Commit Graph

3229 Commits

Author SHA1 Message Date
Ryan Richard
ba98c8cc14 Enhance Kube middleware to rewrite API group of ownerRefs on update verb
When oidcclientsecretstorage.Set() wants to update the contents of the
storage Secret, it also wants to keep the original ownerRef of the
storage Secret, so it needs the middleware to rewrite the API group
of the ownerRef again during the update (just like it had initially done
during the create of the Secret).
2022-09-21 21:30:44 -07:00
Ryan Richard
31716358a9 Make the assertNoRestartsDuringTest() helper ignore terminating pods 2022-09-21 21:27:02 -07:00
Ryan Richard
12b3079377 integration tests for oidcclientsecretrequest endpoint
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 16:25:41 -07:00
Benjamin A. Petersen
a7ca2cf2dd fix test name in clientsecretrequest unit tests
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:17:23 -07:00
Ryan Richard
b49dcc7d45 Resolve a todo in oidcclientsecretstorage.go 2022-09-21 15:17:21 -07:00
Ryan Richard
90f13225ef Update integration test helper to call new OIDCClientSecretRequest API 2022-09-21 15:17:21 -07:00
Ryan Richard
ee3515f23b Create OIDCClientSecretRequest returns metadata
Sets the Name, Namespace, CreationTimestamp fields in the object meta
of the return value.

Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:17:10 -07:00
Ryan Richard
7997285b19 Make fields optional on OIDCClientSecretRequest 2022-09-21 15:17:08 -07:00
Benjamin A. Petersen
6d863a159b Add unit tests for clientsecretrequest logs
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:17:02 -07:00
Benjamin A. Petersen
5e3a912200 Add unit tests for clientsecretrequest
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:16:48 -07:00
Benjamin A. Petersen
a812646dd1 Update pre-commit-config
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:16:39 -07:00
Benjamin A. Petersen
488296a480 adding tests
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:16:12 -07:00
Benjamin A. Petersen
55fb62d060 Fix OIDCClientSecretStorage.Get to check version, add tests for OIDCClientSecretStorage
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:15:50 -07:00
Ryan Richard
af01c3aeb6 Make kubectl explain work for Pinniped aggregated APIs
- Change update-codegen.sh script to also generated openapi code for the
  aggregated API types
- Update both aggregated API servers' configuration to make them serve
  the openapi docs for the aggregated APIs
- Add new integration test which runs `kubectl explain` for all Pinniped
  API resources, and all fields and subfields of those resources
- Update some the comments on the API structs
- Change some names of the tmpl files to make the filename better match
  the struct names
2022-09-21 15:15:37 -07:00
Ryan Richard
1c296e5c4c Implement the OIDCClientSecretRequest API
This commit is a WIP commit because it doesn't include many tests
for the new feature.

Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:15:07 -07:00
Ryan Richard
b564454bab Make Pinniped compatible with Kube clusters which have enabled PSAs
Where possible, use securityContext settings which will work with the
most restrictive Pod Security Admission policy level (as of Kube 1.25).
Where privileged containers are needed, use the namespace-level
annotation to allow them.

Also adjust some integration tests to make similar changes to allow the
integration tests to pass on test clusters which use restricted PSAs.
2022-09-15 14:58:15 -07:00
Ryan Richard
7c247e9000 Merge branch 'main' into dynamic_clients 2022-09-15 12:00:41 -07:00
anjalitelang
6b3a2e87c0
Update ROADMAP.md 2022-09-09 11:18:48 -04:00
anjalitelang
3c2820fdae
Update ROADMAP.md
Updating the roadmap based on current needs of users 9/9/2022
2022-09-09 11:18:19 -04:00
Pinny
4441ac0600 Updated versions in docs for v0.19.0 release 2022-08-26 20:08:48 +00:00
Ryan Richard
dc39162597 Rerun codegen after merging main into dynamic_clients
Needed to update the new v1.25 generated code to include the new APIs
that were added in the dynamic_clients branch.
2022-08-26 12:13:53 -07:00
Ryan Richard
8d8f980e86 Merge branch 'main' into dynamic_clients 2022-08-26 11:35:35 -07:00
Ryan Richard
a5ac710831 Add unit test for expired refresh tokens used in refresh flow 2022-08-26 09:23:25 -07:00
Ryan Richard
5246ff9005 Give more time for slow envs to update in concierge_api_serving_certs_test.go
This test is a little flaky in slow Kubernetes clusters. Try giving a
little more time for things to update before failing the test, to
hopefully make this test a little more reliable.
2022-08-25 11:20:54 -07:00
Ryan Richard
24a3588eb0 Run codegen again using Go 1.19, causes whitespace diffs in generated code 2022-08-25 09:36:54 -07:00
Ryan Richard
8f27219ac9 Change allowed gcp auth plugin is deprecation warning text
It seems that google changed it from "the gcp auth plugin is deprecated
in v1.22+, unavailable in v1.25+; use gcloud instead" to instead say
"unavailable in v1.26+". Make the matcher in category_test.go more loose
to allow both to match.
2022-08-25 08:11:37 -07:00
Ryan Richard
736b385d7b
Merge pull request #1264 from vmware-tanzu/access_token_validation
Improve token exchange error messages and error test cases
2022-08-24 17:53:53 -07:00
Ryan Richard
c40465127e Merge branch 'main' into access_token_validation 2022-08-24 16:50:21 -07:00
Ryan Richard
af7cf673e0
Merge pull request #1192 from vmware-tanzu/dependabot/docker/distroless/static-66cd130
Bump distroless/static from `2556293` to `66cd130`
2022-08-24 16:49:37 -07:00
Ryan Richard
ee99106160
Merge pull request #1193 from vmware-tanzu/dependabot/docker/hack/distroless/static-66cd130
Bump distroless/static from `2556293` to `66cd130` in /hack
2022-08-24 16:49:18 -07:00
Ryan Richard
65197d0f9d Merge branch 'main' into access_token_validation 2022-08-24 16:41:12 -07:00
dependabot[bot]
f320a04125
Bump distroless/static from 2556293 to 66cd130
Bumps distroless/static from `2556293` to `66cd130`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-24 23:40:35 +00:00
dependabot[bot]
036c937db5
Bump distroless/static from 2556293 to 66cd130 in /hack
Bumps distroless/static from `2556293` to `66cd130`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-24 23:40:34 +00:00
Ryan Richard
4e8601e73b
Merge pull request #1272 from vmware-tanzu/bump_deps_aug_2022
Bump all deps
2022-08-24 16:39:45 -07:00
Ryan Richard
138f1d263f Rerun godegen using Go 1.19, causes whitespace diffs in generated code 2022-08-24 16:06:42 -07:00
Ryan Richard
43af297b44 Add codegen for Kube 1.25, and update patch versions on older codegen 2022-08-24 15:13:21 -07:00
Ryan Richard
c6c2c525a6 Upgrade the linter and fix all new linter warnings
Also fix some tests that were broken by bumping golang and dependencies
in the previous commits.

