djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,321 Commits 30 Branches 34 Tags 22 MiB
2679d27ced
Commit Graph

1321 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Andrew Keesler
60d4a7beac
Test more filters in SupervisorSecretsController (see 6e8d564013) 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-15 07:58:33 -05:00
Andrew Keesler
9a3e60d4df
go.mod: unnecessary dependency slipped in (c3f73ff) 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-15 07:56:31 -05:00
aram price
e03e344dcd SecretHelper depends less on OIDCProvider 
This should allow the helper to be more generic so that it can be used
with the SupervisorSecretsController
 2020-12-14 19:35:45 -08:00
aram price
bf86bc3383 Rename for clarity 2020-12-14 18:36:56 -08:00
Ryan Richard
16dfab0aff token_handler_test.go: Add tests for username and groups custom claims 2020-12-14 18:27:14 -08:00
aram price
b799515f84 Pull symmetricsecrethelper package up to generator 
- rename symmetricsecrethelper.New => generator.NewSymmetricSecretHelper
 2020-12-14 17:41:02 -08:00
Ryan Richard
417e6b1fee
Merge pull request #282 from vmware-tanzu/security-headers 
Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers
 2020-12-14 17:22:09 -08:00
Margo Crawford
afcd5e3e36 WIP: Adjust subject and username claims 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-14 17:05:53 -08:00
aram price
b1ee434ddf Rename in preparation for refactor 2020-12-14 16:44:27 -08:00
aram price
6e8d564013 Test filters in SupervisorSecretsController 2020-12-14 16:08:48 -08:00
Ryan Richard
16907e4453 Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-14 15:28:32 -08:00
Andrew Keesler
9c79adcb26 Rename and move some code to perpare for refactor 
Signed-off-by: aram price <pricear@vmware.com>
 2020-12-14 14:24:13 -08:00
Aram Price
5b7a86ecc1
Integration test for Supervisor secret controllers 
This forced us to add labels to the CSRF cookie secret, just as we do
for other Supervisor secrets. Yay tests.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 15:53:12 -05:00
Andrew Keesler
cae0023234
Merge remote-tracking branch 'upstream/main' into secret-generation 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 11:44:01 -05:00
Andrew Keesler
2f28d2a96b
Synchronize the OIDCProvider secrets cache 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 11:32:33 -05:00
Andrew Keesler
e3ea141bf3
Reuse helper filter in generic secret gen controller 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 10:37:27 -05:00
Andrew Keesler
b043dae149
Finish first implementation of generic secret generator controller 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 10:36:45 -05:00
aram price
3ca877f1df
WIP - preliminary OIDCProviderSecrets controller 
Tests not yet passing, controller is incomplete and expectations may be
incorrect.
 2020-12-13 17:37:49 -05:00
aram price
3e31668eb0
Refactor some utilitiy methods for sharing. 2020-12-13 17:37:48 -05:00
aram price
9e2213cbae
Rename for clarity 
- makes space for OIDCPrivder related controller
 2020-12-13 17:37:48 -05:00
Ryan Richard
a5c07042c1
Merge pull request #279 from vmware-tanzu/fosite-settings 
Update more fosite settings
 2020-12-11 18:19:50 -08:00
Ryan Richard
7cda6628a6
Merge branch 'main' into fosite-settings 2020-12-11 18:19:37 -08:00
Ryan Richard
020fbcf190 Adjust some expectations about the state and nonce lengths 2020-12-11 17:39:58 -08:00
Ryan Richard
791c50fd33
Merge pull request #278 from vmware-tanzu/fosite-storage-gc 
Garbage collect the fosite secrets to limit amount of storage used
 2020-12-11 17:17:15 -08:00
Margo Crawford
2a19dd0d2e Pass prompt through to upstream login request 
Signed-off-by: Ryan Richard <rrichard@vmware.com>
 2020-12-11 17:13:27 -08:00
Margo Crawford
ded28dff15 Update the fosite settings 
- AudienceMatchingStrategy: we want to use the default matcher from
  fosite, so remove that line
- AllowedPromptValues: We can use the default if we add a small
  change to the auth_handler.go to account for it (in a future commit)
- MinParameterEntropy: Use the fosite default to make it more likely
  that off the shelf OIDC clients can work with the supervisor

