Commit Graph

3459 Commits

Author SHA1 Message Date
Ryan Richard
32ea6090ad Merge branch 'dynamic_clients' into dynamic_clients_in_downstream_flows 2022-07-15 10:28:30 -07:00
Mo Khan
f9dfd68420
Merge pull request #1221 from vmware-tanzu/oidcclient_controller2
Enhancements to OIDCClient controller
2022-07-15 08:51:44 -04:00
Ryan Richard
f5f55176af Enhance integration tests for OIDCClients in supervisor_login_test.go 2022-07-14 18:50:23 -07:00
Ryan Richard
e0ecdc004b Allow dynamic clients to be used in downstream OIDC flows
This is only a first commit towards making this feature work.
- Hook dynamic clients into fosite by returning them from the storage
  interface (after finding and validating them)
- In the auth endpoint, prevent the use of the username and password
  headers for dynamic clients to force them to use the browser-based
  login flows for all the upstream types
- Add happy path integration tests in supervisor_login_test.go
- Add lots of comments (and some small refactors) in
  supervisor_login_test.go to make it much easier to understand
- Add lots of unit tests for the auth endpoint regarding dynamic clients
  (more unit tests to be added for other endpoints in follow-up commits)
- Enhance crud.go to make lifetime=0 mean never garbage collect,
  since we want client secret storage Secrets to last forever
- Move the OIDCClient validation code to a package where it can be
  shared between the controller and the fosite storage interface
- Make shared test helpers for tests that need to create OIDC client
  secret storage Secrets
- Create a public const for "pinniped-cli" now that we are using that
  string in several places in the production code
2022-07-14 09:51:11 -07:00
Ryan Richard
be85e1ed0a TotalClientSecrets field gets omitempty and becomes int32 2022-07-14 09:30:03 -07:00
Ryan Richard
93939ccbd8 OIDCClient watcher controller updates based on PR feedback 2022-07-06 10:34:24 -07:00
Ryan Richard
8a23f244f3
Merge pull request #1215 from vmware-tanzu/prepare_supervisor_on_kind_linux
fix usage of base64 in hack script for linux
2022-06-29 10:51:16 -07:00
Ryan Richard
5b0c165dc8 fix usage of base64 in hack script 2022-06-28 12:44:41 -07:00
Ryan Richard
4878ae77e5
Merge pull request #1142 from vmware-tanzu/audit_logging_proposal
Audit logging proposal
2022-06-28 12:33:55 -07:00
Ryan Richard
18a1f3a43a
Merge branch 'main' into audit_logging_proposal 2022-06-28 12:33:02 -07:00
Mo Khan
43a76648d5
Merge pull request #1213 from vmware-tanzu/fix-groups-scope-integration-tests
One line fix to the supervisor warnings test
2022-06-24 11:12:07 -04:00
Margo Crawford
98b0b6b21c One line fix to the supervisor warnings test
Make the scopes in the cache key include the new groups scope

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-24 08:09:32 -07:00
Monis Khan
f13c5e3f06
Fix supervisor scheme comment
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-24 09:56:44 -04:00
Mo Khan
d576e44f0a
Merge pull request #1197 from vmware-tanzu/require-groups-scope
Require groups scope
2022-06-23 14:06:46 -04:00
Margo Crawford
8adc1ce345 Fix failing active directory integration test
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 16:16:32 -07:00
Ryan Richard
3cf3b28c5b Update audit log proposal 2022-06-22 15:12:28 -07:00
Margo Crawford
a010e72b29 Merge branch 'dynamic_clients' into require-groups-scope 2022-06-22 14:27:06 -07:00
Margo Crawford
dac0395680 Add a couple tests, address pr comments
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 14:19:55 -07:00
Margo Crawford
f2005b4c7f Merge branch 'dynamic_clients' into require-groups-scope 2022-06-22 12:30:54 -07:00
Margo Crawford
c70a0b99a8 Don't do ldap group search when group scope not specified
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 10:58:08 -07:00
Margo Crawford
9903c5f79e Handle refresh requests without groups scope
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 08:21:16 -07:00
Mo Khan
0a2aa9338d
Merge pull request #1198 from vmware-tanzu/oidcclient_controller
New controller watches OIDCClients and updates validation Conditions
2022-06-17 13:39:49 -04:00
Ryan Richard
5aa0d91267
New controller watches OIDCClients and updates validation Conditions 2022-06-17 13:11:26 -04:00
Mo Khan
f8183e0fab
Merge pull request #1199 from enj/enj/f/dynamic_clients_name_fix
Fix TestOIDCClientStaticValidation on old servers
2022-06-17 09:05:08 -04:00
Monis Khan
36a5c4c20d
Fix TestOIDCClientStaticValidation on old servers
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-17 09:04:03 -04:00
Mo Khan
4bf734061d
Merge pull request #1190 from vmware-tanzu/client-secret-api-noop
aggregated api for oidcclientsecretrequest
2022-06-16 10:30:13 -04:00
Mo Khan
90077f7135
Merge pull request #1195 from enj/enj/f/dynamic_clients_name
Static validation for OIDC clients
2022-06-16 10:29:03 -04:00
Margo Crawford
64cd8b0b9f Add e2e test for groups scope
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 13:41:22 -07:00
Monis Khan
59d67322d3
Static validation for OIDC clients
The following validation is enforced:

