a3f7afaec4
oidc: add code challenge supported methods
...
Signed-off-by: hectorj2f <hectorf@vmware.com>
2022-04-19 01:21:39 +02:00
d5337c9c19
Error format of untrusted certificate errors should depend on OS
...
Go 1.18.1 started using MacOS' x509 verification APIs on Macs
rather than Go's own. The error messages are different.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-14 17:37:36 -07:00
53348b8464
Add custom prefix to downstream access and refresh tokens and authcodes
2022-04-13 10:13:27 -07:00
3f0753ec5a
Remove duplication in secure TLS tests
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:56:38 -04:00
15bc6a4a67
Add more details to FIPS comments
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:56:38 -04:00
53597bb824
Introduce FIPS compatibility
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-29 16:58:41 -07:00
bedf4e5a39
Try to avoid getting a second username prompt in a test in e2e_test.go
2022-03-22 14:23:50 -07:00
2715741c2c
Increase a test timeout in e2e_test.go
2022-03-22 12:13:10 -07:00
d162e294ed
Split up the context timeouts per test in e2e_test.go
2022-03-22 10:17:45 -07:00
8fac6cb9a4
Rework or remove tests that rely on the http port
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-10 19:43:12 -05:00
fffcb7f5b4
Update to github.com/golangci/golangci-lint/cmd/golangci-lint@v1.44.2
...
- Two of the linters changed their names
- Updated code and nolint comments to make all linters pass with 1.44.2
- Added a new hack/install-linter.sh script to help developers install
the expected version of the linter for local development
2022-03-08 12:28:09 -08:00
f6ad5d5c45
Add group change warning test for Active Directory
...
Also refactor some of the AD test helper functions
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 11:54:36 -08:00
eae55a8595
Fix typo in group removed warning
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-02 12:58:30 -05:00
609b55a6d7
Pinniped Supervisor should issue a warning when groups change during refresh
2022-03-01 14:01:57 -08:00
e1e3342b3d
Increase a test timeout to account for slower test on EKS in CI
...
The test takes longer on EKS because it has to wait about 2 minutes for
the EKS load balancer to be ready during the test.
2022-02-22 11:46:15 -08:00
e2c6dcd6e6
Add integration test
2022-02-17 12:50:28 -08:00
dec89b5378
Merge branch 'main' into proposal_process
2022-02-17 12:48:58 -08:00
662f2cef9c
Integration test for updating group search base
...
Also a small change to a comment
2022-02-17 11:29:59 -08:00
ca523b1f20
Always update groups even if it's nil
...
Also de-dup groups and various small formatting changes
2022-02-17 11:29:59 -08:00
cd7538861a
Add integration test where we don't get groups back
2022-02-17 11:29:59 -08:00
013b521838
Upstream ldap group refresh:
...
- Doing it inline on the refresh request
2022-02-17 11:29:59 -08:00
9dbf7d6bf5
Merge branch 'main' into proposal_process
2022-02-17 10:07:37 -08:00
c09daa8513
Merge branch 'main' into fix_int_test_macos
2022-02-16 11:09:11 -08:00
b8202d89d9
Enforce naming convention for browser based tests
...
This allows us to target browser based tests with the regex:
go test -v -race -count 1 -timeout 0 ./test/integration -run '/_Browser'
New tests that call browsertest.Open will automatically be forced to
follow this convention.
Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-16 09:20:28 -05:00
1aa17bd84d
Check for darwin before relaxing stderr vs stdout assertion in e2e test
2022-02-15 13:45:04 -08:00
b0c36c6633
Fix int test that was failing on MacOS, and some small doc changes
2022-02-15 11:19:49 -08:00
5d79d4b9dc
Fix form_post.js mistake from recent commit; Better CORS on callback
2022-02-08 17:30:48 -08:00
29368e8242
Make the linter happy
2022-02-08 16:31:04 -05:00
cd825c5e51
Use "-v6" for kubectl for an e2e test so we can get more failure output
2022-02-08 13:00:49 -08:00
8ee461ae8a
e2e_test: handle hung go routines and readers
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-08 11:40:10 -05:00
1388183bf1
TestE2EFullIntegration: reduce timeout
...
This causes the test to timeout before concourse terminates the entire test run.
2022-02-07 20:53:03 -05:00
0431a072ae
Remove an unnecessary nolint comment
2022-02-07 16:26:39 -08:00
aa56f174db
Capture and print the full kubectl output in an e2e test upon failure
2022-02-07 16:17:38 -08:00
2b93fdf357
Fix a bug in the e2e tests
...
When the test was going to fail, a goroutine would accidentally block
on writing to an unbuffered channel, and the spawnTestGoroutine helper
would wait for that goroutine to end on cleanup, causing the test to
hang forever while it was trying to fail.
2022-02-07 11:57:54 -08:00
842ef38868
Ensure warning is on stderr and not stdout.
2022-01-20 13:48:50 -08:00
acd23c4c37
Separate test for access token refresh
2022-01-20 13:48:50 -08:00
38d184fe81
Integration test + making sure we get the session correctly in token handler
2022-01-20 13:48:50 -08:00
513c943e87
Keep all scopes except offline_access in integration test
2022-01-19 13:29:26 -08:00
1e1789f6d1
Allow configuration of supervisor endpoints
...
This change allows configuration of the http and https listeners
used by the supervisor.
TCP (IPv4 and IPv6 with any interface and port) and Unix domain
socket based listeners are supported. Listeners may also be
disabled.
Binding the http listener to TCP addresses other than 127.0.0.1 or
::1 is deprecated.
The deployment now uses https health checks. The supervisor is
always able to complete a TLS connection with the use of a bootstrap
certificate that is signed by an in-memory certificate authority.
To support sidecar containers used by service meshes, Unix domain
socket based listeners include ACLs that allow writes to the socket
file from any runAsUser specified in the pod's containers.
Signed-off-by: Monis Khan <mok@vmware.com>
2022-01-18 17:43:45 -05:00
814399324f
Merge branch 'main' into upstream_access_revocation_during_gc
2022-01-14 10:49:22 -08:00
91924ec685
Revert adding allowAccessTokenBasedRefresh flag to OIDCIdentityProvider
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-12 18:03:25 -08:00
683a2c5b23
WIP adding access token to storage upon login
2022-01-12 18:03:25 -08:00
2958461970
Addressing PR feedback
...
store issuer and subject in storage for refresh
Clean up some constants
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00
0cd086cf9c
Check username claim is unchanged for oidc.
...
Also add integration tests for claims changing.
2022-01-10 11:03:37 -08:00
c155c6e629
Clean up nits in AD code
...
- Make everything private
- Drop unused AuthTime field
- Use %q format string instead of "%s"
- Only rely on GetRawAttributeValues in AttributeUnchangedSinceLogin
Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-17 08:53:44 -05:00
59d999956c
Move ad specific stuff to controller
...
also make extra refresh attributes a separate field rather than part of
Extra
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
65f3464995
Fix issue with very high integer value parsing, add unit tests
...
also add comment about urgent replication
2021-12-09 16:16:36 -08:00
ee4f725209
Incorporate PR feedback
2021-12-09 16:16:36 -08:00
ef5a04c7ce
Check for locked users on ad upstream refresh
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
f62e9a2d33
Active directory checks for deactivated user
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
hectorj2f