ContainerImage.Pinniped

Author	SHA1	Message	Date
Matt Moyer	014d760f3d	Add validated ID token claims to the oidctypes.Token structure. This is just a more convenient copy of these values which are already stored inside the ID token. This will save us from having to pass them around seprately or re-parse them later. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-04 15:18:41 -06:00
Matt Moyer	7b088d611d	Merge pull request #252 from mattmoyer/fix-csrf-cookie-same-site Switch CSRF cookie from `Same-Site=Strict` to `Same-Site=Lax`.	2020-12-03 21:53:24 -06:00
Matt Moyer	f0ebd808d7	Switch CSRF cookie from `Same-Site=Strict` to `Same-Site=Lax`. This CSRF cookie needs to be included on the request to the callback endpoint triggered by the redirect from the OIDC upstream provider. This is not allowed by `Same-Site=Strict` but is allowed by `Same-Site=Lax` because it is a "cross-site top-level navigation" [1]. We didn't catch this earlier with our Dex-based tests because the upstream and downstream issuers were on the same parent domain `*.svc.cluster.local` so the cookie was allowed even with `Strict` mode. [1]: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-3.2 Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-03 21:30:00 -06:00
Matt Moyer	fa94ebfbd1	Merge pull request #229 from vmware-tanzu/callback-endpoint Implement supervisor OIDC upstream callback endpoint used during authorize flow	2020-12-03 16:28:02 -06:00
Matt Moyer	c18c670765	Merge remote-tracking branch 'origin/main' into callback-endpoint	2020-12-03 14:53:26 -06:00
Matt Moyer	f410da0ed2	Merge pull request #242 from rajat404/refactor-docs Remove duplicate docs from the repo and change all links to point to …	2020-12-03 14:52:51 -06:00
Matt Moyer	c8abc79d9b	Fix this comment (and retrigger CI). Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-03 14:24:26 -06:00
Matt Moyer	9455a66be8	This trailing dash is now taken care of by the library method. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-03 13:56:24 -06:00
Matt Moyer	8563c05baf	Tweak these timeouts to be a bit faster (and retrigger CI). Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-03 13:22:27 -06:00
Matt Moyer	408fbe4f76	Parameterize the `supervisor_redirect_uri` in the test env Dex. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-03 12:45:56 -06:00
Matt Moyer	cb5e494815	Dump out proxy access logs in TestSupervisorLogin. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-03 11:28:48 -06:00
Matt Moyer	954591d2db	Add some debugging logs to our proxy client code. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-03 10:25:26 -06:00
Matt Moyer	d7b1ab8e43	Try to capture more logs from the TestSupervisorLogin test. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-03 09:39:33 -06:00
Matt Moyer	1d44a0cdfa	Add a small integration test library to dump pod logs on test failures. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-03 09:39:33 -06:00
Matt Moyer	1fa41c4d0a	Merge remote-tracking branch 'origin/main' into callback-endpoint	2020-12-03 08:50:31 -06:00
Matt Moyer	0deb7cc09a	Merge pull request #250 from mattmoyer/fix-ipv6-test-regression Fix a test regression with IPv6 localhost interfaces.	2020-12-03 08:48:57 -06:00
Ryan Richard	95093ab0af	Use kube storage for the supervisor callback endpoint's fosite sessions	2020-12-02 17:40:01 -08:00
Matt Moyer	64ef53402d	In TestSupervisorLogin, wrap the discovery request in an `Eventually()`. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 18:07:52 -06:00
Matt Moyer	37c5e121c4	Fix a test issue with IPv6 localhost interfaces. This fixes a regression introduced by `24c4bc0dd4`. It could occasionally cause the tests to fail when run on a machine with an IPv6 localhost interface. As a fix I added a wrapper for the new Go 1.15 `LookupIP()` method, and created a partially-functional backport for Go 1.14. This should be easy to delete in the future. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 17:49:21 -06:00
Matt Moyer	879525faac	Clean up the browsertest package a bit. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 17:20:24 -06:00
Ryan Richard	6ed9107df0	Remove a couple of todos that will be resolved in Slack conversations	2020-12-02 14:20:18 -08:00
Ryan Richard	c320132289	Back-fill some more unit tests on authorizationcode_test.go	2020-12-02 14:20:18 -08:00
Matt Moyer	ae9bdc1d61	Fix a lint warning by simplifying this append operation. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 16:11:40 -06:00
Matt Moyer	c0f13ef4ac	Merge remote-tracking branch 'origin/main' into callback-endpoint Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 16:09:08 -06:00
Matt Moyer	f40144e1a9	Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 15:55:35 -06:00
