07066e020d
Explicitly set defaultServing ciphers in FIPS mode
...
This is a no-op today, but could change in the future when we add
support for FIPS in non-strict mode.
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:59:47 -04:00
3f0753ec5a
Remove duplication in secure TLS tests
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:56:38 -04:00
15bc6a4a67
Add more details to FIPS comments
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:56:38 -04:00
53597bb824
Introduce FIPS compatibility
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-29 16:58:41 -07:00
48c5a625a5
Remove our direct dependency on ory/x
...
ory/x has new releases very often, sometimes multiple times per week,
causing a lot of noise from dependabot. We were barely using it
directly, so replace our direct usages with equivalent code.
2022-03-24 10:24:54 -07:00
fffcb7f5b4
Update to github.com/golangci/golangci-lint/cmd/golangci-lint@v1.44.2
...
- Two of the linters changed their names
- Updated code and nolint comments to make all linters pass with 1.44.2
- Added a new hack/install-linter.sh script to help developers install
the expected version of the linter for local development
2022-03-08 12:28:09 -08:00
eae55a8595
Fix typo in group removed warning
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-02 12:58:30 -05:00
609b55a6d7
Pinniped Supervisor should issue a warning when groups change during refresh
2022-03-01 14:01:57 -08:00
fdac4d16f0
Only run group refresh when the skipGroupRefresh boolean isn't set
...
for AD and LDAP
2022-02-17 12:50:28 -08:00
662f2cef9c
Integration test for updating group search base
...
Also a small change to a comment
2022-02-17 11:29:59 -08:00
ca523b1f20
Always update groups even if it's nil
...
Also de-dup groups and various small formatting changes
2022-02-17 11:29:59 -08:00
c28602f275
Add unit tests for group parsing overrides
2022-02-17 11:29:59 -08:00
dd11c02b6a
Add back entries because I think it's actually necessary
2022-02-17 11:29:59 -08:00
f890fad90c
Rename a function, sort strings inside searchGroupsForUserDN
2022-02-17 11:29:59 -08:00
cd7538861a
Add integration test where we don't get groups back
2022-02-17 11:29:59 -08:00
013b521838
Upstream ldap group refresh:
...
- Doing it inline on the refresh request
2022-02-17 11:29:59 -08:00
e5a60a8c84
Update a comment
2022-02-16 11:09:05 -08:00
49e88dd74a
Change some single quotes to double quotes in minified JS
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-10 16:15:26 -05:00
5d79d4b9dc
Fix form_post.js mistake from recent commit; Better CORS on callback
2022-02-08 17:30:48 -08:00
6781bfd7d8
Fix JS bug: form post UI shows manual copy/paste UI upon failed callback
...
When the POST to the CLI's localhost callback endpoint results in a
non-2XX status code, then treat that as a failed login attempt and
automatically show the manual copy/paste UI.
2022-02-07 16:21:23 -08:00
b30dad72ed
Fix new refresh token grace period test to have warnings
2022-01-20 14:54:59 -08:00
31cdd808ac
Merge pull request #951 from vmware-tanzu/short-session-warning
...
Supervisor should emit a warning when access token lifetime is too short
2022-01-20 14:44:32 -08:00
e85a6c09f6
Merge pull request #953 from vmware-tanzu/dependabot/go_modules/github.com/tdewolff/minify/v2-2.9.29
...
Bump github.com/tdewolff/minify/v2 from 2.9.26 to 2.9.29
2022-01-20 14:16:05 -08:00
38d184fe81
Integration test + making sure we get the session correctly in token handler
2022-01-20 13:48:50 -08:00
b0ea7063c7
Supervisor should emit a warning when access token lifetime is too short
2022-01-20 13:48:50 -08:00
db789dc2bf
Merge branch 'main' into dependabot/go_modules/github.com/tdewolff/minify/v2-2.9.29
2022-01-20 12:10:24 -08:00
6ddc953989
Merge branch 'main' into dependabot/go_modules/github.com/ory/fosite-0.42.0
2022-01-20 12:10:01 -08:00
dff53b8144
Changes for Fosite's new RevokeRefreshTokenMaybeGracePeriod() interface
...
