Commit Graph

812 Commits

Author SHA1 Message Date
Joshua Casey
976dd6c8e1 wip 2023-04-07 19:39:42 -05:00
Joshua Casey
5dc454de3d wip 2023-04-07 19:39:41 -05:00
Joshua Casey
a5d622179e Use tag boringcrypto instead of fips_strict 2023-04-07 19:39:41 -05:00
Ryan Richard
19b60fe563 Clarify audience value in Concierge-only auth doc, and other doc updates
Also renamed a couple of integration test files to make their names
more clear.
2023-04-03 16:54:10 -07:00
Ryan Richard
7cd16b179c Fix integration tests to pass with Kube 1.27/1.28 pre-release builds
Fix test failures that occurred in the k8s-main integration test CI job
when using Kube 1.27 and 1.28 pre-release builds.
2023-04-03 14:16:47 -07:00
Ryan Richard
a04129548f Increase some test timeouts that failed once on Kind jobs in CI 2023-04-03 11:46:11 -07:00
Joshua Casey
fc0f9d959a Bump golangci-lint to 1.51.2 and fix lint issues 2023-03-16 14:55:37 -05:00
Joshua Casey
24cf7c5bcd Remove internal/psets in favor of k8s.io/apimachinery/pkg/util/sets 2023-01-31 10:10:44 -06:00
Ryan Richard
2d3e53e6ac Increase timeouts in supervisor_oidcclientsecret_test.go
They were too short after enabling the race detector for integration
tests in CI.
2023-01-27 14:23:04 -08:00
Ryan Richard
c6e4133c5e Accept both old and new cert error strings on MacOS in test assertions
Used this as an opportunity to refactor how some tests were
making assertions about error strings.

New test helpers make it easy for an error string to be expected as an
exact string, as a string built using sprintf, as a regexp, or as a
string built to include the platform-specific x509 error string.

All of these helpers can be used in a single `wantErr` field of a test
table. They can be used for both unit tests and integration tests.

Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-20 15:01:36 -08:00
Ryan Richard
7ff3b3d9cb Code changes to support Kube 0.26 deps 2023-01-18 14:39:22 -08:00
Ryan Richard
2f9b8b105d update copyright to 2023 in files changed by this PR 2023-01-17 15:54:16 -08:00
Ryan Richard
3d20fa79a7 Two more integration tests for additionalClaimMappings
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-17 15:36:39 -08:00
Ryan Richard
74c3156059 Assert more cluster-scoped ID token claims in supervisor_login_test.go 2023-01-17 13:10:51 -08:00
Joshua Casey
6156fdf175 Expect complex subclaims of additionalClaims to have type interface{}
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-01-17 13:27:40 -06:00
Joshua Casey
f494c61790 additionalClaims claim should not be present when no sub claims are expected
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-17 11:58:08 -06:00
Joshua Casey
a94bbe70c7 Add integration test to verify that additionalClaims are present in an ID Token
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-13 14:59:59 -08:00
Ryan Richard
8ff6ef32e9 Allow additional claims to map into an ID token issued by the supervisor
- Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings
- Advertise additionalClaims in the OIDC discovery endpoint under claims_supported

Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-13 14:59:50 -08:00
Ryan Richard
976035115e Stop using pointer pkg functions that were deprecated by dependency bump 2022-12-14 08:47:16 -08:00
Ryan Richard
e1a0367b03 Upgrade project Go dependencies
Most of the changes in this commit are because of these fosite PRs
which changed behavior and/or APIs in fosite:
- https://github.com/ory/fosite/pull/667
- https://github.com/ory/fosite/pull/679 (from me!)
- https://github.com/ory/fosite/pull/675
- https://github.com/ory/fosite/pull/688

