ContainerImage.Pinniped

Author	SHA1	Message	Date
Andrew Keesler	541019eb98	callback_handler.go: simplify stored ID token claims Fosite is gonna set these fields for us. Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-11-20 15:36:51 -05:00
Jake Knostman	15bffc6b16	Update site demo to use pinniped-concierge namespace	2020-11-20 12:31:23 -08:00
dependabot[bot]	901242c1e1	Bump golang from 1.15.3 to 1.15.5 Bumps golang from 1.15.3 to 1.15.5. Signed-off-by: dependabot[bot] <support@github.com>	2020-11-20 20:19:51 +00:00
Matt Moyer	fd0e0bb4c9	Merge pull request #234 from rajat404/main Avoid printing the error message twice from client	2020-11-20 13:29:35 -06:00
Rajat Goyal	53bece2186	Avoid printing the error message twice from client	2020-11-21 00:05:26 +05:30
Matt Moyer	1a881e4f2b	Merge pull request #232 from mattmoyer/adjust-test-environment-upstream-clients Split test environment variables so there's a specific supervisor upstream client.	2020-11-20 09:46:04 -06:00
Andrew Keesler	488d1b663a	internal/oidc/provider/manager: route to callback endpoint Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-20 10:44:56 -05:00
Andrew Keesler	8f5d1709a1	callback_handler.go: assert behavior about PKCE and IDSession storage Also aggresively refactor for readability: - Make helper validations functions for each type of storage - Try to label symbols based on their downstream/upstream use and group them accordingly Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-20 09:41:49 -05:00
Matt Moyer	bc700d58ae	Split test environment variables so there's a specific supervisor upstream client. Prior to this we re-used the CLI testing client to test the authorize flow of the supervisor, but they really need to be separate upstream clients. For example, the supervisor client should be a non-public client with a client secret and a different callback endpoint. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-20 08:03:06 -06:00
Andrew Keesler	f8d76066c5	callback_handler.go: assert nonce is stored correctly I think we want to do this here since we are storing all of the other ID token claims? Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-20 08:38:23 -05:00
Mo Khan	b8fb37b9f6	Merge pull request #233 from enj/enj/i/tmp_disable_max_flight Temporarily disable max inflight checks for mutating requests	2020-11-19 22:51:03 -05:00
Monis Khan	4a28d1f800	Temporarily disable max inflight checks for mutating requests Signed-off-by: Monis Khan <mok@vmware.com>	2020-11-19 21:21:10 -05:00
Andrew Keesler	b25696a1fb	callback_handler.go: Prepend iss to sub when making default username - Also handle several more error cases - Move RequireTimeInDelta to shared testutils package so other tests can also use it - Move all of the oidc test helpers into a new oidc/oidctestutils package to break a circular import dependency. The shared testutil package can't depend on any of our other packages or else we end up with circular dependencies. - Lots more assertions about what was stored at the end of the request to build confidence that we are going to pass all of the right settings over to the token endpoint through the storage, and also to avoid accidental regressions in that area in the future Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-11-19 17:57:07 -08:00
Andrew Keesler	b49d37ca54	callback_handler.go: test invalid upstream ID token username/groups Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-11-19 15:53:21 -05:00
Mo Khan	20b62b8841	Merge pull request #231 from enj/enj/f/fosite_kube_storage Add kube based storage for use with fosite	2020-11-19 15:34:55 -05:00
Ryan Richard	83101eefce	callback_handler.go: start to test upstream token corner cases Also refactor to get rid of duplicate test structs. Also also don't default groups ID token claim because there is no standard one. Also also also add some logging that will hopefully help us in debugging in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-19 14:19:01 -05:00
Monis Khan	86865d155a	Switch fuzzing test to UTC Signed-off-by: Monis Khan <mok@vmware.com>	2020-11-19 14:04:25 -05:00
Monis Khan	3575be7742	Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>	2020-11-19 13:18:27 -05:00
Monis Khan	b7d823a077	Add generic Kube API based CRUD storage Signed-off-by: Monis Khan <mok@vmware.com>	2020-11-19 13:18:02 -05:00
Ryan Richard	a47617cad0	callback_handler.go: Add JWT Audience claim to storage	2020-11-19 08:53:53 -08:00
Ryan Richard	ee84f31f42	callback_handler.go: Add JWT Issuer claim to storage	2020-11-19 08:35:23 -08:00
