Commit Graph

3404 Commits

Author SHA1 Message Date
Ryan Richard
8f27219ac9 Change allowed gcp auth plugin is deprecation warning text
It seems that google changed it from "the gcp auth plugin is deprecated
in v1.22+, unavailable in v1.25+; use gcloud instead" to instead say
"unavailable in v1.26+". Make the matcher in category_test.go more loose
to allow both to match.
2022-08-25 08:11:37 -07:00
Ryan Richard
736b385d7b
Merge pull request #1264 from vmware-tanzu/access_token_validation
Improve token exchange error messages and error test cases
2022-08-24 17:53:53 -07:00
Ryan Richard
c40465127e Merge branch 'main' into access_token_validation 2022-08-24 16:50:21 -07:00
Ryan Richard
af7cf673e0
Merge pull request #1192 from vmware-tanzu/dependabot/docker/distroless/static-66cd130
Bump distroless/static from `2556293` to `66cd130`
2022-08-24 16:49:37 -07:00
Ryan Richard
ee99106160
Merge pull request #1193 from vmware-tanzu/dependabot/docker/hack/distroless/static-66cd130
Bump distroless/static from `2556293` to `66cd130` in /hack
2022-08-24 16:49:18 -07:00
Ryan Richard
65197d0f9d Merge branch 'main' into access_token_validation 2022-08-24 16:41:12 -07:00
dependabot[bot]
f320a04125
Bump distroless/static from 2556293 to 66cd130
Bumps distroless/static from `2556293` to `66cd130`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-24 23:40:35 +00:00
dependabot[bot]
036c937db5
Bump distroless/static from 2556293 to 66cd130 in /hack
Bumps distroless/static from `2556293` to `66cd130`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-24 23:40:34 +00:00
Ryan Richard
4e8601e73b
Merge pull request #1272 from vmware-tanzu/bump_deps_aug_2022
Bump all deps
2022-08-24 16:39:45 -07:00
Ryan Richard
138f1d263f Rerun godegen using Go 1.19, causes whitespace diffs in generated code 2022-08-24 16:06:42 -07:00
Ryan Richard
43af297b44 Add codegen for Kube 1.25, and update patch versions on older codegen 2022-08-24 15:13:21 -07:00
Ryan Richard
c6c2c525a6 Upgrade the linter and fix all new linter warnings
Also fix some tests that were broken by bumping golang and dependencies
in the previous commits.

Note that in addition to changes made to satisfy the linter which do not
impact the behavior of the code, this commit also adds ReadHeaderTimeout
to all usages of http.Server to satisfy the linter (and because it
seemed like a good suggestion).
2022-08-24 14:45:55 -07:00
Ryan Richard
03694d78a8 Implement new Destroy() interface from rest.Storage from Kube v1.25 2022-08-24 12:04:38 -07:00
Ryan Richard
fe083f73fc Bump to golang 1.19.0 and to latest distroless base image
For fips dockerfile, the fips 1.19 compiler has not been released yet,
so bump to the latest available.
2022-08-24 11:18:53 -07:00
Ryan Richard
c1ebf5b737 Run go mod tidy -compat=1.17 2022-08-24 10:06:56 -07:00
Ryan Richard
dd7902faa0 bump golang deps 2022-08-24 10:03:09 -07:00
Ryan Richard
1384f75731 Improve token exchange error messages and error test cases 2022-08-23 17:20:30 -07:00
Ryan Richard
91cf439b31
Merge pull request #1249 from vmware-tanzu/username_scope
Add the new `username` scope to the Supervisor and exclude usernames from dynamic clients which are not granted the scope, and other dynamic client related changes
2022-08-19 10:21:45 -07:00
Ryan Richard
02a27e0186 Add docs for dynamic clients 2022-08-11 14:35:18 -07:00
Ryan Richard
0bb2c7beb7 Always add the azp claim to ID tokens to show the original client ID
When the token exchange grant type is used to get a cluster-scoped
ID token, the returned token has a new audience value. The client ID
of the client which performed the authorization was lost. This didn't
matter before, since the only client was `pinniped-cli`, but now that
dynamic clients can be registered, the information would be lost in the
cluster-scoped ID token. It could be useful for logging, tracing, or
auditing, so preserve the information by putting the client ID into the
`azp` claim in every ID token (authcode exchange, clsuter-scoped, and
refreshed ID tokens).
