djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2,943 Commits 30 Branches 34 Tags 22 MiB
0b6b8b4fcd
Commit Graph

115 Commits

Author SHA1 Message Date
Ryan Richard
321abfc98d Merge branch 'dynamic_clients' into token_exchange_aud 2022-06-08 09:03:29 -07:00
Ryan Richard
ea45e5dfef Disallow certain requested audience strings in token exchange 2022-06-07 16:32:19 -07:00
Ryan Richard
8170889aef Update CSP header expectations in TestSupervisorLogin_Browser int test 2022-06-07 11:20:59 -07:00
Ryan Richard
aa732a41fb Add LDAP browser flow login failure tests to supervisor_login_test.go 
Also do some refactoring to share more common test setup code in
supervisor_login_test.go.
 2022-05-10 16:28:08 -07:00
Ryan Richard
0b106c245e Add LDAP browser flow login test to supervisor_login_test.go 2022-05-10 12:54:40 -07:00
Ryan Richard
a4e32d8f3d Extract browsertest.LoginToUpstreamLDAP() integration test helper 2022-05-09 15:43:36 -07:00
Ryan Richard
53348b8464 Add custom prefix to downstream access and refresh tokens and authcodes 2022-04-13 10:13:27 -07:00
Ryan Richard
fffcb7f5b4 Update to github.com/golangci/golangci-lint/cmd/golangci-lint@v1.44.2 
- Two of the linters changed their names
- Updated code and nolint comments to make all linters pass with 1.44.2
- Added a new hack/install-linter.sh script to help developers install
  the expected version of the linter for local development
 2022-03-08 12:28:09 -08:00
Margo Crawford
f6ad5d5c45 Add group change warning test for Active Directory 
Also refactor some of the AD test helper functions

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-03-02 11:54:36 -08:00
Margo Crawford
e2c6dcd6e6 Add integration test 2022-02-17 12:50:28 -08:00
Margo Crawford
662f2cef9c Integration test for updating group search base 
Also a small change to a comment
 2022-02-17 11:29:59 -08:00
Margo Crawford
cd7538861a Add integration test where we don't get groups back 2022-02-17 11:29:59 -08:00
Margo Crawford
013b521838 Upstream ldap group refresh: 
- Doing it inline on the refresh request
 2022-02-17 11:29:59 -08:00
Monis Khan
b8202d89d9
Enforce naming convention for browser based tests 
This allows us to target browser based tests with the regex:

go test -v -race -count 1 -timeout 0 ./test/integration -run '/_Browser'

New tests that call browsertest.Open will automatically be forced to
follow this convention.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-02-16 09:20:28 -05:00
Margo Crawford
513c943e87 Keep all scopes except offline_access in integration test 2022-01-19 13:29:26 -08:00
Ryan Richard
91924ec685 Revert adding allowAccessTokenBasedRefresh flag to OIDCIdentityProvider 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-01-12 18:03:25 -08:00
Margo Crawford
683a2c5b23 WIP adding access token to storage upon login 2022-01-12 18:03:25 -08:00
Margo Crawford
2958461970 Addressing PR feedback 
store issuer and subject in storage for refresh
Clean up some constants

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-01-10 11:03:37 -08:00
Margo Crawford
0cd086cf9c Check username claim is unchanged for oidc. 
Also add integration tests for claims changing.
 2022-01-10 11:03:37 -08:00
Margo Crawford
59d999956c Move ad specific stuff to controller 
also make extra refresh attributes a separate field rather than part of
Extra

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-12-09 16:16:36 -08:00
Margo Crawford
65f3464995 Fix issue with very high integer value parsing, add unit tests 
also add comment about urgent replication
 2021-12-09 16:16:36 -08:00
Margo Crawford
ee4f725209 Incorporate PR feedback 2021-12-09 16:16:36 -08:00
Margo Crawford
ef5a04c7ce Check for locked users on ad upstream refresh 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-12-09 16:16:36 -08:00
Margo Crawford
f62e9a2d33 Active directory checks for deactivated user 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-12-09 16:16:36 -08:00
Margo Crawford
da9b4620b3 Active Directory checks whether password has changed recently during 
upstream refresh