Due to the changes in fosite PR #688, we need to bump our storage
version for anything which stores the DefaultSession struct as JSON.
2022-12-14 08:47:16 -08:00
Ryan Richard
66f4ee8a1b Update more tests to notice different var for external ldap server 2022-09-28 14:32:10 -07:00
Benjamin A. Petersen
09b9075abb
Update TestLDAPSearch_Parallel to notice different var for external ldap server 2022-09-28 16:02:56 -04:00
Ryan Richard
563c193499 Fix integration test expectation for AKS clusters 2022-09-26 17:00:11 -07:00
Ryan Richard
0d215566d8 Yet another integration test fix for dynamic clients feature with Okta 2022-09-26 16:41:52 -07:00
Ryan Richard
23185d55a5 Another integration test fix for dynamic clients feature with Okta
Also increase the timeout in an integration test because it is flaking
on one of the GKE environments sometimes, probably because the
Concierge controllers aren't ready fast enough before the integration
tests start.
2022-09-26 14:43:50 -07:00
Ryan Richard
f302e71b0f Fix some integration tests' handling of groups to work with Okta 2022-09-26 12:40:07 -07:00
Ryan Richard
36dbc7c9bf Update supervisor_storage_test.go to avoid using fuzzed value
The fuzzed value depends on which Go compiler is used. This breaks
the fips tests in CI as long as the fips compiler is a version behind
(we are still waiting for the 1.19 fips compiler to come out).

The fuzzing is still being tested by a separate unit test, so we are
not losing fuzzing test coverage.
2022-09-26 11:19:39 -07:00
Ryan Richard
208a566bdf Merge branch 'main' into dynamic_clients 2022-09-23 14:01:11 -07:00
Ryan Richard
66b1df2dd9 Fix a test assertion in supervisor_oidcclientsecret_test.go 2022-09-23 07:59:05 -07:00
Ryan Richard
31716358a9 Make the assertNoRestartsDuringTest() helper ignore terminating pods 2022-09-21 21:27:02 -07:00
Ryan Richard
12b3079377 integration tests for oidcclientsecretrequest endpoint
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 16:25:41 -07:00
Ryan Richard
90f13225ef Update integration test helper to call new OIDCClientSecretRequest API 2022-09-21 15:17:21 -07:00
Ryan Richard
af01c3aeb6 Make kubectl explain work for Pinniped aggregated APIs
- Change update-codegen.sh script to also generated openapi code for the
  aggregated API types
- Update both aggregated API servers' configuration to make them serve
  the openapi docs for the aggregated APIs
- Add new integration test which runs `kubectl explain` for all Pinniped
  API resources, and all fields and subfields of those resources
- Update some the comments on the API structs
- Change some names of the tmpl files to make the filename better match
  the struct names
2022-09-21 15:15:37 -07:00
Ryan Richard
1c296e5c4c Implement the OIDCClientSecretRequest API
This commit is a WIP commit because it doesn't include many tests
for the new feature.

Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:15:07 -07:00
Ryan Richard
b564454bab Make Pinniped compatible with Kube clusters which have enabled PSAs
Where possible, use securityContext settings which will work with the
most restrictive Pod Security Admission policy level (as of Kube 1.25).
Where privileged containers are needed, use the namespace-level
annotation to allow them.

Also adjust some integration tests to make similar changes to allow the
integration tests to pass on test clusters which use restricted PSAs.
2022-09-15 14:58:15 -07:00
Ryan Richard
8d8f980e86 Merge branch 'main' into dynamic_clients 2022-08-26 11:35:35 -07:00
Ryan Richard
5246ff9005 Give more time for slow envs to update in concierge_api_serving_certs_test.go
This test is a little flaky in slow Kubernetes clusters. Try giving a
little more time for things to update before failing the test, to
hopefully make this test a little more reliable.
2022-08-25 11:20:54 -07:00
Ryan Richard
8f27219ac9 Change allowed gcp auth plugin is deprecation warning text
It seems that google changed it from "the gcp auth plugin is deprecated
in v1.22+, unavailable in v1.25+; use gcloud instead" to instead say
"unavailable in v1.26+". Make the matcher in category_test.go more loose
to allow both to match.
2022-08-25 08:11:37 -07:00
Ryan Richard
c6c2c525a6 Upgrade the linter and fix all new linter warnings
Also fix some tests that were broken by bumping golang and dependencies
in the previous commits.