1. Names must start with client.oauth.pinniped.dev-
2. Redirect URIs must start with https://
   or http://127.0.0.1
   or http://::1
3. All spec lists must not have duplicates

Added an integration test to assert all static validations.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-15 15:09:40 -04:00
Margo Crawford
ff26c424ae Remove unused role binding
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 10:19:56 -07:00
Margo Crawford
424f925a14 Merge branch 'dynamic_clients' into client-secret-api-noop 2022-06-15 09:38:55 -07:00
Margo Crawford
c117329553 Updates based on code review
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 09:38:21 -07:00
Margo Crawford
4d0c2e16f4 require groups scope to get groups back from supervisor
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 08:00:17 -07:00
Mo Khan
c77bee67c1
Merge pull request #1189 from vmware-tanzu/token_exchange_aud
Disallow certain requested audience strings in token exchange
2022-06-14 16:41:51 -04:00
Margo Crawford
c95efad180 Merge branch 'dynamic_clients' into client-secret-api-noop
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-13 17:12:00 -07:00
Ryan Richard
268e1108d1
Merge pull request #1194 from vmware-tanzu/config_oidcclient
Move oidcclient into config.supervisor.pinniped.dev
2022-06-13 16:03:05 -07:00
Margo Crawford
104e08b0f6 Merge branch 'dynamic_clients' into client-secret-api-noop 2022-06-13 15:52:34 -07:00
Margo Crawford
0c1f48cbc1 Move oidcclient into config.supervisor.pinniped.dev
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-13 15:48:54 -07:00
Margo Crawford
8f4285dbff Change group names
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-13 14:28:05 -07:00
Ryan Richard
aceea7888b Merge branch 'main' into dynamic_clients 2022-06-13 12:29:09 -07:00
Ryan Richard
b9272b2729 Reserve all of *.pinniped.dev for requested aud in token exchanges
Our previous plan was to reserve only *.oauth.pinniped.dev but we
changed our minds during PR review.
2022-06-13 12:08:11 -07:00
Margo Crawford
ba371423d9 Add integration test for OIDCClientSecretRequest
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-10 13:56:15 -07:00
Margo Crawford
018bdacc6d
Merge pull request #1191 from vmware-tanzu/codegen-docker-pull-always
Always attempt to docker pull before codegen
2022-06-10 13:31:47 -07:00
Ryan Richard
e7096c61a8 Merge branch 'main' into dynamic_clients 2022-06-10 12:52:59 -07:00
Margo Crawford
b3ad29fe1c Always attempt to docker pull before codegen
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-10 12:26:40 -07:00
Margo Crawford
479b6c421d fix out of date codegen images
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-10 09:51:37 -07:00
Margo Crawford
157b5a7079 Update 1.24 codegen
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-10 07:55:46 -07:00
Margo Crawford
37884e7015 reran update.sh to get the codegen up to date
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-09 14:39:06 -07:00
Margo Crawford
889348e999 WIP aggregated api for oidcclientsecretrequest
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-09 13:47:19 -07:00
Ryan Richard
484c8f4bf3
Merge pull request #1183 from anjaltelang/main
Blog for v0.18.0
2022-06-08 15:14:31 -07:00