djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
3,146 Commits 30 Branches 34 Tags 22 MiB
Commit Graph

993 Commits

Author SHA1 Message Date
Margo Crawford 4d0c2e16f4 require groups scope to get groups back from supervisor 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-15 08:00:17 -07:00
Margo Crawford 8f4285dbff Change group names 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-13 14:28:05 -07:00
Ryan Richard b9272b2729 Reserve all of *.pinniped.dev for requested aud in token exchanges 
Our previous plan was to reserve only *.oauth.pinniped.dev but we
changed our minds during PR review.
 2022-06-13 12:08:11 -07:00
Margo Crawford ba371423d9 Add integration test for OIDCClientSecretRequest 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-10 13:56:15 -07:00
Margo Crawford 889348e999 WIP aggregated api for oidcclientsecretrequest 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-09 13:47:19 -07:00
Ryan Richard 321abfc98d Merge branch 'dynamic_clients' into token_exchange_aud 2022-06-08 09:03:29 -07:00
Ryan Richard ea45e5dfef Disallow certain requested audience strings in token exchange 2022-06-07 16:32:19 -07:00
Mo Khan 472ab229e7
Merge branch 'main' into auth_handler_form_post_csp 2022-06-07 18:26:52 -04:00
Ryan Richard 7751c0bf59
Bump project deps, including kube 0.23.6->0.24.1 and Go 1.18.1->1.18.3 
Several API changes in Kube required changes in Pinniped code.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-06-07 15:26:30 -04:00
Ryan Richard b99c4773a2 Use CSP headers in auth handler response 
When response_mode=form_post is requested, some error cases will be
returned to the client using the form_post web page to POST the result
back to the client's redirect URL.
 2022-06-02 09:23:34 -07:00
Monis Khan 0674215ef3
Switch to go.uber.org/zap for JSON formatted logging 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-05-24 11:17:42 -04:00
Ryan Richard 39fd9ba270 Small refactors and comments for LDAP/AD UI 2022-05-19 16:02:08 -07:00
Ryan Richard 0f2a984308 Merge branch 'main' into ldap-login-ui 2022-05-11 11:32:15 -07:00
Ryan Richard aa732a41fb Add LDAP browser flow login failure tests to supervisor_login_test.go 
Also do some refactoring to share more common test setup code in
supervisor_login_test.go.
 2022-05-10 16:28:08 -07:00
Ryan Richard 4c44f583e9 Don't add pinniped_idp_name pinniped_idp_type params into upstream state 2022-05-06 12:00:46 -07:00
Ryan Richard ec22b5715b Add Pinniped favicon to login UI page 🦭 2022-05-05 14:46:07 -07:00
Ryan Richard cffa353ffb Login page styling/structure for users, screen readers, passwd managers 
Also:
- Add CSS to login page
- Refactor login page HTML and CSS into a new package
- New custom CSP headers for the login page, because the requirements
  are different from the form_post page
 2022-05-05 13:13:25 -07:00
Ryan Richard 6ca7c932ae Add unit test for rendering form_post response from POST /login 2022-05-05 13:13:25 -07:00
Ryan Richard 656f221fb7 Merge branch 'main' into ldap-login-ui 2022-05-04 09:29:15 -07:00
Ryan Richard 2e031f727b Use security headers for the form_post page in the POST /login endpoint 
Also use more specific test assertions where security headers are
expected. And run the unit tests for the login package in parallel.
 2022-05-03 16:46:09 -07:00
Ryan Richard acc6c50e48 More unit tests for LDAP DNs which contain special chars 
Adding explicit coverage for PerformRefresh().
 2022-05-03 15:43:01 -07:00
Margo Crawford 388cdb6ddd Fix bug where form was posting to the wrong path 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-05-03 15:18:38 -07:00
Ryan Richard c74dea6405 Escape special characters in LDAP DNs when used in search filters 2022-05-02 13:37:32 -07:00
Ryan Richard 69e5169fc5 Implement post_login_handler.go to accept form post and auth to LDAP/AD 
Also extract some helpers from auth_handler.go so they can be shared
with the new handler.
 2022-04-29 16:02:00 -07:00
Margo Crawford 646c6ec9ed Show error message on login page 
Also add autocomplete attribute and title element

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-29 10:36:13 -07:00
Margo Crawford 453c69af7d Fix some errors and pass state as form element 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-28 12:07:04 -07:00
Margo Crawford 07b2306254 Add basic outline of login get handler 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-28 11:51:36 -07:00
Margo Crawford ae60d4356b Some refactoring of shared code between OIDC and LDAP browser flows 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-27 08:51:37 -07:00
Margo Crawford 379a803509 when password header but not username is sent to password grant, error 
also add more unit tests

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-26 16:46:58 -07:00
Ryan Richard 65eed7e742 Implement login_handler.go to defer to other handlers 
The other handlers for GET and POST requests are not yet implemented in
this commit. The shared handler code in login_handler.go takes care of
things checking the method, checking the CSRF cookie, decoding the state
param, and adding security headers on behalf of both the GET and POST
handlers.

