Commit Graph

2572 Commits

Author SHA1 Message Date
Margo Crawford
2b744b2eef Add back comment about deferring validation when id token subject is missing 2022-01-12 11:19:43 -08:00
Margo Crawford
2958461970 Addressing PR feedback
store issuer and subject in storage for refresh
Clean up some constants

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00
Margo Crawford
f2d2144932 rename ValidateToken to ValidateTokenAndMergeWithUserInfo to better reflect what it's doing
Also changed a few comments and small things
2022-01-10 11:03:37 -08:00
Margo Crawford
c9cf13a01f Check for issuer if available
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00
Margo Crawford
0cd086cf9c Check username claim is unchanged for oidc.
Also add integration tests for claims changing.
2022-01-10 11:03:37 -08:00
Margo Crawford
b098435290 Refactor validatetoken to handle refresh case without id token
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00
Margo Crawford
74b007ff66 Validate that issuer url and urls returned from discovery are https
and that they have no query or fragment

Signed-off-by: Ryan Richard <richardry@vmware.com>
2022-01-10 11:03:37 -08:00
Margo Crawford
ed96b597c7 Check for subject matching with upstream refresh
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00
Mo Khan
d438bfbc99
Merge pull request #939 from vmware-tanzu/dependabot/go_modules/github.com/ory/x-0.0.331
Bump github.com/ory/x from 0.0.330 to 0.0.331
2022-01-09 12:04:56 -05:00
dependabot[bot]
a7ff638f4c
Bump github.com/ory/x from 0.0.330 to 0.0.331
Bumps [github.com/ory/x](https://github.com/ory/x) from 0.0.330 to 0.0.331.
- [Release notes](https://github.com/ory/x/releases)
- [Commits](https://github.com/ory/x/compare/v0.0.330...v0.0.331)

---
updated-dependencies:
- dependency-name: github.com/ory/x
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-07 13:45:37 +00:00
Mo Khan
287d5094ec
Merge pull request #938 from vmware-tanzu/dependabot/docker/golang-1.17.6
Bump golang from 1.17.5 to 1.17.6
2022-01-07 08:13:16 -05:00
dependabot[bot]
f2b4d667d1
Bump golang from 1.17.5 to 1.17.6
Bumps golang from 1.17.5 to 1.17.6.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-07 01:04:10 +00:00
Mo Khan
fff27a4270
Merge pull request #935 from enj/enj/i/bump_0001
Bump all deps to latest
2022-01-03 19:48:08 -05:00
Monis Khan
f90f173826
Bump all deps to latest
Ran:

go get -u ./... && go mod tidy

Pinned all go.opentelemetry.io deps to match k/k.
This is needed to make the go get command work.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-01-03 17:48:59 -05:00
Mo Khan
cc88d2a334
Merge pull request #931 from vmware-tanzu/dependabot/docker/distroless/static-80c956f
Bump distroless/static from `bca3c20` to `80c956f`
2022-01-03 10:49:08 -05:00
dependabot[bot]
a0ddf4a945
Bump distroless/static from bca3c20 to 80c956f
Bumps distroless/static from `bca3c20` to `80c956f`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-12-27 01:17:24 +00:00
Mo Khan
05277a5579
Merge pull request #925 from enj/enj/i/flexible_cli_redirect
pinniped CLI: allow all forms of http redirects
2021-12-17 15:51:44 -05:00
Monis Khan
c155c6e629
Clean up nits in AD code
- Make everything private
- Drop unused AuthTime field
- Use %q format string instead of "%s"
- Only rely on GetRawAttributeValues in AttributeUnchangedSinceLogin

Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-17 08:53:44 -05:00
Monis Khan
a6085c9678
Drop unsafe unwrapper for exec.roundTripper
exec.roundTripper now implements utilnet.RoundTripperWrapper so this
unsafe hack is no longer needed.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-17 08:28:30 -05:00
Monis Khan
86f2bea8c5
pinniped CLI: allow all forms of http redirects
For password based login on the CLI (i.e. no browser), this change
relaxes the response code check to allow for any redirect code
handled by the Go standard library.  In the future, we can drop the
rewriteStatusSeeOtherToStatusFoundForBrowserless logic from the
server side code.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-17 08:28:29 -05:00
Mo Khan
adf04d29f7
Merge pull request #914 from enj/enj/i/bump_0.23.0
Update all deps to latest where possible, bump Kube deps to v0.23.1
2021-12-16 21:45:32 -05:00
Monis Khan
9599ffcfb9
Update all deps to latest where possible, bump Kube deps to v0.23.1
Highlights from this dep bump:

1. Made a copy of the v0.4.0 github.com/go-logr/stdr implementation
   for use in tests.  We must bump this dep as Kube code uses a
   newer version now.  We would have to rewrite hundreds of test log
   assertions without this copy.
2. Use github.com/felixge/httpsnoop to undo the changes made by
   ory/fosite#636 for CLI based login flows.  This is required for
   backwards compatibility with older versions of our CLI.  A
   separate change after this will update the CLI to be more
   flexible (it is purposefully not part of this change to confirm
   that we did not break anything).  For all browser login flows, we
   now redirect using http.StatusSeeOther instead of http.StatusFound.
3. Drop plog.RemoveKlogGlobalFlags as klog no longer mutates global
   process flags
4. Only bump github.com/ory/x to v0.0.297 instead of the latest
   v0.0.321 because v0.0.298+ pulls in a newer version of
   go.opentelemetry.io/otel/semconv which breaks k8s.io/apiserver.
   We should update k8s.io/apiserver to use the newer code.
5. Migrate all code from k8s.io/apimachinery/pkg/util/clock to
   k8s.io/utils/clock and k8s.io/utils/clock/testing
6. Delete testutil.NewDeleteOptionsRecorder and migrate to the new
   kubetesting.NewDeleteActionWithOptions
7. Updated ExpectedAuthorizeCodeSessionJSONFromFuzzing caused by
   fosite's new rotated_secrets OAuth client field.  This new field
   is currently not relevant to us as we have no private clients.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-16 21:15:27 -05:00
Mo Khan
69d5951296
Merge pull request #919 from microwavables/updating-community-details
Updated community and resources pages
2021-12-16 17:14:21 -05:00
Mo Khan
b148359337
Merge pull request #918 from vmware-tanzu/replace_reflections
Replace reflections in go.mod
2021-12-16 17:10:28 -05:00
Nanci Lancaster
e31a410096 Updated community and resources pages 2021-12-16 16:02:47 -06:00
Ryan Richard
6bf67f44ef replace reflections in go.mod 2021-12-16 11:15:24 -08:00
Mo Khan
fdc91ec56c
Merge pull request #909 from vmware-tanzu/dependabot/docker/golang-1.17.5
Bump golang from 1.17.4 to 1.17.5
2021-12-10 12:41:02 -05:00
dependabot[bot]
884d18bade
Bump golang from 1.17.4 to 1.17.5
Bumps golang from 1.17.4 to 1.17.5.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-12-10 17:03:50 +00:00
Mo Khan
ca2ee26c86
Merge pull request #884 from vmware-tanzu/upstream-ad-refresh
Upstream active directory refresh checks for password changes, deactivated and locked users
2021-12-09 20:51:46 -05:00
Margo Crawford
59d999956c Move ad specific stuff to controller
also make extra refresh attributes a separate field rather than part of
Extra

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
acaad05341 Make pwdLastSet stuff more generic and not require parsing the timestamp
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
65f3464995 Fix issue with very high integer value parsing, add unit tests
also add comment about urgent replication
2021-12-09 16:16:36 -08:00
Margo Crawford
ee4f725209 Incorporate PR feedback 2021-12-09 16:16:36 -08:00
Margo Crawford
ef5a04c7ce Check for locked users on ad upstream refresh
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
f62e9a2d33 Active directory checks for deactivated user
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
da9b4620b3 Active Directory checks whether password has changed recently during
upstream refresh

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:35 -08:00
Margo Crawford
8db0203839 Add test for upstream ldap idp not found, wrong idp uid, and malformed
fosite session storage
2021-12-09 16:16:35 -08:00
anjalitelang
4110297a8f
Update ROADMAP.md
Updated roadmap to reflect current velocity
2021-12-09 16:59:09 -05:00
Mo Khan
7a3b5e3571
Merge pull request #908 from vmware-tanzu/microwavables-main
Added GOVERNANCE.md file to repo
2021-12-08 14:38:21 -05:00
Nanci Lancaster
505bc47ae1
Added GOVERNANCE.md file to repo
Signed-off-by: Nanci Lancaster <nancil@vmware.com>
2021-12-08 14:29:16 -05:00
Mo Khan
2c5b74c960
Merge pull request #905 from vmware-tanzu/dependabot/docker/golang-1.17.4
Bump golang from 1.17.3 to 1.17.4
2021-12-06 15:44:42 -05:00
dependabot[bot]
db68fc3a2b
Bump golang from 1.17.3 to 1.17.4
Bumps golang from 1.17.3 to 1.17.4.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-12-06 01:14:25 +00:00
Ryan Richard
29490ee665 ran go mod tidy 2021-12-03 16:40:01 -08:00
Ryan Richard
edd3547977
Merge pull request #903 from vmware-tanzu/code-walkthrough-doc
Add first draft of code walk-through doc
2021-12-03 12:19:29 -08:00
Ryan Richard
aa361a70a7 clarifications to code walkthrough doc 2021-12-03 10:50:02 -08:00
Ryan Richard
7b6bdd8129 fix link to blog and add another in doc 2021-12-03 10:32:16 -08:00
Ryan Richard
4aed3385b6 Merge branch 'main' into code-walkthrough-doc 2021-12-03 09:17:35 -08:00
Ryan Richard
2736c3603a fix typo in doc 2021-12-03 09:17:17 -08:00
Ryan Richard
3ea90467b7 add first draft of code walk-through doc 2021-12-02 17:18:50 -08:00
anjalitelang
683027468e
Update ROADMAP.md 2021-12-02 12:00:54 -05:00