Andrew Keesler	ace861f722	callback_handler.go: get some thoughts down about default upstream claims Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-19 11:08:21 -05:00
Andrew Keesler	2e62be3ebb	callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-19 10:20:46 -05:00
Andrew Keesler	48e0250649	callback_handler.go: test that we request openid scope correctly Also add some testing.T.Log() calls to make debugging handler test failures easier. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-19 09:28:56 -05:00
Andrew Keesler	6c72507bca	callback_handler.go: add test for failed upstream exchange/validation Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-19 09:00:41 -05:00
Andrew Keesler	63b8c6e4b2	callback_handler.go: test when state missing a needed param Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-19 08:51:23 -05:00
Andrew Keesler	ffdb7fa795	callback_handler.go: add a test for invalid state auth params Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-19 08:41:44 -05:00
Ryan Richard	652ea6bd2a	Start using fosite in the Supervisor's callback handler	2020-11-18 17:15:01 -08:00
Mo Khan	3bc5952f7e	Merge pull request #227 from mattmoyer/add-authorizationconfig-omitempty Use `omitempty` on UpstreamOIDCProvider `spec.authorizationConfig` field.	2020-11-18 20:10:55 -05:00
Matt Moyer	7520dadbdd	Use `omitempty` on UpstreamOIDCProvider `spec.authorizationConfig` field. This allows you to omit the field in creation requests, which was annoying. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-18 17:14:35 -06:00
Mo Khan	8a4be431f6	Merge pull request #230 from vmware-tanzu/scc Add nonroot SCC to work on OpenShift clusters	2020-11-18 17:46:01 -05:00
Mo Khan	c32e452db8	Add nonroot SCC to work on OpenShift clusters	2020-11-18 17:08:45 -05:00
Ryan Richard	24bd8b2e42	Merge pull request #226 from absoludity/fix-getting-started4 Fix demo.md and update default namespace for pinniped concierge.	2020-11-18 13:39:04 -08:00
Ryan Richard	227fbd63aa	Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.	2020-11-18 13:38:13 -08:00
Ryan Richard	c83cec341b	Merge branch 'main' into fix-getting-started4	2020-11-17 15:02:36 -08:00
Matt Moyer	7404ee4531	Merge pull request #224 from mattmoyer/make-oidcclient-public Move `./internal/oidcclient` to `./pkg/oidcclient`.	2020-11-17 15:13:50 -06:00
Matt Moyer	e0a9bef6ce	Move `./internal/oidcclient` to `./pkg/oidcclient`. This will allow it to be imported by Go code outside of our repository, which was something we have planned for since this code was written. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-17 14:53:32 -06:00
Matt Moyer	428b9f2758	Merge pull request #223 from mattmoyer/refactor-cert-gen Refactor certificate generation for integration test Dex.	2020-11-17 12:45:20 -06:00
Matt Moyer	0d1ad6e1df	Fix some broken resource grouping/ordering in Tiltfile. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-17 12:21:15 -06:00
Matt Moyer	6ce2f109bf	Refactor certificate generation for integration test Dex. Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this. Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-17 11:36:36 -06:00
Matt Moyer	3b9fb71dd1	Merge pull request #222 from mattmoyer/readd-supervisor-login-tests Re-add the TestSupervisorLogin integration test.	2020-11-17 11:16:01 -06:00
Ryan Richard	97552aec5f	Merge branch 'main' into callback-endpoint	2020-11-17 09:06:54 -08:00
Matt Moyer	d6d808d185	Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from `4032ed32ae`, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-17 09:21:17 -06:00
Matt Moyer	b75a6cdb76	Merge pull request #221 from mattmoyer/use-https-dex Add support for custom CA bundle in CLI and UpstreamOIDCProvider.	2020-11-16 20:47:16 -06:00
Matt Moyer	b31deff0fb	Update integration tests to use HTTPS Dex for UpstreamOIDCProvider testing. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-16 20:23:20 -06:00
Matt Moyer	ee978fdde8	Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-16 20:23:20 -06:00
Matt Moyer	e867fb82b9	Add `spec.tls` field to UpstreamOIDCProvider API. This allows for a custom CA bundle to be used when connecting to the upstream issuer. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-16 20:23:20 -06:00
Matt Moyer	b17ac6ec0b	Update integration tests to run Dex over HTTPS. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-16 20:23:20 -06:00
Matt Moyer	dd2133458e	Add --ca-bundle flag to "pinniped login oidc" command. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-16 18:15:20 -06:00
Matt Moyer	e7ecfd3954	Merge pull request #219 from mattmoyer/add-test-proxy Convert CLI tests to work through an HTTP forward proxy.	2020-11-16 17:48:16 -06:00

... 3 4 5 6 7 ...

1066 Commits