Commit Graph

1019 Commits

Author SHA1 Message Date
Ryan Richard
65197d0f9d Merge branch 'main' into access_token_validation 2022-08-24 16:41:12 -07:00
Ryan Richard
c6c2c525a6 Upgrade the linter and fix all new linter warnings
Also fix some tests that were broken by bumping golang and dependencies
in the previous commits.

Note that in addition to changes made to satisfy the linter which do not
impact the behavior of the code, this commit also adds ReadHeaderTimeout
to all usages of http.Server to satisfy the linter (and because it
seemed like a good suggestion).
2022-08-24 14:45:55 -07:00
Ryan Richard
03694d78a8 Implement new Destroy() interface from rest.Storage from Kube v1.25 2022-08-24 12:04:38 -07:00
Ryan Richard
1384f75731 Improve token exchange error messages and error test cases 2022-08-23 17:20:30 -07:00
Ryan Richard
0bb2c7beb7 Always add the azp claim to ID tokens to show the original client ID
When the token exchange grant type is used to get a cluster-scoped
ID token, the returned token has a new audience value. The client ID
of the client which performed the authorization was lost. This didn't
matter before, since the only client was `pinniped-cli`, but now that
dynamic clients can be registered, the information would be lost in the
cluster-scoped ID token. It could be useful for logging, tracing, or
auditing, so preserve the information by putting the client ID into the
`azp` claim in every ID token (authcode exchange, clsuter-scoped, and
refreshed ID tokens).
2022-08-09 16:07:23 -07:00
Ryan Richard
22fbced863 Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
  client does not need to request the username or groups scopes for them
  to be granted. For dynamic clients, the usual OAuth2 rules apply:
  the client must be allowed to request the scopes according to its
  configuration, and the client must actually request the scopes in the
  authorization request.
- If the username scope was not granted, then there will be no username
  in the ID token, and the cluster-scoped token exchange will fail since
  there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
  scopes in the scopes_supported list, and lists the username and groups
  claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
  put into kubeconfig files by "pinniped get kubeconfig" CLI command,
  and the default list of scopes used by "pinniped login oidc" when
  no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
  refresh will only be sent to the pinniped-cli client, since it is
  only intended for kubectl and it could leak the username to the
  client (which may not have the username scope granted) through the
  warning message text.
- Add the user's username to the session storage as a new field, so that
  during upstream refresh we can compare the original username from the
  initial authorization to the refreshed username, even in the case when
  the username scope was not granted (and therefore the username is not
  stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
  due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
  package.
- Change some import names to make them consistent:
  - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
  - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
    as "oidcapi"
  - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 16:29:22 -07:00
Ryan Richard
88f611d31a Be extra defensive and don't lookup dynamic client ID's lacking prefix 2022-07-22 15:19:19 -07:00
Ryan Richard
0495286f97 Fix lint error and remove accidental direct dep on ory/x
Fixing some mistakes from previous commit on feature branch.
2022-07-21 13:50:33 -07:00
Ryan Richard
e42f5488fa More unit tests for dynamic clients
- Add dynamic client unit tests for the upstream OIDC callback and
  POST login endpoints.
- Enhance a few log statements to print the full fosite error messages
  into the logs where they were previously only printing the name of
  the error type.
2022-07-21 09:26:00 -07:00
Ryan Richard
34509e7430 Add more unit tests for dynamic clients and enhance token exchange
- Enhance the token exchange to check that the same client is used
  compared to the client used during the original authorization and
  token requests, and also check that the client has the token-exchange
  grant type allowed in its configuration.
- Reduce the minimum required bcrypt cost for OIDCClient secrets
  because 15 is too slow for real-life use, especially considering
  that every login and every refresh flow will require two client auths.
- In unit tests, use bcrypt hashes with a cost of 4, because bcrypt
  slows down by 13x when run with the race detector, and we run our
  tests with the race detector enabled, causing the tests to be
  unacceptably slow. The production code uses a higher minimum cost.
- Centralize all pre-computed bcrypt hashes used by unit tests to a
  single place. Also extract some other useful test helpers for
  unit tests related to OIDCClients.
- Add tons of unit tests for the token endpoint related to dynamic
  clients for authcode exchanges, token exchanges, and refreshes.
2022-07-20 13:55:56 -07:00
Ryan Richard
e0ecdc004b Allow dynamic clients to be used in downstream OIDC flows
This is only a first commit towards making this feature work.
- Hook dynamic clients into fosite by returning them from the storage
  interface (after finding and validating them)
- In the auth endpoint, prevent the use of the username and password
  headers for dynamic clients to force them to use the browser-based
  login flows for all the upstream types
- Add happy path integration tests in supervisor_login_test.go
- Add lots of comments (and some small refactors) in
  supervisor_login_test.go to make it much easier to understand
- Add lots of unit tests for the auth endpoint regarding dynamic clients
  (more unit tests to be added for other endpoints in follow-up commits)
- Enhance crud.go to make lifetime=0 mean never garbage collect,
  since we want client secret storage Secrets to last forever
- Move the OIDCClient validation code to a package where it can be
  shared between the controller and the fosite storage interface
- Make shared test helpers for tests that need to create OIDC client
  secret storage Secrets
- Create a public const for "pinniped-cli" now that we are using that
  string in several places in the production code
2022-07-14 09:51:11 -07:00
Ryan Richard
be85e1ed0a TotalClientSecrets field gets omitempty and becomes int32 2022-07-14 09:30:03 -07:00
Ryan Richard
93939ccbd8 OIDCClient watcher controller updates based on PR feedback 2022-07-06 10:34:24 -07:00
Monis Khan
f13c5e3f06
Fix supervisor scheme comment
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-24 09:56:44 -04:00
Margo Crawford
a010e72b29 Merge branch 'dynamic_clients' into require-groups-scope 2022-06-22 14:27:06 -07:00
Margo Crawford
dac0395680 Add a couple tests, address pr comments
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 14:19:55 -07:00
Margo Crawford
f2005b4c7f Merge branch 'dynamic_clients' into require-groups-scope 2022-06-22 12:30:54 -07:00
Margo Crawford
c70a0b99a8 Don't do ldap group search when group scope not specified
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 10:58:08 -07:00
Margo Crawford
9903c5f79e Handle refresh requests without groups scope
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 08:21:16 -07:00
Ryan Richard
5aa0d91267
New controller watches OIDCClients and updates validation Conditions 2022-06-17 13:11:26 -04:00
Monis Khan
36a5c4c20d
Fix TestOIDCClientStaticValidation on old servers
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-17 09:04:03 -04:00
Mo Khan
4bf734061d
Merge pull request #1190 from vmware-tanzu/client-secret-api-noop
aggregated api for oidcclientsecretrequest
2022-06-16 10:30:13 -04:00
Margo Crawford
64cd8b0b9f Add e2e test for groups scope
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 13:41:22 -07:00
Monis Khan
59d67322d3
Static validation for OIDC clients
The following validation is enforced:

