jonasrosland
332ed8e50b
Fix landing page use cases
...
Signed-off-by: jonasrosland <jrosland@vmware.com>
2020-11-16 12:00:06 -05:00
Andrew Keesler
4138c9244f
callback_handler.go: write 2 invalid cookie tests
...
Also common-ize some more constants shared between the auth and callback
endpoints.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 11:47:49 -05:00
Michael Nelson
57a2dc9fc1
Update default namespace for pinniped-concierge to match install-pinniped-concierge.yaml
2020-11-16 11:05:53 +11:00
Michael Nelson
9bb9402e89
Updated doc/demo.md with required namespace
2020-11-16 11:05:53 +11:00
Andrew Keesler
3ef1171667
Tiny bit more code for Supervisor's callback_handler.go
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-13 15:59:51 -08:00
Matt Moyer
84b61fac88
Merge pull request #215 from mattmoyer/fix-upstream-oidc-provider
...
Fix some issues in the UpstreamOIDCProvider CRD and controller
2020-11-13 17:23:10 -06:00
Matt Moyer
c10393b495
Mask the raw error messages from go-oidc, since they are dangerous.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 16:22:34 -06:00
Matt Moyer
d3d8ef44a0
Make more fields in UpstreamOIDCProvider optional.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 15:28:37 -06:00
Mo Khan
d5ee925e62
Merge pull request #213 from mattmoyer/more-categories
...
Add our TokenCredentialRequest to the "pinniped" API category as well.
2020-11-13 15:51:42 -05:00
Mo Khan
47d216caae
Merge pull request #209 from alexbrand/doc-fixes
...
Fix broken links in the project's website
2020-11-13 15:51:13 -05:00
Alexander Brand
406d6b5544
docs/scope.md: Fix link to contrib guide
...
Signed-off-by: Alexander Brand <alexbrand09@gmail.com>
2020-11-13 15:25:01 -05:00
Matt Moyer
ab87977c08
Put our TokenCredentialRequest API into the "pinniped" category.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 14:22:26 -06:00
Matt Moyer
f4dfc22f8e
Merge pull request #212 from enj/enj/i/restore_cert_ttl
...
Reduce client cert TTL back to 5 mins
2020-11-13 14:11:44 -06:00
Matt Moyer
785a1d14fb
Merge pull request #199 from mattmoyer/add-oidc-upstream-crd
...
Add UpstreamOIDCProvider API and initial controller.
2020-11-13 13:01:13 -06:00
Matt Moyer
d68a4b85f4
Add integration tests for UpstreamOIDCProvider status.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 12:30:38 -06:00
Matt Moyer
cbd71df574
Add "upstream-watcher" controller to supervisor.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 12:30:38 -06:00
Monis Khan
c05cbca0b0
Reduce client cert TTL back to 5 mins
...
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-13 13:30:02 -05:00
Matt Moyer
2e7d869ccc
Add generated API/client code for new UpstreamOIDCProvider CRD.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 11:38:50 -06:00
Matt Moyer
bac3c19bec
Add UpstreamOIDCProvider API type definition.
...
This is essentially just a copy of Andrew's work from https://github.com/vmware-tanzu/pinniped/pull/135 .
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 11:38:49 -06:00
Andrew Keesler
81b9a48437
callback_handler.go: initial API/test shape with 1 test
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-13 12:32:35 -05:00
Alexander Brand
271640b66d
docs/architecture.md: Fix broken link
2020-11-13 09:17:47 -05:00
Alexander Brand
6b0d4184d5
docs/architecture.md: Fix broken link
2020-11-13 09:15:46 -05:00
Ryan Richard
d351ef430c
Merge pull request #206 from vmware-tanzu/authorize_endpoint_reuse_cookie
...
Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones
2020-11-12 16:26:01 -08:00
Matt Moyer
e6f128e2a7
Merge pull request #205 from mattmoyer/more-careful-categories
...
Put all of our APIs into a "pinniped" category, and never use "all".
2020-11-12 17:37:20 -06:00
Andrew Keesler
080bb594b2
Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones
...
- To better support having multiple downstream providers configured,
the authorize endpoint will share a CSRF cookie between all
downstream providers' authorize endpoints. The first time a
user's browser hits the authorize endpoint of any downstream
provider, that endpoint will set the cookie. Then if the user
starts an authorize flow with that same downstream provider or with
any other downstream provider which shares the same domain name
(i.e. differentiated by issuer path), then the same cookie will be
submitted and respected.
- Just in case we are sharing the domain name with some other app,
we sign the value of any new CSRF cookie and check the signature
when we receive the cookie. This wasn't strictly necessary since
we probably won't share a domain name with other apps, but it
wasn't hard to add this cookie signing.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-12 15:36:59 -08:00
Matt Moyer
f1696411d9
Test that Pinniped APis do not have short names, either.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 17:13:52 -06:00
Matt Moyer
5580ca82ac
Merge pull request #204 from mattmoyer/cleanup-update-script
...
