Commit Graph

1065 Commits

Author SHA1 Message Date
Matt Moyer
3948bb76d8
Be more lax in some of our test assertions.
Fosite overrides the `Cache-Control` header we set, which is basically fine even though it's not exactly what we want.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 13:15:38 -06:00
Matt Moyer
24c01d3e54
Add an integration test to verify security headers on the supervisor authorize endpoint.
It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 12:41:06 -06:00
Matt Moyer
74e52187a3
Simplify securityheader package by merging header fields.
From RFC2616 (https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2):
 > It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair,
 > without changing the semantics of the message, by appending each subsequent field-value to the first,
 > each separated by a comma.

This was correct before, but this simplifes a bit and shaves off a few bytes from the response.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 12:41:05 -06:00
Matt Moyer
602f3c59ba
Fix a regression in securityheader package.
The bug itself has to do with when headers are streamed to the client. Once a wrapped handler has sent any bytes to the `http.ResponseWriter`, the value of the map returned from `w.Header()` no longer matters for the response. The fix is fairly trivial, which is to add those response headers before invoking the wrapped handler.

The existing unit test didn't catch this due to limitations in `httptest.NewRecorder()`. It is now replaced with a new test that runs a full HTTP test server, which catches the previous bug.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 12:41:05 -06:00
Matt Moyer
bc1dc0805e
Merge pull request #289 from mattmoyer/fix-secret-type-doc-comment
Fix documentation comment for the UpstreamOIDCProvider's spec.client.secretName type.
2020-12-16 10:09:05 -06:00
Matt Moyer
404ff93102
Fix documentation comment for the UpstreamOIDCProvider's spec.client.secretName type.
The value is correctly validated as `secrets.pinniped.dev/oidc-client` elsewhere, only this comment was wrong.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 21:52:07 -06:00
Andrew Keesler
3d4717b772
Merge pull request #285 from vmware-tanzu/log-unexpected-upstream
Log when unexpected Upstream OIDC Providers found
2020-12-15 15:30:20 -05:00
Andrew Keesler
2b7685fa23
Merge branch 'main' into log-unexpected-upstream 2020-12-15 15:30:05 -05:00
Matt Moyer
2b2f1bbfc9
Merge pull request #276 from mattmoyer/extended-e2e-cli
Enhance CLI to integrate supervisor and concierge capabilities.
2020-12-15 13:23:51 -06:00
aram price
2edcdc92f4 Log when unexpected Upstream OIDC Providers found
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 10:49:13 -08:00
Matt Moyer
0b38d6c763
Add TestE2EFullIntegration test which combines supervisor, concierge, and CLI.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:50 -06:00
Matt Moyer
ff49647de4
Add some missing test logs in test/library/client.go.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:50 -06:00
Matt Moyer
e0eba9d5a6
Refactor library.CreateTestJWTAuthenticator() so we can also use the supervisor as an upstream.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:50 -06:00
Matt Moyer
5ad3c65ae1
Close the right pipe output in runPinnipedLoginOIDC.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:50 -06:00
Matt Moyer
aca9af748b
Cleanup TestSuccessfulCredentialRequest and TestCLILoginOIDC a little.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:49 -06:00
Matt Moyer
8cdcb89cef
Add a library.PinnipedCLIPath() test helper, with caching.
Caching saves us a little bit of time now that we're using the CLI in more and more tests.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:49 -06:00
Matt Moyer
70fd330178
Add library.CreateTestClusterRoleBinding test helper.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:49 -06:00
Matt Moyer
ad5e257600
Add a library.RandHex() test helper.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:49 -06:00
Matt Moyer
4088793cc5
Add a .ProxyEnv() helper on the test environment.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:04 -06:00
Matt Moyer
b6edc3dc08
Replace TestCLIGetKubeconfig with TestCLIGetKubeconfigStaticToken.
It now tests both the deprecated `pinniped get-kubeconfig` and the new `pinniped get kubeconfig --static-token` flows.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:03 -06:00
Matt Moyer
fe4e2d620d
Update TestCLIGetKubeconfig to ignore stderr output from get-kubeconfig.
This will now have a deprecation warning, so we can't treat is as part of the YAML output.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:03 -06:00
Matt Moyer
f9691208d5
Add library.NewRestConfigFromKubeconfig() test helper.
This is extracted from library.NewClientsetForKubeConfig(). It is useful so you can assert properties of the loaded, parsed kubeconfig.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:03 -06:00
Matt Moyer
71850419c1
Overhaul pinniped CLI subcommands.
- Adds two new subcommands: `pinniped get kubeconfig` and `pinniped login static`
- Adds concierge support to `pinniped login oidc`.
- Adds back wrapper commands for the now deprecated `pinniped get-kubeconfig` and `pinniped exchange-credential` commands. These now wrap `pinniped get kubeconfig` and `pinniped login static` respectively.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:03 -06:00
Matt Moyer
dfbb5b60de
Remove pinniped get-kubeconfig CLI subcommand.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:03 -06:00
Matt Moyer
3b5f00439c
Remove pinniped exchange-credential CLI subcommand.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:02 -06:00
Matt Moyer
9b7fe01648
Add a new ./pkg/conciergeclient package to replace ./internal/client.
This is a slighly evolved version of our previous client package, exported to be public and refactored to use functional options for API maintainability.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:02 -06:00
Andrew Keesler
08cf2f7cd1
Merge pull request #284 from ankeesler/oidcprovider-enum-values
SameIssuerHostMustUseSameSecret is a valid OIDCProvider status, and help some test flakes
2020-12-15 13:23:16 -05:00
Andrew Keesler
be4e34d0c0
Retry a couple of times if we fail to get a token from the Supervisor
I hope this will make TestSupervisorLogin less flaky. There are some instances
where the front half of the OIDC login flow happens so fast that the JWKS
controller doesn't have time to properly generate an asymmetric key.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 11:53:58 -05:00
Andrew Keesler
50f9b434e7
SameIssuerHostMustUseSameSecret is a valid OIDCProvider status
I saw this message in our CI logs, which led me to this fix.
  could not update status: OIDCProvider.config.supervisor.pinniped.dev "acceptance-provider" is invalid: status.status: Unsupported value: "SameIssuerHostMustUseSameSecret": supported values: "Success", "Duplicate", "Invalid"

