djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2,503 Commits 30 Branches 34 Tags 22 MiB
48518e9513
Commit Graph

2503 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Andrew Keesler
b49d37ca54
callback_handler.go: test invalid upstream ID token username/groups 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-19 15:53:21 -05:00
Mo Khan
20b62b8841
Merge pull request #231 from enj/enj/f/fosite_kube_storage 
Add kube based storage for use with fosite
 2020-11-19 15:34:55 -05:00
Ryan Richard
83101eefce
callback_handler.go: start to test upstream token corner cases 
Also refactor to get rid of duplicate test structs.

Also also don't default groups ID token claim because there is no standard one.

Also also also add some logging that will hopefully help us in debugging in the
future.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-19 14:19:01 -05:00
Monis Khan
86865d155a
Switch fuzzing test to UTC 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-19 14:04:25 -05:00
Monis Khan
3575be7742
Add authorization code storage 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-19 13:18:27 -05:00
Monis Khan
b7d823a077
Add generic Kube API based CRUD storage 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-19 13:18:02 -05:00
Ryan Richard
a47617cad0 callback_handler.go: Add JWT Audience claim to storage 2020-11-19 08:53:53 -08:00
Ryan Richard
ee84f31f42 callback_handler.go: Add JWT Issuer claim to storage 2020-11-19 08:35:23 -08:00
Andrew Keesler
ace861f722
callback_handler.go: get some thoughts down about default upstream claims 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-19 11:08:21 -05:00
Andrew Keesler
2e62be3ebb
callback_handler.go: assert correct args are passed to token exchange 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-19 10:20:46 -05:00
Andrew Keesler
48e0250649
callback_handler.go: test that we request openid scope correctly 
Also add some testing.T.Log() calls to make debugging handler test failures
easier.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-19 09:28:56 -05:00
Andrew Keesler
6c72507bca
callback_handler.go: add test for failed upstream exchange/validation 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-19 09:00:41 -05:00
Andrew Keesler
63b8c6e4b2
callback_handler.go: test when state missing a needed param 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-19 08:51:23 -05:00
Andrew Keesler
ffdb7fa795
callback_handler.go: add a test for invalid state auth params 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-19 08:41:44 -05:00
Ryan Richard
652ea6bd2a Start using fosite in the Supervisor's callback handler 2020-11-18 17:15:01 -08:00
Mo Khan
3bc5952f7e
Merge pull request #227 from mattmoyer/add-authorizationconfig-omitempty 
Use `omitempty` on UpstreamOIDCProvider `spec.authorizationConfig` field.
 2020-11-18 20:10:55 -05:00
Matt Moyer
7520dadbdd
Use omitempty on UpstreamOIDCProvider spec.authorizationConfig field. 
This allows you to omit the field in creation requests, which was annoying.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-18 17:14:35 -06:00
Mo Khan
8a4be431f6
Merge pull request #230 from vmware-tanzu/scc 
Add nonroot SCC to work on OpenShift clusters
 2020-11-18 17:46:01 -05:00
Mo Khan
c32e452db8
Add nonroot SCC to work on OpenShift clusters 2020-11-18 17:08:45 -05:00
Ryan Richard
24bd8b2e42
Merge pull request #226 from absoludity/fix-getting-started4 
Fix demo.md and update default namespace for pinniped concierge.
 2020-11-18 13:39:04 -08:00
Ryan Richard
227fbd63aa Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider 
Because we want it to implement an AuthcodeExchanger interface and
do it in a way that will be more unit test-friendly than the underlying
library that we intend to use inside its implementation.
 2020-11-18 13:38:13 -08:00
Ryan Richard
c83cec341b
Merge branch 'main' into fix-getting-started4 2020-11-17 15:02:36 -08:00
Matt Moyer
7404ee4531
Merge pull request #224 from mattmoyer/make-oidcclient-public 
Move `./internal/oidcclient` to `./pkg/oidcclient`.
 2020-11-17 15:13:50 -06:00
Matt Moyer
e0a9bef6ce
Move ./internal/oidcclient to ./pkg/oidcclient. 
This will allow it to be imported by Go code outside of our repository, which was something we have planned for since this code was written.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-17 14:53:32 -06:00
Matt Moyer
428b9f2758
Merge pull request #223 from mattmoyer/refactor-cert-gen 
Refactor certificate generation for integration test Dex.
 2020-11-17 12:45:20 -06:00
Matt Moyer
0d1ad6e1df
Fix some broken resource grouping/ordering in Tiltfile. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-17 12:21:15 -06:00
Matt Moyer
6ce2f109bf
Refactor certificate generation for integration test Dex. 
Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this.

Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-17 11:36:36 -06:00
Matt Moyer
3b9fb71dd1
Merge pull request #222 from mattmoyer/readd-supervisor-login-tests 
Re-add the TestSupervisorLogin integration test.
 2020-11-17 11:16:01 -06:00
Ryan Richard
97552aec5f Merge branch 'main' into callback-endpoint 2020-11-17 09:06:54 -08:00
Matt Moyer
d6d808d185
Re-add the TestSupervisorLogin integration test. 
This is 99% Andrew's code from 4032ed32ae, but tweaked to work with the new UpstreamOIDCProvider setup.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-17 09:21:17 -06:00
Matt Moyer
b75a6cdb76
Merge pull request #221 from mattmoyer/use-https-dex 
Add support for custom CA bundle in CLI and UpstreamOIDCProvider.
 2020-11-16 20:47:16 -06:00
Matt Moyer
b31deff0fb
Update integration tests to use HTTPS Dex for UpstreamOIDCProvider testing. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 20:23:20 -06:00
Matt Moyer
ee978fdde8
Add controller support for spec.tls field. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 20:23:20 -06:00
Matt Moyer
e867fb82b9
Add spec.tls field to UpstreamOIDCProvider API. 
This allows for a custom CA bundle to be used when connecting to the upstream issuer.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 20:23:20 -06:00
Matt Moyer
b17ac6ec0b
Update integration tests to run Dex over HTTPS. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 20:23:20 -06:00
Matt Moyer
dd2133458e
Add --ca-bundle flag to "pinniped login oidc" command. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 18:15:20 -06:00
Matt Moyer
e7ecfd3954
Merge pull request #219 from mattmoyer/add-test-proxy 
Convert CLI tests to work through an HTTP forward proxy.
 2020-11-16 17:48:16 -06:00
Matt Moyer
c8b17978a9
Convert CLI tests to work through an HTTP forward proxy. 
This change deploys a small Squid-based proxy into the `dex` namespace in our integration test environment. This lets us use the cluster-local DNS name (`http://dex.dex.svc.cluster.local/dex`) as the OIDC issuer. It will make generating certificates easier, and most importantly it will mean that our CLI can see Dex at the same name/URL as the supervisor running inside the cluster.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 17:16:58 -06:00
Matt Moyer
a4733025ce
Merge pull request #220 from jonasrosland/fix-landing-text 
Fix landing page use cases
 2020-11-16 16:36:44 -06:00
Andrew Keesler
1c7601a2b5
callback_handler.go: start happy path test with redirect 
Next steps: fosite storage?

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-16 17:07:34 -05:00
Ryan Richard
052cdc40dc
callback_handler.go: add CSRF and version state validations 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-16 14:41:00 -05:00
jonasrosland
332ed8e50b Fix landing page use cases 
Signed-off-by: jonasrosland <jrosland@vmware.com>
 2020-11-16 12:00:06 -05:00
Andrew Keesler
4138c9244f
callback_handler.go: write 2 invalid cookie tests 
Also common-ize some more constants shared between the auth and callback
endpoints.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-16 11:47:49 -05:00
Michael Nelson
57a2dc9fc1 Update default namespace for pinniped-concierge to match install-pinniped-concierge.yaml 2020-11-16 11:05:53 +11:00
Michael Nelson
9bb9402e89 Updated doc/demo.md with required namespace 2020-11-16 11:05:53 +11:00
Andrew Keesler
3ef1171667 Tiny bit more code for Supervisor's callback_handler.go 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-13 15:59:51 -08:00
Matt Moyer
84b61fac88
Merge pull request #215 from mattmoyer/fix-upstream-oidc-provider 
Fix some issues in the UpstreamOIDCProvider CRD and controller
 2020-11-13 17:23:10 -06:00
Matt Moyer
c10393b495
Mask the raw error messages from go-oidc, since they are dangerous. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 16:22:34 -06:00
Matt Moyer
d3d8ef44a0
Make more fields in UpstreamOIDCProvider optional. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 15:28:37 -06:00
Mo Khan
d5ee925e62
Merge pull request #213 from mattmoyer/more-categories 
Add our TokenCredentialRequest to the "pinniped" API category as well.
 2020-11-13 15:51:42 -05:00