Commit Graph

967 Commits

Author SHA1 Message Date
Ryan Richard
72321fc106
Use /callback (without IDP name) path for callback endpoint (part 1)
This is much nicer UX for an administrator installing a UpstreamOIDCProvider
CRD. They don't have to guess as hard at what the callback endpoint path should
be for their UpstreamOIDCProvider.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 16:14:45 -05:00
Andrew Keesler
541019eb98
callback_handler.go: simplify stored ID token claims
Fosite is gonna set these fields for us.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-20 15:36:51 -05:00
Jake Knostman
15bffc6b16
Update site demo to use pinniped-concierge namespace 2020-11-20 12:31:23 -08:00
dependabot[bot]
901242c1e1
Bump golang from 1.15.3 to 1.15.5
Bumps golang from 1.15.3 to 1.15.5.

Signed-off-by: dependabot[bot] <support@github.com>
2020-11-20 20:19:51 +00:00
Matt Moyer
fd0e0bb4c9
Merge pull request #234 from rajat404/main
Avoid printing the error message twice from client
2020-11-20 13:29:35 -06:00
Rajat Goyal
53bece2186 Avoid printing the error message twice from client 2020-11-21 00:05:26 +05:30
Matt Moyer
1a881e4f2b
Merge pull request #232 from mattmoyer/adjust-test-environment-upstream-clients
Split test environment variables so there's a specific supervisor upstream client.
2020-11-20 09:46:04 -06:00
Andrew Keesler
488d1b663a
internal/oidc/provider/manager: route to callback endpoint
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 10:44:56 -05:00
Andrew Keesler
8f5d1709a1
callback_handler.go: assert behavior about PKCE and IDSession storage
Also aggresively refactor for readability:
- Make helper validations functions for each type of storage
- Try to label symbols based on their downstream/upstream use and group them
  accordingly

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 09:41:49 -05:00
Matt Moyer
bc700d58ae
Split test environment variables so there's a specific supervisor upstream client.
Prior to this we re-used the CLI testing client to test the authorize flow of the supervisor, but they really need to be separate upstream clients. For example, the supervisor client should be a non-public client with a client secret and a different callback endpoint.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-20 08:03:06 -06:00
Andrew Keesler
f8d76066c5
callback_handler.go: assert nonce is stored correctly
I think we want to do this here since we are storing all of the
other ID token claims?

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 08:38:23 -05:00
Mo Khan
b8fb37b9f6
Merge pull request #233 from enj/enj/i/tmp_disable_max_flight
Temporarily disable max inflight checks for mutating requests
2020-11-19 22:51:03 -05:00
Monis Khan
4a28d1f800
Temporarily disable max inflight checks for mutating requests
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 21:21:10 -05:00
Andrew Keesler
b25696a1fb callback_handler.go: Prepend iss to sub when making default username
- Also handle several more error cases
- Move RequireTimeInDelta to shared testutils package so other tests
  can also use it
- Move all of the oidc test helpers into a new oidc/oidctestutils
  package to break a circular import dependency. The shared testutil
  package can't depend on any of our other packages or else we
  end up with circular dependencies.
- Lots more assertions about what was stored at the end of the
  request to build confidence that we are going to pass all of the
  right settings over to the token endpoint through the storage, and
  also to avoid accidental regressions in that area in the future

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-19 17:57:07 -08:00
Andrew Keesler
b49d37ca54
callback_handler.go: test invalid upstream ID token username/groups
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-19 15:53:21 -05:00
Mo Khan
20b62b8841
Merge pull request #231 from enj/enj/f/fosite_kube_storage
Add kube based storage for use with fosite
2020-11-19 15:34:55 -05:00
Ryan Richard
83101eefce
callback_handler.go: start to test upstream token corner cases
Also refactor to get rid of duplicate test structs.

Also also don't default groups ID token claim because there is no standard one.