Some code has been extracted from callback_handler.go to be shared.
 2022-04-26 15:37:30 -07:00
Margo Crawford eb1d3812ec Update authorization endpoint to redirect to new login page 
Also fix some test failures on the callback handler, register the
new login handler in manager.go and add a (half baked) integration test

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-26 12:51:56 -07:00
Margo Crawford 8832362b94 WIP: Add login handler for LDAP/AD web login 
Also change state param to include IDP type
 2022-04-25 16:41:55 -07:00
Margo Crawford 694e4d6df6 Advertise browser_authcode flow in ldap idp discovery 
To keep this backwards compatible, this PR changes how
the cli deals with ambiguous flows. Previously, if there
was more than one flow advertised, the cli would require users
to set the flag --upstream-identity-provider-flow. Now it
chooses the first one in the list.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-25 14:54:21 -07:00
Ryan Richard 0ec5e57114
Merge pull request #1131 from vmware-tanzu/bump_some_deps 
Bump some deps
 2022-04-19 13:29:28 -07:00
Margo Crawford 0b72f7084c JWTAuthenticator distributed claims resolution honors tls config 
Kube 1.23 introduced a new field on the OIDC Authenticator which
allows us to pass in a client with our own TLS config. See
https://github.com/kubernetes/kubernetes/pull/106141.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-19 11:36:46 -07:00
Ryan Richard 132d2aac72 add a code comment 2022-04-19 11:35:46 -07:00
Ryan Richard 2d4f4e4efd Merge branch 'main' into bump_some_deps 2022-04-19 11:32:53 -07:00
Ryan Richard fb8083d024 bump some direct deps 2022-04-19 11:09:24 -07:00
hectorj2f a3f7afaec4 oidc: add code challenge supported methods 
Signed-off-by: hectorj2f <hectorf@vmware.com>
 2022-04-19 01:21:39 +02:00
Margo Crawford d5337c9c19 Error format of untrusted certificate errors should depend on OS 
Go 1.18.1 started using MacOS' x509 verification APIs on Macs
rather than Go's own. The error messages are different.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-14 17:37:36 -07:00
Margo Crawford 03f19da21c the http2RoundTripper should only use http2 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-14 10:51:25 -07:00
Monis Khan e0886c6948
Only emit FIPS startup log when running a server component 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-04-13 18:31:02 -04:00
Monis Khan 8fd77b72df
Bump to go1.18.1 and fix linter errors 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-04-13 16:43:06 -04:00
Ryan Richard 53348b8464 Add custom prefix to downstream access and refresh tokens and authcodes 2022-04-13 10:13:27 -07:00
Monis Khan 6b4fbb6e0e
Use klog to make sure FIPS init log is emitted 
We cannot use plog until the log level config has been setup, but
that occurs after this init function has run.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-04-12 14:36:06 -04:00
Ryan Richard 25d20d4081 Merge branch 'main' into disable_http 2022-04-05 09:00:26 -07:00
Monis Khan 07066e020d
Explicitly set defaultServing ciphers in FIPS mode 
This is a no-op today, but could change in the future when we add
support for FIPS in non-strict mode.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-04-01 10:59:47 -04:00
Monis Khan 3f0753ec5a
Remove duplication in secure TLS tests 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-04-01 10:56:38 -04:00
Monis Khan 15bc6a4a67
Add more details to FIPS comments 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-04-01 10:56:38 -04:00
Ryan Richard 51c527a965 Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests 
- Use camel-case in the static configmap
- Parse the value into a boolean in the go struct instead of a string
- Add test for when unsupported value is used in the configmap
- Run the config_test.go tests in parallel
- Update some paragraphs in configure-supervisor.md for clarity
 2022-03-31 16:23:45 -07:00
Ryan Richard ae7aac020a Merge branch 'main' into disable_http 2022-03-30 11:30:32 -07:00
Margo Crawford 53597bb824 Introduce FIPS compatibility 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-03-29 16:58:41 -07:00
Ryan Richard 488f08dd6e Provide a way to override the new HTTP loopback-only validation 
Add new deprecated_insecure_accept_external_unencrypted_http_requests
value in values.yaml. Allow it to be a boolean or a string to make it
easier to use (both --data-value and --data-value-yaml will work).

