Ryan Richard
86c791b8a6
reorganize federation domain packages to be more intuitive
...
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-09-11 11:11:52 -07:00
Ryan Richard
7af75dfe3c
First draft of implementation of multiple IDPs support
2023-09-11 11:09:49 -07:00
Joshua Casey
64f1bff13f
Use Conditions from apimachinery, specifically k8s.io/apimachinery/pkg/apis/meta/v1.Conditions
2023-09-11 10:13:39 -07:00
Joshua Casey
cd91edf26c
[LDAP] move attributeUnchangedSinceLogin from upstreamldap to activedirectoryupstreamwatcher
2023-09-06 14:52:01 -05:00
Joshua Casey
8fd55a1d81
Adjust test expectations for compilation differences with 1.21
...
- Requires some production code changes, to use pointers to function variables instead of pointers to functions
2023-09-06 14:52:01 -05:00
Ryan Richard
600d002a35
Use groupSearch.userAttributeForFilter during ActiveDirectory group searches
...
- Load the setting in the controller.
- The LDAP auth code is shared between AD and LDAP,
so no new changes there in this commit.
2023-05-31 11:17:40 -07:00
Ryan Richard
c187474499
Use groupSearch.userAttributeForFilter during LDAP group searches
...
Load the setting in the controller.
Use the setting during authentication and during refreshes.
2023-05-25 14:25:17 -07:00
Margo Crawford
a010e72b29
Merge branch 'dynamic_clients' into require-groups-scope
2022-06-22 14:27:06 -07:00
Margo Crawford
c70a0b99a8
Don't do ldap group search when group scope not specified
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 10:58:08 -07:00
Ryan Richard
5aa0d91267
New controller watches OIDCClients and updates validation Conditions
2022-06-17 13:11:26 -04:00
Monis Khan
0674215ef3
Switch to go.uber.org/zap for JSON formatted logging
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-05-24 11:17:42 -04:00
Margo Crawford
fdac4d16f0
Only run group refresh when the skipGroupRefresh boolean isn't set
...
for AD and LDAP
2022-02-17 12:50:28 -08:00
Ryan Richard
092a80f849
Refactor some variable names and update one comment
...
Change variable names to match previously renamed interface name.
2022-01-14 10:06:00 -08:00
Ryan Richard
7f99d78462
Fix bug where LDAP or AD status conditions were not updated correctly
...
When the LDAP and AD IDP watcher controllers encountered an update error
while trying to update the status conditions of the IDP resources, then
they would drop the computed desired new value of the condition on the
ground. Next time the controller ran it would not try to update the
condition again because it wants to use the cached settings and had
already forgotten the desired new value of the condition computed during
the previous run of the controller. This would leave the outdated value
of the condition on the IDP resource.
This bug would manifest in CI as random failures in which the expected
condition message and the actual condition message would refer to
different versions numbers of the bind secret. The actual condition
message would refer to an older version of the bind secret because the
update failed and then the new desired message got dropped on the
ground.
This commit changes the in-memory caching strategy to also cache the
computed condition messages, allowing the conditions to be updated
on the IDP resource during future calls to Sync() in the case of a
failed update.
2022-01-07 17:19:13 -08:00
Monis Khan
c155c6e629
Clean up nits in AD code
...
- Make everything private
- Drop unused AuthTime field
- Use %q format string instead of "%s"
- Only rely on GetRawAttributeValues in AttributeUnchangedSinceLogin
Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-17 08:53:44 -05:00
Margo Crawford
59d999956c
Move ad specific stuff to controller
...
also make extra refresh attributes a separate field rather than part of
Extra
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
acaad05341
Make pwdLastSet stuff more generic and not require parsing the timestamp
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
ee4f725209
Incorporate PR feedback
2021-12-09 16:16:36 -08:00
Margo Crawford
ef5a04c7ce
Check for locked users on ad upstream refresh
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
f62e9a2d33
Active directory checks for deactivated user
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
da9b4620b3
Active Directory checks whether password has changed recently during
...
upstream refresh
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:35 -08:00
Margo Crawford
1bd346cbeb
Require refresh tokens for upstream OIDC and save more session data
...
- Requiring refresh tokens to be returned from upstream OIDC idps
- Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication
- Don't pass access=offline all the time
2021-10-08 15:48:21 -07:00
Margo Crawford
05f5bac405
ValidatedSettings is all or nothing
...
If either the search base or the tls settings is invalid, just
recheck everything.
2021-09-07 13:09:35 -07:00
Margo Crawford
27c1d2144a
Make sure search base in the validatedSettings cache is properly updated when the bind secret changes
2021-09-07 13:09:35 -07:00
Margo Crawford
6f221678df
Change sAMAccountName env vars to userPrincipalName
...
and add E2E ActiveDirectory test
also fixed regexes in supervisor_login_test to be anchored to the
beginning and end
2021-08-26 16:18:05 -07:00
Margo Crawford
05afae60c2
Review comments--
...
- Change list of attributeParsingOverrides to a map
- Add unit test for sAMAccountName as group name without the override
- Change some comments in the the type definition.
2021-08-19 14:21:18 -07:00
Margo Crawford
8657b0e3e7
Cleanup new group attribute behavior and add test coverage
2021-08-18 10:11:18 -07:00
Margo Crawford
26c47d564f
Make new combined sAMAccountName@domain attribute the group name
...
Also change default username attribute to userPrincipalName
2021-08-17 16:53:26 -07:00
Margo Crawford
bbaa820278
parsing objectGUID as human-readable string version
2021-07-27 11:08:23 -07:00
Margo Crawford
287a5d225a
Change SearchBaseFound condition success reason to be a string constant
2021-07-27 10:23:05 -07:00
Margo Crawford
cc3875f048
PR feedback
2021-07-26 16:03:12 -07:00
Margo Crawford
5d23068690
Removed a todo that was resolved
2021-07-23 13:01:41 -07:00
Margo Crawford
91085e68f9
Refactoring defaulting logic
2021-07-23 13:01:41 -07:00
Margo Crawford
f99f7be836
Default values for ad usersearch and groupsearch
2021-07-23 13:01:41 -07:00
Margo Crawford
890d9c3216
resolve some todos about error handling search base discovery results
2021-07-23 13:01:41 -07:00
Margo Crawford
cb0ee07b51
Fetch AD search base from defaultNamingContext when not specified
2021-07-23 13:01:41 -07:00
Margo Crawford
5d8d7246c2
Refactor active directory and ldap controllers to share almost everything
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-07-23 13:01:41 -07:00
Margo Crawford
e5c8cbb3a4
One line fix for lint error. Forgot a period in a comment.
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-07-23 13:01:40 -07:00
Margo Crawford
7696f4256d
Move defaulting of ad username and uid attributes to controller
...
Now the controller uses upstreamldap so there is less duplication,
since they are very similar.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-07-23 13:01:40 -07:00
Ryan Richard
aaa4861373
Custom API Group overlay for AD
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-07-23 13:01:40 -07:00
Margo Crawford
be6f9f83ce
RBAC rules for activedirectoryidentityprovider
2021-07-23 13:01:40 -07:00
Margo Crawford
3899292e89
Advertise Active Directory idps
2021-07-23 13:01:40 -07:00