Also - correct an integration test error message that was misleading.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 11:53:53 -05:00
Ryan Richard
417e6b1fee
Merge pull request #282 from vmware-tanzu/security-headers
Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers
2020-12-14 17:22:09 -08:00
Ryan Richard
16907e4453 Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-14 15:28:32 -08:00
Ryan Richard
a5c07042c1
Merge pull request #279 from vmware-tanzu/fosite-settings
Update more fosite settings
2020-12-11 18:19:50 -08:00
Ryan Richard
7cda6628a6
Merge branch 'main' into fosite-settings 2020-12-11 18:19:37 -08:00
Ryan Richard
020fbcf190 Adjust some expectations about the state and nonce lengths 2020-12-11 17:39:58 -08:00
Ryan Richard
791c50fd33
Merge pull request #278 from vmware-tanzu/fosite-storage-gc
Garbage collect the fosite secrets to limit amount of storage used
2020-12-11 17:17:15 -08:00
Margo Crawford
2a19dd0d2e Pass prompt through to upstream login request
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-11 17:13:27 -08:00
Margo Crawford
ded28dff15 Update the fosite settings
- AudienceMatchingStrategy: we want to use the default matcher from
  fosite, so remove that line
- AllowedPromptValues: We can use the default if we add a small
  change to the auth_handler.go to account for it (in a future commit)
- MinParameterEntropy: Use the fosite default to make it more likely
  that off the shelf OIDC clients can work with the supervisor

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-11 16:15:50 -08:00
Ryan Richard
baa1a4a2fc Supervisor storage garbage collection controller enabled in production
- Also add more log statements to the controller
- Also have the controller apply a rate limit to itself, to avoid
  having a very chatty controller that runs way more often than is
  needed.
- Also add an integration test for the controller's behavior.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-11 15:21:34 -08:00
Margo Crawford
ed9b3ffce5 Add controller for garbage collecting secrets
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-10 17:34:05 -08:00
Ryan Richard
afd216308b KubeStorage annotates every Secret with garbage-collect-after timestamp
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 14:47:58 -08:00
Margo Crawford
b0c354637d WIP passing lifetime through to storage, unit tests are failing
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-10 12:15:40 -08:00
Ryan Richard
c001bb876e
Merge pull request #275 from vmware-tanzu/fosite-storage-gc-prefactor
Fosite storage garbage collection prefactor
2020-12-10 10:50:29 -08:00
Ryan Richard
3c6d1a1924 Merge branch 'main' into fosite-storage-gc 2020-12-10 10:45:26 -08:00
Margo Crawford
6f40dcb471 Increase the RefreshTokenSessionStorageLifetime
- Make it more likely that the end user will get the more specific error
  message saying that their refresh token has expired the first time
  that they try to use an expired refresh token

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-10 10:44:27 -08:00
Ryan Richard
a561fd21d9 Consolidate the supervisor's timeout settings into a single struct
- This struct represents the configuration of all timeouts. These
  timeouts are all interrelated to declare them all in one place.
  This should also make it easier to allow the user to override
  our defaults if we would like to implement such a feature in the
  future.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 10:14:54 -08:00
Matt Moyer
40c9e8472c
Merge pull request #272 from mattmoyer/default-cli-scopes
Tweak default CLI `--scopes` parameter to match supervisor use case.
2020-12-10 11:41:22 -06:00
Matt Moyer
e7338da3dc
Tweak default CLI --scopes parameter to match supervisor use case.
This should be a better default for most cases.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-10 10:48:11 -06:00
Matt Moyer
0c52739997
Merge pull request #271 from mattmoyer/fix-cli-content-type-parsing
Fix bug in handling response content-type in oidcclient.
2020-12-10 10:46:10 -06:00
Matt Moyer
9d3c98232b
Fix bug in handling response content-type in oidcclient.
Before this, we weren't properly parsing the `Content-Type` header. This breaks in integration with the Supervisor since it sends an extra encoding parameter like `application/json;charset=UTF-8`.

This change switches to properly parsing with the `mime.ParseMediaType` function, and adds test cases to match the supervisor behavior.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-10 10:12:56 -06:00
Matt Moyer
5a0918afde
Merge pull request #270 from mattmoyer/default-cli-client-id
Add a default --client-id in `pinniped login oidc` command.
2020-12-10 10:12:28 -06:00