Also:
- Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses
  for the validation
- Remove unused env.SupervisorHTTPAddress var
- Deprecate the `service_http_*` values in values.yaml by renaming them
  and causing a ytt render error when the old names are used
 2022-03-28 17:03:23 -07:00
Ryan Richard 8d12c1b674 HTTP listener: default disabled and may only bind to loopback interfaces 2022-03-24 15:46:10 -07:00
Ryan Richard 48c5a625a5 Remove our direct dependency on ory/x 
ory/x has new releases very often, sometimes multiple times per week,
causing a lot of noise from dependabot. We were barely using it
directly, so replace our direct usages with equivalent code.
 2022-03-24 10:24:54 -07:00
Ryan Richard fffcb7f5b4 Update to github.com/golangci/golangci-lint/cmd/golangci-lint@v1.44.2 
- Two of the linters changed their names
- Updated code and nolint comments to make all linters pass with 1.44.2
- Added a new hack/install-linter.sh script to help developers install
  the expected version of the linter for local development
 2022-03-08 12:28:09 -08:00
Monis Khan eae55a8595
Fix typo in group removed warning 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-03-02 12:58:30 -05:00
Margo Crawford 609b55a6d7 Pinniped Supervisor should issue a warning when groups change during refresh 2022-03-01 14:01:57 -08:00
Margo Crawford fdac4d16f0 Only run group refresh when the skipGroupRefresh boolean isn't set 
for AD and LDAP
 2022-02-17 12:50:28 -08:00
Margo Crawford 662f2cef9c Integration test for updating group search base 
Also a small change to a comment
 2022-02-17 11:29:59 -08:00
Margo Crawford ca523b1f20 Always update groups even if it's nil 
Also de-dup groups and various small formatting changes
 2022-02-17 11:29:59 -08:00
Margo Crawford c28602f275 Add unit tests for group parsing overrides 2022-02-17 11:29:59 -08:00
Margo Crawford dd11c02b6a Add back entries because I think it's actually necessary 2022-02-17 11:29:59 -08:00
Margo Crawford f890fad90c Rename a function, sort strings inside searchGroupsForUserDN 2022-02-17 11:29:59 -08:00
Margo Crawford cd7538861a Add integration test where we don't get groups back 2022-02-17 11:29:59 -08:00
Margo Crawford 013b521838 Upstream ldap group refresh: 
- Doing it inline on the refresh request
 2022-02-17 11:29:59 -08:00
Ryan Richard e5a60a8c84 Update a comment 2022-02-16 11:09:05 -08:00
Monis Khan 49e88dd74a
Change some single quotes to double quotes in minified JS 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-02-10 16:15:26 -05:00
Ryan Richard 5d79d4b9dc Fix form_post.js mistake from recent commit; Better CORS on callback 2022-02-08 17:30:48 -08:00
Ryan Richard 6781bfd7d8 Fix JS bug: form post UI shows manual copy/paste UI upon failed callback 
When the POST to the CLI's localhost callback endpoint results in a
non-2XX status code, then treat that as a failed login attempt and
automatically show the manual copy/paste UI.
 2022-02-07 16:21:23 -08:00
Margo Crawford b30dad72ed Fix new refresh token grace period test to have warnings 2022-01-20 14:54:59 -08:00
Margo Crawford 31cdd808ac
Merge pull request #951 from vmware-tanzu/short-session-warning 
Supervisor should emit a warning when access token lifetime is too short
 2022-01-20 14:44:32 -08:00
Ryan Richard e85a6c09f6
Merge pull request #953 from vmware-tanzu/dependabot/go_modules/github.com/tdewolff/minify/v2-2.9.29 
Bump github.com/tdewolff/minify/v2 from 2.9.26 to 2.9.29
 2022-01-20 14:16:05 -08:00
Margo Crawford 38d184fe81 Integration test + making sure we get the session correctly in token handler 2022-01-20 13:48:50 -08:00
Margo Crawford b0ea7063c7 Supervisor should emit a warning when access token lifetime is too short 2022-01-20 13:48:50 -08:00
Ryan Richard db789dc2bf
Merge branch 'main' into dependabot/go_modules/github.com/tdewolff/minify/v2-2.9.29 2022-01-20 12:10:24 -08:00
Ryan Richard 6ddc953989
Merge branch 'main' into dependabot/go_modules/github.com/ory/fosite-0.42.0 2022-01-20 12:10:01 -08:00
Ryan Richard dff53b8144 Changes for Fosite's new RevokeRefreshTokenMaybeGracePeriod() interface 
Fosite v0.42.0 introduced a new RevokeRefreshTokenMaybeGracePeriod()
interface function. Updated our code to support this change. We didn't
support grace periods on refresh tokens before, so implemented it by
making the new RevokeRefreshTokenMaybeGracePeriod() method just call
the old RevokeRefreshToken() method, therefore keeping our old behavior.
 2022-01-19 13:57:01 -08:00
Ryan Richard 3b1cc30e8d Update unit test to match new JS minify output after minify upgrade 2022-01-19 13:29:07 -08:00
Ryan Richard a4ca44ca14 Improve error handling when upstream groups is invalid during refresh 2022-01-19 12:57:47 -08:00
Ryan Richard 78bdb1928a
Merge branch 'main' into upstream-oidc-refresh-groups 2022-01-18 16:03:14 -08:00
Monis Khan 1e1789f6d1
Allow configuration of supervisor endpoints 
This change allows configuration of the http and https listeners
used by the supervisor.

