be allowed
to perform searches and binds to validate a user's credentials during
a user's authentication attempt.
properties:
secretName:
description: SecretName contains the name of a namespace-local
Secret object that provides the username and password for an
LDAP bind user. This account will be used to perform LDAP searches.
The Secret should be of type "kubernetes.io/basic-auth" which
includes "username" and "password" keys. The username value
should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
minLength: 1
type: string
required:
- secretName
type: object
host: host:
description: 'Host is the hostname of this LDAP identity provider, description: 'Host is the hostname of this LDAP identity provider,
i.e., where to connect. For example: ldap.example.com:636.' i.e., where to connect. For example: ldap.example.com:636.'
minLength: 1 minLength: 1
type: string type: string
tls:
description: TLS contains the connection settings for how to establish
the connection to the Host.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle)
to trust when connecting to the LDAP provider. If omitted, a
default set of system roots will be trusted.
type: string
type: object
userSearch:
description: UserSearch contains the configuration for searching for
a user by name in the LDAP provider.
properties:
attributes:
description: Attributes specifies how the user's information should
be read from the LDAP entry which was found as the result of
the user search.
properties:
uniqueID:
description: UniqueID specifies the name of the attribute
in the LDAP entry which whose value shall be used to uniquely
identify the user within this LDAP provider after a successful
authentication. E.g. "uidNumber" or "objectGUID".
minLength: 1
type: string
username:
description: Username specifies the name of attribute in the
LDAP entry which whose value shall become the username of
the user after a successful authentication. This would typically
be the same attribute name used in the user search filter.
E.g. "mail" or "uid" or "userPrincipalName".
minLength: 1
type: string
type: object
base:
description: Base is the DN that should be used as the search
base when searching for users. E.g. "ou=users,dc=example,dc=com".
minLength: 1
type: string
filter:
description: Filter is the LDAP search filter which should be
applied when searching for users. The pattern "{}" must occur
in the filter and will be dynamically replaced by the username
for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})".
For more information about LDAP filters, see https://ldap.com/ldap-filters.
Optional. When not specified, the default will act as if the
Filter were specified as the value from Attributes.Username
appended by "={}".
type: string
type: object
required: required:
- host - host
type: object type: object

View File

@ -708,6 +708,23 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire
|=== |===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderbindspec"]
==== LDAPIdentityProviderBindSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the username and password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec"]
@ -724,6 +741,9 @@ Spec for configuring an LDAP identity provider.
|=== |===
| Field | Description | Field | Description
| *`host`* __string__ | Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636. | *`host`* __string__ | Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityprovidertlsspec[$$LDAPIdentityProviderTLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host.
| *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderbindspec[$$LDAPIdentityProviderBindSpec$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
| *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchspec[$$LDAPIdentityProviderUserSearchSpec$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider.
|=== |===
@ -744,6 +764,60 @@ Status of an LDAP identity provider.
|=== |===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityprovidertlsspec"]
==== LDAPIdentityProviderTLSSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle) to trust when connecting to the LDAP provider. If omitted, a default set of system roots will be trusted.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchattributesspec"]
==== LDAPIdentityProviderUserSearchAttributesSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchspec[$$LDAPIdentityProviderUserSearchSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username specifies the name of attribute in the LDAP entry which whose value shall become the username of the user after a successful authentication. This would typically be the same attribute name used in the user search filter. E.g. "mail" or "uid" or "userPrincipalName".
| *`uniqueID`* __string__ | UniqueID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchspec"]
==== LDAPIdentityProviderUserSearchSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`base`* __string__ | Base is the DN that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur in the filter and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Optional. When not specified, the default will act as if the Filter were specified as the value from Attributes.Username appended by "={}".
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchattributesspec[$$LDAPIdentityProviderUserSearchAttributesSpec$$]__ | Attributes specifies how the user's information should be read from the LDAP entry which was found as the result of the user search.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig"]
==== OIDCAuthorizationConfig ==== OIDCAuthorizationConfig

View File

@ -28,11 +28,69 @@ type LDAPIdentityProviderStatus struct {
Phase LDAPIdentityProviderPhase `json:"phase,omitempty"` Phase LDAPIdentityProviderPhase `json:"phase,omitempty"`
} }
type LDAPIdentityProviderTLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle) to trust when connecting to the LDAP provider.
// If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
}
type LDAPIdentityProviderBindSpec struct {
// SecretName contains the name of a namespace-local Secret object that provides the username and
// password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be
// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
// should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
type LDAPIdentityProviderUserSearchAttributesSpec struct {
// Username specifies the name of attribute in the LDAP entry which whose value shall become the username
// of the user after a successful authentication. This would typically be the same attribute name used in
// the user search filter. E.g. "mail" or "uid" or "userPrincipalName".
// +kubebuilder:validation:MinLength=1
Username string `json:"username,omitempty"`
// UniqueID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely
// identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
// +kubebuilder:validation:MinLength=1
UniqueID string `json:"uniqueID,omitempty"`
}
type LDAPIdentityProviderUserSearchSpec struct {
// Base is the DN that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
// +kubebuilder:validation:MinLength=1
Base string `json:"base,omitempty"`
// Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur
// in the filter and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}"
// or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters.
// Optional. When not specified, the default will act as if the Filter were specified as the value from
// Attributes.Username appended by "={}".
// +optional
Filter string `json:"filter,omitempty"`
// Attributes specifies how the user's information should be read from the LDAP entry which was found as
// the result of the user search.
// +optional
Attributes LDAPIdentityProviderUserSearchAttributesSpec `json:"attributes,omitempty"`
}
// Spec for configuring an LDAP identity provider. // Spec for configuring an LDAP identity provider.
type LDAPIdentityProviderSpec struct { type LDAPIdentityProviderSpec struct {
// Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636. // Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Host string `json:"host"` Host string `json:"host"`
// TLS contains the connection settings for how to establish the connection to the Host.
TLS *LDAPIdentityProviderTLSSpec `json:"tls,omitempty"`
// Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server
// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
Bind LDAPIdentityProviderBindSpec `json:"bind,omitempty"`
// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
UserSearch LDAPIdentityProviderUserSearchSpec `json:"userSearch,omitempty"`
} }
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access

View File

@ -33,7 +33,7 @@ func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) {
*out = *in *out = *in
out.TypeMeta = in.TypeMeta out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec in.Spec.DeepCopyInto(&out.Spec)
out.Status = in.Status out.Status = in.Status
return return
} }
@ -56,6 +56,22 @@ func (in *LDAPIdentityProvider) DeepCopyObject() runtime.Object {
return nil return nil
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderBindSpec) DeepCopyInto(out *LDAPIdentityProviderBindSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderBindSpec.
func (in *LDAPIdentityProviderBindSpec) DeepCopy() *LDAPIdentityProviderBindSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderBindSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderList) DeepCopyInto(out *LDAPIdentityProviderList) { func (in *LDAPIdentityProviderList) DeepCopyInto(out *LDAPIdentityProviderList) {
*out = *in *out = *in
@ -92,6 +108,13 @@ func (in *LDAPIdentityProviderList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) { func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) {
*out = *in *out = *in
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(LDAPIdentityProviderTLSSpec)
**out = **in
}
out.Bind = in.Bind
out.UserSearch = in.UserSearch
return return
} }
@ -121,6 +144,55 @@ func (in *LDAPIdentityProviderStatus) DeepCopy() *LDAPIdentityProviderStatus {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderTLSSpec) DeepCopyInto(out *LDAPIdentityProviderTLSSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderTLSSpec.
func (in *LDAPIdentityProviderTLSSpec) DeepCopy() *LDAPIdentityProviderTLSSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderTLSSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderUserSearchAttributesSpec) DeepCopyInto(out *LDAPIdentityProviderUserSearchAttributesSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearchAttributesSpec.
func (in *LDAPIdentityProviderUserSearchAttributesSpec) DeepCopy() *LDAPIdentityProviderUserSearchAttributesSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderUserSearchAttributesSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderUserSearchSpec) DeepCopyInto(out *LDAPIdentityProviderUserSearchSpec) {
*out = *in
out.Attributes = in.Attributes
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearchSpec.
func (in *LDAPIdentityProviderUserSearchSpec) DeepCopy() *LDAPIdentityProviderUserSearchSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderUserSearchSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) { func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
*out = *in *out = *in

View File

@ -51,11 +51,80 @@ spec:
spec: spec:
description: Spec for configuring the identity provider. description: Spec for configuring the identity provider.
properties: properties:
bind:
description: Bind contains the configuration for how to provide access
credentials during an initial bind to the LDAP server to be allowed
to perform searches and binds to validate a user's credentials during
a user's authentication attempt.
properties:
secretName:
description: SecretName contains the name of a namespace-local
Secret object that provides the username and password for an
LDAP bind user. This account will be used to perform LDAP searches.
The Secret should be of type "kubernetes.io/basic-auth" which
includes "username" and "password" keys. The username value
should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
minLength: 1
type: string
required:
- secretName
type: object
host: host:
description: 'Host is the hostname of this LDAP identity provider, description: 'Host is the hostname of this LDAP identity provider,
i.e., where to connect. For example: ldap.example.com:636.' i.e., where to connect. For example: ldap.example.com:636.'
minLength: 1 minLength: 1
type: string type: string
tls:
description: TLS contains the connection settings for how to establish
the connection to the Host.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle)
to trust when connecting to the LDAP provider. If omitted, a
default set of system roots will be trusted.
type: string
type: object
userSearch:
description: UserSearch contains the configuration for searching for
a user by name in the LDAP provider.
properties:
attributes:
description: Attributes specifies how the user's information should
be read from the LDAP entry which was found as the result of
the user search.
properties:
uniqueID:
description: UniqueID specifies the name of the attribute
in the LDAP entry which whose value shall be used to uniquely
identify the user within this LDAP provider after a successful
authentication. E.g. "uidNumber" or "objectGUID".
minLength: 1
type: string
username:
description: Username specifies the name of attribute in the
LDAP entry which whose value shall become the username of
the user after a successful authentication. This would typically
be the same attribute name used in the user search filter.
E.g. "mail" or "uid" or "userPrincipalName".
minLength: 1
type: string
type: object
base:
description: Base is the DN that should be used as the search
base when searching for users. E.g. "ou=users,dc=example,dc=com".
minLength: 1
type: string
filter:
description: Filter is the LDAP search filter which should be
applied when searching for users. The pattern "{}" must occur
in the filter and will be dynamically replaced by the username
for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})".
For more information about LDAP filters, see https://ldap.com/ldap-filters.
Optional. When not specified, the default will act as if the
Filter were specified as the value from Attributes.Username
appended by "={}".
type: string
type: object
required: required:
- host - host
type: object type: object

