Commit Graph

2642 Commits

Author SHA1 Message Date
Margo Crawford
8db0203839 Add test for upstream ldap idp not found, wrong idp uid, and malformed
fosite session storage
2021-12-09 16:16:35 -08:00
Ryan Richard
92bd3b49c8 Merge branch 'main' into upstream_access_revocation_during_gc 2021-12-09 14:16:52 -08:00
anjalitelang
4110297a8f
Update ROADMAP.md
Updated roadmap to reflect current velocity
2021-12-09 16:59:09 -05:00
Ryan Richard
dbcb213691 Merge branch 'main' into upstream_access_revocation_during_gc 2021-12-08 14:29:59 -08:00
Ryan Richard
f410d2bd00 Add revocation of upstream access tokens to garbage collector
Also refactor the code that decides which types of revocation failures
are worth retrying. Be more selective by only retrying those types of
errors that are likely to be worth retrying.
2021-12-08 14:29:25 -08:00
Mo Khan
7a3b5e3571
Merge pull request #908 from vmware-tanzu/microwavables-main
Added GOVERNANCE.md file to repo
2021-12-08 14:38:21 -05:00
Nanci Lancaster
505bc47ae1
Added GOVERNANCE.md file to repo
Signed-off-by: Nanci Lancaster <nancil@vmware.com>
2021-12-08 14:29:16 -05:00
Ryan Richard
c9c218fdf0 Merge branch 'main' into upstream_access_revocation_during_gc 2021-12-06 14:47:27 -08:00
Ryan Richard
46008a7235 Add struct field for storing upstream access token in downstream session 2021-12-06 14:43:39 -08:00
Mo Khan
2c5b74c960
Merge pull request #905 from vmware-tanzu/dependabot/docker/golang-1.17.4
Bump golang from 1.17.3 to 1.17.4
2021-12-06 15:44:42 -05:00
dependabot[bot]
db68fc3a2b
Bump golang from 1.17.3 to 1.17.4
Bumps golang from 1.17.3 to 1.17.4.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-12-06 01:14:25 +00:00
Ryan Richard
29490ee665 ran go mod tidy 2021-12-03 16:40:01 -08:00
Ryan Richard
b981055d31 Support revocation of access tokens in UpstreamOIDCIdentityProviderI
- Rename the RevokeRefreshToken() function to RevokeToken() and make it
  take the token type (refresh or access) as a new parameter.
- This is a prefactor getting ready to support revocation of upstream
  access tokens in the garbage collection handler.
2021-12-03 13:44:24 -08:00
Ryan Richard
edd3547977
Merge pull request #903 from vmware-tanzu/code-walkthrough-doc
Add first draft of code walk-through doc
2021-12-03 12:19:29 -08:00
Ryan Richard
aa361a70a7 clarifications to code walkthrough doc 2021-12-03 10:50:02 -08:00
Ryan Richard
7b6bdd8129 fix link to blog and add another in doc 2021-12-03 10:32:16 -08:00
Ryan Richard
4aed3385b6 Merge branch 'main' into code-walkthrough-doc 2021-12-03 09:17:35 -08:00
Ryan Richard
2736c3603a fix typo in doc 2021-12-03 09:17:17 -08:00
Ryan Richard
3ea90467b7 add first draft of code walk-through doc 2021-12-02 17:18:50 -08:00
anjalitelang
683027468e
Update ROADMAP.md 2021-12-02 12:00:54 -05:00
Mo Khan
269cae3a9f
Merge pull request #895 from enj/enj/f/warning_rt
phttp: add generic support for RFC 2616 14.46 warnings headers
2021-11-30 16:15:39 -05:00
Monis Khan
9d4a932656
phttp: add generic support for RFC 2616 14.46 warnings headers
Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-30 15:11:59 -05:00
Mo Khan
1611cf681a Merge pull request #876 from vmware-tanzu/upstream_refresh_revocation_during_gc
Revoke upstream OIDC refresh tokens during downstream session garbage collection
2021-11-23 20:15:37 -05:00
Mo Khan
78474cfae9
Merge branch 'main' into upstream_refresh_revocation_during_gc 2021-11-23 19:29:13 -05:00
Mo Khan
aaf847040f
Merge pull request #893 from vmware-tanzu/fix_unit_test
Attempt to fix a unit test that always failed on my laptop
2021-11-23 19:25:16 -05:00
Ryan Richard
e44540043d Attempt to fix a unit test that always failed on my laptop
Try to make the GCP plugin config less sensitive to the setup of the
computer on which it runs.
2021-11-23 15:47:19 -08:00
Ryan Richard
69be273e01
Merge branch 'main' into upstream_refresh_revocation_during_gc 2021-11-23 14:55:44 -08:00
Mo Khan
5a1de2f54c
Merge pull request #888 from vmware-tanzu/customize_ports
Make Concierge server port numbers configurable
2021-11-23 17:51:04 -05:00
Ryan Richard
91eed1ab24 Merge branch 'main' into upstream_refresh_revocation_during_gc 2021-11-23 12:11:39 -08:00
Ryan Richard
3ca8c49334 Improve garbage collector log format and some comments 2021-11-23 12:11:17 -08:00
Mo Khan
f28b33bbf0
Merge branch 'main' into customize_ports 2021-11-23 08:30:48 -05:00
Mo Khan
537f85205d
Merge pull request #889 from enj/enj/i/strict_tls_acceptance
tls: fix integration tests for long lived environments
2021-11-18 16:37:15 -05:00
Ryan Richard
b8a93b6b90 Merge branch 'main' into customize_ports 2021-11-18 09:31:18 -08:00
Monis Khan
764a1ad7e4
tls: fix integration tests for long lived environments
This change updates the new TLS integration tests to:

1. Only create the supervisor default TLS serving cert if needed
2. Port forward the node port supervisor service since that is
   available in all environments

Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-18 03:55:56 -05:00
Mo Khan
6a68c6532c
Merge pull request #873 from enj/enj/i/strict_tls
Force the use of secure TLS config
2021-11-17 19:17:13 -05:00
Ryan Richard
3b3641568a GC retries failed upstream revocations for a while, but not forever 2021-11-17 15:58:44 -08:00
Monis Khan
cd686ffdf3
Force the use of secure TLS config
This change updates the TLS config used by all pinniped components.
There are no configuration knobs associated with this change.  Thus
this change tightens our static defaults.

There are four TLS config levels:

1. Secure (TLS 1.3 only)
2. Default (TLS 1.2+ best ciphers that are well supported)
3. Default LDAP (TLS 1.2+ with less good ciphers)
4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers)

Highlights per component:

1. pinniped CLI
   - uses "secure" config against KAS
   - uses "default" for all other connections
2. concierge
   - uses "secure" config as an aggregated API server
   - uses "default" config as a impersonation proxy API server
   - uses "secure" config against KAS
   - uses "default" config for JWT authenticater (mostly, see code)
   - no changes to webhook authenticater (see code)
3. supervisor
   - uses "default" config as a server
   - uses "secure" config against KAS
   - uses "default" config against OIDC IDPs
   - uses "default LDAP" config against LDAP IDPs

Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-17 16:55:35 -05:00
Ryan Richard
ca2cc40769 Add impersonationProxyServerPort to the Concierge's static ConfigMap
- Used to determine on which port the impersonation proxy will bind
- Defaults to 8444, which is the old hard-coded port value
- Allow the port number to be configured to any value within the
  range 1024 to 65535
- This commit does not include adding new config knobs to the ytt
  values file, so while it is possible to change this port without
  needing to recompile, it is not convenient
2021-11-17 13:27:59 -08:00
Ryan Richard
2383a88612 Add aggregatedAPIServerPort to the Concierge's static ConfigMap
- Allow the port number to be configured to any value within the
  range 1024 to 65535
- This commit does not include adding new config knobs to the ytt
  values file, so while it is possible to change this port without
  needing to recompile, it is not convenient
2021-11-16 16:43:51 -08:00
Ryan Richard
48518e9513 Add trace logging to help observe upstream OIDC refresh token revocation 2021-11-11 12:24:05 -08:00
Ryan Richard
de79f15068 Merge branch 'main' into upstream_refresh_revocation_during_gc 2021-11-10 15:35:42 -08:00
Ryan Richard
2388e25235 Revoke upstream OIDC refresh tokens during GC 2021-11-10 15:34:19 -08:00
Mo Khan
c570f08b2b
Merge pull request #885 from vmware-tanzu/dependabot/docker/golang-1.17.3
Bump golang from 1.17.2 to 1.17.3
2021-11-05 21:45:56 -04:00
dependabot[bot]
2aeb464b43
Bump golang from 1.17.2 to 1.17.3
Bumps golang from 1.17.2 to 1.17.3.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-11-06 00:55:39 +00:00
Mo Khan
5a3f83f90f
Merge pull request #877 from vmware-tanzu/upstream-ldap-refresh
Upstream ldap refresh
2021-11-05 18:08:45 -04:00
Margo Crawford
cb60a44f8a extract ldap refresh search into helper function
also added an integration test for refresh failing after updating the username attribute
2021-11-05 14:22:43 -07:00
Margo Crawford
b5b8cab717 Refactors:
- pull construction of authenticators.Response into searchAndBindUser
- remove information about the identity provider in the error that gets
  returned to users. Put it in debug instead, where it may show up in
  logs.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-05 14:22:43 -07:00
Margo Crawford
c84329d7a4 Fix broken ldap_client_test 2021-11-05 14:22:43 -07:00
Margo Crawford
f988879b6e Addressing code review changes
- changed to use custom authenticators.Response rather than the k8s one
  that doesn't include space for a DN
- Added more checking for correct idp type in token handler
- small style changes

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-05 14:22:43 -07:00
Margo Crawford
84edfcb541 Refactor out a function, add tests for getting the wrong idp uid 2021-11-05 14:22:43 -07:00