2022-08-09 16:07:23 -07:00
Ryan Richard
8a5db99abf get kubeconfig cmd errors on audience values with reserved substring 2022-08-09 09:12:25 -07:00
Ryan Richard
22fbced863 Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
  client does not need to request the username or groups scopes for them
  to be granted. For dynamic clients, the usual OAuth2 rules apply:
  the client must be allowed to request the scopes according to its
  configuration, and the client must actually request the scopes in the
  authorization request.
- If the username scope was not granted, then there will be no username
  in the ID token, and the cluster-scoped token exchange will fail since
  there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
  scopes in the scopes_supported list, and lists the username and groups
  claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
  put into kubeconfig files by "pinniped get kubeconfig" CLI command,
  and the default list of scopes used by "pinniped login oidc" when
  no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
  refresh will only be sent to the pinniped-cli client, since it is
  only intended for kubectl and it could leak the username to the
  client (which may not have the username scope granted) through the
  warning message text.
- Add the user's username to the session storage as a new field, so that
  during upstream refresh we can compare the original username from the
  initial authorization to the refreshed username, even in the case when
  the username scope was not granted (and therefore the username is not
  stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
  due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
  package.
- Change some import names to make them consistent:
  - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
  - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
    as "oidcapi"
  - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 16:29:22 -07:00
Ryan Richard
6b29082c27
Merge pull request #1236 from vmware-tanzu/dynamic_clients_in_downstream_flows
Allow dynamic clients to be used in downstream OIDC flows
2022-07-26 11:18:15 -07:00
Ryan Richard
bda233482d Merge branch 'dynamic_clients' into dynamic_clients_in_downstream_flows 2022-07-26 09:31:39 -07:00
Ryan Richard
57f8e18dbc Merge branch 'main' into dynamic_clients 2022-07-26 09:31:18 -07:00
Ryan Richard
a876591765
Merge pull request #1126 from vmware-tanzu/dynamic_clients_proposal
Dynamic Supervisor OIDC Clients proposal
2022-07-26 09:27:37 -07:00
Ryan Richard
b5c0b4b90e
Merge pull request #1240 from vmware-tanzu/pause_community_meeting
pause community meeting for a little while
2022-07-26 09:24:19 -07:00
Ryan Richard
c07cc6b8ec Update e2e_test.go for clusters which have ServerSideFieldValidation
Also update prepare-cluster-for-integration-tests.sh for new
kubectl version command options.
2022-07-25 17:25:21 -07:00
Ryan Richard
8c7fbd2c0c pause community meeting for a little while 2022-07-25 12:07:18 -07:00
Ryan Richard
88f611d31a Be extra defensive and don't lookup dynamic client ID's lacking prefix 2022-07-22 15:19:19 -07:00
Ryan Richard
2f1966dbc8 Merge branch 'dynamic_clients' into dynamic_clients_in_downstream_flows 2022-07-22 10:01:26 -07:00
Ryan Richard
f1cd4eebb0 Merge branch 'main' into dynamic_clients 2022-07-22 10:00:53 -07:00
Ryan Richard
075bc824e7 Merge branch 'main' into dynamic_clients_proposal 2022-07-22 09:56:40 -07:00
Ryan Richard
7ccd41b5f2 docs gen tool changed its output, so rerun codegen 2022-07-22 09:56:20 -07:00
Ryan Richard
ae917bfd8d Merge branch 'main' into dynamic_clients_proposal 2022-07-22 09:33:45 -07:00
Ryan Richard
7450fb6c8e A few more small changes to the dynamic clients proposal 2022-07-22 09:26:24 -07:00
Mo Khan
ee3646ef13
Merge pull request #1239 from enj/goodbye
Update current maintainers ✌️👋🫡
2022-07-22 10:39:55 -04:00
Ryan Richard
b65f872dcd Configure printer columns for OIDCClient CRD 2022-07-21 16:40:03 -07:00
Monis Khan
1e56968491
Update current maintainers ✌️👋🫡
Signed-off-by: Monis Khan <mok@vmware.com>
2022-07-21 18:07:54 -04:00
Ryan Richard
0495286f97 Fix lint error and remove accidental direct dep on ory/x
Fixing some mistakes from previous commit on feature branch.