View File

@ -708,6 +708,23 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire
|=== |===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderbindspec"]
==== LDAPIdentityProviderBindSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the username and password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec"]
@ -724,6 +741,9 @@ Spec for configuring an LDAP identity provider.
|=== |===
| Field | Description | Field | Description
| *`host`* __string__ | Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636. | *`host`* __string__ | Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityprovidertlsspec[$$LDAPIdentityProviderTLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host.
| *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderbindspec[$$LDAPIdentityProviderBindSpec$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
| *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchspec[$$LDAPIdentityProviderUserSearchSpec$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider.
|=== |===
@ -744,6 +764,60 @@ Status of an LDAP identity provider.
|=== |===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityprovidertlsspec"]
==== LDAPIdentityProviderTLSSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle) to trust when connecting to the LDAP provider. If omitted, a default set of system roots will be trusted.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchattributesspec"]
==== LDAPIdentityProviderUserSearchAttributesSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchspec[$$LDAPIdentityProviderUserSearchSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username specifies the name of attribute in the LDAP entry which whose value shall become the username of the user after a successful authentication. This would typically be the same attribute name used in the user search filter. E.g. "mail" or "uid" or "userPrincipalName".
| *`uniqueID`* __string__ | UniqueID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchspec"]
==== LDAPIdentityProviderUserSearchSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`base`* __string__ | Base is the DN that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur in the filter and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Optional. When not specified, the default will act as if the Filter were specified as the value from Attributes.Username appended by "={}".
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchattributesspec[$$LDAPIdentityProviderUserSearchAttributesSpec$$]__ | Attributes specifies how the user's information should be read from the LDAP entry which was found as the result of the user search.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig"]
==== OIDCAuthorizationConfig ==== OIDCAuthorizationConfig

View File

@ -28,11 +28,69 @@ type LDAPIdentityProviderStatus struct {
Phase LDAPIdentityProviderPhase `json:"phase,omitempty"` Phase LDAPIdentityProviderPhase `json:"phase,omitempty"`
} }
type LDAPIdentityProviderTLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle) to trust when connecting to the LDAP provider.
// If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
}
type LDAPIdentityProviderBindSpec struct {
// SecretName contains the name of a namespace-local Secret object that provides the username and
// password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be
// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
// should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
type LDAPIdentityProviderUserSearchAttributesSpec struct {
// Username specifies the name of attribute in the LDAP entry which whose value shall become the username
// of the user after a successful authentication. This would typically be the same attribute name used in
// the user search filter. E.g. "mail" or "uid" or "userPrincipalName".
// +kubebuilder:validation:MinLength=1
Username string `json:"username,omitempty"`
// UniqueID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely
// identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
// +kubebuilder:validation:MinLength=1
UniqueID string `json:"uniqueID,omitempty"`
}
type LDAPIdentityProviderUserSearchSpec struct {
// Base is the DN that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
// +kubebuilder:validation:MinLength=1
Base string `json:"base,omitempty"`
// Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur
// in the filter and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}"
// or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters.
// Optional. When not specified, the default will act as if the Filter were specified as the value from
// Attributes.Username appended by "={}".
// +optional
Filter string `json:"filter,omitempty"`
// Attributes specifies how the user's information should be read from the LDAP entry which was found as
// the result of the user search.
// +optional
Attributes LDAPIdentityProviderUserSearchAttributesSpec `json:"attributes,omitempty"`
}
// Spec for configuring an LDAP identity provider. // Spec for configuring an LDAP identity provider.
type LDAPIdentityProviderSpec struct { type LDAPIdentityProviderSpec struct {
// Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636. // Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Host string `json:"host"` Host string `json:"host"`
// TLS contains the connection settings for how to establish the connection to the Host.
TLS *LDAPIdentityProviderTLSSpec `json:"tls,omitempty"`
// Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server
// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
Bind LDAPIdentityProviderBindSpec `json:"bind,omitempty"`
// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
UserSearch LDAPIdentityProviderUserSearchSpec `json:"userSearch,omitempty"`
} }
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access

View File

@ -33,7 +33,7 @@ func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) {
*out = *in *out = *in
out.TypeMeta = in.TypeMeta out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec in.Spec.DeepCopyInto(&out.Spec)
out.Status = in.Status out.Status = in.Status
return return
} }
@ -56,6 +56,22 @@ func (in *LDAPIdentityProvider) DeepCopyObject() runtime.Object {
return nil return nil
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderBindSpec) DeepCopyInto(out *LDAPIdentityProviderBindSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderBindSpec.
func (in *LDAPIdentityProviderBindSpec) DeepCopy() *LDAPIdentityProviderBindSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderBindSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderList) DeepCopyInto(out *LDAPIdentityProviderList) { func (in *LDAPIdentityProviderList) DeepCopyInto(out *LDAPIdentityProviderList) {
*out = *in *out = *in
@ -92,6 +108,13 @@ func (in *LDAPIdentityProviderList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) { func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) {
*out = *in *out = *in
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(LDAPIdentityProviderTLSSpec)
**out = **in
}
out.Bind = in.Bind
out.UserSearch = in.UserSearch
return return
} }
@ -121,6 +144,55 @@ func (in *LDAPIdentityProviderStatus) DeepCopy() *LDAPIdentityProviderStatus {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderTLSSpec) DeepCopyInto(out *LDAPIdentityProviderTLSSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderTLSSpec.
func (in *LDAPIdentityProviderTLSSpec) DeepCopy() *LDAPIdentityProviderTLSSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderTLSSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderUserSearchAttributesSpec) DeepCopyInto(out *LDAPIdentityProviderUserSearchAttributesSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearchAttributesSpec.
func (in *LDAPIdentityProviderUserSearchAttributesSpec) DeepCopy() *LDAPIdentityProviderUserSearchAttributesSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderUserSearchAttributesSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderUserSearchSpec) DeepCopyInto(out *LDAPIdentityProviderUserSearchSpec) {
*out = *in
out.Attributes = in.Attributes
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearchSpec.
func (in *LDAPIdentityProviderUserSearchSpec) DeepCopy() *LDAPIdentityProviderUserSearchSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderUserSearchSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) { func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
*out = *in *out = *in

View File

@ -51,11 +51,80 @@ spec:
spec: spec:
description: Spec for configuring the identity provider. description: Spec for configuring the identity provider.
properties: properties:
bind:
description: Bind contains the configuration for how to provide access
credentials during an initial bind to the LDAP server to be allowed
to perform searches and binds to validate a user's credentials during
a user's authentication attempt.
properties:
secretName:
description: SecretName contains the name of a namespace-local
Secret object that provides the username and password for an
LDAP bind user. This account will be used to perform LDAP searches.
The Secret should be of type "kubernetes.io/basic-auth" which
includes "username" and "password" keys. The username value
should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
minLength: 1
type: string
required:
- secretName
type: object
host: host:
description: 'Host is the hostname of this LDAP identity provider, description: 'Host is the hostname of this LDAP identity provider,
i.e., where to connect. For example: ldap.example.com:636.' i.e., where to connect. For example: ldap.example.com:636.'
minLength: 1 minLength: 1
type: string type: string
tls:
description: TLS contains the connection settings for how to establish
the connection to the Host.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle)
to trust when connecting to the LDAP provider. If omitted, a
default set of system roots will be trusted.
type: string
type: object
userSearch:
description: UserSearch contains the configuration for searching for
a user by name in the LDAP provider.
properties:
attributes:
description: Attributes specifies how the user's information should
be read from the LDAP entry which was found as the result of
the user search.
properties:
uniqueID:
description: UniqueID specifies the name of the attribute
in the LDAP entry which whose value shall be used to uniquely
identify the user within this LDAP provider after a successful
authentication. E.g. "uidNumber" or "objectGUID".
minLength: 1
type: string
username:
description: Username specifies the name of attribute in the
LDAP entry which whose value shall become the username of
the user after a successful authentication. This would typically
be the same attribute name used in the user search filter.
E.g. "mail" or "uid" or "userPrincipalName".
minLength: 1
type: string
type: object
base:
description: Base is the DN that should be used as the search
base when searching for users. E.g. "ou=users,dc=example,dc=com".
minLength: 1
type: string
filter:
description: Filter is the LDAP search filter which should be
applied when searching for users. The pattern "{}" must occur
in the filter and will be dynamically replaced by the username
for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})".
For more information about LDAP filters, see https://ldap.com/ldap-filters.
Optional. When not specified, the default will act as if the
Filter were specified as the value from Attributes.Username
appended by "={}".
type: string
type: object
required: required:
- host - host
type: object type: object

View File

@ -708,6 +708,23 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire
|=== |===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderbindspec"]
==== LDAPIdentityProviderBindSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the username and password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec"]
@ -724,6 +741,9 @@ Spec for configuring an LDAP identity provider.
|=== |===
| Field | Description | Field | Description
| *`host`* __string__ | Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636. | *`host`* __string__ | Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityprovidertlsspec[$$LDAPIdentityProviderTLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host.
| *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderbindspec[$$LDAPIdentityProviderBindSpec$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
| *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchspec[$$LDAPIdentityProviderUserSearchSpec$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider.
|=== |===
@ -744,6 +764,60 @@ Status of an LDAP identity provider.
|=== |===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityprovidertlsspec"]
==== LDAPIdentityProviderTLSSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle) to trust when connecting to the LDAP provider. If omitted, a default set of system roots will be trusted.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchattributesspec"]
==== LDAPIdentityProviderUserSearchAttributesSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchspec[$$LDAPIdentityProviderUserSearchSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username specifies the name of attribute in the LDAP entry which whose value shall become the username of the user after a successful authentication. This would typically be the same attribute name used in the user search filter. E.g. "mail" or "uid" or "userPrincipalName".
| *`uniqueID`* __string__ | UniqueID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchspec"]
==== LDAPIdentityProviderUserSearchSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`base`* __string__ | Base is the DN that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur in the filter and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Optional. When not specified, the default will act as if the Filter were specified as the value from Attributes.Username appended by "={}".
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchattributesspec[$$LDAPIdentityProviderUserSearchAttributesSpec$$]__ | Attributes specifies how the user's information should be read from the LDAP entry which was found as the result of the user search.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig"]
==== OIDCAuthorizationConfig ==== OIDCAuthorizationConfig