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-11 16:15:50 -08:00
Ryan Richard
baa1a4a2fc Supervisor storage garbage collection controller enabled in production 
- Also add more log statements to the controller
- Also have the controller apply a rate limit to itself, to avoid
  having a very chatty controller that runs way more often than is
  needed.
- Also add an integration test for the controller's behavior.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-11 15:21:34 -08:00
Andrew Keesler
022dcd1909
Update secretgenerator controller after synchronous review 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-11 15:37:10 -05:00
Andrew Keesler
e2aad48852
internal/oidc/dynamiccodec: loosen test to reduce flakes 
When we try to decode with the wrong decryption key, we could get any number of
error messages, depending on what failure mode we are in (couldn't authenticate
plaintext after decryption, couldn't deserialize, etc.). This change makes the
test weaker, but at least we know we will get an error message in the case where
the decryption key is wrong.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-11 11:49:27 -05:00
Andrew Keesler
e17bc31b29
Pass CSRF cookie signing key from controller to cache 
This also sets the CSRF cookie Secret's OwnerReference to the Pod's grandparent
Deployment so that when the Deployment is cleaned up, then the Secret is as
well.

Obviously this controller implementation has a lot of issues, but it will at
least get us started.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-11 11:49:27 -05:00
Andrew Keesler
22c5b102ed
internal/downward: add support for (optional) pod name 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-11 11:49:27 -05:00
Andrew Keesler
0246e57d7f
Set lifespans on state and CSRF cooking encoding 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-11 11:49:22 -05:00
Andrew Keesler
9460b08873
Use just-in-time HMAC signing key fetching in our Fosite config 
This pattern is similar to what we did in
58237d0e7d.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-11 11:16:46 -05:00
Margo Crawford
ed9b3ffce5 Add controller for garbage collecting secrets 
Signed-off-by: Ryan Richard <rrichard@vmware.com>
 2020-12-10 17:34:05 -08:00
aram price
a3285fc187 Fix variable / package name collision 2020-12-10 17:32:55 -08:00
aram price
e1173eb5eb manager.Manager is initialized with secret.Cache 
- hard-coded secret.Cache is passed in from pinniped-supervisor/main
 2020-12-10 17:32:55 -08:00
aram price
72bc458c8e Manager uses secret.Cach with hardcoded values 2020-12-10 17:32:55 -08:00
Andrew Keesler
e067892ffc Add secret.Cache to hold crypto inputs 2020-12-10 17:32:55 -08:00
aram price
2f87be3f94 Manager uses dynamiccodec.Codec for cookie encoding 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-10 17:32:55 -08:00
Andrew Keesler
1291380611 dynamiccodec.Codec uses securecookie.JSONEncoder 
Signed-off-by: aram price <pricear@vmware.com>
 2020-12-10 17:32:55 -08:00
aram price
ccac124b7a Fix broken test 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-10 17:32:55 -08:00
Andrew Keesler
d8212d1337 Whitespace 
Signed-off-by: aram price <pricear@vmware.com>
 2020-12-10 17:32:55 -08:00
aram price
030edaf72d KeyFunc no longer uses multi-value return 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-10 17:32:55 -08:00
Andrew Keesler
c3f73ffb57 Check in some musings on a symmetric key generator controller 
There is still a test failing, but I am sure it is a simple fix hiding in the
code. I think this is the general shape of the controller that we want.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-10 17:32:55 -08:00
Andrew Keesler
3e112fb1ac internal/oidc/dynamiccodec: first draft 
Note that we don't cache the securecookie.SecureCookie that we use in our
implementation. This was purely because of laziness. We should think about
caching this value in the future.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-10 17:32:55 -08:00
Ryan Richard
afd216308b KubeStorage annotates every Secret with garbage-collect-after timestamp 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-10 14:47:58 -08:00
Margo Crawford
b0c354637d WIP passing lifetime through to storage, unit tests are failing 
Signed-off-by: Ryan Richard <rrichard@vmware.com>
 2020-12-10 12:15:40 -08:00
Ryan Richard
c001bb876e
Merge pull request #275 from vmware-tanzu/fosite-storage-gc-prefactor 
Fosite storage garbage collection prefactor
 2020-12-10 10:50:29 -08:00
Ryan Richard
3c6d1a1924 Merge branch 'main' into fosite-storage-gc 2020-12-10 10:45:26 -08:00
Margo Crawford
6f40dcb471 Increase the RefreshTokenSessionStorageLifetime 
- Make it more likely that the end user will get the more specific error
  message saying that their refresh token has expired the first time
  that they try to use an expired refresh token

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-10 10:44:27 -08:00