Margo Crawford
c117329553
Updates based on code review
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 09:38:21 -07:00
Margo Crawford
4d0c2e16f4
require groups scope to get groups back from supervisor
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 08:00:17 -07:00
Margo Crawford
8f4285dbff
Change group names
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-13 14:28:05 -07:00
Ryan Richard
b9272b2729
Reserve all of *.pinniped.dev for requested aud in token exchanges
...
Our previous plan was to reserve only *.oauth.pinniped.dev but we
changed our minds during PR review.
2022-06-13 12:08:11 -07:00
Margo Crawford
ba371423d9
Add integration test for OIDCClientSecretRequest
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-10 13:56:15 -07:00
Margo Crawford
889348e999
WIP aggregated api for oidcclientsecretrequest
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-09 13:47:19 -07:00
Ryan Richard
321abfc98d
Merge branch 'dynamic_clients' into token_exchange_aud
2022-06-08 09:03:29 -07:00
Ryan Richard
ea45e5dfef
Disallow certain requested audience strings in token exchange
2022-06-07 16:32:19 -07:00
Mo Khan
472ab229e7
Merge branch 'main' into auth_handler_form_post_csp
2022-06-07 18:26:52 -04:00
Ryan Richard
7751c0bf59
Bump project deps, including kube 0.23.6->0.24.1 and Go 1.18.1->1.18.3
...
Several API changes in Kube required changes in Pinniped code.
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-07 15:26:30 -04:00
Ryan Richard
b99c4773a2
Use CSP headers in auth handler response
...
When response_mode=form_post is requested, some error cases will be
returned to the client using the form_post web page to POST the result
back to the client's redirect URL.
2022-06-02 09:23:34 -07:00
Monis Khan
0674215ef3
Switch to go.uber.org/zap for JSON formatted logging
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-05-24 11:17:42 -04:00
Ryan Richard
39fd9ba270
Small refactors and comments for LDAP/AD UI
2022-05-19 16:02:08 -07:00
Ryan Richard
0f2a984308
Merge branch 'main' into ldap-login-ui
2022-05-11 11:32:15 -07:00
Ryan Richard
aa732a41fb
Add LDAP browser flow login failure tests to supervisor_login_test.go
...
Also do some refactoring to share more common test setup code in
supervisor_login_test.go.
2022-05-10 16:28:08 -07:00
Ryan Richard
4c44f583e9
Don't add pinniped_idp_name pinniped_idp_type params into upstream state
2022-05-06 12:00:46 -07:00
Ryan Richard
ec22b5715b
Add Pinniped favicon to login UI page 🦭
2022-05-05 14:46:07 -07:00
Ryan Richard
cffa353ffb
Login page styling/structure for users, screen readers, passwd managers
...
Also:
- Add CSS to login page
- Refactor login page HTML and CSS into a new package
- New custom CSP headers for the login page, because the requirements
are different from the form_post page
2022-05-05 13:13:25 -07:00
Ryan Richard
6ca7c932ae
Add unit test for rendering form_post response from POST /login
2022-05-05 13:13:25 -07:00
Ryan Richard
656f221fb7
Merge branch 'main' into ldap-login-ui
2022-05-04 09:29:15 -07:00
Ryan Richard
2e031f727b
Use security headers for the form_post page in the POST /login endpoint
...
Also use more specific test assertions where security headers are
expected. And run the unit tests for the login package in parallel.
2022-05-03 16:46:09 -07:00
Ryan Richard
acc6c50e48
More unit tests for LDAP DNs which contain special chars
...
Adding explicit coverage for PerformRefresh().
2022-05-03 15:43:01 -07:00
Margo Crawford
388cdb6ddd
Fix bug where form was posting to the wrong path
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-05-03 15:18:38 -07:00
Ryan Richard
c74dea6405
Escape special characters in LDAP DNs when used in search filters
2022-05-02 13:37:32 -07:00
Ryan Richard
69e5169fc5
Implement post_login_handler.go to accept form post and auth to LDAP/AD
...
Also extract some helpers from auth_handler.go so they can be shared
with the new handler.
2022-04-29 16:02:00 -07:00
Margo Crawford
646c6ec9ed
Show error message on login page
...
