djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2,953 Commits 30 Branches 34 Tags 22 MiB
Commit Graph

115 Commits

Author SHA1 Message Date
Margo Crawford 4d0c2e16f4 require groups scope to get groups back from supervisor 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-15 08:00:17 -07:00
Ryan Richard ec533cd781 Skip some recently added integration tests when LDAP is unavailable 
Also refactor to use shared test helper for skipping LDAP and AD tests.
 2022-06-08 12:57:00 -07:00
Ryan Richard 8170889aef Update CSP header expectations in TestSupervisorLogin_Browser int test 2022-06-07 11:20:59 -07:00
Ryan Richard aa732a41fb Add LDAP browser flow login failure tests to supervisor_login_test.go 
Also do some refactoring to share more common test setup code in
supervisor_login_test.go.
 2022-05-10 16:28:08 -07:00
Ryan Richard 0b106c245e Add LDAP browser flow login test to supervisor_login_test.go 2022-05-10 12:54:40 -07:00
Ryan Richard a4e32d8f3d Extract browsertest.LoginToUpstreamLDAP() integration test helper 2022-05-09 15:43:36 -07:00
Ryan Richard 53348b8464 Add custom prefix to downstream access and refresh tokens and authcodes 2022-04-13 10:13:27 -07:00
Ryan Richard fffcb7f5b4 Update to github.com/golangci/golangci-lint/cmd/golangci-lint@v1.44.2 
- Two of the linters changed their names
- Updated code and nolint comments to make all linters pass with 1.44.2
- Added a new hack/install-linter.sh script to help developers install
  the expected version of the linter for local development
 2022-03-08 12:28:09 -08:00
Margo Crawford f6ad5d5c45 Add group change warning test for Active Directory 
Also refactor some of the AD test helper functions

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-03-02 11:54:36 -08:00
Margo Crawford e2c6dcd6e6 Add integration test 2022-02-17 12:50:28 -08:00
Margo Crawford 662f2cef9c Integration test for updating group search base 
Also a small change to a comment
 2022-02-17 11:29:59 -08:00
Margo Crawford cd7538861a Add integration test where we don't get groups back 2022-02-17 11:29:59 -08:00
Margo Crawford 013b521838 Upstream ldap group refresh: 
- Doing it inline on the refresh request
 2022-02-17 11:29:59 -08:00
Monis Khan b8202d89d9
Enforce naming convention for browser based tests 
This allows us to target browser based tests with the regex:

go test -v -race -count 1 -timeout 0 ./test/integration -run '/_Browser'

New tests that call browsertest.Open will automatically be forced to
follow this convention.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-02-16 09:20:28 -05:00
Margo Crawford 513c943e87 Keep all scopes except offline_access in integration test 2022-01-19 13:29:26 -08:00
Ryan Richard 91924ec685 Revert adding allowAccessTokenBasedRefresh flag to OIDCIdentityProvider 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-01-12 18:03:25 -08:00
Margo Crawford 683a2c5b23 WIP adding access token to storage upon login 2022-01-12 18:03:25 -08:00
Margo Crawford 2958461970 Addressing PR feedback 
store issuer and subject in storage for refresh
Clean up some constants

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-01-10 11:03:37 -08:00
Margo Crawford 0cd086cf9c Check username claim is unchanged for oidc. 
Also add integration tests for claims changing.
 2022-01-10 11:03:37 -08:00
Margo Crawford 59d999956c Move ad specific stuff to controller 
also make extra refresh attributes a separate field rather than part of
Extra

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-12-09 16:16:36 -08:00
Margo Crawford 65f3464995 Fix issue with very high integer value parsing, add unit tests 
also add comment about urgent replication
 2021-12-09 16:16:36 -08:00
Margo Crawford ee4f725209 Incorporate PR feedback 2021-12-09 16:16:36 -08:00
Margo Crawford ef5a04c7ce Check for locked users on ad upstream refresh 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-12-09 16:16:36 -08:00
Margo Crawford f62e9a2d33 Active directory checks for deactivated user 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-12-09 16:16:36 -08:00
Margo Crawford da9b4620b3 Active Directory checks whether password has changed recently during 
upstream refresh