View File

@ -28,11 +28,69 @@ type LDAPIdentityProviderStatus struct {
Phase LDAPIdentityProviderPhase `json:"phase,omitempty"` Phase LDAPIdentityProviderPhase `json:"phase,omitempty"`
} }
type LDAPIdentityProviderTLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle) to trust when connecting to the LDAP provider.
// If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
}
type LDAPIdentityProviderBindSpec struct {
// SecretName contains the name of a namespace-local Secret object that provides the username and
// password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be
// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
// should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
type LDAPIdentityProviderUserSearchAttributesSpec struct {
// Username specifies the name of attribute in the LDAP entry which whose value shall become the username
// of the user after a successful authentication. This would typically be the same attribute name used in
// the user search filter. E.g. "mail" or "uid" or "userPrincipalName".
// +kubebuilder:validation:MinLength=1
Username string `json:"username,omitempty"`
// UniqueID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely
// identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
// +kubebuilder:validation:MinLength=1
UniqueID string `json:"uniqueID,omitempty"`
}
type LDAPIdentityProviderUserSearchSpec struct {
// Base is the DN that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
// +kubebuilder:validation:MinLength=1
Base string `json:"base,omitempty"`
// Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur
// in the filter and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}"
// or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters.
// Optional. When not specified, the default will act as if the Filter were specified as the value from
// Attributes.Username appended by "={}".
// +optional
Filter string `json:"filter,omitempty"`
// Attributes specifies how the user's information should be read from the LDAP entry which was found as
// the result of the user search.
// +optional
Attributes LDAPIdentityProviderUserSearchAttributesSpec `json:"attributes,omitempty"`
}
// Spec for configuring an LDAP identity provider. // Spec for configuring an LDAP identity provider.
type LDAPIdentityProviderSpec struct { type LDAPIdentityProviderSpec struct {
// Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636. // Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Host string `json:"host"` Host string `json:"host"`
// TLS contains the connection settings for how to establish the connection to the Host.
TLS *LDAPIdentityProviderTLSSpec `json:"tls,omitempty"`
// Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server
// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
Bind LDAPIdentityProviderBindSpec `json:"bind,omitempty"`
// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
UserSearch LDAPIdentityProviderUserSearchSpec `json:"userSearch,omitempty"`
} }
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access

View File

@ -33,7 +33,7 @@ func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) {
*out = *in *out = *in
out.TypeMeta = in.TypeMeta out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec in.Spec.DeepCopyInto(&out.Spec)
out.Status = in.Status out.Status = in.Status
return return
} }
@ -56,6 +56,22 @@ func (in *LDAPIdentityProvider) DeepCopyObject() runtime.Object {
return nil return nil
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderBindSpec) DeepCopyInto(out *LDAPIdentityProviderBindSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderBindSpec.
func (in *LDAPIdentityProviderBindSpec) DeepCopy() *LDAPIdentityProviderBindSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderBindSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderList) DeepCopyInto(out *LDAPIdentityProviderList) { func (in *LDAPIdentityProviderList) DeepCopyInto(out *LDAPIdentityProviderList) {
*out = *in *out = *in
@ -92,6 +108,13 @@ func (in *LDAPIdentityProviderList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) { func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) {
*out = *in *out = *in
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(LDAPIdentityProviderTLSSpec)
**out = **in
}
out.Bind = in.Bind
out.UserSearch = in.UserSearch
return return
} }
@ -121,6 +144,55 @@ func (in *LDAPIdentityProviderStatus) DeepCopy() *LDAPIdentityProviderStatus {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderTLSSpec) DeepCopyInto(out *LDAPIdentityProviderTLSSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderTLSSpec.
func (in *LDAPIdentityProviderTLSSpec) DeepCopy() *LDAPIdentityProviderTLSSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderTLSSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderUserSearchAttributesSpec) DeepCopyInto(out *LDAPIdentityProviderUserSearchAttributesSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearchAttributesSpec.
func (in *LDAPIdentityProviderUserSearchAttributesSpec) DeepCopy() *LDAPIdentityProviderUserSearchAttributesSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderUserSearchAttributesSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderUserSearchSpec) DeepCopyInto(out *LDAPIdentityProviderUserSearchSpec) {
*out = *in
out.Attributes = in.Attributes
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearchSpec.
func (in *LDAPIdentityProviderUserSearchSpec) DeepCopy() *LDAPIdentityProviderUserSearchSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderUserSearchSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) { func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
*out = *in *out = *in

View File

@ -51,11 +51,80 @@ spec:
spec: spec:
description: Spec for configuring the identity provider. description: Spec for configuring the identity provider.
properties: properties:
bind:
description: Bind contains the configuration for how to provide access
credentials during an initial bind to the LDAP server to be allowed
to perform searches and binds to validate a user's credentials during
a user's authentication attempt.
properties:
secretName:
description: SecretName contains the name of a namespace-local
Secret object that provides the username and password for an
LDAP bind user. This account will be used to perform LDAP searches.
The Secret should be of type "kubernetes.io/basic-auth" which
includes "username" and "password" keys. The username value
should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
minLength: 1
type: string
required:
- secretName
type: object
host: host:
description: 'Host is the hostname of this LDAP identity provider, description: 'Host is the hostname of this LDAP identity provider,
i.e., where to connect. For example: ldap.example.com:636.' i.e., where to connect. For example: ldap.example.com:636.'
minLength: 1 minLength: 1
type: string type: string
tls:
description: TLS contains the connection settings for how to establish
the connection to the Host.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle)
to trust when connecting to the LDAP provider. If omitted, a
default set of system roots will be trusted.
type: string
type: object
userSearch:
description: UserSearch contains the configuration for searching for
a user by name in the LDAP provider.
properties:
attributes:
description: Attributes specifies how the user's information should
be read from the LDAP entry which was found as the result of
the user search.
properties:
uniqueID:
description: UniqueID specifies the name of the attribute
in the LDAP entry which whose value shall be used to uniquely
identify the user within this LDAP provider after a successful
authentication. E.g. "uidNumber" or "objectGUID".
minLength: 1
type: string
username:
description: Username specifies the name of attribute in the
LDAP entry which whose value shall become the username of
the user after a successful authentication. This would typically
be the same attribute name used in the user search filter.
E.g. "mail" or "uid" or "userPrincipalName".
minLength: 1
type: string
type: object
base:
description: Base is the DN that should be used as the search
base when searching for users. E.g. "ou=users,dc=example,dc=com".
minLength: 1
type: string
filter:
description: Filter is the LDAP search filter which should be
applied when searching for users. The pattern "{}" must occur
in the filter and will be dynamically replaced by the username
for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})".
For more information about LDAP filters, see https://ldap.com/ldap-filters.
Optional. When not specified, the default will act as if the
Filter were specified as the value from Attributes.Username
appended by "={}".
type: string
type: object
required: required:
- host - host
type: object type: object

View File

@ -708,6 +708,23 @@ LDAPIdentityProvider describes the configuration of an upstream Lightweight Dire
|=== |===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderbindspec"]
==== LDAPIdentityProviderBindSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the username and password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec"]
@ -724,6 +741,9 @@ Spec for configuring an LDAP identity provider.
|=== |===
| Field | Description | Field | Description
| *`host`* __string__ | Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636. | *`host`* __string__ | Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityprovidertlsspec[$$LDAPIdentityProviderTLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host.
| *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderbindspec[$$LDAPIdentityProviderBindSpec$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
| *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchspec[$$LDAPIdentityProviderUserSearchSpec$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider.
|=== |===
@ -744,6 +764,60 @@ Status of an LDAP identity provider.
|=== |===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityprovidertlsspec"]
==== LDAPIdentityProviderTLSSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle) to trust when connecting to the LDAP provider. If omitted, a default set of system roots will be trusted.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchattributesspec"]
==== LDAPIdentityProviderUserSearchAttributesSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchspec[$$LDAPIdentityProviderUserSearchSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __string__ | Username specifies the name of attribute in the LDAP entry which whose value shall become the username of the user after a successful authentication. This would typically be the same attribute name used in the user search filter. E.g. "mail" or "uid" or "userPrincipalName".
| *`uniqueID`* __string__ | UniqueID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchspec"]
==== LDAPIdentityProviderUserSearchSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`base`* __string__ | Base is the DN that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
| *`filter`* __string__ | Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur in the filter and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Optional. When not specified, the default will act as if the Filter were specified as the value from Attributes.Username appended by "={}".
| *`attributes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearchattributesspec[$$LDAPIdentityProviderUserSearchAttributesSpec$$]__ | Attributes specifies how the user's information should be read from the LDAP entry which was found as the result of the user search.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig"]
==== OIDCAuthorizationConfig ==== OIDCAuthorizationConfig

View File

@ -28,11 +28,69 @@ type LDAPIdentityProviderStatus struct {
Phase LDAPIdentityProviderPhase `json:"phase,omitempty"` Phase LDAPIdentityProviderPhase `json:"phase,omitempty"`
} }
type LDAPIdentityProviderTLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle) to trust when connecting to the LDAP provider.
// If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
}
type LDAPIdentityProviderBindSpec struct {
// SecretName contains the name of a namespace-local Secret object that provides the username and
// password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be
// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
// should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
type LDAPIdentityProviderUserSearchAttributesSpec struct {
// Username specifies the name of attribute in the LDAP entry which whose value shall become the username
// of the user after a successful authentication. This would typically be the same attribute name used in
// the user search filter. E.g. "mail" or "uid" or "userPrincipalName".
// +kubebuilder:validation:MinLength=1
Username string `json:"username,omitempty"`
// UniqueID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely
// identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
// +kubebuilder:validation:MinLength=1
UniqueID string `json:"uniqueID,omitempty"`
}
type LDAPIdentityProviderUserSearchSpec struct {
// Base is the DN that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
// +kubebuilder:validation:MinLength=1
Base string `json:"base,omitempty"`
// Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur
// in the filter and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}"
// or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters.
// Optional. When not specified, the default will act as if the Filter were specified as the value from
// Attributes.Username appended by "={}".
// +optional
Filter string `json:"filter,omitempty"`
// Attributes specifies how the user's information should be read from the LDAP entry which was found as
// the result of the user search.
// +optional
Attributes LDAPIdentityProviderUserSearchAttributesSpec `json:"attributes,omitempty"`
}
// Spec for configuring an LDAP identity provider. // Spec for configuring an LDAP identity provider.
type LDAPIdentityProviderSpec struct { type LDAPIdentityProviderSpec struct {
// Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636. // Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Host string `json:"host"` Host string `json:"host"`
// TLS contains the connection settings for how to establish the connection to the Host.
TLS *LDAPIdentityProviderTLSSpec `json:"tls,omitempty"`
// Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server
// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
Bind LDAPIdentityProviderBindSpec `json:"bind,omitempty"`
// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
UserSearch LDAPIdentityProviderUserSearchSpec `json:"userSearch,omitempty"`
} }
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access