Also add autocomplete attribute and title element
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-29 10:36:13 -07:00
Margo Crawford
453c69af7d
Fix some errors and pass state as form element
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-28 12:07:04 -07:00
Margo Crawford
07b2306254
Add basic outline of login get handler
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-28 11:51:36 -07:00
Margo Crawford
ae60d4356b
Some refactoring of shared code between OIDC and LDAP browser flows
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-27 08:51:37 -07:00
Margo Crawford
379a803509
when password header but not username is sent to password grant, error
...
also add more unit tests
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-26 16:46:58 -07:00
Ryan Richard
65eed7e742
Implement login_handler.go to defer to other handlers
...
The other handlers for GET and POST requests are not yet implemented in
this commit. The shared handler code in login_handler.go takes care of
things checking the method, checking the CSRF cookie, decoding the state
param, and adding security headers on behalf of both the GET and POST
handlers.
Some code has been extracted from callback_handler.go to be shared.
2022-04-26 15:37:30 -07:00
Margo Crawford
eb1d3812ec
Update authorization endpoint to redirect to new login page
...
Also fix some test failures on the callback handler, register the
new login handler in manager.go and add a (half baked) integration test
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-26 12:51:56 -07:00
Margo Crawford
8832362b94
WIP: Add login handler for LDAP/AD web login
...
Also change state param to include IDP type
2022-04-25 16:41:55 -07:00
Margo Crawford
694e4d6df6
Advertise browser_authcode flow in ldap idp discovery
...
To keep this backwards compatible, this PR changes how
the cli deals with ambiguous flows. Previously, if there
was more than one flow advertised, the cli would require users
to set the flag --upstream-identity-provider-flow. Now it
chooses the first one in the list.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-25 14:54:21 -07:00
Ryan Richard
0ec5e57114
Merge pull request #1131 from vmware-tanzu/bump_some_deps
...
Bump some deps
2022-04-19 13:29:28 -07:00
Margo Crawford
0b72f7084c
JWTAuthenticator distributed claims resolution honors tls config
...
Kube 1.23 introduced a new field on the OIDC Authenticator which
allows us to pass in a client with our own TLS config. See
https://github.com/kubernetes/kubernetes/pull/106141 .
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-19 11:36:46 -07:00
Ryan Richard
132d2aac72
add a code comment
2022-04-19 11:35:46 -07:00
Ryan Richard
2d4f4e4efd
Merge branch 'main' into bump_some_deps
2022-04-19 11:32:53 -07:00
Ryan Richard
fb8083d024
bump some direct deps
2022-04-19 11:09:24 -07:00
hectorj2f
a3f7afaec4
oidc: add code challenge supported methods
...
Signed-off-by: hectorj2f <hectorf@vmware.com>
2022-04-19 01:21:39 +02:00
Margo Crawford
d5337c9c19
Error format of untrusted certificate errors should depend on OS
...
Go 1.18.1 started using MacOS' x509 verification APIs on Macs
rather than Go's own. The error messages are different.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-14 17:37:36 -07:00
Margo Crawford
03f19da21c
the http2RoundTripper should only use http2
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-14 10:51:25 -07:00
Monis Khan
e0886c6948
Only emit FIPS startup log when running a server component
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-13 18:31:02 -04:00
Monis Khan
8fd77b72df
Bump to go1.18.1 and fix linter errors
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-13 16:43:06 -04:00
Ryan Richard
53348b8464
Add custom prefix to downstream access and refresh tokens and authcodes
2022-04-13 10:13:27 -07:00
Monis Khan
6b4fbb6e0e
Use klog to make sure FIPS init log is emitted
...
We cannot use plog until the log level config has been setup, but
that occurs after this init function has run.
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-12 14:36:06 -04:00
Ryan Richard
25d20d4081
Merge branch 'main' into disable_http
2022-04-05 09:00:26 -07:00
Monis Khan
07066e020d
Explicitly set defaultServing ciphers in FIPS mode
...
This is a no-op today, but could change in the future when we add
support for FIPS in non-strict mode.
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:59:47 -04:00
Monis Khan
3f0753ec5a
Remove duplication in secure TLS tests
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:56:38 -04:00
Monis Khan
15bc6a4a67
Add more details to FIPS comments
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:56:38 -04:00
Ryan Richard
51c527a965
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests
...
- Use camel-case in the static configmap
- Parse the value into a boolean in the go struct instead of a string
- Add test for when unsupported value is used in the configmap
- Run the config_test.go tests in parallel
- Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 16:23:45 -07:00
Ryan Richard
ae7aac020a
Merge branch 'main' into disable_http
2022-03-30 11:30:32 -07:00
Margo Crawford
53597bb824
Introduce FIPS compatibility
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-29 16:58:41 -07:00
Ryan Richard
488f08dd6e
Provide a way to override the new HTTP loopback-only validation
...