Note that in addition to changes made to satisfy the linter which do not
impact the behavior of the code, this commit also adds ReadHeaderTimeout
to all usages of http.Server to satisfy the linter (and because it
seemed like a good suggestion).
2022-08-24 14:45:55 -07:00
Ryan Richard
0bb2c7beb7 Always add the azp claim to ID tokens to show the original client ID
When the token exchange grant type is used to get a cluster-scoped
ID token, the returned token has a new audience value. The client ID
of the client which performed the authorization was lost. This didn't
matter before, since the only client was `pinniped-cli`, but now that
dynamic clients can be registered, the information would be lost in the
cluster-scoped ID token. It could be useful for logging, tracing, or
auditing, so preserve the information by putting the client ID into the
`azp` claim in every ID token (authcode exchange, clsuter-scoped, and
refreshed ID tokens).
2022-08-09 16:07:23 -07:00
Ryan Richard
22fbced863 Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
  client does not need to request the username or groups scopes for them
  to be granted. For dynamic clients, the usual OAuth2 rules apply:
  the client must be allowed to request the scopes according to its
  configuration, and the client must actually request the scopes in the
  authorization request.
- If the username scope was not granted, then there will be no username
  in the ID token, and the cluster-scoped token exchange will fail since
  there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
  scopes in the scopes_supported list, and lists the username and groups
  claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
  put into kubeconfig files by "pinniped get kubeconfig" CLI command,
  and the default list of scopes used by "pinniped login oidc" when
  no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
  refresh will only be sent to the pinniped-cli client, since it is
  only intended for kubectl and it could leak the username to the
  client (which may not have the username scope granted) through the
  warning message text.
- Add the user's username to the session storage as a new field, so that
  during upstream refresh we can compare the original username from the
  initial authorization to the refreshed username, even in the case when
  the username scope was not granted (and therefore the username is not
  stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
  due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
  package.
- Change some import names to make them consistent:
  - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
  - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
    as "oidcapi"
  - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 16:29:22 -07:00
Ryan Richard
bda233482d Merge branch 'dynamic_clients' into dynamic_clients_in_downstream_flows 2022-07-26 09:31:39 -07:00
Ryan Richard
57f8e18dbc Merge branch 'main' into dynamic_clients 2022-07-26 09:31:18 -07:00
Ryan Richard
c07cc6b8ec Update e2e_test.go for clusters which have ServerSideFieldValidation
Also update prepare-cluster-for-integration-tests.sh for new
kubectl version command options.
2022-07-25 17:25:21 -07:00
Ryan Richard
b65f872dcd Configure printer columns for OIDCClient CRD 2022-07-21 16:40:03 -07:00
Ryan Richard
0495286f97 Fix lint error and remove accidental direct dep on ory/x
Fixing some mistakes from previous commit on feature branch.
2022-07-21 13:50:33 -07:00
Ryan Richard
c12ffad29e Add integration test for failed client auth for a dynamic client 2022-07-21 10:13:34 -07:00
Ryan Richard
e42f5488fa More unit tests for dynamic clients
- Add dynamic client unit tests for the upstream OIDC callback and
  POST login endpoints.
- Enhance a few log statements to print the full fosite error messages
  into the logs where they were previously only printing the name of
  the error type.
2022-07-21 09:26:00 -07:00
Ryan Richard
34509e7430 Add more unit tests for dynamic clients and enhance token exchange
- Enhance the token exchange to check that the same client is used
  compared to the client used during the original authorization and
  token requests, and also check that the client has the token-exchange
  grant type allowed in its configuration.
- Reduce the minimum required bcrypt cost for OIDCClient secrets
  because 15 is too slow for real-life use, especially considering
  that every login and every refresh flow will require two client auths.
- In unit tests, use bcrypt hashes with a cost of 4, because bcrypt
  slows down by 13x when run with the race detector, and we run our
  tests with the race detector enabled, causing the tests to be
  unacceptably slow. The production code uses a higher minimum cost.
- Centralize all pre-computed bcrypt hashes used by unit tests to a
  single place. Also extract some other useful test helpers for
  unit tests related to OIDCClients.
- Add tons of unit tests for the token endpoint related to dynamic
  clients for authcode exchanges, token exchanges, and refreshes.
2022-07-20 13:55:56 -07:00
Ryan Richard
f5f55176af Enhance integration tests for OIDCClients in supervisor_login_test.go 2022-07-14 18:50:23 -07:00