View File

@ -33,7 +33,7 @@ func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) {
*out = *in *out = *in
out.TypeMeta = in.TypeMeta out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec in.Spec.DeepCopyInto(&out.Spec)
out.Status = in.Status out.Status = in.Status
return return
} }
@ -56,6 +56,22 @@ func (in *LDAPIdentityProvider) DeepCopyObject() runtime.Object {
return nil return nil
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderBindSpec) DeepCopyInto(out *LDAPIdentityProviderBindSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderBindSpec.
func (in *LDAPIdentityProviderBindSpec) DeepCopy() *LDAPIdentityProviderBindSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderBindSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderList) DeepCopyInto(out *LDAPIdentityProviderList) { func (in *LDAPIdentityProviderList) DeepCopyInto(out *LDAPIdentityProviderList) {
*out = *in *out = *in
@ -92,6 +108,13 @@ func (in *LDAPIdentityProviderList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) { func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) {
*out = *in *out = *in
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(LDAPIdentityProviderTLSSpec)
**out = **in
}
out.Bind = in.Bind
out.UserSearch = in.UserSearch
return return
} }
@ -121,6 +144,55 @@ func (in *LDAPIdentityProviderStatus) DeepCopy() *LDAPIdentityProviderStatus {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderTLSSpec) DeepCopyInto(out *LDAPIdentityProviderTLSSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderTLSSpec.
func (in *LDAPIdentityProviderTLSSpec) DeepCopy() *LDAPIdentityProviderTLSSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderTLSSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderUserSearchAttributesSpec) DeepCopyInto(out *LDAPIdentityProviderUserSearchAttributesSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearchAttributesSpec.
func (in *LDAPIdentityProviderUserSearchAttributesSpec) DeepCopy() *LDAPIdentityProviderUserSearchAttributesSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderUserSearchAttributesSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderUserSearchSpec) DeepCopyInto(out *LDAPIdentityProviderUserSearchSpec) {
*out = *in
out.Attributes = in.Attributes
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearchSpec.
func (in *LDAPIdentityProviderUserSearchSpec) DeepCopy() *LDAPIdentityProviderUserSearchSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderUserSearchSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) { func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
*out = *in *out = *in

View File

@ -51,11 +51,80 @@ spec:
spec: spec:
description: Spec for configuring the identity provider. description: Spec for configuring the identity provider.
properties: properties:
bind:
description: Bind contains the configuration for how to provide access
credentials during an initial bind to the LDAP server to be allowed
to perform searches and binds to validate a user's credentials during
a user's authentication attempt.
properties:
secretName:
description: SecretName contains the name of a namespace-local
Secret object that provides the username and password for an
LDAP bind user. This account will be used to perform LDAP searches.
The Secret should be of type "kubernetes.io/basic-auth" which
includes "username" and "password" keys. The username value
should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
minLength: 1
type: string
required:
- secretName
type: object
host: host:
description: 'Host is the hostname of this LDAP identity provider, description: 'Host is the hostname of this LDAP identity provider,
i.e., where to connect. For example: ldap.example.com:636.' i.e., where to connect. For example: ldap.example.com:636.'
minLength: 1 minLength: 1
type: string type: string
tls:
description: TLS contains the connection settings for how to establish
the connection to the Host.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle)
to trust when connecting to the LDAP provider. If omitted, a
default set of system roots will be trusted.
type: string
type: object
userSearch:
description: UserSearch contains the configuration for searching for
a user by name in the LDAP provider.
properties:
attributes:
description: Attributes specifies how the user's information should
be read from the LDAP entry which was found as the result of
the user search.
properties:
uniqueID:
description: UniqueID specifies the name of the attribute
in the LDAP entry which whose value shall be used to uniquely
identify the user within this LDAP provider after a successful
authentication. E.g. "uidNumber" or "objectGUID".
minLength: 1
type: string
username:
description: Username specifies the name of attribute in the
LDAP entry which whose value shall become the username of
the user after a successful authentication. This would typically
be the same attribute name used in the user search filter.
E.g. "mail" or "uid" or "userPrincipalName".
minLength: 1
type: string
type: object
base:
description: Base is the DN that should be used as the search
base when searching for users. E.g. "ou=users,dc=example,dc=com".
minLength: 1
type: string
filter:
description: Filter is the LDAP search filter which should be
applied when searching for users. The pattern "{}" must occur
in the filter and will be dynamically replaced by the username
for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})".
For more information about LDAP filters, see https://ldap.com/ldap-filters.
Optional. When not specified, the default will act as if the
Filter were specified as the value from Attributes.Username
appended by "={}".
type: string
type: object
required: required:
- host - host
type: object type: object

View File

@ -28,11 +28,69 @@ type LDAPIdentityProviderStatus struct {
Phase LDAPIdentityProviderPhase `json:"phase,omitempty"` Phase LDAPIdentityProviderPhase `json:"phase,omitempty"`
} }
type LDAPIdentityProviderTLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle) to trust when connecting to the LDAP provider.
// If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
}
type LDAPIdentityProviderBindSpec struct {
// SecretName contains the name of a namespace-local Secret object that provides the username and
// password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be
// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
// should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
type LDAPIdentityProviderUserSearchAttributesSpec struct {
// Username specifies the name of attribute in the LDAP entry which whose value shall become the username
// of the user after a successful authentication. This would typically be the same attribute name used in
// the user search filter. E.g. "mail" or "uid" or "userPrincipalName".
// +kubebuilder:validation:MinLength=1
Username string `json:"username,omitempty"`
// UniqueID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely
// identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
// +kubebuilder:validation:MinLength=1
UniqueID string `json:"uniqueID,omitempty"`
}
type LDAPIdentityProviderUserSearchSpec struct {
// Base is the DN that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
// +kubebuilder:validation:MinLength=1
Base string `json:"base,omitempty"`
// Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur
// in the filter and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}"
// or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters.
// Optional. When not specified, the default will act as if the Filter were specified as the value from
// Attributes.Username appended by "={}".
// +optional
Filter string `json:"filter,omitempty"`
// Attributes specifies how the user's information should be read from the LDAP entry which was found as
// the result of the user search.
// +optional
Attributes LDAPIdentityProviderUserSearchAttributesSpec `json:"attributes,omitempty"`
}
// Spec for configuring an LDAP identity provider. // Spec for configuring an LDAP identity provider.
type LDAPIdentityProviderSpec struct { type LDAPIdentityProviderSpec struct {
// Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636. // Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Host string `json:"host"` Host string `json:"host"`
// TLS contains the connection settings for how to establish the connection to the Host.
TLS *LDAPIdentityProviderTLSSpec `json:"tls,omitempty"`
// Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server
// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
Bind LDAPIdentityProviderBindSpec `json:"bind,omitempty"`
// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
UserSearch LDAPIdentityProviderUserSearchSpec `json:"userSearch,omitempty"`
} }
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access

View File

@ -33,7 +33,7 @@ func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) {
*out = *in *out = *in
out.TypeMeta = in.TypeMeta out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec in.Spec.DeepCopyInto(&out.Spec)
out.Status = in.Status out.Status = in.Status
return return
} }
@ -56,6 +56,22 @@ func (in *LDAPIdentityProvider) DeepCopyObject() runtime.Object {
return nil return nil
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderBindSpec) DeepCopyInto(out *LDAPIdentityProviderBindSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderBindSpec.
func (in *LDAPIdentityProviderBindSpec) DeepCopy() *LDAPIdentityProviderBindSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderBindSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderList) DeepCopyInto(out *LDAPIdentityProviderList) { func (in *LDAPIdentityProviderList) DeepCopyInto(out *LDAPIdentityProviderList) {
*out = *in *out = *in
@ -92,6 +108,13 @@ func (in *LDAPIdentityProviderList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) { func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) {
*out = *in *out = *in
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(LDAPIdentityProviderTLSSpec)
**out = **in
}
out.Bind = in.Bind
out.UserSearch = in.UserSearch
return return
} }
@ -121,6 +144,55 @@ func (in *LDAPIdentityProviderStatus) DeepCopy() *LDAPIdentityProviderStatus {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderTLSSpec) DeepCopyInto(out *LDAPIdentityProviderTLSSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderTLSSpec.
func (in *LDAPIdentityProviderTLSSpec) DeepCopy() *LDAPIdentityProviderTLSSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderTLSSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderUserSearchAttributesSpec) DeepCopyInto(out *LDAPIdentityProviderUserSearchAttributesSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearchAttributesSpec.
func (in *LDAPIdentityProviderUserSearchAttributesSpec) DeepCopy() *LDAPIdentityProviderUserSearchAttributesSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderUserSearchAttributesSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProviderUserSearchSpec) DeepCopyInto(out *LDAPIdentityProviderUserSearchSpec) {
*out = *in
out.Attributes = in.Attributes
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearchSpec.
func (in *LDAPIdentityProviderUserSearchSpec) DeepCopy() *LDAPIdentityProviderUserSearchSpec {
if in == nil {
return nil
}
out := new(LDAPIdentityProviderUserSearchSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) { func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
*out = *in *out = *in

View File

@ -317,8 +317,7 @@ export PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS='${supervisor_custom_labels}'
export PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS="127.0.0.1:12345" export PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS="127.0.0.1:12345"
export PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS="localhost:12344" export PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS="localhost:12344"
export PINNIPED_TEST_PROXY=http://127.0.0.1:12346 export PINNIPED_TEST_PROXY=http://127.0.0.1:12346
export PINNIPED_TEST_LDAP_LDAP_URL=ldap://ldap.tools.svc.cluster.local export PINNIPED_TEST_LDAP_HOST=ldap.tools.svc.cluster.local
export PINNIPED_TEST_LDAP_LDAPS_URL=ldaps://ldap.tools.svc.cluster.local
export PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE="${test_ca_bundle_pem}" export PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE="${test_ca_bundle_pem}"
export PINNIPED_TEST_LDAP_BIND_ACCOUNT_USERNAME="cn=admin,dc=pinniped,dc=dev" export PINNIPED_TEST_LDAP_BIND_ACCOUNT_USERNAME="cn=admin,dc=pinniped,dc=dev"
export PINNIPED_TEST_LDAP_BIND_ACCOUNT_PASSWORD=password export PINNIPED_TEST_LDAP_BIND_ACCOUNT_PASSWORD=password
@ -327,6 +326,8 @@ export PINNIPED_TEST_LDAP_GROUPS_SEARCH_BASE="ou=groups,dc=pinniped,dc=dev"
export PINNIPED_TEST_LDAP_USER_DN="cn=pinny,ou=users,dc=pinniped,dc=dev" export PINNIPED_TEST_LDAP_USER_DN="cn=pinny,ou=users,dc=pinniped,dc=dev"
export PINNIPED_TEST_LDAP_USER_CN="pinny" export PINNIPED_TEST_LDAP_USER_CN="pinny"
export PINNIPED_TEST_LDAP_USER_PASSWORD=${ldap_test_password} export PINNIPED_TEST_LDAP_USER_PASSWORD=${ldap_test_password}
export PINNIPED_TEST_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME="uidNumber"
export PINNIPED_TEST_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE="1000"
export PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_NAME="mail" export PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_NAME="mail"
export PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_VALUE="pinny.ldap@example.com" export PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_VALUE="pinny.ldap@example.com"
export PINNIPED_TEST_LDAP_EXPECTED_DIRECT_GROUPS_DN="cn=ball-game-players,ou=beach-groups,ou=groups,dc=pinniped,dc=dev;cn=seals,ou=groups,dc=pinniped,dc=dev" export PINNIPED_TEST_LDAP_EXPECTED_DIRECT_GROUPS_DN="cn=ball-game-players,ou=beach-groups,ou=groups,dc=pinniped,dc=dev;cn=seals,ou=groups,dc=pinniped,dc=dev"