Remove CRD count check, since we can now use wildcards.
2020-11-12 16:28:24 -06:00
Matt Moyer
7f2c43cd62
Put all of our APIs into a "pinniped" category, and never use "all".
...
We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`.
I also added some tests to assert these properties on all `*.pinniped.dev` API resources.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 16:26:34 -06:00
Matt Moyer
372cfe1601
Remove CRD count check, since we can now use wildcards.
...
This check predates the API renaming we did. Now that our API groups have `concierge`/`supervisor` in the name, we don't need to maintain a specific set of `cp` commands and keep them in sync, so we don't really need this check.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 15:48:03 -06:00
Mo Khan
d73fdb1d33
Merge pull request #202 from mattmoyer/remove-internal-crd-packages
...
Remove extraneous internal packages for CRD APIs.
2020-11-12 15:29:29 -05:00
Matt Moyer
821190004c
Remove extraneous internal packages for CRD APIs.
...
These only really make sense for aggregated API types where we need `conversion-gen` to do version conversion.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 14:04:53 -06:00
Andrew Keesler
8321773a22
auth_handler.go: fix lint error
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-12 12:24:40 -05:00
Andrew Keesler
3a943a3b9a
auth_handler.go: ignore encoding timestamp for deterministic tests
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-12 12:14:50 -05:00
Ryan Richard
6d380c629a
auth_handler.go: use encryption in tests
...
Our unit tests are gonna touch a lot more corner cases than our
integration tests, so let's make them run as close to the real
implementation as possible.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-12 12:14:49 -05:00
Matt Moyer
5fd105496f
Merge pull request #201 from amymanion/am-dev
...
Style updates
2020-11-12 09:12:24 -06:00
Matt Moyer
b3e622c914
Merge pull request #200 from jonasrosland/website-fixes
...
Website fixes for broken links, formatting, and more
2020-11-12 09:10:28 -06:00
Amy Manion
c4ed768c9e
Adjust hero font size
2020-11-12 09:46:44 -05:00
Amy Manion
ef11f97a75
Style updates
...
-adjust font sizes
-fix ordered lists
Signed-off-by: Amy Manion <amy.manion@principlestudios.com>
2020-11-12 09:35:17 -05:00
Jonas Rosland
0b41469527
Website fixes for broken links, formatting, and more
...
Signed-off-by: Jonas Rosland <jrosland@vmware.com>
2020-11-11 21:40:49 -05:00
Mo Khan
8859172025
Merge pull request #198 from enj/enj/i/multi_api_service
...
Prevent multiple pinnipeds from thrashing on the API service
2020-11-11 20:44:42 -05:00
Monis Khan
9c8b081906
Prevent multiple pinnipeds from thrashing on the API service
...
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-11 20:09:49 -05:00
Ryan Richard
300d522eb0
Merge pull request #185 from vmware-tanzu/authorize_endpoint
2020-11-11 16:03:15 -08:00
Ryan Richard
203e040be1
Remove an unfinished integration test
...
This commit is meant to be reverted when we are unblocked and
ready to start working on this integration test again. Temporarily
remove it so we can merge this PR to main.
Note: I had tried using t.Skip() in the test, but then that caused lint
failures, so decided to just remove it for now.
2020-11-11 15:40:40 -08:00
Matt Moyer
fdcea0de05
Merge pull request #197 from jonasrosland/a-seal-of-approval
...
Add first blog post
2020-11-11 17:33:40 -06:00
Monis Khan
db6fc234b7
Add NullStorage for the authorize endpoint to use
...
We want to run all of the fosite validations in the authorize
endpoint, but we don't need to store anything yet because
we are storing what we need for later in the upstream state
parameter.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-11 14:49:24 -08:00
jonasrosland
e6838ace6b
Add first blog post
...
Signed-off-by: jonasrosland <jrosland@vmware.com>
2020-11-11 17:06:36 -05:00
Ryan Richard
4b8c1de647
Add unit test to auth_handler_test.go for non-openid authorize requests
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-11 13:13:57 -08:00
Andrew Keesler
c2262773e6
Finish the WIP from the previous commit for saving authorize endpoint state
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-11 12:29:14 -08:00
Andrew Keesler
f806768039
Merge pull request #196 from ankeesler/ytt-logging
...
Add YTT template value for log level
2020-11-11 09:29:24 -05:00
Andrew Keesler
83a156d72b
Enable debug logging in all testing scenarios
...
It is really helpful to have verbose logs during test debugging.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-11 09:01:43 -05:00