Merge branch 'main' into typed-secrets
commit
3a4405659e
@ -15,7 +15,6 @@ COPY generated ./generated
|
||||
COPY cmd ./cmd
|
||||
COPY pkg ./pkg
|
||||
COPY internal ./internal
|
||||
COPY tools ./tools
|
||||
COPY hack ./hack
|
||||
|
||||
# Build the executable binary (CGO_ENABLED=0 means static linking)
|
||||
|
@ -8,11 +8,7 @@ import (
|
||||
)
|
||||
|
||||
//nolint: gochecknoglobals
|
||||
var getCmd = &cobra.Command{
|
||||
Use: "get",
|
||||
Short: "get",
|
||||
SilenceUsage: true, // do not print usage message when commands fail
|
||||
}
|
||||
var getCmd = &cobra.Command{Use: "get", Short: "get"}
|
||||
|
||||
//nolint: gochecknoinits
|
||||
func init() {
|
||||
|
@ -81,7 +81,7 @@ func TestGetKubeconfig(t *testing.T) {
|
||||
args: []string{},
|
||||
getPathToSelfErr: fmt.Errorf("some OS error"),
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: could not determine the Pinniped executable path: some OS error
|
||||
`),
|
||||
},
|
||||
@ -91,7 +91,7 @@ func TestGetKubeconfig(t *testing.T) {
|
||||
"--oidc-ca-bundle", "./does/not/exist",
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: could not read --oidc-ca-bundle: open ./does/not/exist: no such file or directory
|
||||
`),
|
||||
},
|
||||
@ -101,7 +101,7 @@ func TestGetKubeconfig(t *testing.T) {
|
||||
"--kubeconfig", "./does/not/exist",
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: could not load --kubeconfig: stat ./does/not/exist: no such file or directory
|
||||
`),
|
||||
},
|
||||
@ -112,7 +112,7 @@ func TestGetKubeconfig(t *testing.T) {
|
||||
"--kubeconfig-context", "invalid",
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: could not load --kubeconfig/--kubeconfig-context: no such context "invalid"
|
||||
`),
|
||||
},
|
||||
@ -123,7 +123,7 @@ func TestGetKubeconfig(t *testing.T) {
|
||||
},
|
||||
getClientsetErr: fmt.Errorf("some kube error"),
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: could not configure Kubernetes client: some kube error
|
||||
`),
|
||||
},
|
||||
@ -135,7 +135,7 @@ func TestGetKubeconfig(t *testing.T) {
|
||||
"--concierge-authenticator-name", "test-authenticator",
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: webhookauthenticators.authentication.concierge.pinniped.dev "test-authenticator" not found
|
||||
`),
|
||||
},
|
||||
@ -147,7 +147,7 @@ func TestGetKubeconfig(t *testing.T) {
|
||||
"--concierge-authenticator-name", "test-authenticator",
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: jwtauthenticators.authentication.concierge.pinniped.dev "test-authenticator" not found
|
||||
`),
|
||||
},
|
||||
@ -159,7 +159,7 @@ func TestGetKubeconfig(t *testing.T) {
|
||||
"--concierge-authenticator-name", "test-authenticator",
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: invalid authenticator type "invalid", supported values are "webhook" and "jwt"
|
||||
`),
|
||||
},
|
||||
@ -178,7 +178,7 @@ func TestGetKubeconfig(t *testing.T) {
|
||||
},
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: failed to list JWTAuthenticator objects for autodiscovery: some list error
|
||||
`),
|
||||
},
|
||||
@ -197,7 +197,7 @@ func TestGetKubeconfig(t *testing.T) {
|
||||
},
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: failed to list WebhookAuthenticator objects for autodiscovery: some list error
|
||||
`),
|
||||
},
|
||||
@ -207,7 +207,7 @@ func TestGetKubeconfig(t *testing.T) {
|
||||
"--kubeconfig", "./testdata/kubeconfig.yaml",
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: no authenticators were found in namespace "pinniped-concierge" (try setting --concierge-namespace)
|
||||
`),
|
||||
},
|
||||
@ -224,7 +224,7 @@ func TestGetKubeconfig(t *testing.T) {
|
||||
&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-4", Namespace: "test-namespace"}},
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: multiple authenticators were found in namespace "test-namespace", so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified
|
||||
`),
|
||||
},
|
||||
@ -238,7 +238,7 @@ func TestGetKubeconfig(t *testing.T) {
|
||||
&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}},
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: could not autodiscover --oidc-issuer, and none was provided
|
||||
`),
|
||||
},
|
||||
@ -259,7 +259,7 @@ func TestGetKubeconfig(t *testing.T) {
|
||||
},
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-namespace/test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7
|
||||
`),
|
||||
},
|
||||
@ -275,7 +275,7 @@ func TestGetKubeconfig(t *testing.T) {
|
||||
&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}},
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: only one of --static-token and --static-token-env can be specified
|
||||
`),
|
||||
},
|
||||
|
@ -79,7 +79,7 @@ func TestLoginOIDCCommand(t *testing.T) {
|
||||
name: "missing required flags",
|
||||
args: []string{},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: required flag(s) "issuer" not set
|
||||
`),
|
||||
},
|
||||
@ -91,7 +91,7 @@ func TestLoginOIDCCommand(t *testing.T) {
|
||||
"--enable-concierge",
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: invalid concierge parameters: endpoint must not be empty
|
||||
`),
|
||||
},
|
||||
@ -103,7 +103,7 @@ func TestLoginOIDCCommand(t *testing.T) {
|
||||
"--ca-bundle", "./does/not/exist",
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: could not read --ca-bundle: open ./does/not/exist: no such file or directory
|
||||
`),
|
||||
},
|
||||
@ -115,7 +115,7 @@ func TestLoginOIDCCommand(t *testing.T) {
|
||||
"--ca-bundle-data", "invalid-base64",
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: could not read --ca-bundle-data: illegal base64 data at input byte 7
|
||||
`),
|
||||
},
|
||||
@ -128,7 +128,7 @@ func TestLoginOIDCCommand(t *testing.T) {
|
||||
loginErr: fmt.Errorf("some login error"),
|
||||
wantOptionsCount: 3,
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: could not complete Pinniped login: some login error
|
||||
`),
|
||||
},
|
||||
@ -145,7 +145,7 @@ func TestLoginOIDCCommand(t *testing.T) {
|
||||
conciergeErr: fmt.Errorf("some concierge error"),
|
||||
wantOptionsCount: 3,
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: could not complete concierge credential exchange: some concierge error
|
||||
`),
|
||||
},
|
||||
|
@ -66,7 +66,7 @@ func TestLoginStaticCommand(t *testing.T) {
|
||||
name: "missing required flags",
|
||||
args: []string{},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: one of --token or --token-env must be set
|
||||
`),
|
||||
},
|
||||
@ -77,7 +77,7 @@ func TestLoginStaticCommand(t *testing.T) {
|
||||
"--enable-concierge",
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: invalid concierge parameters: endpoint must not be empty
|
||||
`),
|
||||
},
|
||||
@ -87,7 +87,7 @@ func TestLoginStaticCommand(t *testing.T) {
|
||||
"--token-env", "TEST_TOKEN_ENV",
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: --token-env variable "TEST_TOKEN_ENV" is not set
|
||||
`),
|
||||
},
|
||||
@ -100,7 +100,7 @@ func TestLoginStaticCommand(t *testing.T) {
|
||||
"TEST_TOKEN_ENV": "",
|
||||
},
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: --token-env variable "TEST_TOKEN_ENV" is empty
|
||||
`),
|
||||
},
|
||||
@ -125,7 +125,7 @@ func TestLoginStaticCommand(t *testing.T) {
|
||||
},
|
||||
conciergeErr: fmt.Errorf("some concierge error"),
|
||||
wantError: true,
|
||||
wantStdout: here.Doc(`
|
||||
wantStderr: here.Doc(`
|
||||
Error: could not complete concierge credential exchange: some concierge error
|
||||
`),
|
||||
},
|
||||
|
@ -7,6 +7,7 @@ import (
|
||||
"bytes"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"go.pinniped.dev/internal/here"
|
||||
@ -41,7 +42,7 @@ func TestNewVersionCmd(t *testing.T) {
|
||||
args []string
|
||||
wantError bool
|
||||
wantStdoutRegexp string
|
||||
wantStderr string
|
||||
wantStderrRegexp string
|
||||
}{
|
||||
{
|
||||
name: "no flags",
|
||||
@ -57,7 +58,8 @@ func TestNewVersionCmd(t *testing.T) {
|
||||
name: "arg passed",
|
||||
args: []string{"tuna"},
|
||||
wantError: true,
|
||||
wantStdoutRegexp: `Error: unknown command "tuna" for "version"` + "\n" + knownGoodUsageRegexpForVersion,
|
||||
wantStderrRegexp: `Error: unknown command "tuna" for "version"`,
|
||||
wantStdoutRegexp: knownGoodUsageRegexpForVersion,
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
@ -76,8 +78,8 @@ func TestNewVersionCmd(t *testing.T) {
|
||||
} else {
|
||||
require.NoError(t, err)
|
||||
}
|
||||
require.Regexp(t, tt.wantStdoutRegexp, stdout.String(), "unexpected stdout")
|
||||
require.Equal(t, tt.wantStderr, stderr.String(), "unexpected stderr")
|
||||
assert.Regexp(t, tt.wantStdoutRegexp, stdout.String(), "unexpected stdout")
|
||||
assert.Regexp(t, tt.wantStderrRegexp, stderr.String(), "unexpected stderr")
|
||||
})
|
||||
}
|
||||
}
|
||||
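Review bot: Replacing `require.Equal(t, tt.wantStderr, stderr.String(), ...)` with `assert.Regexp(t, tt.wantStderrRegexp, stderr.String(), ...)` weakens the check for any case that leaves `wantStderrRegexp` unset, because an empty pattern matches every string. The "no flags" case looks like one of those, though its fields are outside the hunk, so unexpected stderr output on the success path would now pass silently. Consider keeping an exact check for the empty case, e.g. `if tt.wantStderrRegexp == "" { assert.Empty(t, stderr.String(), "unexpected stderr") }`, and anchoring the "tuna" pattern with `^`. The test function starts outside the visible hunks.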
|
@ -25,7 +25,7 @@ custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLab
|
||||
replicas: 2
|
||||
|
||||
#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||
image_repo: docker.io/getpinniped/pinniped-server
|
||||
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
|
||||
image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
|
||||
image_tag: latest
|
||||
|
||||
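Review bot: The new default `image_repo: projects.registry.vmware.com/pinniped/pinniped-server` is still paired with `image_tag: latest` and an empty `image_digest`, so a default install pulls whatever the new registry currently serves under a mutable tag. Since the registry is changing anyway, consider a comment next to `image_tag` such as `#! latest is mutable; set image_digest for reproducible deployments`, or filling in the digest in released manifests. The same applies to the two other values files that receive the identical `image_repo` change in this commit.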
|
@ -5,7 +5,7 @@
|
||||
---
|
||||
|
||||
#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||
image_repo: docker.io/getpinniped/pinniped-server
|
||||
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
|
||||
image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
|
||||
image_tag: latest
|
||||
|
||||
|
@ -25,7 +25,7 @@ custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLab
|
||||
replicas: 2
|
||||
|
||||
#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||
image_repo: docker.io/getpinniped/pinniped-server
|
||||
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
|
||||
image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
|
||||
image_tag: latest
|
||||
|
||||
|
4
generated/1.19/apis/go.mod
generated
@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.19/apis
|
||||
go 1.13
|
||||
|
||||
require (
|
||||
k8s.io/api v0.19.2
|
||||
k8s.io/apimachinery v0.19.2
|
||||
k8s.io/api v0.19.5
|
||||
k8s.io/apimachinery v0.19.5
|
||||
)
|
||||
|
17
generated/1.19/apis/go.sum
generated
@ -101,8 +101,8 @@ golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73r
|
||||
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
|
||||
golang.org/x/net v0.0.0-20200707034311-ab3426394381 h1:VXak5I6aEWmAXeQjA+QSZzlgNrpq9mjcfDemuexIKsU=
|
||||
golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
|
||||
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
|
||||
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
|
||||
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
||||
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
@ -113,8 +113,9 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
|
||||
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4 h1:5/PjkGUjvEU5Gl6BxmvKRPpqo2uNMv4rcHBMwzk/st8=
|
||||
golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20201112073958-5cba982894dd h1:5CtCZbICpIOFdgO940moixOPjc0178IU44m4EjOO5IY=
|
||||
golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
|
||||
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
@ -157,10 +158,10 @@ gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
|
||||
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
k8s.io/api v0.19.2 h1:q+/krnHWKsL7OBZg/rxnycsl9569Pud76UJ77MvKXms=
|
||||
k8s.io/api v0.19.2/go.mod h1:IQpK0zFQ1xc5iNIQPqzgoOwuFugaYHK4iCknlAQP9nI=
|
||||
k8s.io/apimachinery v0.19.2 h1:5Gy9vQpAGTKHPVOh5c4plE274X8D/6cuEiTO2zve7tc=
|
||||
k8s.io/apimachinery v0.19.2/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
|
||||
k8s.io/api v0.19.5 h1:p0MRzyhokJ9Kn5jcJAHNup0s+COMBPfn1mTasls6mMg=
|
||||
k8s.io/api v0.19.5/go.mod h1:yGZReuNa0vj56op6eT+NLrXJne0R0u9ktexZ8jdJzpc=
|
||||
k8s.io/apimachinery v0.19.5 h1:Yvz6dOE0WbVE+FXBEFqc9lSvo87VPtq6mCSsrtC95HI=
|
||||
k8s.io/apimachinery v0.19.5/go.mod h1:6sRbGRAVY5DOCuZwB5XkqguBqpqLU6q/kOaOdk29z6Q=
|
||||
k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
|
||||
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
|
||||
k8s.io/klog/v2 v2.2.0 h1:XRvcwJozkgZ1UQJmfMGpvRthQHOvihEhYtDfAaxMz/A=
|
||||
|
4
generated/1.19/client/go.mod
generated
@ -6,8 +6,8 @@ go 1.13
|
||||
require (
|
||||
github.com/go-openapi/spec v0.19.9
|
||||
go.pinniped.dev/generated/1.19/apis v0.0.0-00010101000000-000000000000
|
||||
k8s.io/apimachinery v0.19.2
|
||||
k8s.io/client-go v0.19.2
|
||||
k8s.io/apimachinery v0.19.5
|
||||
k8s.io/client-go v0.19.5
|
||||
k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6
|
||||
)
|
||||
|
||||
|
21
generated/1.19/client/go.sum
generated
@ -209,8 +209,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
|
||||
golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
|
||||
golang.org/x/net v0.0.0-20200707034311-ab3426394381 h1:VXak5I6aEWmAXeQjA+QSZzlgNrpq9mjcfDemuexIKsU=
|
||||
golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
|
||||
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
|
||||
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
|
||||
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
||||
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
@ -235,8 +235,9 @@ golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7w
|
||||
golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4 h1:5/PjkGUjvEU5Gl6BxmvKRPpqo2uNMv4rcHBMwzk/st8=
|
||||
golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20201112073958-5cba982894dd h1:5CtCZbICpIOFdgO940moixOPjc0178IU44m4EjOO5IY=
|
||||
golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
|
||||
@ -327,12 +328,12 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh
|
||||
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
|
||||
k8s.io/api v0.19.2 h1:q+/krnHWKsL7OBZg/rxnycsl9569Pud76UJ77MvKXms=
|
||||
k8s.io/api v0.19.2/go.mod h1:IQpK0zFQ1xc5iNIQPqzgoOwuFugaYHK4iCknlAQP9nI=
|
||||
k8s.io/apimachinery v0.19.2 h1:5Gy9vQpAGTKHPVOh5c4plE274X8D/6cuEiTO2zve7tc=
|
||||
k8s.io/apimachinery v0.19.2/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
|
||||
k8s.io/client-go v0.19.2 h1:gMJuU3xJZs86L1oQ99R4EViAADUPMHHtS9jFshasHSc=
|
||||
k8s.io/client-go v0.19.2/go.mod h1:S5wPhCqyDNAlzM9CnEdgTGV4OqhsW3jGO1UM1epwfJA=
|
||||
k8s.io/api v0.19.5 h1:p0MRzyhokJ9Kn5jcJAHNup0s+COMBPfn1mTasls6mMg=
|
||||
k8s.io/api v0.19.5/go.mod h1:yGZReuNa0vj56op6eT+NLrXJne0R0u9ktexZ8jdJzpc=
|
||||
k8s.io/apimachinery v0.19.5 h1:Yvz6dOE0WbVE+FXBEFqc9lSvo87VPtq6mCSsrtC95HI=
|
||||
k8s.io/apimachinery v0.19.5/go.mod h1:6sRbGRAVY5DOCuZwB5XkqguBqpqLU6q/kOaOdk29z6Q=
|
||||
k8s.io/client-go v0.19.5 h1:Y7LsFwgbm9+5oVXER04KNCSPhY6TblYRgG1DQdVq+ig=
|
||||
k8s.io/client-go v0.19.5/go.mod h1:BSG3iuxI40Bs0nNDLS1JRa/7ReBQDHzf0x8nZZrK0fo=
|
||||
k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
|
||||
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
|
||||
k8s.io/klog/v2 v2.2.0 h1:XRvcwJozkgZ1UQJmfMGpvRthQHOvihEhYtDfAaxMz/A=
|
||||
|
43
go.mod
@ -3,40 +3,49 @@ module go.pinniped.dev
|
||||
go 1.14
|
||||
|
||||
require (
|
||||
cloud.google.com/go v0.60.0 // indirect
|
||||
github.com/MakeNowJust/heredoc/v2 v2.0.1
|
||||
github.com/blang/semver v3.5.1+incompatible // indirect
|
||||
github.com/coreos/go-oidc v2.2.1+incompatible
|
||||
github.com/davecgh/go-spew v1.1.1
|
||||
github.com/go-logr/logr v0.2.1
|
||||
github.com/go-logr/logr v0.3.0
|
||||
github.com/go-logr/stdr v0.2.0
|
||||
github.com/gofrs/flock v0.8.0
|
||||
github.com/golang/mock v1.4.4
|
||||
github.com/golangci/golangci-lint v1.31.0
|
||||
github.com/google/go-cmp v0.5.2
|
||||
github.com/google/gofuzz v1.1.0
|
||||
github.com/google/go-cmp v0.5.4
|
||||
github.com/google/gofuzz v1.2.0
|
||||
github.com/gorilla/securecookie v1.1.1
|
||||
github.com/ory/fosite v0.35.1
|
||||
github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
|
||||
github.com/kr/text v0.2.0 // indirect
|
||||
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
|
||||
github.com/onsi/ginkgo v1.13.0 // indirect
|
||||
github.com/ory/fosite v0.36.0
|
||||
github.com/pkg/browser v0.0.0-20201207095918-0426ae3fba23
|
||||
github.com/pkg/errors v0.9.1
|
||||
github.com/sclevine/agouti v3.0.0+incompatible
|
||||
github.com/sclevine/spec v1.4.0
|
||||
github.com/spf13/cobra v1.0.0
|
||||
github.com/spf13/cobra v1.1.1
|
||||
github.com/spf13/pflag v1.0.5
|
||||
github.com/stretchr/testify v1.6.1
|
||||
go.pinniped.dev/generated/1.19/apis v0.0.0-00010101000000-000000000000
|
||||
go.pinniped.dev/generated/1.19/client v0.0.0-00010101000000-000000000000
|
||||
golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899
|
||||
golang.org/x/crypto v0.0.0-20201217014255-9d1352758620
|
||||
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
|
||||
golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208
|
||||
golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
|
||||
golang.org/x/tools v0.0.0-20200825202427-b303f430e36d // indirect
|
||||
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
|
||||
google.golang.org/genproto v0.0.0-20200825200019-8632dd797987 // indirect
|
||||
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
|
||||
gopkg.in/square/go-jose.v2 v2.5.1
|
||||
k8s.io/api v0.19.2
|
||||
k8s.io/apimachinery v0.19.2
|
||||
k8s.io/apiserver v0.19.2
|
||||
k8s.io/client-go v0.19.2
|
||||
k8s.io/component-base v0.19.2
|
||||
k8s.io/klog/v2 v2.3.0
|
||||
k8s.io/kube-aggregator v0.19.2
|
||||
k8s.io/utils v0.0.0-20200729134348-d5654de09c73
|
||||
gopkg.in/yaml.v2 v2.4.0 // indirect
|
||||
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
|
||||
k8s.io/api v0.19.5
|
||||
k8s.io/apimachinery v0.19.5
|
||||
k8s.io/apiserver v0.19.5
|
||||
k8s.io/client-go v0.19.5
|
||||
k8s.io/component-base v0.19.5
|
||||
k8s.io/klog/v2 v2.4.0
|
||||
k8s.io/kube-aggregator v0.19.5
|
||||
k8s.io/utils v0.0.0-20201110183641-67b214c5f920
|
||||
sigs.k8s.io/yaml v1.2.0
|
||||
)
|
||||
|
||||
|
@ -1,3 +1,3 @@
|
||||
1.19.2
|
||||
1.19.5
|
||||
1.18.2
|
||||
1.17.11
|
||||
|
@ -13,7 +13,7 @@ export GO111MODULE="on"
|
||||
if [[ -z "${CONTAINED:-}" ]]; then
|
||||
for kubeVersion in "${KUBE_VERSIONS[@]}"; do
|
||||
# CODEGEN_IMAGE is the container image to use when running
|
||||
CODEGEN_IMAGE="docker.io/getpinniped/k8s-code-generator-$(echo "$kubeVersion" | cut -d"." -f1-2):latest"
|
||||
CODEGEN_IMAGE="projects.registry.vmware.com/pinniped/k8s-code-generator-$(echo "$kubeVersion" | cut -d"." -f1-2):latest"
|
||||
|
||||
echo "generating code for ${kubeVersion} using ${CODEGEN_IMAGE}..."
|
||||
docker run --rm \
|
||||
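Review bot: `CODEGEN_IMAGE` now resolves to `projects.registry.vmware.com/pinniped/k8s-code-generator-<version>:latest`, so the generator that presumably produces the checked-in `generated/` tree runs from a mutable tag. A changed image would alter generated sources without any diff in this script. Consider pinning the image by digest or a versioned tag and saying so in the comment above the assignment, e.g. `# pinned by digest so codegen output is reproducible`. The `docker run` invocation continues outside the hunk.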
|
@ -12,12 +12,7 @@ function tidy_cmd() {
|
||||
}
|
||||
|
||||
function lint_cmd() {
|
||||
if [ -x "$(command -v golangci-lint)" ]; then
|
||||
cmd='golangci-lint'
|
||||
else
|
||||
cmd='go run github.com/golangci/golangci-lint/cmd/golangci-lint'
|
||||
fi
|
||||
echo "${cmd} run --modules-download-mode=readonly --timeout=10m"
|
||||
echo "golangci-lint run --modules-download-mode=readonly --timeout=10m"
|
||||
}
|
||||
|
||||
function test_cmd() {
|
||||
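Review bot: `lint_cmd` now always emits `golangci-lint run ...` and drops the fallback to `go run github.com/golangci/golangci-lint/cmd/golangci-lint`, so the linter version is whatever is on PATH rather than the one the module pins. A missing binary surfaces only as a bare command-not-found, and differing local versions can report different findings than CI. Consider a guard such as `command -v golangci-lint >/dev/null || { echo "golangci-lint not found; install the version used in CI" >&2; exit 1; }` and a comment naming the expected version.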
|
@ -130,7 +130,7 @@ if ! tilt_mode; then
|
||||
fi
|
||||
fi
|
||||
|
||||
registry="docker.io"
|
||||
registry="pinniped.local"
|
||||
repo="test/build"
|
||||
registry_repo="$registry/$repo"
|
||||
tag=$(uuidgen) # always a new tag to force K8s to reload the image on redeploy
|
||||
|
@ -86,7 +86,7 @@ func (a *accessTokenStorage) getSession(ctx context.Context, signature string) (
|
||||
rv, err := a.storage.Get(ctx, signature, session)
|
||||
|
||||
if errors.IsNotFound(err) {
|
||||
return nil, "", fosite.ErrNotFound.WithCause(err).WithDebug(err.Error())
|
||||
return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
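Review bot: `fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())` copies the raw storage error text into the OAuth error's debug field, and with `WithWrap` the underlying not-found error also becomes reachable through `errors.Is`/`errors.As`. That text presumably names the backing storage object, so it would be exposed if the server were ever configured to return debug messages to clients. Consider a fixed string such as `.WithDebug("session not found in storage")`, or a comment stating that debug output must stay server-side. The same line changes in the authorize-code, OpenID Connect, PKCE and refresh-token `getSession` methods, and `getSession` continues outside the hunk.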
|
@ -110,7 +110,7 @@ func (a *authorizeCodeStorage) getSession(ctx context.Context, signature string)
|
||||
rv, err := a.storage.Get(ctx, signature, session)
|
||||
|
||||
if errors.IsNotFound(err) {
|
||||
return nil, "", fosite.ErrNotFound.WithCause(err).WithDebug(err.Error())
|
||||
return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
@ -168,161 +168,161 @@ func (e *errSerializationFailureWithCause) Error() string {
|
||||
// ExpectedAuthorizeCodeSessionJSONFromFuzzing is used for round tripping tests.
|
||||
// It is exported to allow integration tests to use it.
|
||||
const ExpectedAuthorizeCodeSessionJSONFromFuzzing = `{
|
||||
"active": true,
|
||||
"request": {
|
||||
"id": "嫎l蟲aƖ啘艿",
|
||||
"active": true,
|
||||
"request": {
|
||||
"id": "曑x螠Gæ鄋楨",
|
||||
"requestedAt": "2082-11-10T18:36:11.627253638Z",
|
||||
"client": {
|
||||
"id": "!ſɄĈp[述齛ʘUȻ.5ȿE",
|
||||
"client_secret": "UQ==",
|
||||
"redirect_uris": [
|
||||
"ǣ珑 ʑ飶畛Ȳ螤Yɫüeɯ紤邥翔勋\\",
|
||||
"Bʒ;",
|
||||
"鿃攴Ųęʍ鎾ʦ©cÏN,Ġ/_"
|
||||
],
|
||||
"grant_types": [
|
||||
"憉sHĒ尥窘挼Ŀʼn"
|
||||
],
|
||||
"response_types": [
|
||||
"4",
|
||||
"ʄÔ@}i{絧遗Ū^ȝĸ谋Vʋ鱴閇T"
|
||||
],
|
||||
"scopes": [
|
||||
"R鴝順諲ŮŚ节ȭŀȋc剠鏯ɽÿ¸"
|
||||
],
|
||||
"audience": [
|
||||
"Ƥ"
|
||||
],
|
||||
"public": true,
|
||||
"jwks_uri": "BA瘪囷ɫCʄɢ雐譄uée'",
|
||||
"jwks": {
|
||||
"keys": [
|
||||
{
|
||||
"kty": "OKP",
|
||||
"crv": "Ed25519",
|
||||
"x": "nK9xgX_iN7u3u_i8YOO7ZRT_WK028Vd_nhtsUu7Eo6E",
|
||||
"x5u": {
|
||||
"Scheme": "",
|
||||
"Opaque": "",
|
||||
"User": null,
|
||||
"Host": "",
|
||||
"Path": "",
|
||||
"RawPath": "",
|
||||
"ForceQuery": false,
|
||||
"RawQuery": "",
|
||||
"Fragment": "",
|
||||
"RawFragment": ""
|
||||
}
|
||||
},
|
||||
{
|
||||
"kty": "OKP",
|
||||
"crv": "Ed25519",
|
||||
"x": "UbbswQgzWhfGCRlwQmMp6fw_HoIoqkIaKT-2XN2fuYU",
|
||||
"x5u": {
|
||||
"Scheme": "",
|
||||
"Opaque": "",
|
||||
"User": null,
|
||||
"Host": "",
|
||||
"Path": "",
|
||||
"RawPath": "",
|
||||
"ForceQuery": false,
|
||||
"RawQuery": "",
|
||||
"Fragment": "",
|
||||
"RawFragment": ""
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"token_endpoint_auth_method": "ŚǗƳȕ暭Q0ņP羾,塐",
|
||||
"request_uris": [
|
||||
"lj翻LH^俤µDzɹ@©|\u003eɃ",
|
||||
"[:c顎疻紵D"
|
||||
],
|
||||
"request_object_signing_alg": "m1Ì恣S@T嵇LJV,Æ櫔袆鋹奘",
|
||||
"token_endpoint_auth_signing_alg": "Fãƻʚ肈ą8O+a駣"
|
||||
"id": ":NJ¸Ɣ8(黋馛ÄRɴJa¶z",
|
||||
"client_secret": "UQ==",
|
||||
"redirect_uris": [
|
||||
"ǖ枭kʍ切厦ȳ箦;¥ʊXĝ奨誷傥祩d",
|
||||
"zŇZ",
|
||||
"優蒼ĊɌț訫DŽǽeʀO2ƚ&N"
|
||||
],
|
||||
"grant_types": [
|
||||
"唐W6ɻ橩斚薛ɑƐ"
|
||||
],
|
||||
"response_types": [
|
||||
"w",
|
||||
"ǔŭe[u@阽羂ŷ-Ĵ½輢OÅ濲喾H"
|
||||
],
|
||||
"scopes": [
|
||||
"G螩歐湡ƙı唡ɸğƎ&胢輢Ƈĵƚ"
|
||||
],
|
||||
"audience": [
|
||||
"ě"
|
||||
],
|
||||
"public": false,
|
||||
"jwks_uri": "o*泞羅ʘ Ⱦķ瀊垰7ã\")",
|
||||
"jwks": {
|
||||
"keys": [
|
||||
{
|
||||
"kty": "OKP",
|
||||
"crv": "Ed25519",
|
||||
"x": "nK9xgX_iN7u3u_i8YOO7ZRT_WK028Vd_nhtsUu7Eo6E",
|
||||
"x5u": {
|
||||
"Scheme": "",
|
||||
"Opaque": "",
|
||||
"User": null,
|
||||
"Host": "",
|
||||
"Path": "",
|
||||
"RawPath": "",
|
||||
"ForceQuery": false,
|
||||
"RawQuery": "",
|
||||
"Fragment": "",
|
||||
"RawFragment": ""
|
||||
}
|
||||
},
|
||||
{
|
||||
"kty": "OKP",
|
||||
"crv": "Ed25519",
|
||||
"x": "UbbswQgzWhfGCRlwQmMp6fw_HoIoqkIaKT-2XN2fuYU",
|
||||
"x5u": {
|
||||
"Scheme": "",
|
||||
"Opaque": "",
|
||||
"User": null,
|
||||
"Host": "",
|
||||
"Path": "",
|
||||
"RawPath": "",
|
||||
"ForceQuery": false,
|
||||
"RawQuery": "",
|
||||
"Fragment": "",
|
||||
"RawFragment": ""
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"token_endpoint_auth_method": "ƿʥǟȒ伉<x¹T鼓c吏",
|
||||
"request_uris": [
|
||||
"Ć捘j]=谅ʑɑɮ$Ól4Ȟ",
|
||||
",Q7钎漡臧n"
|
||||
],
|
||||
"request_object_signing_alg": "3@¡廜+v,淬Ʋ4Dʧ呩锏緍场",
|
||||
"token_endpoint_auth_signing_alg": "(ưƓǴ罷ǹ~]ea胠"
|
||||
},
|
||||
"scopes": [
|
||||
"ɼk瘸'鴵yſǮŁ±\u003eFA曎餄FxD溪",
|
||||
"綻N镪p赌h%桙dĽ"
|
||||
"ĩv絹b垇IŕĩǀŻQ'k頂箨J-a稆",
|
||||
"啶#昏Q遐*\\髎bŸ"
|
||||
],
|
||||
"grantedScopes": [
|
||||
"癗E]Ņʘʟ車s"
|
||||
"慂UFƼĮǡ鑻Z"
|
||||
],
|
||||
"form": {
|
||||
"蹬器ķ8ŷ萒寎廭#疶昄Ą-Ƃƞ轵": [
|
||||
"熞ĝƌĆ1ȇyǴ濎=Tʉȼʁŀ\u003c",
|
||||
"耡q戨稞R÷mȵg釽[ƞ@",
|
||||
"đ[嬧鱒Ȁ彆媚杨嶒ĤGÀ吧Lŷ"
|
||||
],
|
||||
"餟": [
|
||||
"蒍z\u0026(K鵢Kj ŏ9Q韉Ķ%",
|
||||
"輫ǘ(¨Ƞ亱6ě#嫀^xz ",
|
||||
"@耢ɝ^¡!犃ĹĐJí¿ō擫"
|
||||
]
|
||||
"褾攚ŝlĆ厦駳骪l拁乖¡J¿Ƈ妔": [
|
||||
"懧¥ɂĵ~Čyʊ恀c\"NJřðȿ/",
|
||||
"裢?霃谥vƘ:ƿ/濔Aʉ<",
|
||||
"ȭ$奍囀Dž悷鵱民撲ʓeŘ嬀j¤"
|
||||
],
|
||||
"诞": [
|
||||
"狲N<Cq罉ZPſĝEK郊©l",
|
||||
"餚LJ/ɷȑ潠[ĝU噤'pX ",
|
||||
"Y妶ǵ!ȁu狍ɶȳsčɦƦ诱"
|
||||
]
|
||||
},
|
||||
"session": {
|
||||
"Claims": {
|
||||
"JTI": "懫砰¿C筽娴ƓaPu镈賆ŗɰ",
|
||||
"Issuer": "皶竇瞍涘¹焕iǢǽɽĺŧ",
|
||||
"Subject": "矠M6ɡǜg炾ʙ$%o6肿Ȫ",
|
||||
"Audience": [
|
||||
"ƌÙ鯆GQơ鮫R嫁ɍUƞ9+u!Ȱ踾$"
|
||||
"Claims": {
|
||||
"JTI": "攬林Ñz焁糳¿o>Q鱙翑ȲŻ",
|
||||
"Issuer": "锰劝旣樎Ȱ鍌#ȳńƩŴȭ",
|
||||
"Subject": "绝TFNJĆw宵ɚeY48珎²",
|
||||
"Audience": [
|
||||
"éã越|j¦鲶H股ƲLŋZ-{5£踉4"
|
||||
],
|
||||
"Nonce": "5^驜Ŗ~ů崧軒q腟u尿",
|
||||
"ExpiresAt": "2065-11-30T13:47:03.613000626Z",
|
||||
"IssuedAt": "1976-02-22T09:57:20.479850437Z",
|
||||
"RequestedAt": "2016-04-13T04:18:53.648949323Z",
|
||||
"AuthTime": "2098-07-12T04:38:54.034043015Z",
|
||||
"AccessTokenHash": "嫯R",
|
||||
"AuthenticationContextClassReference": "¤'+ʣ",
|
||||
"AuthenticationMethodsReference": "L&ɽ艄ʬʏ",
|
||||
"CodeHash": "ğǫ\\aȊ4ț髄Al",
|
||||
"Extra": {
|
||||
"PƢ曰": {
|
||||
"ĸŴB岺Ð嫹Sx镯荫ő": [
|
||||
843216989
|
||||
],
|
||||
"Nonce": "us旸Ť/Õ薝隧;綡,鼞",
|
||||
"ExpiresAt": "2065-11-30T13:47:03.613000626Z",
|
||||
"IssuedAt": "1976-02-22T09:57:20.479850437Z",
|
||||
"RequestedAt": "2016-04-13T04:18:53.648949323Z",
|
||||
"AuthTime": "2098-07-12T04:38:54.034043015Z",
|
||||
"AccessTokenHash": "滮]",
|
||||
"AuthenticationContextClassReference": "°3\u003eÙ",
|
||||
"AuthenticationMethodsReference": "k?µ鱔ǤÂ",
|
||||
"CodeHash": "Țƒ1v¸KĶ跭};",
|
||||
"Extra": {
|
||||
"=ſ氆": {
|
||||
"Ƿī,廖ʡ彑V\\廳蟕Ț": [
|
||||
843216989
|
||||
],
|
||||
"蔯ʠ浵Ī": {
|
||||
"H\"nǕ=rlƆ褡{ǏSȳŅ": {
|
||||
"Žg": false
|
||||
},
|
||||
"枱鰧ɛ鸁A渇": null
|
||||
}
|
||||
},
|
||||
"斻遟a衪荖舃9闄岈锘肺ńʥƕU}j%": 2520197933
|
||||
"疂ư墫ɓ": {
|
||||
"\\BRë_g\"ʎ啴SƇMǃļ": {
|
||||
"ʦ4": false
|
||||
},
|
||||
"鶡萷ɵ啜s攦": null
|
||||
}
|
||||
},
|
||||
"Headers": {
|
||||
"Extra": {
|
||||
"熒ɘȏıȒ諃龟ŴŠ'耐Ƭ扵ƹ玄ɕwL": {
|
||||
"ýÏʥZq7烱藌\\捀¿őŧQ": {
|
||||
"微'X焌襱ǭɕņ殥!_": null,
|
||||
"荇届UȚ?戋璖$9\u00269舋": {
|
||||
"ɕ餦ÑEǰ哤癨浦浏1Rk頓ć§蚲6": true
|
||||
}
|
||||
},
|
||||
"鲒鿮禗O暒aJP鐜?ĮV嫎h譭ȉ]DĘ": [
|
||||
954647573
|
||||
]
|
||||
},
|
||||
"皩Ƭ}Ɇ.雬Ɨ´唁": 1572524915
|
||||
}
|
||||
},
|
||||
"ExpiresAt": {
|
||||
"\u003cqċ譈8ŪɎP绿MÅ": "2031-10-18T22:07:34.950803105Z",
|
||||
"ȸěaʜD捛?½ʀ+Ċ偢镳ʬÍɷȓ\u003c": "2049-05-13T15:27:20.968432454Z"
|
||||
},
|
||||
"Username": "1藍殙菥趏酱Nʎ\u0026^横懋ƶ峦Fïȫƅw",
|
||||
"Subject": "檾ĩĆ爨4犹|v炩f柏ʒ鴙*鸆偡"
|
||||
},
|
||||
"曓蓳n匟鯘磹*金爃鶴滱ůĮǐ_c3#": 2520197933
|
||||
}
|
||||
},
|
||||
"Headers": {
|
||||
"Extra": {
|
||||
"寱ĊƑ÷Ƒ螞费Ďğ~劰û橸ɽ銐ƭ?}": {
|
||||
"ȜʁɁ;Bd謺錳4帳ŅǃĊd": {
|
||||
"翢砜Fȏl鐉诳DT=3骜": {
|
||||
"ų厷ɁOƪ穋嶿鳈恱va|载ǰɱ汶C": false
|
||||
},
|
||||
"鸨EJ毕懴řĬń戹%c": null
|
||||
},
|
||||
"室癑勦e骲v0H晦XŘO溪V蔓Ȍ+~ē": [
|
||||
954647573
|
||||
]
|
||||
},
|
||||
"麈ƵDǀ\\郂üţ垂": 1572524915
|
||||
}
|
||||
},
|
||||
"ExpiresAt": {
|
||||
"'=ĸ闒NȢȰ.醋fʜ": "2031-10-18T22:07:34.950803105Z",
|
||||
"ɦüHêQ仏1őƖ2Ė暮唍ǞʜƢú4": "2049-05-13T15:27:20.968432454Z"
|
||||
},
|
||||
"Username": "+韁臯氃妪婝rȤ\"h丬鎒ơ娻}ɼƟȥE",
|
||||
"Subject": "龳ǽÙ龦O亾EW莛8嘶×姮c恭企"
|
||||
},
|
||||
"requestedAudience": [
|
||||
"肯Ûx穞Ƀ",
|
||||
"ź蕴3ǐ薝Ƅ腲=ʐ诂鱰屾Ê窢ɋ鄊qɠ谫"
|
||||
"邖ɐ5檄¬",
|
||||
"Ĭ葜SŦ餧Ĭ倏4ĵ嶼仒篻ɥ闣ʬ橳(ý綃"
|
||||
],
|
||||
"grantedAudience": [
|
||||
"ǵƕ牀1鞊\\ȹ)}鉍商OɄƣ圔,xĪ",
|
||||
"悾xn冏裻摼0Ʈ蚵Ȼ塕»£#稏扟X"
|
||||
"ʚƟ覣k眐4ĈtC嵽痊w©Ź榨Q|ô",
|
||||
"猊Ia瓕巈環_ɑ彨ƍ蛊ʚ£:設虝2"
|
||||
]
|
||||
},
|
||||
"version": "1"
|
||||
}`
|
||||
},
|
||||
"version": "1"
|
||||
}`
|
||||
|
@ -391,5 +391,5 @@ func TestFuzzAndJSONNewValidEmptyAuthorizeCodeSession(t *testing.T) {
|
||||
// while the fuzzer will panic if AuthorizeRequest changes in a way that cannot be fuzzed,
|
||||
// if it adds a new field that can be fuzzed, this check will fail
|
||||
// thus if AuthorizeRequest changes, we will detect it here (though we could possibly miss an omitempty field)
|
||||
require.Equal(t, ExpectedAuthorizeCodeSessionJSONFromFuzzing, authorizeCodeSessionJSONFromFuzzing)
|
||||
require.JSONEq(t, ExpectedAuthorizeCodeSessionJSONFromFuzzing, authorizeCodeSessionJSONFromFuzzing)
|
||||
}
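Review bot: The comment above the assertion still reads as if an exact match is enforced, but of the two assertions printed here `require.JSONEq` compares decoded JSON, so key order and whitespace in the fixture no longer matter. Assuming `require.JSONEq` is the new side of the pair, the check still catches an added or removed field, which is what the comment promises. Adding a line such as `// JSONEq: only the decoded structure is compared; key order and whitespace of the fixture are not significant` would stop a later reader assuming the stored bytes are pinned. The test body starts outside the hunk.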
|
||||
|
@ -88,7 +88,7 @@ func (a *openIDConnectRequestStorage) getSession(ctx context.Context, signature
|
||||
rv, err := a.storage.Get(ctx, signature, session)
|
||||
|
||||
if errors.IsNotFound(err) {
|
||||
return nil, "", fosite.ErrNotFound.WithCause(err).WithDebug(err.Error())
|
||||
return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
|
||||
}
|
||||
|
||||
if err != nil {
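Review bot: `WithDebug(err.Error())` on the not-found return copies the raw storage error text into the fosite error's debug field, and nothing in this hunk shows whether debug text can ever be returned to an OAuth client. The same line appears in the `pkceStorage` and `refreshTokenStorage` `getSession` hunks that follow. The cause is already attached through `WithWrap(err)` (assuming that is the new side of the printed pair), so either drop the copy, `return nil, "", fosite.ErrNotFound.WithWrap(err)`, or add a comment stating that debug messages are never sent to clients in this server's configuration. `getSession` starts before the hunk and continues past it.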
|
||||
|
@ -72,7 +72,7 @@ func (a *pkceStorage) getSession(ctx context.Context, signature string) (*sessio
|
||||
rv, err := a.storage.Get(ctx, signature, session)
|
||||
|
||||
if errors.IsNotFound(err) {
|
||||
return nil, "", fosite.ErrNotFound.WithCause(err).WithDebug(err.Error())
|
||||
return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
|
@ -86,7 +86,7 @@ func (a *refreshTokenStorage) getSession(ctx context.Context, signature string)
|
||||
rv, err := a.storage.Get(ctx, signature, session)
|
||||
|
||||
if errors.IsNotFound(err) {
|
||||
return nil, "", fosite.ErrNotFound.WithCause(err).WithDebug(err.Error())
|
||||
return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
|
@ -41,76 +41,62 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
||||
fositeInvalidClientErrorBody = here.Doc(`
|
||||
{
|
||||
"error": "invalid_client",
|
||||
"error_verbose": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)",
|
||||
"error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)\n\nThe requested OAuth 2.0 Client does not exist.",
|
||||
"error_hint": "The requested OAuth 2.0 Client does not exist.",
|
||||
"status_code": 401
|
||||
"error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The requested OAuth 2.0 Client does not exist."
|
||||
}
|
||||
`)
|
||||
|
||||
fositeInvalidRedirectURIErrorBody = here.Doc(`
|
||||
{
|
||||
"error": "invalid_request",
|
||||
"error_verbose": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nThe \"redirect_uri\" parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls.",
|
||||
"error_hint": "The \"redirect_uri\" parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls.",
|
||||
"status_code": 400
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls."
|
||||
}
|
||||
`)
|
||||
|
||||
fositePromptHasNoneAndOtherValueErrorQuery = map[string]string{
|
||||
"error": "invalid_request",
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nParameter \"prompt\" was set to \"none\", but contains other values as well which is not allowed.",
|
||||
"error_hint": "Parameter \"prompt\" was set to \"none\", but contains other values as well which is not allowed.",
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Parameter 'prompt' was set to 'none', but contains other values as well which is not allowed.",
|
||||
"state": happyState,
|
||||
}
|
||||
|
||||
fositeMissingCodeChallengeErrorQuery = map[string]string{
|
||||
"error": "invalid_request",
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nClients must include a code_challenge when performing the authorize code flow, but it is missing.",
|
||||
"error_hint": "Clients must include a code_challenge when performing the authorize code flow, but it is missing.",
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Clients must include a code_challenge when performing the authorize code flow, but it is missing.",
|
||||
"state": happyState,
|
||||
}
|
||||
|
||||
fositeMissingCodeChallengeMethodErrorQuery = map[string]string{
|
||||
"error": "invalid_request",
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nClients must use code_challenge_method=S256, plain is not allowed.",
|
||||
"error_hint": "Clients must use code_challenge_method=S256, plain is not allowed.",
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Clients must use code_challenge_method=S256, plain is not allowed.",
|
||||
"state": happyState,
|
||||
}
|
||||
|
||||
fositeInvalidCodeChallengeErrorQuery = map[string]string{
|
||||
"error": "invalid_request",
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nThe code_challenge_method is not supported, use S256 instead.",
|
||||
"error_hint": "The code_challenge_method is not supported, use S256 instead.",
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The code_challenge_method is not supported, use S256 instead.",
|
||||
"state": happyState,
|
||||
}
|
||||
|
||||
fositeUnsupportedResponseTypeErrorQuery = map[string]string{
|
||||
"error": "unsupported_response_type",
|
||||
"error_description": "The authorization server does not support obtaining a token using this method\n\nThe client is not allowed to request response_type \"unsupported\".",
|
||||
"error_hint": `The client is not allowed to request response_type "unsupported".`,
|
||||
"error_description": "The authorization server does not support obtaining a token using this method. The client is not allowed to request response_type 'unsupported'.",
|
||||
"state": happyState,
|
||||
}
|
||||
|
||||
fositeInvalidScopeErrorQuery = map[string]string{
|
||||
"error": "invalid_scope",
|
||||
"error_description": "The requested scope is invalid, unknown, or malformed\n\nThe OAuth 2.0 Client is not allowed to request scope \"tuna\".",
|
||||
"error_hint": `The OAuth 2.0 Client is not allowed to request scope "tuna".`,
|
||||
"error_description": "The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'tuna'.",
|
||||
"state": happyState,
|
||||
}
|
||||
|
||||
fositeInvalidStateErrorQuery = map[string]string{
|
||||
"error": "invalid_state",
|
||||
"error_description": "The state is missing or does not have enough characters and is therefore considered too weak\n\nRequest parameter \"state\" must be at least be 8 characters long to ensure sufficient entropy.",
|
||||
"error_hint": `Request parameter "state" must be at least be 8 characters long to ensure sufficient entropy.`,
|
||||
"error_description": "The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy.",
|
||||
"state": "short",
|
||||
}
|
||||
|
||||
fositeMissingResponseTypeErrorQuery = map[string]string{
|
||||
"error": "unsupported_response_type",
|
||||
"error_description": "The authorization server does not support obtaining a token using this method\n\nThe request is missing the \"response_type\"\" parameter.",
|
||||
"error_hint": `The request is missing the "response_type"" parameter.`,
|
||||
"error_description": "The authorization server does not support obtaining a token using this method. `The request is missing the 'response_type' parameter.",
|
||||
"state": happyState,
|
||||
}
|
||||
)
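Review bot: The single-quoted `error_description` in `fositeMissingResponseTypeErrorQuery` has a stray backtick before "The request is missing the 'response_type' parameter." If that mirrors what the OAuth library emits, add a comment such as `// the leading backtick comes from the library's own hint text; do not "fix" it here` so the expectation is not corrected by hand later. If it is a typo introduced in this change, the test will fail. More generally, these expectations pin the library's full prose; asserting on the `error` code plus the specific hint substring would survive the next wording change upstream. The `var (` block starts outside the hunk.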
|
||||
|
@ -356,7 +356,7 @@ func TestCallbackEndpoint(t *testing.T) {
|
||||
).String(),
|
||||
csrfCookie: happyCSRFCookie,
|
||||
wantStatus: http.StatusFound,
|
||||
wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid%20offline_access&state=` + happyDownstreamState,
|
||||
wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+offline_access&state=` + happyDownstreamState,
|
||||
wantDownstreamIDTokenUsername: upstreamUsername,
|
||||
wantDownstreamIDTokenSubject: upstreamIssuer + "?sub=" + upstreamSubject,
|
||||
wantDownstreamRequestedScopes: []string{"openid", "offline_access"},
|
||||
|
@ -50,7 +50,7 @@ func (s *dynamicOpenIDConnectECDSAStrategy) GenerateIDToken(
|
||||
_, activeJwk := s.jwksProvider.GetJWKS(s.fositeConfig.IDTokenIssuer)
|
||||
if activeJwk == nil {
|
||||
plog.Debug("no JWK found for issuer", "issuer", s.fositeConfig.IDTokenIssuer)
|
||||
return "", fosite.ErrTemporarilyUnavailable.WithCause(constable.Error("no JWK found for issuer"))
|
||||
return "", fosite.ErrTemporarilyUnavailable.WithWrap(constable.Error("no JWK found for issuer"))
|
||||
}
|
||||
key, ok := activeJwk.Key.(*ecdsa.PrivateKey)
|
||||
if !ok {
|
||||
@ -65,7 +65,7 @@ func (s *dynamicOpenIDConnectECDSAStrategy) GenerateIDToken(
|
||||
"actualType",
|
||||
actualType,
|
||||
)
|
||||
return "", fosite.ErrServerError.WithCause(constable.Error("JWK must be of type ecdsa"))
|
||||
return "", fosite.ErrServerError.WithWrap(constable.Error("JWK must be of type ecdsa"))
|
||||
}
|
||||
|
||||
return compose.NewOpenIDConnectECDSAStrategy(s.fositeConfig, key).GenerateIDToken(ctx, requester)
|
||||
|
@ -266,11 +266,11 @@ func FositeErrorForLog(err error) []interface{} {
|
||||
rfc6749Error := fosite.ErrorToRFC6749Error(err)
|
||||
keysAndValues := make([]interface{}, 0)
|
||||
keysAndValues = append(keysAndValues, "name")
|
||||
keysAndValues = append(keysAndValues, rfc6749Error.Name)
|
||||
keysAndValues = append(keysAndValues, rfc6749Error.ErrorField)
|
||||
keysAndValues = append(keysAndValues, "status")
|
||||
keysAndValues = append(keysAndValues, rfc6749Error.Status())
|
||||
keysAndValues = append(keysAndValues, "description")
|
||||
keysAndValues = append(keysAndValues, rfc6749Error.Description)
|
||||
keysAndValues = append(keysAndValues, rfc6749Error.DescriptionField)
|
||||
return keysAndValues
|
||||
}
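Review bot: Logging `rfc6749Error.DescriptionField` may drop the specific hint from the log line. The updated test expectations elsewhere on this page show responses whose description is the generic text followed by the hint, which suggests the hint is now held separately from the description field. If so, authorization-failure logs would carry only the generic RFC 6749 sentence, which makes triage harder. `keysAndValues = append(keysAndValues, rfc6749Error.GetDescription())` would keep the combined text; confirm against the library version in use. As a point of style, the six appends could be a single slice literal. The function signature is outside the hunk.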
|
||||
|
||||
|
@ -78,138 +78,99 @@ var (
|
||||
return here.Docf(`
|
||||
{
|
||||
"error": "invalid_request",
|
||||
"error_verbose": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nHTTP method is \"%s\", expected \"POST\".",
|
||||
"error_hint": "HTTP method is \"%s\", expected \"POST\".",
|
||||
"status_code": 400
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. HTTP method is '%s', expected 'POST'."
|
||||
}
|
||||
`, actual, actual)
|
||||
`, actual)
|
||||
}
|
||||
|
||||
fositeMissingGrantTypeErrorBody = here.Docf(`
|
||||
{
|
||||
"error": "invalid_request",
|
||||
"error_verbose": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nRequest parameter \"grant_type\"\" is missing",
|
||||
"error_hint": "Request parameter \"grant_type\"\" is missing",
|
||||
"status_code": 400
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Request parameter 'grant_type' is missing"
|
||||
}
|
||||
`)
|
||||
|
||||
fositeEmptyPayloadErrorBody = here.Doc(`
|
||||
{
|
||||
"error": "invalid_request",
|
||||
"error_verbose": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nThe POST body can not be empty.",
|
||||
"error_hint": "The POST body can not be empty.",
|
||||
"status_code": 400
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The POST body can not be empty."
|
||||
}
|
||||
`)
|
||||
|
||||
fositeInvalidPayloadErrorBody = here.Doc(`
|
||||
{
|
||||
"error": "invalid_request",
|
||||
"error_verbose": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nUnable to parse HTTP body, make sure to send a properly formatted form request body.",
|
||||
"error_hint": "Unable to parse HTTP body, make sure to send a properly formatted form request body.",
|
||||
"status_code": 400
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Unable to parse HTTP body, make sure to send a properly formatted form request body."
|
||||
}
|
||||
`)
|
||||
|
||||
fositeInvalidRequestErrorBody = here.Doc(`
|
||||
{
|
||||
"error": "invalid_request",
|
||||
"error_verbose": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nMake sure that the various parameters are correct, be aware of case sensitivity and trim your parameters. Make sure that the client you are using has exactly whitelisted the redirect_uri you specified.",
|
||||
"error_hint": "Make sure that the various parameters are correct, be aware of case sensitivity and trim your parameters. Make sure that the client you are using has exactly whitelisted the redirect_uri you specified.",
|
||||
"status_code": 400
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Make sure that the various parameters are correct, be aware of case sensitivity and trim your parameters. Make sure that the client you are using has exactly whitelisted the redirect_uri you specified."
|
||||
}
|
||||
`)
|
||||
|
||||
fositeInvalidRequestMissingGrantTypeErrorBody = here.Doc(`
|
||||
{
|
||||
"error": "invalid_request",
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nRequest parameter \"grant_type\"\" is missing",
|
||||
"error_hint": "Request parameter \"grant_type\"\" is missing",
|
||||
"error_verbose": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
|
||||
"status_code": 400
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Request parameter 'grant_type' is missing"
|
||||
}
|
||||
`)
|
||||
|
||||
fositeMissingClientErrorBody = here.Doc(`
|
||||
{
|
||||
"error": "invalid_request",
|
||||
"error_verbose": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nClient credentials missing or malformed in both HTTP Authorization header and HTTP POST body.",
|
||||
"error_hint": "Client credentials missing or malformed in both HTTP Authorization header and HTTP POST body.",
|
||||
"status_code": 400
|
||||
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Client credentials missing or malformed in both HTTP Authorization header and HTTP POST body."
|
||||
}
|
||||
`)
|
||||
|
||||
fositeInvalidClientErrorBody = here.Doc(`
|
||||
{
|
||||
"error": "invalid_client",
|
||||
"error_verbose": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)",
|
||||
"error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)",
|
||||
"status_code": 401
|
||||
"error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)."
|
||||
}
|
||||
`)
|
||||
|
||||
fositeInvalidAuthCodeErrorBody = here.Doc(`
|
||||
{
|
||||
"error": "invalid_grant",
|
||||
"error_verbose": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
|
||||
"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
|
||||
"status_code": 400
|
||||
"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."
|
||||
}
|
||||
`)
|
||||
|
||||
fositeReusedAuthCodeErrorBody = here.Doc(`
|
||||
{
|
||||
"error": "invalid_grant",
|
||||
"error_verbose": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
|
||||
"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\n\nThe authorization code has already been used.",
|
||||
"error_hint": "The authorization code has already been used.",
|
||||
"status_code": 400
|
||||
"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The authorization code has already been used."
|
||||
}
|
||||
`)
|
||||
|
||||
fositeInvalidRedirectURIErrorBody = here.Doc(`
|
||||
{
|
||||
"error": "invalid_grant",
|
||||
"error_verbose": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
|
||||
"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\n\nThe \"redirect_uri\" from this request does not match the one from the authorize request.",
|
||||
"error_hint": "The \"redirect_uri\" from this request does not match the one from the authorize request.",
|
||||
"status_code": 400
|
||||
"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The 'redirect_uri' from this request does not match the one from the authorize request."
|
||||
}
|
||||
`)
|
||||
|
||||
fositeMissingPKCEVerifierErrorBody = here.Doc(`
|
||||
{
|
||||
"error": "invalid_grant",
|
||||
"error_verbose": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
|
||||
"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\n\nThe PKCE code verifier must be at least 43 characters.",
|
||||
"error_hint": "The PKCE code verifier must be at least 43 characters.",
|
||||
"status_code": 400
|
||||
"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The PKCE code verifier must be at least 43 characters."
|
||||
}
|
||||
`)
|
||||
|
||||
fositeWrongPKCEVerifierErrorBody = here.Doc(`
|
||||
{
|
||||
"error": "invalid_grant",
|
||||
"error_verbose": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
|
||||
"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\n\nThe PKCE code challenge did not match the code verifier.",
|
||||
"error_hint": "The PKCE code challenge did not match the code verifier.",
|
||||
"status_code": 400
|
||||
"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The PKCE code challenge did not match the code verifier."
|
||||
}
|
||||
`)
|
||||
|
||||
fositeTemporarilyUnavailableErrorBody = here.Doc(`
|
||||
{
|
||||
"error": "temporarily_unavailable",
|
||||
"error_description": "The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server",
|
||||
"error_verbose": "The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server",
|
||||
"status_code": 503
|
||||
"error_description": "The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server."
|
||||
}
|
||||
`)
|
||||
|
||||
@ -749,7 +710,7 @@ func TestTokenExchange(t *testing.T) {
|
||||
},
|
||||
requestedAudience: "some-workload-cluster",
|
||||
wantStatus: http.StatusForbidden,
|
||||
wantResponseBodyContains: `missing the \"pinniped:request-audience\" scope`,
|
||||
wantResponseBodyContains: `missing the 'pinniped:request-audience' scope`,
|
||||
},
|
||||
{
|
||||
name: "access token missing openid scope",
|
||||
@ -766,7 +727,7 @@ func TestTokenExchange(t *testing.T) {
|
||||
},
|
||||
requestedAudience: "some-workload-cluster",
|
||||
wantStatus: http.StatusForbidden,
|
||||
wantResponseBodyContains: `missing the \"openid\" scope`,
|
||||
wantResponseBodyContains: `missing the 'openid' scope`,
|
||||
},
|
||||
{
|
||||
name: "token minting failure",
|
||||
|
@ -135,7 +135,7 @@ func (t *TokenExchangeHandler) validateAccessToken(ctx context.Context, requeste
|
||||
signature := t.accessTokenStrategy.AccessTokenSignature(accessToken)
|
||||
originalRequester, err := t.accessTokenStorage.GetAccessTokenSession(ctx, signature, requester.GetSession())
|
||||
if err != nil {
|
||||
return nil, fosite.ErrRequestUnauthorized.WithCause(err).WithHint("invalid subject_token")
|
||||
return nil, fosite.ErrRequestUnauthorized.WithWrap(err).WithHint("invalid subject_token")
|
||||
}
|
||||
return originalRequester, nil
|
||||
}
|
||||
|
@ -25,7 +25,7 @@ spec:
|
||||
emptyDir: {}
|
||||
containers:
|
||||
- name: proxy
|
||||
image: docker.io/getpinniped/test-forward-proxy
|
||||
image: projects.registry.vmware.com/pinniped/test-forward-proxy
|
||||
imagePullPolicy: Always
|
||||
ports:
|
||||
- name: http
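Review bot: The `image:` reference for the `proxy` container carries no tag or digest, so together with `imagePullPolicy: Always` every pod start pulls whatever the registry currently serves under the default tag. Pinning by digest, e.g. `image: projects.registry.vmware.com/pinniped/test-forward-proxy@sha256:<digest-placeholder>`, keeps the test proxy reproducible and stops a changed upstream image from entering the test environment unnoticed. This applies to both registry locations printed in the hunk. The container spec continues past the hunk.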
|
||||
|
@ -1,12 +0,0 @@
|
||||
// +build tools
|
||||
|
||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
// Package tools exists to work around a Go modules oddity and depend on some tool versions.
|
||||
package tools
|
||||
|
||||
import (
|
||||
_ "github.com/golang/mock/mockgen"
|
||||
_ "github.com/golangci/golangci-lint/cmd/golangci-lint"
|
||||
)
|