View File

@ -140,9 +140,7 @@ spec:
spec: spec:
containers: containers:
- name: ldap - name: ldap
#! An issue was reported and will be fixed in bitnami/openldap soon. image: docker.io/bitnami/openldap
image: ghcr.io/pinniped-ci-bot/bitnami-openldap-forked:2.4.58-debian-10-r15 #! our own fork of docker.io/bitnami/openldap
#! image: docker.io/bitnami/openldap
imagePullPolicy: Always imagePullPolicy: Always
ports: ports:
- name: ldap - name: ldap
@ -182,9 +180,6 @@ spec:
value: "/var/certs/ldap-key.pem" value: "/var/certs/ldap-key.pem"
- name: LDAP_TLS_CA_FILE - name: LDAP_TLS_CA_FILE
value: "/var/certs/ca.pem" value: "/var/certs/ca.pem"
#! This env var was added in our fork to reduce slapd memory consumption from ~700 MB to ~12 MB.
- name: LDAP_ULIMIT_MAX_FILES
value: "1024"
#! Note that the custom LDIF file is only read at pod start-up time. #! Note that the custom LDIF file is only read at pod start-up time.
- name: LDAP_CUSTOM_LDIF_DIR - name: LDAP_CUSTOM_LDIF_DIR
value: "/var/ldifs" value: "/var/ldifs"

View File

@ -190,9 +190,9 @@ func TestCLILoginOIDC(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
claims := map[string]interface{}{} claims := map[string]interface{}{}
require.NoError(t, json.Unmarshal(jws.UnsafePayloadWithoutVerification(), &claims)) require.NoError(t, json.Unmarshal(jws.UnsafePayloadWithoutVerification(), &claims))
require.Equal(t, env.CLITestUpstream.Issuer, claims["iss"]) require.Equal(t, env.CLIUpstreamOIDC.Issuer, claims["iss"])
require.Equal(t, env.CLITestUpstream.ClientID, claims["aud"]) require.Equal(t, env.CLIUpstreamOIDC.ClientID, claims["aud"])
require.Equal(t, env.CLITestUpstream.Username, claims["email"]) require.Equal(t, env.CLIUpstreamOIDC.Username, claims["email"])
require.NotEmpty(t, claims["nonce"]) require.NotEmpty(t, claims["nonce"])
// Run the CLI again with the same session cache and login parameters. // Run the CLI again with the same session cache and login parameters.
@ -211,10 +211,10 @@ func TestCLILoginOIDC(t *testing.T) {
t.Logf("overwriting cache to remove valid ID token") t.Logf("overwriting cache to remove valid ID token")
cache := filesession.New(sessionCachePath) cache := filesession.New(sessionCachePath)
cacheKey := oidcclient.SessionCacheKey{ cacheKey := oidcclient.SessionCacheKey{
Issuer: env.CLITestUpstream.Issuer, Issuer: env.CLIUpstreamOIDC.Issuer,
ClientID: env.CLITestUpstream.ClientID, ClientID: env.CLIUpstreamOIDC.ClientID,
Scopes: []string{"email", "offline_access", "openid", "profile"}, Scopes: []string{"email", "offline_access", "openid", "profile"},
RedirectURI: strings.ReplaceAll(env.CLITestUpstream.CallbackURL, "127.0.0.1", "localhost"), RedirectURI: strings.ReplaceAll(env.CLIUpstreamOIDC.CallbackURL, "127.0.0.1", "localhost"),
} }
cached := cache.GetToken(cacheKey) cached := cache.GetToken(cacheKey)
require.NotNil(t, cached) require.NotNil(t, cached)
@ -325,11 +325,11 @@ func runPinnipedLoginOIDC(
require.NoError(t, page.Navigate(loginURL)) require.NoError(t, page.Navigate(loginURL))
// Expect to be redirected to the upstream provider and log in. // Expect to be redirected to the upstream provider and log in.
browsertest.LoginToUpstream(t, page, env.CLITestUpstream) browsertest.LoginToUpstream(t, page, env.CLIUpstreamOIDC)
// Expect to be redirected to the localhost callback. // Expect to be redirected to the localhost callback.
t.Logf("waiting for redirect to callback") t.Logf("waiting for redirect to callback")
callbackURLPattern := regexp.MustCompile(`\A` + regexp.QuoteMeta(env.CLITestUpstream.CallbackURL) + `\?.+\z`) callbackURLPattern := regexp.MustCompile(`\A` + regexp.QuoteMeta(env.CLIUpstreamOIDC.CallbackURL) + `\?.+\z`)
browsertest.WaitForURL(t, page, callbackURLPattern) browsertest.WaitForURL(t, page, callbackURLPattern)
// Wait for the "pre" element that gets rendered for a `text/plain` page, and // Wait for the "pre" element that gets rendered for a `text/plain` page, and
@ -375,11 +375,11 @@ func spawnTestGoroutine(t *testing.T, f func() error) {
func oidcLoginCommand(ctx context.Context, t *testing.T, pinnipedExe string, sessionCachePath string) *exec.Cmd { func oidcLoginCommand(ctx context.Context, t *testing.T, pinnipedExe string, sessionCachePath string) *exec.Cmd {
env := library.IntegrationEnv(t) env := library.IntegrationEnv(t)
callbackURL, err := url.Parse(env.CLITestUpstream.CallbackURL) callbackURL, err := url.Parse(env.CLIUpstreamOIDC.CallbackURL)
require.NoError(t, err) require.NoError(t, err)
cmd := exec.CommandContext(ctx, pinnipedExe, "login", "oidc", cmd := exec.CommandContext(ctx, pinnipedExe, "login", "oidc",
"--issuer", env.CLITestUpstream.Issuer, "--issuer", env.CLIUpstreamOIDC.Issuer,
"--client-id", env.CLITestUpstream.ClientID, "--client-id", env.CLIUpstreamOIDC.ClientID,
"--scopes", "offline_access,openid,email,profile", "--scopes", "offline_access,openid,email,profile",
"--listen-port", callbackURL.Port(), "--listen-port", callbackURL.Port(),
"--session-cache", sessionCachePath, "--session-cache", sessionCachePath,
@ -387,9 +387,9 @@ func oidcLoginCommand(ctx context.Context, t *testing.T, pinnipedExe string, ses
) )
// If there is a custom CA bundle, pass it via --ca-bundle and a temporary file. // If there is a custom CA bundle, pass it via --ca-bundle and a temporary file.
if env.CLITestUpstream.CABundle != "" { if env.CLIUpstreamOIDC.CABundle != "" {
path := filepath.Join(testutil.TempDir(t), "test-ca.pem") path := filepath.Join(testutil.TempDir(t), "test-ca.pem")
require.NoError(t, ioutil.WriteFile(path, []byte(env.CLITestUpstream.CABundle), 0600)) require.NoError(t, ioutil.WriteFile(path, []byte(env.CLIUpstreamOIDC.CABundle), 0600))
cmd.Args = append(cmd.Args, "--ca-bundle", path) cmd.Args = append(cmd.Args, "--ca-bundle", path)
} }