Fosite v0.42.0 introduced a new RevokeRefreshTokenMaybeGracePeriod()
interface function. Updated our code to support this change. We didn't
support grace periods on refresh tokens before, so implemented it by
making the new RevokeRefreshTokenMaybeGracePeriod() method just call
the old RevokeRefreshToken() method, therefore keeping our old behavior.
2022-01-19 13:57:01 -08:00
3b1cc30e8d
Update unit test to match new JS minify output after minify upgrade
2022-01-19 13:29:07 -08:00
a4ca44ca14
Improve error handling when upstream groups is invalid during refresh
2022-01-19 12:57:47 -08:00
78bdb1928a
Merge branch 'main' into upstream-oidc-refresh-groups
2022-01-18 16:03:14 -08:00
1e1789f6d1
Allow configuration of supervisor endpoints
...
This change allows configuration of the http and https listeners
used by the supervisor.
TCP (IPv4 and IPv6 with any interface and port) and Unix domain
socket based listeners are supported. Listeners may also be
disabled.
Binding the http listener to TCP addresses other than 127.0.0.1 or
::1 is deprecated.
The deployment now uses https health checks. The supervisor is
always able to complete a TLS connection with the use of a bootstrap
certificate that is signed by an in-memory certificate authority.
To support sidecar containers used by service meshes, Unix domain
socket based listeners include ACLs that allow writes to the socket
file from any runAsUser specified in the pod's containers.
Signed-off-by: Monis Khan <mok@vmware.com>
2022-01-18 17:43:45 -05:00
70bd831099
Merge branch 'main' into upstream-oidc-refresh-groups
2022-01-18 14:36:18 -08:00
88f3b29515
Merge branch 'main' into upstream-oidc-refresh-groups
2022-01-14 16:51:12 -08:00
75e4093067
Merge branch 'main' into ldap_and_activedirectory_status_conditions_bug
2022-01-14 16:50:34 -08:00
548977f579
Update group memberships during refresh for upstream OIDC providers
...
Update the user's group memberships when possible. Note that we won't
always have enough information to be able to update it (see code
comments).
2022-01-14 16:38:21 -08:00
7551af3eb8
Fix code that did not auto-merge correctly in previous merge from main
2022-01-14 10:59:39 -08:00
814399324f
Merge branch 'main' into upstream_access_revocation_during_gc
2022-01-14 10:49:22 -08:00
db0a765b98
Merge branch 'main' into ldap_and_activedirectory_status_conditions_bug
2022-01-14 10:06:16 -08:00
092a80f849
Refactor some variable names and update one comment
...
Change variable names to match previously renamed interface name.
2022-01-14 10:06:00 -08:00
5b161be334
Refactored oidcUpstreamRefresh
...
Various style changes, updated some comments and variable names and
extracted a helper function for validation.
2022-01-12 18:05:22 -08:00
62be761ef1
Perform access token based refresh by fetching the userinfo
2022-01-12 18:05:10 -08:00
651d392b00
Refuse logins when no upstream refresh token and no userinfo endpoint
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-12 18:03:25 -08:00
6f3977de9d
Store access token when refresh not available for authcode flow.
...
Also refactor oidc downstreamsessiondata code to be shared between
callback handler and auth handler.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2022-01-12 18:03:25 -08:00
91924ec685
Revert adding allowAccessTokenBasedRefresh flag to OIDCIdentityProvider
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-12 18:03:25 -08:00
683a2c5b23
WIP adding access token to storage upon login
2022-01-12 18:03:25 -08:00
1f146f905a
Add struct field for storing upstream access token in downstream session
2022-01-12 18:03:25 -08:00
2b744b2eef
Add back comment about deferring validation when id token subject is missing
2022-01-12 11:19:43 -08:00
2958461970
Addressing PR feedback
...
store issuer and subject in storage for refresh
Clean up some constants
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00
f2d2144932
rename ValidateToken to ValidateTokenAndMergeWithUserInfo to better reflect what it's doing
...
Also changed a few comments and small things
2022-01-10 11:03:37 -08:00
Monis Khan