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-12-09 16:16:35 -08:00
Margo Crawford
cb60a44f8a extract ldap refresh search into helper function 
also added an integration test for refresh failing after updating the username attribute
 2021-11-05 14:22:43 -07:00
Margo Crawford
b5b8cab717 Refactors: 
- pull construction of authenticators.Response into searchAndBindUser
- remove information about the identity provider in the error that gets
  returned to users. Put it in debug instead, where it may show up in
  logs.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-11-05 14:22:43 -07:00
Margo Crawford
722b5dcc1b Test for change to stored username or subject. 
All of this is still done staticly.
 2021-11-05 14:22:43 -07:00
Margo Crawford
19281313dd Basic upstream LDAP/AD refresh 
This stores the user DN in the session data upon login and checks that
the entry still exists upon refresh. It doesn't check anything
else about the entry yet.
 2021-11-05 14:22:42 -07:00
Ryan Richard
9e05d175a7 Add integration test: upstream refresh failure during downstream refresh 2021-10-13 15:12:19 -07:00
Margo Crawford
05f5bac405 ValidatedSettings is all or nothing 
If either the search base or the tls settings is invalid, just
recheck everything.
 2021-09-07 13:09:35 -07:00
Margo Crawford
27c1d2144a Make sure search base in the validatedSettings cache is properly updated when the bind secret changes 2021-09-07 13:09:35 -07:00
Margo Crawford
6f221678df Change sAMAccountName env vars to userPrincipalName 
and add E2E ActiveDirectory test
also fixed regexes in supervisor_login_test to be anchored to the
beginning and end
 2021-08-26 16:18:05 -07:00
Margo Crawford
c590c8ff41 Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider 2021-08-24 12:19:29 -07:00
Margo Crawford
5e9087263d Increase timeout for activedirectoryidentityprovider to be loaded 2021-08-18 16:24:05 -07:00
Margo Crawford
a20aee5f18 Update test assertions to reflect userPrincipalName as username 2021-08-18 13:18:53 -07:00
Margo Crawford
26c47d564f Make new combined sAMAccountName@domain attribute the group name 
Also change default username attribute to userPrincipalName
 2021-08-17 16:53:26 -07:00
Ryan Richard
84c3c3aa9c Optionally allow OIDC password grant for CLI-based login experience 
- Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec
- The oidc upstream watcher controller copies the value of
  `AllowPasswordGrant` into the configuration of the cached provider
- Add password grant to the UpstreamOIDCIdentityProviderI interface
  which is implemented by the cached provider instance for use in the
  authorization endpoint
- Enhance the IDP discovery endpoint to return the supported "flows"
  for each IDP ("cli_password" and/or "browser_authcode")
- Enhance `pinniped get kubeconfig` to help the user choose the desired
  flow for the selected IDP, and to write the flow into the resulting
  kubeconfg
- Enhance `pinniped login oidc` to have a flow flag to tell it which
  client-side flow it should use for auth (CLI-based or browser-based)
- In the Dex config, allow the resource owner password grant, which Dex
  implements to also return ID tokens, for use in integration tests
- Enhance the authorize endpoint to perform password grant when
  requested by the incoming headers. This commit does not include unit
  tests for the enhancements to the authorize endpoint, which will come
  in the next commit
- Extract some shared helpers from the callback endpoint to share the
  code with the authorize endpoint
- Add new integration tests
 2021-08-12 10:45:39 -07:00
Margo Crawford
53b58f65b2 Add integration test for wrong password with ldap 2021-07-26 16:32:46 -07:00
Margo Crawford
cc3875f048 PR feedback 2021-07-26 16:03:12 -07:00
Margo Crawford
1050f39789 Integration test deactivated ad account 2021-07-23 13:01:41 -07:00
Margo Crawford
91085e68f9 Refactoring defaulting logic 2021-07-23 13:01:41 -07:00
Margo Crawford
cb0ee07b51 Fetch AD search base from defaultNamingContext when not specified 2021-07-23 13:01:41 -07:00
Margo Crawford
5d8d7246c2 Refactor active directory and ldap controllers to share almost everything 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2021-07-23 13:01:41 -07:00
Ryan Richard
3b4f521596 Changed TestLDAPUpstream.TestUsernameAttributeName back to TestUserMailAttributeName 
Also added TestUserSAMAccountNameValue

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-07-23 13:01:40 -07:00
Ryan Richard
aaa4861373 Custom API Group overlay for AD 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-07-23 13:01:40 -07:00
Margo Crawford
b3d0b28bd0 Integration test fixes, fixing objectGUID handling 2021-07-23 13:01:40 -07:00
Margo Crawford
5c283d941c Helper script for running active directory tests 2021-07-23 13:01:40 -07:00
Margo Crawford
3b8edb84a5 WIP on active directory integration test 2021-07-23 13:01:40 -07:00
Margo Crawford
8fb35c6569 Active Directory cli options 2021-07-23 13:01:40 -07:00