View File

@ -53,7 +53,7 @@ func TestE2EFullIntegration(t *testing.T) {
page := browsertest.Open(t) page := browsertest.Open(t)
// Infer the downstream issuer URL from the callback associated with the upstream test client registration. // Infer the downstream issuer URL from the callback associated with the upstream test client registration.
issuerURL, err := url.Parse(env.SupervisorTestUpstream.CallbackURL) issuerURL, err := url.Parse(env.SupervisorUpstreamOIDC.CallbackURL)
require.NoError(t, err) require.NoError(t, err)
require.True(t, strings.HasSuffix(issuerURL.Path, "/callback")) require.True(t, strings.HasSuffix(issuerURL.Path, "/callback"))
issuerURL.Path = strings.TrimSuffix(issuerURL.Path, "/callback") issuerURL.Path = strings.TrimSuffix(issuerURL.Path, "/callback")
@ -66,7 +66,7 @@ func TestE2EFullIntegration(t *testing.T) {
// Save that bundle plus the one that signs the upstream issuer, for test purposes. // Save that bundle plus the one that signs the upstream issuer, for test purposes.
testCABundlePath := filepath.Join(tempDir, "test-ca.pem") testCABundlePath := filepath.Join(tempDir, "test-ca.pem")
testCABundlePEM := []byte(string(ca.Bundle()) + "\n" + env.SupervisorTestUpstream.CABundle) testCABundlePEM := []byte(string(ca.Bundle()) + "\n" + env.SupervisorUpstreamOIDC.CABundle)
testCABundleBase64 := base64.StdEncoding.EncodeToString(testCABundlePEM) testCABundleBase64 := base64.StdEncoding.EncodeToString(testCABundlePEM)
require.NoError(t, ioutil.WriteFile(testCABundlePath, testCABundlePEM, 0600)) require.NoError(t, ioutil.WriteFile(testCABundlePath, testCABundlePEM, 0600))
@ -94,19 +94,19 @@ func TestE2EFullIntegration(t *testing.T) {
// Create upstream OIDC provider and wait for it to become ready. // Create upstream OIDC provider and wait for it to become ready.
library.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{ library.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
Issuer: env.SupervisorTestUpstream.Issuer, Issuer: env.SupervisorUpstreamOIDC.Issuer,
TLS: &idpv1alpha1.TLSSpec{ TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorTestUpstream.CABundle)), CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
}, },
AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{ AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{
AdditionalScopes: env.SupervisorTestUpstream.AdditionalScopes, AdditionalScopes: env.SupervisorUpstreamOIDC.AdditionalScopes,
}, },
Claims: idpv1alpha1.OIDCClaims{ Claims: idpv1alpha1.OIDCClaims{
Username: env.SupervisorTestUpstream.UsernameClaim, Username: env.SupervisorUpstreamOIDC.UsernameClaim,
Groups: env.SupervisorTestUpstream.GroupsClaim, Groups: env.SupervisorUpstreamOIDC.GroupsClaim,
}, },
Client: idpv1alpha1.OIDCClient{ Client: idpv1alpha1.OIDCClient{
SecretName: library.CreateClientCredsSecret(t, env.SupervisorTestUpstream.ClientID, env.SupervisorTestUpstream.ClientSecret).Name, SecretName: library.CreateClientCredsSecret(t, env.SupervisorUpstreamOIDC.ClientID, env.SupervisorUpstreamOIDC.ClientSecret).Name,
}, },
}, idpv1alpha1.PhaseReady) }, idpv1alpha1.PhaseReady)
@ -120,10 +120,10 @@ func TestE2EFullIntegration(t *testing.T) {
// Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster. // Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster.
library.CreateTestClusterRoleBinding(t, library.CreateTestClusterRoleBinding(t,
rbacv1.Subject{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: env.SupervisorTestUpstream.Username}, rbacv1.Subject{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: env.SupervisorUpstreamOIDC.Username},
rbacv1.RoleRef{Kind: "ClusterRole", APIGroup: rbacv1.GroupName, Name: "view"}, rbacv1.RoleRef{Kind: "ClusterRole", APIGroup: rbacv1.GroupName, Name: "view"},
) )
library.WaitForUserToHaveAccess(t, env.SupervisorTestUpstream.Username, []string{}, &authorizationv1.ResourceAttributes{ library.WaitForUserToHaveAccess(t, env.SupervisorUpstreamOIDC.Username, []string{}, &authorizationv1.ResourceAttributes{
Verb: "get", Verb: "get",
Group: "", Group: "",
Version: "v1", Version: "v1",
@ -240,7 +240,7 @@ func TestE2EFullIntegration(t *testing.T) {
require.NoError(t, page.Navigate(loginURL)) require.NoError(t, page.Navigate(loginURL))
// Expect to be redirected to the upstream provider and log in. // Expect to be redirected to the upstream provider and log in.
browsertest.LoginToUpstream(t, page, env.SupervisorTestUpstream) browsertest.LoginToUpstream(t, page, env.SupervisorUpstreamOIDC)
// Expect to be redirected to the localhost callback. // Expect to be redirected to the localhost callback.
t.Logf("waiting for redirect to callback") t.Logf("waiting for redirect to callback")
@ -290,11 +290,11 @@ func TestE2EFullIntegration(t *testing.T) {
require.NotNil(t, token) require.NotNil(t, token)
idTokenClaims := token.IDToken.Claims idTokenClaims := token.IDToken.Claims
require.Equal(t, env.SupervisorTestUpstream.Username, idTokenClaims[oidc.DownstreamUsernameClaim]) require.Equal(t, env.SupervisorUpstreamOIDC.Username, idTokenClaims[oidc.DownstreamUsernameClaim])
// The groups claim in the file ends up as an []interface{}, so adjust our expectation to match. // The groups claim in the file ends up as an []interface{}, so adjust our expectation to match.
expectedGroups := make([]interface{}, 0, len(env.SupervisorTestUpstream.ExpectedGroups)) expectedGroups := make([]interface{}, 0, len(env.SupervisorUpstreamOIDC.ExpectedGroups))
for _, g := range env.SupervisorTestUpstream.ExpectedGroups { for _, g := range env.SupervisorUpstreamOIDC.ExpectedGroups {
expectedGroups = append(expectedGroups, g) expectedGroups = append(expectedGroups, g)
} }
require.Equal(t, expectedGroups, idTokenClaims[oidc.DownstreamGroupsClaim]) require.Equal(t, expectedGroups, idTokenClaims[oidc.DownstreamGroupsClaim])
@ -302,7 +302,7 @@ func TestE2EFullIntegration(t *testing.T) {
// confirm we are the right user according to Kube // confirm we are the right user according to Kube
expectedYAMLGroups := func() string { expectedYAMLGroups := func() string {
var b strings.Builder var b strings.Builder
for _, g := range env.SupervisorTestUpstream.ExpectedGroups { for _, g := range env.SupervisorUpstreamOIDC.ExpectedGroups {
b.WriteString("\n") b.WriteString("\n")
b.WriteString(` - `) b.WriteString(` - `)
b.WriteString(g) b.WriteString(g)
@ -328,7 +328,7 @@ status:
user: user:
groups:`+expectedYAMLGroups+` groups:`+expectedYAMLGroups+`
- system:authenticated - system:authenticated
username: `+env.SupervisorTestUpstream.Username+` username: `+env.SupervisorUpstreamOIDC.Username+`
`, `,
string(kubectlOutput3)) string(kubectlOutput3))
@ -339,7 +339,7 @@ status:
true, true,
pinnipedExe, pinnipedExe,
kubeconfigPath, kubeconfigPath,
env.SupervisorTestUpstream.Username, env.SupervisorUpstreamOIDC.Username,
append(env.SupervisorTestUpstream.ExpectedGroups, "system:authenticated"), append(env.SupervisorUpstreamOIDC.ExpectedGroups, "system:authenticated"),
) )
} }