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-12-09 16:16:35 -08:00
Margo Crawford cb60a44f8a extract ldap refresh search into helper function 
also added an integration test for refresh failing after updating the username attribute
 2021-11-05 14:22:43 -07:00
Margo Crawford b5b8cab717 Refactors: 
- pull construction of authenticators.Response into searchAndBindUser
- remove information about the identity provider in the error that gets
  returned to users. Put it in debug instead, where it may show up in
  logs.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-11-05 14:22:43 -07:00
Margo Crawford 722b5dcc1b Test for change to stored username or subject. 
All of this is still done staticly.
 2021-11-05 14:22:43 -07:00
Margo Crawford 19281313dd Basic upstream LDAP/AD refresh 
This stores the user DN in the session data upon login and checks that
the entry still exists upon refresh. It doesn't check anything
else about the entry yet.
 2021-11-05 14:22:42 -07:00
Ryan Richard 9e05d175a7 Add integration test: upstream refresh failure during downstream refresh 2021-10-13 15:12:19 -07:00
Margo Crawford 05f5bac405 ValidatedSettings is all or nothing 
If either the search base or the tls settings is invalid, just
recheck everything.
 2021-09-07 13:09:35 -07:00
Margo Crawford 27c1d2144a Make sure search base in the validatedSettings cache is properly updated when the bind secret changes 2021-09-07 13:09:35 -07:00
Margo Crawford 6f221678df Change sAMAccountName env vars to userPrincipalName 
and add E2E ActiveDirectory test
also fixed regexes in supervisor_login_test to be anchored to the
beginning and end
 2021-08-26 16:18:05 -07:00
Margo Crawford c590c8ff41 Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider 2021-08-24 12:19:29 -07:00
Margo Crawford 5e9087263d Increase timeout for activedirectoryidentityprovider to be loaded 2021-08-18 16:24:05 -07:00
Margo Crawford a20aee5f18 Update test assertions to reflect userPrincipalName as username 2021-08-18 13:18:53 -07:00
Margo Crawford 26c47d564f Make new combined sAMAccountName@domain attribute the group name 
Also change default username attribute to userPrincipalName
 2021-08-17 16:53:26 -07:00
Ryan Richard 84c3c3aa9c Optionally allow OIDC password grant for CLI-based login experience 
- Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec
- The oidc upstream watcher controller copies the value of
  `AllowPasswordGrant` into the configuration of the cached provider
- Add password grant to the UpstreamOIDCIdentityProviderI interface
  which is implemented by the cached provider instance for use in the
  authorization endpoint
- Enhance the IDP discovery endpoint to return the supported "flows"
  for each IDP ("cli_password" and/or "browser_authcode")
- Enhance `pinniped get kubeconfig` to help the user choose the desired
  flow for the selected IDP, and to write the flow into the resulting
  kubeconfg
- Enhance `pinniped login oidc` to have a flow flag to tell it which
  client-side flow it should use for auth (CLI-based or browser-based)
- In the Dex config, allow the resource owner password grant, which Dex
  implements to also return ID tokens, for use in integration tests
- Enhance the authorize endpoint to perform password grant when
  requested by the incoming headers. This commit does not include unit
  tests for the enhancements to the authorize endpoint, which will come
  in the next commit
- Extract some shared helpers from the callback endpoint to share the
  code with the authorize endpoint
- Add new integration tests
 2021-08-12 10:45:39 -07:00
Margo Crawford 53b58f65b2 Add integration test for wrong password with ldap 2021-07-26 16:32:46 -07:00
Margo Crawford cc3875f048 PR feedback 2021-07-26 16:03:12 -07:00
Margo Crawford 1050f39789 Integration test deactivated ad account 2021-07-23 13:01:41 -07:00
Margo Crawford 91085e68f9 Refactoring defaulting logic 2021-07-23 13:01:41 -07:00
Margo Crawford cb0ee07b51 Fetch AD search base from defaultNamingContext when not specified 2021-07-23 13:01:41 -07:00
Margo Crawford 5d8d7246c2 Refactor active directory and ldap controllers to share almost everything 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2021-07-23 13:01:41 -07:00
Ryan Richard 3b4f521596 Changed TestLDAPUpstream.TestUsernameAttributeName back to TestUserMailAttributeName 
Also added TestUserSAMAccountNameValue

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-07-23 13:01:40 -07:00
Ryan Richard aaa4861373 Custom API Group overlay for AD 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-07-23 13:01:40 -07:00
Margo Crawford b3d0b28bd0 Integration test fixes, fixing objectGUID handling 2021-07-23 13:01:40 -07:00
Margo Crawford 5c283d941c Helper script for running active directory tests 2021-07-23 13:01:40 -07:00
Margo Crawford 3b8edb84a5 WIP on active directory integration test 2021-07-23 13:01:40 -07:00
Margo Crawford 8fb35c6569 Active Directory cli options 2021-07-23 13:01:40 -07:00