aram price
3ca877f1df
WIP - preliminary OIDCProviderSecrets controller
...
Tests not yet passing, controller is incomplete and expectations may be
incorrect.
2020-12-13 17:37:49 -05:00
aram price
3e31668eb0
Refactor some utilitiy methods for sharing.
2020-12-13 17:37:48 -05:00
aram price
9e2213cbae
Rename for clarity
...
- makes space for OIDCPrivder related controller
2020-12-13 17:37:48 -05:00
Andrew Keesler
022dcd1909
Update secretgenerator controller after synchronous review
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-11 15:37:10 -05:00
Andrew Keesler
e2aad48852
internal/oidc/dynamiccodec: loosen test to reduce flakes
...
When we try to decode with the wrong decryption key, we could get any number of
error messages, depending on what failure mode we are in (couldn't authenticate
plaintext after decryption, couldn't deserialize, etc.). This change makes the
test weaker, but at least we know we will get an error message in the case where
the decryption key is wrong.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-11 11:49:27 -05:00
Andrew Keesler
e17bc31b29
Pass CSRF cookie signing key from controller to cache
...
This also sets the CSRF cookie Secret's OwnerReference to the Pod's grandparent
Deployment so that when the Deployment is cleaned up, then the Secret is as
well.
Obviously this controller implementation has a lot of issues, but it will at
least get us started.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-11 11:49:27 -05:00
Andrew Keesler
22c5b102ed
internal/downward: add support for (optional) pod name
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-11 11:49:27 -05:00
Andrew Keesler
0246e57d7f
Set lifespans on state and CSRF cooking encoding
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-11 11:49:22 -05:00
Andrew Keesler
9460b08873
Use just-in-time HMAC signing key fetching in our Fosite config
...
This pattern is similar to what we did in
58237d0e7d
.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-11 11:16:46 -05:00
aram price
a3285fc187
Fix variable / package name collision
2020-12-10 17:32:55 -08:00
aram price
e1173eb5eb
manager.Manager is initialized with secret.Cache
...
- hard-coded secret.Cache is passed in from pinniped-supervisor/main
2020-12-10 17:32:55 -08:00
aram price
72bc458c8e
Manager uses secret.Cach with hardcoded values
2020-12-10 17:32:55 -08:00
Andrew Keesler
e067892ffc
Add secret.Cache to hold crypto inputs
2020-12-10 17:32:55 -08:00
aram price
2f87be3f94
Manager uses dynamiccodec.Codec for cookie encoding
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-10 17:32:55 -08:00
Andrew Keesler
1291380611
dynamiccodec.Codec uses securecookie.JSONEncoder
...
Signed-off-by: aram price <pricear@vmware.com>
2020-12-10 17:32:55 -08:00
aram price
ccac124b7a
Fix broken test
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-10 17:32:55 -08:00
Andrew Keesler
d8212d1337
Whitespace
...
Signed-off-by: aram price <pricear@vmware.com>
2020-12-10 17:32:55 -08:00
aram price
030edaf72d
KeyFunc no longer uses multi-value return
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-10 17:32:55 -08:00
Andrew Keesler
c3f73ffb57
Check in some musings on a symmetric key generator controller
...
There is still a test failing, but I am sure it is a simple fix hiding in the
code. I think this is the general shape of the controller that we want.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-10 17:32:55 -08:00
Andrew Keesler
3e112fb1ac
internal/oidc/dynamiccodec: first draft
...
Note that we don't cache the securecookie.SecureCookie that we use in our
implementation. This was purely because of laziness. We should think about
caching this value in the future.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-10 17:32:55 -08:00
Ryan Richard
c001bb876e
Merge pull request #275 from vmware-tanzu/fosite-storage-gc-prefactor
...
Fosite storage garbage collection prefactor
2020-12-10 10:50:29 -08:00
Ryan Richard
3c6d1a1924
Merge branch 'main' into fosite-storage-gc
2020-12-10 10:45:26 -08:00
Margo Crawford
6f40dcb471
Increase the RefreshTokenSessionStorageLifetime
...
- Make it more likely that the end user will get the more specific error
message saying that their refresh token has expired the first time
that they try to use an expired refresh token
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-10 10:44:27 -08:00
Ryan Richard
a561fd21d9
Consolidate the supervisor's timeout settings into a single struct
...
- This struct represents the configuration of all timeouts. These
timeouts are all interrelated to declare them all in one place.
