Commit Graph

284 Commits

Author SHA1 Message Date
Ryan Richard
50964c6677 Supervisor CSRF Secret has unique Type
Signed-off-by: aram price <pricear@vmware.com>
2020-12-17 15:30:26 -08:00
Ryan Richard
b27e3e1a89 Put a Type on the Secrets that we create for FederationDomain JWKS
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-17 14:48:49 -08:00
Aram Price
55483b726b More "op" and "opc" local variable renames
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-17 13:49:53 -08:00
Ryan Richard
65e7df1417
Merge branch 'main' into more-opc-rename 2020-12-17 12:10:19 -08:00
Ryan Richard
b96d49df0f Rename all "op" and "opc" usages
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-17 11:34:49 -08:00
Matt Moyer
41832369fd
Upgrade the Dex we use for local testing to v2.27.0.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 12:04:09 -06:00
Ryan Richard
4c6e1e5fb3 supervisor_login_test.go: wait for the /jwks.json endpoint to be ready
- Also fail in a more obvious way if the token exchanged failed by
  adding an assertion about its status code
2020-12-16 17:59:39 -08:00
Ryan Richard
b2b906f4fe supervisor_discovery_test.go: make test timeouts longer to avoid flakes 2020-12-16 15:13:02 -08:00
Margo Crawford
196e43aa48 Rename off of main
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 14:27:09 -08:00
Matt Moyer
7dae166a69
Merge branch 'main' into username-and-subject-claims 2020-12-16 15:23:19 -06:00
Matt Moyer
72ce69410e
Merge pull request #273 from vmware-tanzu/secret-generation
Generate secrets for Pinniped Supervisor
2020-12-16 15:22:23 -06:00
Matt Moyer
7bb0d649c0
Merge pull request #290 from mattmoyer/rename-token-exchange-scope
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience".
2020-12-16 15:22:05 -06:00
Matt Moyer
111f6513ac
Upgrade base images to Debian 10.7-slim.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 15:16:31 -06:00
Andrew Keesler
095ba14cc8
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-16 15:40:34 -05:00
Matt Moyer
8527c363bb
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience".
This is a bit more clear. We're changing this now because it is a non-backwards-compatible change that we can make now since none of this RFC8693 token exchange stuff has been released yet.

There is also a small typo fix in some flag usages (s/RF8693/RFC8693/)

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 14:24:13 -06:00
Matt Moyer
24c01d3e54
Add an integration test to verify security headers on the supervisor authorize endpoint.
It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 12:41:06 -06:00
Ryan Richard
dcb19150fc Nest claim configs one level deeper in JWTAuthenticatorSpec
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-16 09:42:19 -08:00
Andrew Keesler
fec80113c7
Revert "Retry a couple of times if we fail to get a token from the Supervisor"
This reverts commit be4e34d0c0.