View File

@ -9,6 +9,7 @@ import (
"encoding/base64" "encoding/base64"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"net/url" "net/url"
@ -36,43 +37,89 @@ import (
) )
func TestSupervisorLogin(t *testing.T) { func TestSupervisorLogin(t *testing.T) {
env := library.IntegrationEnv(t)
tests := []struct { tests := []struct {
name string name string
createIDP func(t *testing.T) createIDP func(t *testing.T)
requestAuthorization func(t *testing.T, downstreamAuthorizeURL, downstreamCallbackURL string) requestAuthorization func(t *testing.T, downstreamAuthorizeURL, downstreamCallbackURL string, httpClient *http.Client)
wantDownstreamIDTokenSubjectToMatch string
wantDownstreamIDTokenUsernameToMatch string
}{ }{
{ {
name: "oidc", name: "oidc",
createIDP: func(t *testing.T) { createIDP: func(t *testing.T) {
t.Helper() t.Helper()
env := library.IntegrationEnv(t)
library.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{ library.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
Issuer: env.SupervisorTestUpstream.Issuer, Issuer: env.SupervisorUpstreamOIDC.Issuer,
TLS: &idpv1alpha1.TLSSpec{ TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorTestUpstream.CABundle)), CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
}, },
Client: idpv1alpha1.OIDCClient{ Client: idpv1alpha1.OIDCClient{
SecretName: library.CreateClientCredsSecret(t, env.SupervisorTestUpstream.ClientID, env.SupervisorTestUpstream.ClientSecret).Name, SecretName: library.CreateClientCredsSecret(t, env.SupervisorUpstreamOIDC.ClientID, env.SupervisorUpstreamOIDC.ClientSecret).Name,
}, },
}, idpv1alpha1.PhaseReady) }, idpv1alpha1.PhaseReady)
}, },
requestAuthorization: requestAuthorizationUsingOIDCIdentityProvider, requestAuthorization: requestAuthorizationUsingOIDCIdentityProvider,
// the ID token Subject should include the upstream user ID after the upstream issuer name
wantDownstreamIDTokenSubjectToMatch: regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+",
// the ID token Username should include the upstream user ID after the upstream issuer name
wantDownstreamIDTokenUsernameToMatch: regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+",
}, },
// TODO add more variations of this LDAP test to try using different user search filters and attributes
{ {
name: "ldap", name: "ldap",
createIDP: func(t *testing.T) { createIDP: func(t *testing.T) {
t.Helper() t.Helper()
secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth,
map[string]string{
v1.BasicAuthUsernameKey: env.SupervisorUpstreamLDAP.BindUsername,
v1.BasicAuthPasswordKey: env.SupervisorUpstreamLDAP.BindPassword,
},
)
library.CreateTestLDAPIdentityProvider(t, idpv1alpha1.LDAPIdentityProviderSpec{ library.CreateTestLDAPIdentityProvider(t, idpv1alpha1.LDAPIdentityProviderSpec{
Host: "something", Host: env.SupervisorUpstreamLDAP.Host,
}, "") // TODO: this should be Ready! TLS: &idpv1alpha1.LDAPIdentityProviderTLSSpec{
CertificateAuthorityData: env.SupervisorUpstreamLDAP.CABundle,
},
Bind: idpv1alpha1.LDAPIdentityProviderBindSpec{
SecretName: secret.Name,
},
UserSearch: idpv1alpha1.LDAPIdentityProviderUserSearchSpec{
Base: env.SupervisorUpstreamLDAP.UserSearchBase,
Filter: "",
Attributes: idpv1alpha1.LDAPIdentityProviderUserSearchAttributesSpec{
Username: env.SupervisorUpstreamLDAP.TestUserMailAttributeName,
UniqueID: env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeName,
},
},
}, "") // TODO: this should be idpv1alpha1.LDAPPhaseReady once we have a controller
}, },
requestAuthorization: requestAuthorizationUsingLDAPIdentityProvider, requestAuthorization: func(t *testing.T, downstreamAuthorizeURL, _ string, httpClient *http.Client) {
requestAuthorizationUsingLDAPIdentityProvider(t,
downstreamAuthorizeURL,
env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login
env.SupervisorUpstreamLDAP.TestUserPassword, // password to present to server during login
httpClient,
)
},
// the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute
wantDownstreamIDTokenSubjectToMatch: regexp.QuoteMeta(
"ldaps://" + env.SupervisorUpstreamLDAP.Host + "?sub=" + env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue,
),
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
wantDownstreamIDTokenUsernameToMatch: regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue),
}, },
} }
for _, test := range tests { for _, test := range tests {
test := test test := test
t.Run(test.name, func(t *testing.T) { t.Run(test.name, func(t *testing.T) {
testSupervisorLogin(t, test.createIDP, test.requestAuthorization) testSupervisorLogin(t,
test.createIDP,
test.requestAuthorization,
test.wantDownstreamIDTokenSubjectToMatch,
test.wantDownstreamIDTokenUsernameToMatch,
)
}) })
} }
} }
@ -80,7 +127,8 @@ func TestSupervisorLogin(t *testing.T) {
func testSupervisorLogin( func testSupervisorLogin(
t *testing.T, t *testing.T,
createIDP func(t *testing.T), createIDP func(t *testing.T),
requestAuthorization func(t *testing.T, downstreamAuthorizeURL, downstreamCallbackURL string), requestAuthorization func(t *testing.T, downstreamAuthorizeURL, downstreamCallbackURL string, httpClient *http.Client),
wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch string,
) { ) {
env := library.IntegrationEnv(t) env := library.IntegrationEnv(t)
@ -88,7 +136,7 @@ func testSupervisorLogin(
defer cancel() defer cancel()
// Infer the downstream issuer URL from the callback associated with the upstream test client registration. // Infer the downstream issuer URL from the callback associated with the upstream test client registration.
issuerURL, err := url.Parse(env.SupervisorTestUpstream.CallbackURL) issuerURL, err := url.Parse(env.SupervisorUpstreamOIDC.CallbackURL)
require.NoError(t, err) require.NoError(t, err)
require.True(t, strings.HasSuffix(issuerURL.Path, "/callback")) require.True(t, strings.HasSuffix(issuerURL.Path, "/callback"))
issuerURL.Path = strings.TrimSuffix(issuerURL.Path, "/callback") issuerURL.Path = strings.TrimSuffix(issuerURL.Path, "/callback")
@ -201,7 +249,7 @@ func testSupervisorLogin(
pkceParam.Method(), pkceParam.Method(),
) )
// Make the authorize request one "manually" so we can check its response headers. // Make the authorize request once "manually" so we can check its response security headers.
authorizeRequest, err := http.NewRequestWithContext(ctx, http.MethodGet, downstreamAuthorizeURL, nil) authorizeRequest, err := http.NewRequestWithContext(ctx, http.MethodGet, downstreamAuthorizeURL, nil)
require.NoError(t, err) require.NoError(t, err)
authorizeResp, err := httpClient.Do(authorizeRequest) authorizeResp, err := httpClient.Do(authorizeRequest)
@ -210,7 +258,7 @@ func testSupervisorLogin(
expectSecurityHeaders(t, authorizeResp) expectSecurityHeaders(t, authorizeResp)
// Perform parameterized auth code acquisition. // Perform parameterized auth code acquisition.
requestAuthorization(t, downstreamAuthorizeURL, localCallbackServer.URL) requestAuthorization(t, downstreamAuthorizeURL, localCallbackServer.URL, httpClient)
// Expect that our callback handler was invoked. // Expect that our callback handler was invoked.
callback := localCallbackServer.waitForCallback(10 * time.Second) callback := localCallbackServer.waitForCallback(10 * time.Second)
@ -225,7 +273,9 @@ func testSupervisorLogin(
require.NoError(t, err) require.NoError(t, err)
expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat", "username", "groups"} expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat", "username", "groups"}
verifyTokenResponse(t, tokenResponse, discovery, downstreamOAuth2Config, env.SupervisorTestUpstream.Issuer, nonceParam, expectedIDTokenClaims) verifyTokenResponse(t,
tokenResponse, discovery, downstreamOAuth2Config, nonceParam,
expectedIDTokenClaims, wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch)
// token exchange on the original token // token exchange on the original token
doTokenExchange(t, &downstreamOAuth2Config, tokenResponse, httpClient, discovery) doTokenExchange(t, &downstreamOAuth2Config, tokenResponse, httpClient, discovery)
@ -236,7 +286,9 @@ func testSupervisorLogin(
require.NoError(t, err) require.NoError(t, err)
expectedIDTokenClaims = append(expectedIDTokenClaims, "at_hash") expectedIDTokenClaims = append(expectedIDTokenClaims, "at_hash")
verifyTokenResponse(t, refreshedTokenResponse, discovery, downstreamOAuth2Config, env.SupervisorTestUpstream.Issuer, "", expectedIDTokenClaims) verifyTokenResponse(t,
refreshedTokenResponse, discovery, downstreamOAuth2Config, "",
expectedIDTokenClaims, wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch)
require.NotEqual(t, tokenResponse.AccessToken, refreshedTokenResponse.AccessToken) require.NotEqual(t, tokenResponse.AccessToken, refreshedTokenResponse.AccessToken)
require.NotEqual(t, tokenResponse.RefreshToken, refreshedTokenResponse.RefreshToken) require.NotEqual(t, tokenResponse.RefreshToken, refreshedTokenResponse.RefreshToken)
@ -251,9 +303,9 @@ func verifyTokenResponse(
tokenResponse *oauth2.Token, tokenResponse *oauth2.Token,
discovery *coreosoidc.Provider, discovery *coreosoidc.Provider,
downstreamOAuth2Config oauth2.Config, downstreamOAuth2Config oauth2.Config,
upstreamIssuerName string,
nonceParam nonce.Nonce, nonceParam nonce.Nonce,
expectedIDTokenClaims []string, expectedIDTokenClaims []string,
wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch string,
) { ) {
ctx, cancel := context.WithTimeout(context.Background(), time.Minute) ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
defer cancel() defer cancel()
@ -265,14 +317,17 @@ func verifyTokenResponse(
idToken, err := verifier.Verify(ctx, rawIDToken) idToken, err := verifier.Verify(ctx, rawIDToken)
require.NoError(t, err) require.NoError(t, err)
// Check the claims of the ID token. // Check the sub claim of the ID token.
expectedSubjectPrefix := upstreamIssuerName + "?sub=" require.Regexp(t, wantDownstreamIDTokenSubjectToMatch, idToken.Subject)
require.True(t, strings.HasPrefix(idToken.Subject, expectedSubjectPrefix))
require.Greater(t, len(idToken.Subject), len(expectedSubjectPrefix), // Check the nonce claim of the ID token.
"the ID token Subject should include the upstream user ID after the upstream issuer name")
require.NoError(t, nonceParam.Validate(idToken)) require.NoError(t, nonceParam.Validate(idToken))
// Check the exp claim of the ID token.
expectedIDTokenLifetime := oidc.DefaultOIDCTimeoutsConfiguration().IDTokenLifespan expectedIDTokenLifetime := oidc.DefaultOIDCTimeoutsConfiguration().IDTokenLifespan
testutil.RequireTimeInDelta(t, time.Now().UTC().Add(expectedIDTokenLifetime), idToken.Expiry, time.Second*30) testutil.RequireTimeInDelta(t, time.Now().UTC().Add(expectedIDTokenLifetime), idToken.Expiry, time.Second*30)
// Check the full list of claim names of the ID token.
idTokenClaims := map[string]interface{}{} idTokenClaims := map[string]interface{}{}
err = idToken.Claims(&idTokenClaims) err = idToken.Claims(&idTokenClaims)
require.NoError(t, err) require.NoError(t, err)
@ -281,10 +336,9 @@ func verifyTokenResponse(
idTokenClaimNames = append(idTokenClaimNames, k) idTokenClaimNames = append(idTokenClaimNames, k)
} }
require.ElementsMatch(t, expectedIDTokenClaims, idTokenClaimNames) require.ElementsMatch(t, expectedIDTokenClaims, idTokenClaimNames)
expectedUsernamePrefix := upstreamIssuerName + "?sub="
require.True(t, strings.HasPrefix(idTokenClaims["username"].(string), expectedUsernamePrefix)) // Check username claim of the ID token.
require.Greater(t, len(idTokenClaims["username"].(string)), len(expectedUsernamePrefix), require.Regexp(t, wantDownstreamIDTokenUsernameToMatch, idTokenClaims["username"].(string))
"the ID token Username should include the upstream user ID after the upstream issuer name")
// Some light verification of the other tokens that were returned. // Some light verification of the other tokens that were returned.
require.NotEmpty(t, tokenResponse.AccessToken) require.NotEmpty(t, tokenResponse.AccessToken)
@ -296,7 +350,7 @@ func verifyTokenResponse(
require.NotEmpty(t, tokenResponse.RefreshToken) require.NotEmpty(t, tokenResponse.RefreshToken)
} }
func requestAuthorizationUsingOIDCIdentityProvider(t *testing.T, downstreamAuthorizeURL, downstreamCallbackURL string) { func requestAuthorizationUsingOIDCIdentityProvider(t *testing.T, downstreamAuthorizeURL, downstreamCallbackURL string, _ *http.Client) {
t.Helper() t.Helper()
env := library.IntegrationEnv(t) env := library.IntegrationEnv(t)
@ -306,7 +360,7 @@ func requestAuthorizationUsingOIDCIdentityProvider(t *testing.T, downstreamAutho
require.NoError(t, page.Navigate(downstreamAuthorizeURL)) require.NoError(t, page.Navigate(downstreamAuthorizeURL))
// Expect to be redirected to the upstream provider and log in. // Expect to be redirected to the upstream provider and log in.
browsertest.LoginToUpstream(t, page, env.SupervisorTestUpstream) browsertest.LoginToUpstream(t, page, env.SupervisorUpstreamOIDC)
// Wait for the login to happen and us be redirected back to a localhost callback. // Wait for the login to happen and us be redirected back to a localhost callback.
t.Logf("waiting for redirect to callback") t.Logf("waiting for redirect to callback")
@ -314,9 +368,29 @@ func requestAuthorizationUsingOIDCIdentityProvider(t *testing.T, downstreamAutho
browsertest.WaitForURL(t, page, callbackURLPattern) browsertest.WaitForURL(t, page, callbackURLPattern)
} }
func requestAuthorizationUsingLDAPIdentityProvider(t *testing.T, downstreamAuthorizeURL, downstreamCallbackURL string) { func requestAuthorizationUsingLDAPIdentityProvider(t *testing.T, downstreamAuthorizeURL, upstreamUsername, upstreamPassword string, httpClient *http.Client) {
t.Helper() t.Helper()
t.Skip("implement me!")
ctx, cancelFunc := context.WithTimeout(context.Background(), time.Minute)
defer cancelFunc()
authRequest, err := http.NewRequestWithContext(ctx, http.MethodGet, downstreamAuthorizeURL, nil)
require.NoError(t, err)
// Set the custom username/password headers for the LDAP authorize request.
authRequest.Header.Set("X-Pinniped-Upstream-Username", upstreamUsername)
authRequest.Header.Set("X-Pinniped-Upstream-Password", upstreamPassword)
// The authorize request is supposed to redirect to this test's callback handler, which in turn is supposed to return 200 OK.
authResponse, err := httpClient.Do(authRequest)
require.NoError(t, err)
responseBody, err := ioutil.ReadAll(authResponse.Body)
defer authResponse.Body.Close()
require.NoError(t, err)
t.Skip("The rest of this test will not work until we implement the corresponding production code.") // TODO remove this skip
require.Equalf(t, http.StatusOK, authResponse.StatusCode, "response body was: %s", string(responseBody))
} }
func startLocalCallbackServer(t *testing.T) *localCallbackServer { func startLocalCallbackServer(t *testing.T) *localCallbackServer {