2022-07-21 13:50:33 -07:00
Ryan Richard
b507604b90 Update dynamic clients proposal with a link to the LDAP/AD UI release
Also fix a typos.
2022-07-21 11:37:58 -07:00
Ryan Richard
1eefba537d Update dynamic clients proposal with details learned during implementation
Also fix some typos and add some clarifying comments.
2022-07-21 11:26:04 -07:00
Ryan Richard
c12ffad29e Add integration test for failed client auth for a dynamic client 2022-07-21 10:13:34 -07:00
Ryan Richard
e42f5488fa More unit tests for dynamic clients
- Add dynamic client unit tests for the upstream OIDC callback and
  POST login endpoints.
- Enhance a few log statements to print the full fosite error messages
  into the logs where they were previously only printing the name of
  the error type.
2022-07-21 09:26:00 -07:00
Ryan Richard
34509e7430 Add more unit tests for dynamic clients and enhance token exchange
- Enhance the token exchange to check that the same client is used
  compared to the client used during the original authorization and
  token requests, and also check that the client has the token-exchange
  grant type allowed in its configuration.
- Reduce the minimum required bcrypt cost for OIDCClient secrets
  because 15 is too slow for real-life use, especially considering
  that every login and every refresh flow will require two client auths.
- In unit tests, use bcrypt hashes with a cost of 4, because bcrypt
  slows down by 13x when run with the race detector, and we run our
  tests with the race detector enabled, causing the tests to be
  unacceptably slow. The production code uses a higher minimum cost.
- Centralize all pre-computed bcrypt hashes used by unit tests to a
  single place. Also extract some other useful test helpers for
  unit tests related to OIDCClients.
- Add tons of unit tests for the token endpoint related to dynamic
  clients for authcode exchanges, token exchanges, and refreshes.
2022-07-20 13:55:56 -07:00
Ryan Richard
32ea6090ad Merge branch 'dynamic_clients' into dynamic_clients_in_downstream_flows 2022-07-15 10:28:30 -07:00
Mo Khan
f9dfd68420
Merge pull request #1221 from vmware-tanzu/oidcclient_controller2
Enhancements to OIDCClient controller
2022-07-15 08:51:44 -04:00
Ryan Richard
f5f55176af Enhance integration tests for OIDCClients in supervisor_login_test.go 2022-07-14 18:50:23 -07:00
Ryan Richard
e0ecdc004b Allow dynamic clients to be used in downstream OIDC flows
This is only a first commit towards making this feature work.
- Hook dynamic clients into fosite by returning them from the storage
  interface (after finding and validating them)
- In the auth endpoint, prevent the use of the username and password
  headers for dynamic clients to force them to use the browser-based
  login flows for all the upstream types
- Add happy path integration tests in supervisor_login_test.go
- Add lots of comments (and some small refactors) in
  supervisor_login_test.go to make it much easier to understand
- Add lots of unit tests for the auth endpoint regarding dynamic clients
  (more unit tests to be added for other endpoints in follow-up commits)
- Enhance crud.go to make lifetime=0 mean never garbage collect,
  since we want client secret storage Secrets to last forever
- Move the OIDCClient validation code to a package where it can be
  shared between the controller and the fosite storage interface
- Make shared test helpers for tests that need to create OIDC client
  secret storage Secrets
- Create a public const for "pinniped-cli" now that we are using that
  string in several places in the production code
2022-07-14 09:51:11 -07:00
Ryan Richard
be85e1ed0a TotalClientSecrets field gets omitempty and becomes int32 2022-07-14 09:30:03 -07:00