1. Names must start with client.oauth.pinniped.dev-
2. Redirect URIs must start with https://
   or http://127.0.0.1
   or http://::1
3. All spec lists must not have duplicates

Added an integration test to assert all static validations.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-15 15:09:40 -04:00
Margo Crawford
424f925a14 Merge branch 'dynamic_clients' into client-secret-api-noop 2022-06-15 09:38:55 -07:00
Margo Crawford
c117329553 Updates based on code review
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 09:38:21 -07:00
Margo Crawford
4d0c2e16f4 require groups scope to get groups back from supervisor
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 08:00:17 -07:00
Margo Crawford
8f4285dbff Change group names
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-13 14:28:05 -07:00
Ryan Richard
b9272b2729 Reserve all of *.pinniped.dev for requested aud in token exchanges
Our previous plan was to reserve only *.oauth.pinniped.dev but we
changed our minds during PR review.
2022-06-13 12:08:11 -07:00
Margo Crawford
ba371423d9 Add integration test for OIDCClientSecretRequest
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-10 13:56:15 -07:00
Margo Crawford
889348e999 WIP aggregated api for oidcclientsecretrequest
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-09 13:47:19 -07:00
Ryan Richard
321abfc98d Merge branch 'dynamic_clients' into token_exchange_aud 2022-06-08 09:03:29 -07:00
Ryan Richard
ea45e5dfef Disallow certain requested audience strings in token exchange 2022-06-07 16:32:19 -07:00
Mo Khan
472ab229e7
Merge branch 'main' into auth_handler_form_post_csp 2022-06-07 18:26:52 -04:00
Ryan Richard
7751c0bf59
Bump project deps, including kube 0.23.6->0.24.1 and Go 1.18.1->1.18.3
Several API changes in Kube required changes in Pinniped code.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-07 15:26:30 -04:00
Ryan Richard
b99c4773a2 Use CSP headers in auth handler response
When response_mode=form_post is requested, some error cases will be
returned to the client using the form_post web page to POST the result
back to the client's redirect URL.
2022-06-02 09:23:34 -07:00
Monis Khan
0674215ef3
Switch to go.uber.org/zap for JSON formatted logging
Signed-off-by: Monis Khan <mok@vmware.com>
2022-05-24 11:17:42 -04:00
Ryan Richard
39fd9ba270 Small refactors and comments for LDAP/AD UI 2022-05-19 16:02:08 -07:00
Ryan Richard
0f2a984308 Merge branch 'main' into ldap-login-ui 2022-05-11 11:32:15 -07:00
Ryan Richard
aa732a41fb Add LDAP browser flow login failure tests to supervisor_login_test.go
Also do some refactoring to share more common test setup code in
supervisor_login_test.go.
2022-05-10 16:28:08 -07:00
Ryan Richard
4c44f583e9 Don't add pinniped_idp_name pinniped_idp_type params into upstream state 2022-05-06 12:00:46 -07:00
Ryan Richard
ec22b5715b Add Pinniped favicon to login UI page 🦭 2022-05-05 14:46:07 -07:00
Ryan Richard
cffa353ffb Login page styling/structure for users, screen readers, passwd managers
Also:
- Add CSS to login page
- Refactor login page HTML and CSS into a new package
- New custom CSP headers for the login page, because the requirements
  are different from the form_post page
2022-05-05 13:13:25 -07:00
Ryan Richard
6ca7c932ae Add unit test for rendering form_post response from POST /login 2022-05-05 13:13:25 -07:00
Ryan Richard
656f221fb7 Merge branch 'main' into ldap-login-ui 2022-05-04 09:29:15 -07:00
Ryan Richard
2e031f727b Use security headers for the form_post page in the POST /login endpoint
Also use more specific test assertions where security headers are
expected. And run the unit tests for the login package in parallel.
2022-05-03 16:46:09 -07:00
Ryan Richard
acc6c50e48 More unit tests for LDAP DNs which contain special chars
Adding explicit coverage for PerformRefresh().
2022-05-03 15:43:01 -07:00
Margo Crawford
388cdb6ddd Fix bug where form was posting to the wrong path
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-05-03 15:18:38 -07:00
Ryan Richard
c74dea6405 Escape special characters in LDAP DNs when used in search filters 2022-05-02 13:37:32 -07:00
Ryan Richard
69e5169fc5 Implement post_login_handler.go to accept form post and auth to LDAP/AD
Also extract some helpers from auth_handler.go so they can be shared
with the new handler.
2022-04-29 16:02:00 -07:00
Margo Crawford
646c6ec9ed Show error message on login page
Also add autocomplete attribute and title element