Also also also add some logging that will hopefully help us in debugging in the
future.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 14:19:01 -05:00
Monis Khan
86865d155a
Switch fuzzing test to UTC
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 14:04:25 -05:00
Monis Khan
3575be7742
Add authorization code storage
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 13:18:27 -05:00
Monis Khan
b7d823a077
Add generic Kube API based CRUD storage
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 13:18:02 -05:00
Ryan Richard
a47617cad0 callback_handler.go: Add JWT Audience claim to storage 2020-11-19 08:53:53 -08:00
Ryan Richard
ee84f31f42 callback_handler.go: Add JWT Issuer claim to storage 2020-11-19 08:35:23 -08:00
Andrew Keesler
ace861f722
callback_handler.go: get some thoughts down about default upstream claims
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 11:08:21 -05:00
Andrew Keesler
2e62be3ebb
callback_handler.go: assert correct args are passed to token exchange
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 10:20:46 -05:00
Andrew Keesler
48e0250649
callback_handler.go: test that we request openid scope correctly
Also add some testing.T.Log() calls to make debugging handler test failures
easier.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 09:28:56 -05:00
Andrew Keesler
6c72507bca
callback_handler.go: add test for failed upstream exchange/validation
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 09:00:41 -05:00
Andrew Keesler
63b8c6e4b2
callback_handler.go: test when state missing a needed param
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 08:51:23 -05:00
Andrew Keesler
ffdb7fa795
callback_handler.go: add a test for invalid state auth params
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 08:41:44 -05:00
Ryan Richard
652ea6bd2a Start using fosite in the Supervisor's callback handler 2020-11-18 17:15:01 -08:00
Mo Khan
3bc5952f7e
Merge pull request #227 from mattmoyer/add-authorizationconfig-omitempty
Use `omitempty` on UpstreamOIDCProvider `spec.authorizationConfig` field.
2020-11-18 20:10:55 -05:00
Matt Moyer
7520dadbdd
Use omitempty on UpstreamOIDCProvider spec.authorizationConfig field.
This allows you to omit the field in creation requests, which was annoying.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-18 17:14:35 -06:00
Mo Khan
8a4be431f6
Merge pull request #230 from vmware-tanzu/scc
Add nonroot SCC to work on OpenShift clusters
2020-11-18 17:46:01 -05:00
Mo Khan
c32e452db8
Add nonroot SCC to work on OpenShift clusters 2020-11-18 17:08:45 -05:00
Ryan Richard
24bd8b2e42
Merge pull request #226 from absoludity/fix-getting-started4
Fix demo.md and update default namespace for pinniped concierge.
2020-11-18 13:39:04 -08:00
Ryan Richard
227fbd63aa Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider
Because we want it to implement an AuthcodeExchanger interface and
do it in a way that will be more unit test-friendly than the underlying
library that we intend to use inside its implementation.
2020-11-18 13:38:13 -08:00
Ryan Richard
c83cec341b
Merge branch 'main' into fix-getting-started4 2020-11-17 15:02:36 -08:00
Matt Moyer
7404ee4531
Merge pull request #224 from mattmoyer/make-oidcclient-public
Move `./internal/oidcclient` to `./pkg/oidcclient`.
2020-11-17 15:13:50 -06:00
Matt Moyer
e0a9bef6ce
Move ./internal/oidcclient to ./pkg/oidcclient.
This will allow it to be imported by Go code outside of our repository, which was something we have planned for since this code was written.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 14:53:32 -06:00
Matt Moyer
428b9f2758
Merge pull request #223 from mattmoyer/refactor-cert-gen
Refactor certificate generation for integration test Dex.
2020-11-17 12:45:20 -06:00
Matt Moyer
0d1ad6e1df
Fix some broken resource grouping/ordering in Tiltfile.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 12:21:15 -06:00
Matt Moyer
6ce2f109bf
Refactor certificate generation for integration test Dex.
Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this.

Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 11:36:36 -06:00
Matt Moyer
3b9fb71dd1
Merge pull request #222 from mattmoyer/readd-supervisor-login-tests
Re-add the TestSupervisorLogin integration test.
2020-11-17 11:16:01 -06:00
Ryan Richard
97552aec5f Merge branch 'main' into callback-endpoint 2020-11-17 09:06:54 -08:00
Matt Moyer
d6d808d185
Re-add the TestSupervisorLogin integration test.
This is 99% Andrew's code from 4032ed32ae, but tweaked to work with the new UpstreamOIDCProvider setup.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 09:21:17 -06:00
Matt Moyer
b75a6cdb76
Merge pull request #221 from mattmoyer/use-https-dex
Add support for custom CA bundle in CLI and UpstreamOIDCProvider.
2020-11-16 20:47:16 -06:00
Matt Moyer
b31deff0fb
Update integration tests to use HTTPS Dex for UpstreamOIDCProvider testing.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
ee978fdde8
Add controller support for spec.tls field.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
e867fb82b9
Add spec.tls field to UpstreamOIDCProvider API.
This allows for a custom CA bundle to be used when connecting to the upstream issuer.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
b17ac6ec0b
Update integration tests to run Dex over HTTPS.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
dd2133458e
Add --ca-bundle flag to "pinniped login oidc" command.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 18:15:20 -06:00