TCP (IPv4 and IPv6 with any interface and port) and Unix domain
socket based listeners are supported.  Listeners may also be
disabled.

Binding the http listener to TCP addresses other than 127.0.0.1 or
::1 is deprecated.

The deployment now uses https health checks.  The supervisor is
always able to complete a TLS connection with the use of a bootstrap
certificate that is signed by an in-memory certificate authority.

To support sidecar containers used by service meshes, Unix domain
socket based listeners include ACLs that allow writes to the socket
file from any runAsUser specified in the pod's containers.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-01-18 17:43:45 -05:00
Ryan Richard 70bd831099
Merge branch 'main' into upstream-oidc-refresh-groups 2022-01-18 14:36:18 -08:00
Ryan Richard 88f3b29515 Merge branch 'main' into upstream-oidc-refresh-groups 2022-01-14 16:51:12 -08:00
Ryan Richard 75e4093067 Merge branch 'main' into ldap_and_activedirectory_status_conditions_bug 2022-01-14 16:50:34 -08:00
Ryan Richard 548977f579 Update group memberships during refresh for upstream OIDC providers 
Update the user's group memberships when possible. Note that we won't
always have enough information to be able to update it (see code
comments).
 2022-01-14 16:38:21 -08:00
Ryan Richard 7551af3eb8 Fix code that did not auto-merge correctly in previous merge from main 2022-01-14 10:59:39 -08:00
Ryan Richard 814399324f Merge branch 'main' into upstream_access_revocation_during_gc 2022-01-14 10:49:22 -08:00
Ryan Richard db0a765b98 Merge branch 'main' into ldap_and_activedirectory_status_conditions_bug 2022-01-14 10:06:16 -08:00
Ryan Richard 092a80f849 Refactor some variable names and update one comment 
Change variable names to match previously renamed interface name.
 2022-01-14 10:06:00 -08:00
Margo Crawford 5b161be334 Refactored oidcUpstreamRefresh 
Various style changes, updated some comments and variable names and
extracted a helper function for validation.
 2022-01-12 18:05:22 -08:00
Margo Crawford 62be761ef1 Perform access token based refresh by fetching the userinfo 2022-01-12 18:05:10 -08:00
Ryan Richard 651d392b00 Refuse logins when no upstream refresh token and no userinfo endpoint 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-01-12 18:03:25 -08:00
Margo Crawford 6f3977de9d Store access token when refresh not available for authcode flow. 
Also refactor oidc downstreamsessiondata code to be shared between
callback handler and auth handler.

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2022-01-12 18:03:25 -08:00
Ryan Richard 91924ec685 Revert adding allowAccessTokenBasedRefresh flag to OIDCIdentityProvider 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-01-12 18:03:25 -08:00
Margo Crawford 683a2c5b23 WIP adding access token to storage upon login 2022-01-12 18:03:25 -08:00
Ryan Richard 1f146f905a Add struct field for storing upstream access token in downstream session 2022-01-12 18:03:25 -08:00
Margo Crawford 2b744b2eef Add back comment about deferring validation when id token subject is missing 2022-01-12 11:19:43 -08:00
Margo Crawford 2958461970 Addressing PR feedback 
store issuer and subject in storage for refresh
Clean up some constants

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-01-10 11:03:37 -08:00
Margo Crawford f2d2144932 rename ValidateToken to ValidateTokenAndMergeWithUserInfo to better reflect what it's doing 
Also changed a few comments and small things
 2022-01-10 11:03:37 -08:00