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-29 10:36:13 -07:00
Margo Crawford
453c69af7d Fix some errors and pass state as form element
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-28 12:07:04 -07:00
Margo Crawford
07b2306254 Add basic outline of login get handler
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-28 11:51:36 -07:00
Margo Crawford
ae60d4356b Some refactoring of shared code between OIDC and LDAP browser flows
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-27 08:51:37 -07:00
Margo Crawford
379a803509 when password header but not username is sent to password grant, error
also add more unit tests

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-26 16:46:58 -07:00
Ryan Richard
65eed7e742 Implement login_handler.go to defer to other handlers
The other handlers for GET and POST requests are not yet implemented in
this commit. The shared handler code in login_handler.go takes care of
things checking the method, checking the CSRF cookie, decoding the state
param, and adding security headers on behalf of both the GET and POST
handlers.

Some code has been extracted from callback_handler.go to be shared.
2022-04-26 15:37:30 -07:00
Margo Crawford
eb1d3812ec Update authorization endpoint to redirect to new login page
Also fix some test failures on the callback handler, register the
new login handler in manager.go and add a (half baked) integration test

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-26 12:51:56 -07:00
Margo Crawford
8832362b94 WIP: Add login handler for LDAP/AD web login
Also change state param to include IDP type
2022-04-25 16:41:55 -07:00
Margo Crawford
694e4d6df6 Advertise browser_authcode flow in ldap idp discovery
To keep this backwards compatible, this PR changes how
the cli deals with ambiguous flows. Previously, if there
was more than one flow advertised, the cli would require users
to set the flag --upstream-identity-provider-flow. Now it
chooses the first one in the list.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-25 14:54:21 -07:00
Ryan Richard
0ec5e57114
Merge pull request #1131 from vmware-tanzu/bump_some_deps
Bump some deps
2022-04-19 13:29:28 -07:00
Margo Crawford
0b72f7084c JWTAuthenticator distributed claims resolution honors tls config
Kube 1.23 introduced a new field on the OIDC Authenticator which
allows us to pass in a client with our own TLS config. See
https://github.com/kubernetes/kubernetes/pull/106141.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-19 11:36:46 -07:00
Ryan Richard
132d2aac72 add a code comment 2022-04-19 11:35:46 -07:00
Ryan Richard
2d4f4e4efd Merge branch 'main' into bump_some_deps 2022-04-19 11:32:53 -07:00
Ryan Richard
fb8083d024 bump some direct deps 2022-04-19 11:09:24 -07:00
hectorj2f
a3f7afaec4 oidc: add code challenge supported methods
Signed-off-by: hectorj2f <hectorf@vmware.com>
2022-04-19 01:21:39 +02:00
Margo Crawford
d5337c9c19 Error format of untrusted certificate errors should depend on OS
Go 1.18.1 started using MacOS' x509 verification APIs on Macs
rather than Go's own. The error messages are different.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-14 17:37:36 -07:00
Margo Crawford
03f19da21c the http2RoundTripper should only use http2
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-14 10:51:25 -07:00
Monis Khan
e0886c6948
Only emit FIPS startup log when running a server component
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-13 18:31:02 -04:00
Monis Khan
8fd77b72df
Bump to go1.18.1 and fix linter errors
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-13 16:43:06 -04:00
Ryan Richard
53348b8464 Add custom prefix to downstream access and refresh tokens and authcodes 2022-04-13 10:13:27 -07:00
Monis Khan
6b4fbb6e0e
Use klog to make sure FIPS init log is emitted
We cannot use plog until the log level config has been setup, but
that occurs after this init function has run.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-12 14:36:06 -04:00
Ryan Richard