Add new deprecated_insecure_accept_external_unencrypted_http_requests
value in values.yaml. Allow it to be a boolean or a string to make it
easier to use (both --data-value and --data-value-yaml will work).
Also:
- Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses
for the validation
- Remove unused env.SupervisorHTTPAddress var
- Deprecate the `service_http_*` values in values.yaml by renaming them
and causing a ytt render error when the old names are used
2022-03-28 17:03:23 -07:00
Ryan Richard
8d12c1b674
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 15:46:10 -07:00
Ryan Richard
48c5a625a5
Remove our direct dependency on ory/x
...
ory/x has new releases very often, sometimes multiple times per week,
causing a lot of noise from dependabot. We were barely using it
directly, so replace our direct usages with equivalent code.
2022-03-24 10:24:54 -07:00
Ryan Richard
fffcb7f5b4
Update to github.com/golangci/golangci-lint/cmd/golangci-lint@v1.44.2
...
- Two of the linters changed their names
- Updated code and nolint comments to make all linters pass with 1.44.2
- Added a new hack/install-linter.sh script to help developers install
the expected version of the linter for local development
2022-03-08 12:28:09 -08:00
Monis Khan
eae55a8595
Fix typo in group removed warning
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-02 12:58:30 -05:00
Margo Crawford
609b55a6d7
Pinniped Supervisor should issue a warning when groups change during refresh
2022-03-01 14:01:57 -08:00
Margo Crawford
fdac4d16f0
Only run group refresh when the skipGroupRefresh boolean isn't set
...
for AD and LDAP
2022-02-17 12:50:28 -08:00
Margo Crawford
662f2cef9c
Integration test for updating group search base
...
Also a small change to a comment
2022-02-17 11:29:59 -08:00
Margo Crawford
ca523b1f20
Always update groups even if it's nil
...
Also de-dup groups and various small formatting changes
2022-02-17 11:29:59 -08:00
Margo Crawford
c28602f275
Add unit tests for group parsing overrides
2022-02-17 11:29:59 -08:00
Margo Crawford
dd11c02b6a
Add back entries because I think it's actually necessary
2022-02-17 11:29:59 -08:00
Margo Crawford
f890fad90c
Rename a function, sort strings inside searchGroupsForUserDN
2022-02-17 11:29:59 -08:00
Margo Crawford
cd7538861a
Add integration test where we don't get groups back
2022-02-17 11:29:59 -08:00
Margo Crawford
013b521838
Upstream ldap group refresh:
...
- Doing it inline on the refresh request
2022-02-17 11:29:59 -08:00
Ryan Richard
e5a60a8c84
Update a comment
2022-02-16 11:09:05 -08:00
Monis Khan
49e88dd74a
Change some single quotes to double quotes in minified JS
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-10 16:15:26 -05:00
Ryan Richard
5d79d4b9dc
Fix form_post.js mistake from recent commit; Better CORS on callback
2022-02-08 17:30:48 -08:00
Ryan Richard
6781bfd7d8
Fix JS bug: form post UI shows manual copy/paste UI upon failed callback
...
When the POST to the CLI's localhost callback endpoint results in a
non-2XX status code, then treat that as a failed login attempt and
automatically show the manual copy/paste UI.
2022-02-07 16:21:23 -08:00
Margo Crawford
b30dad72ed
Fix new refresh token grace period test to have warnings
2022-01-20 14:54:59 -08:00
Margo Crawford
31cdd808ac
Merge pull request #951 from vmware-tanzu/short-session-warning
...
Supervisor should emit a warning when access token lifetime is too short
2022-01-20 14:44:32 -08:00
Ryan Richard
e85a6c09f6
Merge pull request #953 from vmware-tanzu/dependabot/go_modules/github.com/tdewolff/minify/v2-2.9.29
...
Bump github.com/tdewolff/minify/v2 from 2.9.26 to 2.9.29
2022-01-20 14:16:05 -08:00
Margo Crawford
38d184fe81
Integration test + making sure we get the session correctly in token handler
2022-01-20 13:48:50 -08:00
Margo Crawford
b0ea7063c7
Supervisor should emit a warning when access token lifetime is too short
2022-01-20 13:48:50 -08:00
Ryan Richard
db789dc2bf
Merge branch 'main' into dependabot/go_modules/github.com/tdewolff/minify/v2-2.9.29
2022-01-20 12:10:24 -08:00
Ryan Richard
6ddc953989
Merge branch 'main' into dependabot/go_modules/github.com/ory/fosite-0.42.0
2022-01-20 12:10:01 -08:00
Ryan Richard
dff53b8144
Changes for Fosite's new RevokeRefreshTokenMaybeGracePeriod() interface
...