Note that in addition to changes made to satisfy the linter which do not
impact the behavior of the code, this commit also adds ReadHeaderTimeout
to all usages of http.Server to satisfy the linter (and because it
seemed like a good suggestion).
2022-08-24 14:45:55 -07:00
Ryan Richard
03694d78a8 Implement new Destroy() interface from rest.Storage from Kube v1.25 2022-08-24 12:04:38 -07:00
Ryan Richard
fe083f73fc Bump to golang 1.19.0 and to latest distroless base image
For fips dockerfile, the fips 1.19 compiler has not been released yet,
so bump to the latest available.
2022-08-24 11:18:53 -07:00
Ryan Richard
c1ebf5b737 Run go mod tidy -compat=1.17 2022-08-24 10:06:56 -07:00
Ryan Richard
dd7902faa0 bump golang deps 2022-08-24 10:03:09 -07:00
Ryan Richard
1384f75731 Improve token exchange error messages and error test cases 2022-08-23 17:20:30 -07:00
Ryan Richard
91cf439b31
Merge pull request #1249 from vmware-tanzu/username_scope
Add the new `username` scope to the Supervisor and exclude usernames from dynamic clients which are not granted the scope, and other dynamic client related changes
2022-08-19 10:21:45 -07:00
Ryan Richard
02a27e0186 Add docs for dynamic clients 2022-08-11 14:35:18 -07:00
Ryan Richard
0bb2c7beb7 Always add the azp claim to ID tokens to show the original client ID
When the token exchange grant type is used to get a cluster-scoped
ID token, the returned token has a new audience value. The client ID
of the client which performed the authorization was lost. This didn't
matter before, since the only client was `pinniped-cli`, but now that
dynamic clients can be registered, the information would be lost in the
cluster-scoped ID token. It could be useful for logging, tracing, or
auditing, so preserve the information by putting the client ID into the
`azp` claim in every ID token (authcode exchange, clsuter-scoped, and
refreshed ID tokens).
2022-08-09 16:07:23 -07:00
Ryan Richard
8a5db99abf get kubeconfig cmd errors on audience values with reserved substring 2022-08-09 09:12:25 -07:00
Ryan Richard
22fbced863 Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
  client does not need to request the username or groups scopes for them
  to be granted. For dynamic clients, the usual OAuth2 rules apply:
  the client must be allowed to request the scopes according to its
  configuration, and the client must actually request the scopes in the
  authorization request.
- If the username scope was not granted, then there will be no username
  in the ID token, and the cluster-scoped token exchange will fail since
  there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
  scopes in the scopes_supported list, and lists the username and groups
  claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
  put into kubeconfig files by "pinniped get kubeconfig" CLI command,
  and the default list of scopes used by "pinniped login oidc" when
  no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
  refresh will only be sent to the pinniped-cli client, since it is
  only intended for kubectl and it could leak the username to the
  client (which may not have the username scope granted) through the
  warning message text.
- Add the user's username to the session storage as a new field, so that
  during upstream refresh we can compare the original username from the
  initial authorization to the refreshed username, even in the case when
  the username scope was not granted (and therefore the username is not
  stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
  due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
  package.
- Change some import names to make them consistent:
  - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
  - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
    as "oidcapi"
  - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 16:29:22 -07:00
Ryan Richard
6b29082c27
Merge pull request #1236 from vmware-tanzu/dynamic_clients_in_downstream_flows
Allow dynamic clients to be used in downstream OIDC flows
2022-07-26 11:18:15 -07:00
Ryan Richard
bda233482d Merge branch 'dynamic_clients' into dynamic_clients_in_downstream_flows 2022-07-26 09:31:39 -07:00
Ryan Richard
57f8e18dbc Merge branch 'main' into dynamic_clients 2022-07-26 09:31:18 -07:00