Roll back this change that was supposed to make the test more robust. If we
retry multiple token exchanges with the same auth code, of course we are going
to get failures on the second try onwards because the auth code was invalidated
on the first try.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-16 09:04:29 -05:00
Andrew Keesler
5bdbfe1bc6
test/integration: more verbosity to try to track down flakes...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-16 09:04:25 -05:00
aram price
78df80f128 Tests ensure OIDCProvider secrets exist
... whenever one is successfully created.
2020-12-15 18:26:27 -08:00
Ryan Richard
40c6a67631 Merge branch 'main' into username-and-subject-claims 2020-12-15 18:09:44 -08:00
Ryan Richard
91af51d38e Fix integration tests to work with the username and sub claims
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-15 17:16:08 -08:00
Andrew Keesler
0758ecfea8 Tests wait for OIDCProvider secrets to be set
Signed-off-by: aram price <pricear@vmware.com>
2020-12-15 15:46:55 -08:00
Aram Price
0bd428e45d
test/integration: more logging to track down flakes
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 16:52:57 -05:00
Andrew Keesler
056afc17bd
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-15 15:55:46 -05:00
Matt Moyer
0b38d6c763
Add TestE2EFullIntegration test which combines supervisor, concierge, and CLI.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:50 -06:00
Matt Moyer
ff49647de4
Add some missing test logs in test/library/client.go.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:50 -06:00
Matt Moyer
e0eba9d5a6
Refactor library.CreateTestJWTAuthenticator() so we can also use the supervisor as an upstream.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:50 -06:00
Matt Moyer
5ad3c65ae1
Close the right pipe output in runPinnipedLoginOIDC.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:50 -06:00
Matt Moyer
aca9af748b
Cleanup TestSuccessfulCredentialRequest and TestCLILoginOIDC a little.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:49 -06:00
Matt Moyer
8cdcb89cef
Add a library.PinnipedCLIPath() test helper, with caching.
Caching saves us a little bit of time now that we're using the CLI in more and more tests.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:49 -06:00
Matt Moyer
70fd330178
Add library.CreateTestClusterRoleBinding test helper.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:49 -06:00
Matt Moyer
ad5e257600
Add a library.RandHex() test helper.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:49 -06:00
Matt Moyer
4088793cc5
Add a .ProxyEnv() helper on the test environment.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:04 -06:00
Matt Moyer
b6edc3dc08
Replace TestCLIGetKubeconfig with TestCLIGetKubeconfigStaticToken.
It now tests both the deprecated `pinniped get-kubeconfig` and the new `pinniped get kubeconfig --static-token` flows.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:03 -06:00
Matt Moyer
fe4e2d620d
Update TestCLIGetKubeconfig to ignore stderr output from get-kubeconfig.
This will now have a deprecation warning, so we can't treat is as part of the YAML output.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:03 -06:00
Matt Moyer
f9691208d5
Add library.NewRestConfigFromKubeconfig() test helper.
This is extracted from library.NewClientsetForKubeConfig(). It is useful so you can assert properties of the loaded, parsed kubeconfig.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:03 -06:00
Andrew Keesler
2e784e006c
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-15 13:24:33 -05:00
Andrew Keesler
be4e34d0c0
Retry a couple of times if we fail to get a token from the Supervisor
I hope this will make TestSupervisorLogin less flaky. There are some instances
where the front half of the OIDC login flow happens so fast that the JWKS
controller doesn't have time to properly generate an asymmetric key.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 11:53:58 -05:00
Andrew Keesler
50f9b434e7
SameIssuerHostMustUseSameSecret is a valid OIDCProvider status
I saw this message in our CI logs, which led me to this fix.
  could not update status: OIDCProvider.config.supervisor.pinniped.dev "acceptance-provider" is invalid: status.status: Unsupported value: "SameIssuerHostMustUseSameSecret": supported values: "Success", "Duplicate", "Invalid"

Also - correct an integration test error message that was misleading.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 11:53:53 -05:00
Andrew Keesler
82ae98d9d0
Set secret names on OIDCProvider status field
We believe this API is more forwards compatible with future secrets management
use cases. The implementation is a cry for help, but I was trying to follow the
previously established pattern of encapsulating the secret generation
functionality to a single group of packages.

This commit makes a breaking change to the current OIDCProvider API, but that
OIDCProvider API was added after the latest release, so it is technically still
in development until we release, and therefore we can continue to thrash on it.

I also took this opportunity to make some things private that didn't need to be
public.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 09:13:01 -05:00
Aram Price
5b7a86ecc1
Integration test for Supervisor secret controllers
This forced us to add labels to the CSRF cookie secret, just as we do
for other Supervisor secrets. Yay tests.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-14 15:53:12 -05:00
Ryan Richard
baa1a4a2fc Supervisor storage garbage collection controller enabled in production
- Also add more log statements to the controller
- Also have the controller apply a rate limit to itself, to avoid
  having a very chatty controller that runs way more often than is
  needed.
- Also add an integration test for the controller's behavior.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-11 15:21:34 -08:00
Ryan Richard
afd216308b KubeStorage annotates every Secret with garbage-collect-after timestamp
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 14:47:58 -08:00
Ryan Richard
a561fd21d9 Consolidate the supervisor's timeout settings into a single struct
- This struct represents the configuration of all timeouts. These
  timeouts are all interrelated to declare them all in one place.
  This should also make it easier to allow the user to override
  our defaults if we would like to implement such a feature in the
  future.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 10:14:54 -08:00
Margo Crawford
218f27306c Integration test for refresh grant
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-09 17:07:37 -08:00
Matt Moyer
f1aff2faab
Start extending TestSupervisorLogin to test the token exchange flow (WIP).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:23:10 -06:00
Andrew Keesler
4c0fb12cf6
test/integration: only set JWTAuthenticator CA bundle when it exists
See comment in code.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-09 10:15:53 -05:00
Andrew Keesler
57103e0a9f
Add JWTAuthenticator controller
See https://github.com/vmware-tanzu/pinniped/issues/260 for UX bummer.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
Andrew Keesler
946b0539d2
Add JWTAuthenticator API type
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00