Matt Moyer	0ccf14801e	Expose the MaskTokens function so other test code can use it. This is just a small helper to make test output more readable. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 15:55:34 -06:00
Matt Moyer	273ac62ec2	Extend the test client helpers in ./test/library/client.go. This adds a few new "create test object" helpers and extends `CreateTestOIDCProvider()` to optionally wait for the created OIDCProvider to enter some expected status condition. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 15:55:34 -06:00
Matt Moyer	545c26e5fe	Refactor browser-related test functions to a `./test/library/browsertest` package. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 15:55:34 -06:00
Matt Moyer	22953cdb78	Add a CA.Pool() method to ./internal/certauthority. This is convenient for at least one test and is simple enough to write and test. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 15:55:34 -06:00
Matt Moyer	fe0481c304	In integration test env, deploy a ClusterIP service and register that with Dex. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 15:55:33 -06:00
Matt Moyer	fde56164cd	Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 15:55:33 -06:00
Matt Moyer	4fe691de92	Save an http.Client with each upstreamoidc.ProviderConfig object. This allows the token exchange request to be performed with the correct TLS configuration. We go to a bit of extra work to make sure the `http.Client` object is cached between reconcile operations so that connection pooling works as expected. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 15:55:33 -06:00
Matt Moyer	c23c54f500	Add an explicit `Path=/;` to our CSRF cookie, per the spec. > [...] a cookie named "__Host-cookie1" MUST contain a "Path" attribute with a value of "/". https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2 Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 15:55:33 -06:00
Rajat Goyal	7e78c9322c	Remove duplicate documentation images from the repo and change all links to point to the Hugo site	2020-12-02 23:58:19 +05:30
Rajat Goyal	31810a97e1	Remove duplicate docs from the repo and change all links to point to the Hugo site	2020-12-02 23:58:19 +05:30
Margo Crawford	d60c184424	Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>	2020-12-01 17:18:32 -08:00
Ryan Richard	f38c150f6a	Finished tests for pkce storage and added it to kubestorage - Also fixed some lint errors with v1.33.0 of the linter Signed-off-by: Margo Crawford <margaretc@vmware.com>	2020-12-01 14:53:22 -08:00
Margo Crawford	c8eaa3f383	WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-12-01 11:01:42 -08:00
Matt Moyer	be8f11fe5a	Merge pull request #246 from mattmoyer/build-on-go-1.14 Tweak some stdlib usage so we compile under Go 1.14.	2020-11-30 17:38:19 -06:00
Matt Moyer	b272b3f331	Refactor oidcclient.Login to use new upstreamoidc package. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-30 17:37:14 -06:00
Matt Moyer	4b60c922ef	Add generated mock of UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-30 17:37:14 -06:00
Matt Moyer	25ee99f93a	Add ValidateToken method to UpstreamOIDCIdentityProviderI interface. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-30 17:37:14 -06:00
Matt Moyer	d32583dd7f	Move OIDC Token structs into a new `oidctypes` package. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-30 17:02:03 -06:00
Matt Moyer	d64acbb5a9	Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-30 15:22:56 -06:00
Matt Moyer	24c4bc0dd4	Tweak some stdlib usage so we compile under Go 1.14. Mainly, avoid using some `testing` helpers that were added in 1.14, as well as a couple of other niceties we can live without. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-30 10:11:41 -06:00
Andrew Keesler	58a3e35c51	Revert "test/integration: skip TestSupervisorLogin until new callback logic is on main" This reverts commit `eae6d355f8`. We have added the new callback path logic (see `b21f003`), so we can stop skipping this test.	2020-11-30 11:07:25 -05:00
Andrew Keesler	25bbd28527	Merge remote-tracking branch 'upstream/main' into callback-endpoint	2020-11-30 11:06:20 -05:00
Andrew Keesler	385d2db445	Merge pull request #245 from ankeesler/fix-supervisor-login-test Run TestSupervisorLogin only on valid HTTP/HTTPS supervisor addresses	2020-11-30 11:05:43 -05:00
Andrew Keesler	eae6d355f8	test/integration: skip TestSupervisorLogin until new callback logic is on main Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-30 10:12:03 -05:00
Andrew Keesler	5be46d0bb7	test/integration: get downstream issuer path from upstream redirect See comment in the code. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-30 09:58:08 -05:00

1 2 3 4 5 ...

926 Commits