View File

@ -45,9 +45,9 @@ func TestSupervisorUpstreamOIDCDiscovery(t *testing.T) {
t.Run("valid", func(t *testing.T) { t.Run("valid", func(t *testing.T) {
t.Parallel() t.Parallel()
spec := v1alpha1.OIDCIdentityProviderSpec{ spec := v1alpha1.OIDCIdentityProviderSpec{
Issuer: env.SupervisorTestUpstream.Issuer, Issuer: env.SupervisorUpstreamOIDC.Issuer,
TLS: &v1alpha1.TLSSpec{ TLS: &v1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorTestUpstream.CABundle)), CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
}, },
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{ AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
AdditionalScopes: []string{"email", "profile"}, AdditionalScopes: []string{"email", "profile"},

View File

@ -190,13 +190,13 @@ func CreateTestWebhookAuthenticator(ctx context.Context, t *testing.T) corev1.Ty
// test's lifetime. It returns a corev1.TypedLocalObjectReference which describes the test JWT // test's lifetime. It returns a corev1.TypedLocalObjectReference which describes the test JWT
// authenticator within the test namespace. // authenticator within the test namespace.
// //
// CreateTestJWTAuthenticatorForCLIUpstream gets the OIDC issuer info from IntegrationEnv().CLITestUpstream. // CreateTestJWTAuthenticatorForCLIUpstream gets the OIDC issuer info from IntegrationEnv().CLIUpstreamOIDC.
func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference { func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
t.Helper() t.Helper()
testEnv := IntegrationEnv(t) testEnv := IntegrationEnv(t)
spec := auth1alpha1.JWTAuthenticatorSpec{ spec := auth1alpha1.JWTAuthenticatorSpec{
Issuer: testEnv.CLITestUpstream.Issuer, Issuer: testEnv.CLIUpstreamOIDC.Issuer,
Audience: testEnv.CLITestUpstream.ClientID, Audience: testEnv.CLIUpstreamOIDC.ClientID,
// The default UsernameClaim is "username" but the upstreams that we use for // The default UsernameClaim is "username" but the upstreams that we use for
// integration tests won't necessarily have that claim, so use "sub" here. // integration tests won't necessarily have that claim, so use "sub" here.
Claims: auth1alpha1.JWTTokenClaims{Username: "sub"}, Claims: auth1alpha1.JWTTokenClaims{Username: "sub"},
@ -204,9 +204,9 @@ func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T)
// If the test upstream does not have a CA bundle specified, then don't configure one in the // If the test upstream does not have a CA bundle specified, then don't configure one in the
// JWTAuthenticator. Leaving TLSSpec set to nil will result in OIDC discovery using the OS's root // JWTAuthenticator. Leaving TLSSpec set to nil will result in OIDC discovery using the OS's root
// CA store. // CA store.
if testEnv.CLITestUpstream.CABundle != "" { if testEnv.CLIUpstreamOIDC.CABundle != "" {
spec.TLS = &auth1alpha1.TLSSpec{ spec.TLS = &auth1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(testEnv.CLITestUpstream.CABundle)), CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(testEnv.CLIUpstreamOIDC.CABundle)),
} }
} }
return CreateTestJWTAuthenticator(ctx, t, spec) return CreateTestJWTAuthenticator(ctx, t, spec)
@ -250,8 +250,7 @@ func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T, spec auth1alp
// CreateTestFederationDomain creates and returns a test FederationDomain in // CreateTestFederationDomain creates and returns a test FederationDomain in
// $PINNIPED_TEST_SUPERVISOR_NAMESPACE, which will be automatically deleted at the end of the // $PINNIPED_TEST_SUPERVISOR_NAMESPACE, which will be automatically deleted at the end of the
// current test's lifetime. It generates a random, valid, issuer for the FederationDomain. // current test's lifetime.
//
// If the provided issuer is not the empty string, then it will be used for the // If the provided issuer is not the empty string, then it will be used for the
// FederationDomain.Spec.Issuer field. Else, a random issuer will be generated. // FederationDomain.Spec.Issuer field. Else, a random issuer will be generated.
func CreateTestFederationDomain(ctx context.Context, t *testing.T, issuer string, certSecretName string, expectStatus configv1alpha1.FederationDomainStatusCondition) *configv1alpha1.FederationDomain { func CreateTestFederationDomain(ctx context.Context, t *testing.T, issuer string, certSecretName string, expectStatus configv1alpha1.FederationDomainStatusCondition) *configv1alpha1.FederationDomain {

View File

@ -49,8 +49,9 @@ type TestEnv struct {
ExpectedGroups []string `json:"expectedGroups"` ExpectedGroups []string `json:"expectedGroups"`
} `json:"testUser"` } `json:"testUser"`
CLITestUpstream TestOIDCUpstream `json:"cliOIDCUpstream"` CLIUpstreamOIDC TestOIDCUpstream `json:"cliOIDCUpstream"`
SupervisorTestUpstream TestOIDCUpstream `json:"supervisorOIDCUpstream"` SupervisorUpstreamOIDC TestOIDCUpstream `json:"supervisorOIDCUpstream"`
SupervisorUpstreamLDAP TestLDAPUpstream `json:"supervisorLDAPUpstream"`
} }
type TestOIDCUpstream struct { type TestOIDCUpstream struct {
@ -67,6 +68,21 @@ type TestOIDCUpstream struct {
ExpectedGroups []string `json:"expectedGroups"` ExpectedGroups []string `json:"expectedGroups"`
} }
type TestLDAPUpstream struct {
Host string `json:"host"`
CABundle string `json:"caBundle"`
BindUsername string `json:"bindUsername"`
BindPassword string `json:"bindPassword"`
UserSearchBase string `json:"userSearchBase"`
TestUserDN string `json:"testUserDN"`
TestUserCN string `json:"testUserCN"`
TestUserPassword string `json:"testUserPassword"`
TestUserMailAttributeName string `json:"testUserMailAttributeName"`
TestUserMailAttributeValue string `json:"testUserMailAttributeValue"`
TestUserUniqueIDAttributeName string `json:"testUserUniqueIDAttributeName"`
TestUserUniqueIDAttributeValue string `json:"testUserUniqueIDAttributeValue"`
}
// ProxyEnv returns a set of environment variable strings (e.g., to combine with os.Environ()) which set up the configured test HTTP proxy. // ProxyEnv returns a set of environment variable strings (e.g., to combine with os.Environ()) which set up the configured test HTTP proxy.
func (e *TestEnv) ProxyEnv() []string { func (e *TestEnv) ProxyEnv() []string {
if e.Proxy == "" { if e.Proxy == "" {
@ -180,7 +196,7 @@ func loadEnvVars(t *testing.T, result *TestEnv) {
result.Proxy = os.Getenv("PINNIPED_TEST_PROXY") result.Proxy = os.Getenv("PINNIPED_TEST_PROXY")
result.APIGroupSuffix = wantEnv("PINNIPED_TEST_API_GROUP_SUFFIX", "pinniped.dev") result.APIGroupSuffix = wantEnv("PINNIPED_TEST_API_GROUP_SUFFIX", "pinniped.dev")
result.CLITestUpstream = TestOIDCUpstream{ result.CLIUpstreamOIDC = TestOIDCUpstream{
Issuer: needEnv(t, "PINNIPED_TEST_CLI_OIDC_ISSUER"), Issuer: needEnv(t, "PINNIPED_TEST_CLI_OIDC_ISSUER"),
CABundle: os.Getenv("PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE"), CABundle: os.Getenv("PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE"),
ClientID: needEnv(t, "PINNIPED_TEST_CLI_OIDC_CLIENT_ID"), ClientID: needEnv(t, "PINNIPED_TEST_CLI_OIDC_CLIENT_ID"),
@ -189,7 +205,7 @@ func loadEnvVars(t *testing.T, result *TestEnv) {
Password: needEnv(t, "PINNIPED_TEST_CLI_OIDC_PASSWORD"), Password: needEnv(t, "PINNIPED_TEST_CLI_OIDC_PASSWORD"),
} }
result.SupervisorTestUpstream = TestOIDCUpstream{ result.SupervisorUpstreamOIDC = TestOIDCUpstream{
Issuer: needEnv(t, "PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER"), Issuer: needEnv(t, "PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER"),
CABundle: os.Getenv("PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER_CA_BUNDLE"), CABundle: os.Getenv("PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER_CA_BUNDLE"),
AdditionalScopes: strings.Fields(os.Getenv("PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ADDITIONAL_SCOPES")), AdditionalScopes: strings.Fields(os.Getenv("PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ADDITIONAL_SCOPES")),
@ -202,6 +218,21 @@ func loadEnvVars(t *testing.T, result *TestEnv) {
Password: needEnv(t, "PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD"), Password: needEnv(t, "PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD"),
ExpectedGroups: filterEmpty(strings.Split(strings.ReplaceAll(os.Getenv("PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_EXPECTED_GROUPS"), " ", ""), ",")), ExpectedGroups: filterEmpty(strings.Split(strings.ReplaceAll(os.Getenv("PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_EXPECTED_GROUPS"), " ", ""), ",")),
} }
result.SupervisorUpstreamLDAP = TestLDAPUpstream{
Host: needEnv(t, "PINNIPED_TEST_LDAP_HOST"),
CABundle: needEnv(t, "PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE"),
BindUsername: needEnv(t, "PINNIPED_TEST_LDAP_BIND_ACCOUNT_USERNAME"),
BindPassword: needEnv(t, "PINNIPED_TEST_LDAP_BIND_ACCOUNT_PASSWORD"),
UserSearchBase: needEnv(t, "PINNIPED_TEST_LDAP_USERS_SEARCH_BASE"),
TestUserDN: needEnv(t, "PINNIPED_TEST_LDAP_USER_DN"),
TestUserCN: needEnv(t, "PINNIPED_TEST_LDAP_USER_CN"),
TestUserUniqueIDAttributeName: needEnv(t, "PINNIPED_TEST_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME"),
TestUserUniqueIDAttributeValue: needEnv(t, "PINNIPED_TEST_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE"),
TestUserMailAttributeName: needEnv(t, "PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_NAME"),
TestUserMailAttributeValue: needEnv(t, "PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_VALUE"),
TestUserPassword: needEnv(t, "PINNIPED_TEST_LDAP_USER_PASSWORD"),
}
} }
func (e *TestEnv) HasCapability(cap Capability) bool { func (e *TestEnv) HasCapability(cap Capability) bool {