Fosite v0.42.0 introduced a new RevokeRefreshTokenMaybeGracePeriod()
interface function. Updated our code to support this change. We didn't
support grace periods on refresh tokens before, so implemented it by
making the new RevokeRefreshTokenMaybeGracePeriod() method just call
the old RevokeRefreshToken() method, therefore keeping our old behavior.
2022-01-19 13:57:01 -08:00
Ryan Richard
3b1cc30e8d
Update unit test to match new JS minify output after minify upgrade
2022-01-19 13:29:07 -08:00
Ryan Richard
a4ca44ca14
Improve error handling when upstream groups is invalid during refresh
2022-01-19 12:57:47 -08:00
Ryan Richard
78bdb1928a
Merge branch 'main' into upstream-oidc-refresh-groups
2022-01-18 16:03:14 -08:00
Monis Khan
1e1789f6d1
Allow configuration of supervisor endpoints
...
This change allows configuration of the http and https listeners
used by the supervisor.
TCP (IPv4 and IPv6 with any interface and port) and Unix domain
socket based listeners are supported. Listeners may also be
disabled.
Binding the http listener to TCP addresses other than 127.0.0.1 or
::1 is deprecated.
The deployment now uses https health checks. The supervisor is
always able to complete a TLS connection with the use of a bootstrap
certificate that is signed by an in-memory certificate authority.
To support sidecar containers used by service meshes, Unix domain
socket based listeners include ACLs that allow writes to the socket
file from any runAsUser specified in the pod's containers.
Signed-off-by: Monis Khan <mok@vmware.com>
2022-01-18 17:43:45 -05:00
Ryan Richard
70bd831099
Merge branch 'main' into upstream-oidc-refresh-groups
2022-01-18 14:36:18 -08:00
Ryan Richard
88f3b29515
Merge branch 'main' into upstream-oidc-refresh-groups
2022-01-14 16:51:12 -08:00
Ryan Richard
75e4093067
Merge branch 'main' into ldap_and_activedirectory_status_conditions_bug
2022-01-14 16:50:34 -08:00
Ryan Richard
548977f579
Update group memberships during refresh for upstream OIDC providers
...
Update the user's group memberships when possible. Note that we won't
always have enough information to be able to update it (see code
comments).
2022-01-14 16:38:21 -08:00
Ryan Richard
7551af3eb8
Fix code that did not auto-merge correctly in previous merge from main
2022-01-14 10:59:39 -08:00
Ryan Richard
814399324f
Merge branch 'main' into upstream_access_revocation_during_gc
2022-01-14 10:49:22 -08:00
Ryan Richard
db0a765b98
Merge branch 'main' into ldap_and_activedirectory_status_conditions_bug
2022-01-14 10:06:16 -08:00
Ryan Richard
092a80f849
Refactor some variable names and update one comment
...
Change variable names to match previously renamed interface name.
2022-01-14 10:06:00 -08:00
Margo Crawford
5b161be334
Refactored oidcUpstreamRefresh
...
Various style changes, updated some comments and variable names and
extracted a helper function for validation.
2022-01-12 18:05:22 -08:00
Margo Crawford
62be761ef1
Perform access token based refresh by fetching the userinfo
2022-01-12 18:05:10 -08:00
Ryan Richard
651d392b00
Refuse logins when no upstream refresh token and no userinfo endpoint
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-12 18:03:25 -08:00
Margo Crawford
6f3977de9d
Store access token when refresh not available for authcode flow.
...
Also refactor oidc downstreamsessiondata code to be shared between
callback handler and auth handler.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2022-01-12 18:03:25 -08:00
Ryan Richard
91924ec685
Revert adding allowAccessTokenBasedRefresh flag to OIDCIdentityProvider
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-12 18:03:25 -08:00
Margo Crawford
683a2c5b23
WIP adding access token to storage upon login
2022-01-12 18:03:25 -08:00
Ryan Richard
1f146f905a
Add struct field for storing upstream access token in downstream session
2022-01-12 18:03:25 -08:00
Margo Crawford
2b744b2eef
Add back comment about deferring validation when id token subject is missing
2022-01-12 11:19:43 -08:00
Margo Crawford
2958461970
Addressing PR feedback
...
store issuer and subject in storage for refresh
Clean up some constants
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00