This should also make it easier to allow the user to override
our defaults if we would like to implement such a feature in the
future.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 10:14:54 -08:00
Matt Moyer
40c9e8472c
Merge pull request #272 from mattmoyer/default-cli-scopes
...
Tweak default CLI `--scopes` parameter to match supervisor use case.
2020-12-10 11:41:22 -06:00
Matt Moyer
e7338da3dc
Tweak default CLI --scopes
parameter to match supervisor use case.
...
This should be a better default for most cases.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-10 10:48:11 -06:00
Matt Moyer
0c52739997
Merge pull request #271 from mattmoyer/fix-cli-content-type-parsing
...
Fix bug in handling response content-type in oidcclient.
2020-12-10 10:46:10 -06:00
Matt Moyer
9d3c98232b
Fix bug in handling response content-type in oidcclient.
...
Before this, we weren't properly parsing the `Content-Type` header. This breaks in integration with the Supervisor since it sends an extra encoding parameter like `application/json;charset=UTF-8`.
This change switches to properly parsing with the `mime.ParseMediaType` function, and adds test cases to match the supervisor behavior.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-10 10:12:56 -06:00
Matt Moyer
5a0918afde
Merge pull request #270 from mattmoyer/default-cli-client-id
...
Add a default --client-id in `pinniped login oidc` command.
2020-12-10 10:12:28 -06:00
Matt Moyer
4395d5a0ca
Add a default --client-id in pinniped login oidc
command.
...
This default matches the static client we have defined in the supervisor, which will be the correct value in most cases.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-10 09:46:07 -06:00
Andrew Keesler
d83927ae75
Merge pull request #268 from vmware-tanzu/secret-generation-prefactor
...
Secret generation prefactor
2020-12-10 08:39:32 -05:00
aram price
86c75b7a80
CSRF cookie is no longer encrypted
2020-12-09 17:34:02 -08:00
aram price
f1f8ffa456
Distinct Encoder
's use distinct keys
2020-12-09 17:34:02 -08:00
aram price
4a5f8e30a8
Use distinct Encoder
for state and csrf data
2020-12-09 17:34:02 -08:00
aram price
e111ca02da
Use the narrowest possible interface
2020-12-09 17:34:02 -08:00
aram price
6ec3589112
Use recorder Cookies()
helper
...
- replaces hand-parsing of cookie strings
2020-12-09 17:34:02 -08:00
Margo Crawford
2ddba8d825
Merge pull request #267 from vmware-tanzu/token-exchange-endpoint
...
Implement RFC8693 token exchange handler in the supervisor
2020-12-09 17:13:28 -08:00
Margo Crawford
218f27306c
Integration test for refresh grant
...
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-09 17:07:37 -08:00
Margo Crawford
fde2e6fa97
Merge remote-tracking branch 'origin/main' into token-exchange-endpoint
2020-12-09 15:22:54 -08:00
Ryan Richard
4d82ec1283
Merge pull request #262 from vmware-tanzu/token-refresh
...
Support for the refresh grant in the supervisor's token endpoint
2020-12-09 15:22:02 -08:00
Ryan Richard
5b7c510577
Fixed error handling for token exchange when openid scope missing
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 15:15:50 -08:00
Ryan Richard
0abadddb1a
token_handler_test.go: modify a test about refresh request scopes param
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 15:03:52 -08:00
Margo Crawford
5f6e7de785
Merge branch 'token-refresh' into token-exchange-endpoint
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-09 14:56:41 -08:00
Ryan Richard
64631d5780
token_handler_test.go: add even more test cases for refresh grant
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 14:53:39 -08:00
Ryan Richard
0386658d26
token_handler_test.go: add more test cases for refresh grant
2020-12-09 14:12:00 -08:00
Matt Moyer
167d440b65
Remove this unneccesary go113 nolint
directives.
...
We disabled this linter across the project.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 14:51:27 -06:00
Matt Moyer
3e6ebab389
Clean up TestTokenExchange a bit.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 14:49:44 -06:00
Matt Moyer
f90b5d48de
Merge branch 'token-refresh' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint
2020-12-09 14:46:57 -06:00
Matt Moyer
016b0e9a8e
Satisfy the pedantic linter config 🙃 .
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 14:41:27 -06:00
Ryan Richard
51c828382f
Supervisor token endpoint supports refresh grant type
...
- This commit does not include the sad path tests for the refresh
grant type, which will come in a future commit.
2020-12-09 12:12:59 -08:00