25d20d4081 Merge branch 'main' into disable_http 2022-04-05 09:00:26 -07:00
Monis Khan
07066e020d
Explicitly set defaultServing ciphers in FIPS mode
This is a no-op today, but could change in the future when we add
support for FIPS in non-strict mode.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:59:47 -04:00
Monis Khan
3f0753ec5a
Remove duplication in secure TLS tests
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:56:38 -04:00
Monis Khan
15bc6a4a67
Add more details to FIPS comments
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:56:38 -04:00
Ryan Richard
51c527a965 Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests
- Use camel-case in the static configmap
- Parse the value into a boolean in the go struct instead of a string
- Add test for when unsupported value is used in the configmap
- Run the config_test.go tests in parallel
- Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 16:23:45 -07:00
Ryan Richard
ae7aac020a Merge branch 'main' into disable_http 2022-03-30 11:30:32 -07:00
Margo Crawford
53597bb824 Introduce FIPS compatibility
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-29 16:58:41 -07:00
Ryan Richard
488f08dd6e Provide a way to override the new HTTP loopback-only validation
Add new deprecated_insecure_accept_external_unencrypted_http_requests
value in values.yaml. Allow it to be a boolean or a string to make it
easier to use (both --data-value and --data-value-yaml will work).

Also:
- Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses
  for the validation
- Remove unused env.SupervisorHTTPAddress var
- Deprecate the `service_http_*` values in values.yaml by renaming them
  and causing a ytt render error when the old names are used
2022-03-28 17:03:23 -07:00
Ryan Richard
8d12c1b674 HTTP listener: default disabled and may only bind to loopback interfaces 2022-03-24 15:46:10 -07:00
Ryan Richard
48c5a625a5 Remove our direct dependency on ory/x
ory/x has new releases very often, sometimes multiple times per week,
causing a lot of noise from dependabot. We were barely using it
directly, so replace our direct usages with equivalent code.
2022-03-24 10:24:54 -07:00
Ryan Richard
fffcb7f5b4 Update to github.com/golangci/golangci-lint/cmd/golangci-lint@v1.44.2
- Two of the linters changed their names
- Updated code and nolint comments to make all linters pass with 1.44.2
- Added a new hack/install-linter.sh script to help developers install
  the expected version of the linter for local development
2022-03-08 12:28:09 -08:00
Monis Khan
eae55a8595
Fix typo in group removed warning
Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-02 12:58:30 -05:00
Margo Crawford
609b55a6d7 Pinniped Supervisor should issue a warning when groups change during refresh 2022-03-01 14:01:57 -08:00
Margo Crawford
fdac4d16f0 Only run group refresh when the skipGroupRefresh boolean isn't set
for AD and LDAP
2022-02-17 12:50:28 -08:00
Margo Crawford
662f2cef9c Integration test for updating group search base
Also a small change to a comment
2022-02-17 11:29:59 -08:00
Margo Crawford
ca523b1f20 Always update groups even if it's nil
Also de-dup groups and various small formatting changes
2022-02-17 11:29:59 -08:00
Margo Crawford
c28602f275 Add unit tests for group parsing overrides 2022-02-17 11:29:59 -08:00
Margo Crawford
dd11c02b6a Add back entries because I think it's actually necessary 2022-02-17 11:29:59 -08:00
Margo Crawford
f890fad90c Rename a function, sort strings inside searchGroupsForUserDN 2022-02-17 11:29:59 -08:00
Margo Crawford
cd7538861a Add integration test where we don't get groups back 2022-02-17 11:29:59 -08:00
Margo Crawford
013b521838 Upstream ldap group refresh:
- Doing it inline on the refresh request
2022-02-17 11:29:59 -08:00
Ryan Richard
e5a60a8c84 Update a comment 2022-02-16 11:09:05 -08:00
Monis Khan
49e88dd74a
Change some single quotes to double quotes in minified JS
Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-10 16:15:26 -05:00
Ryan Richard
5d79d4b9dc Fix form_post.js mistake from recent commit; Better CORS on callback 2022-02-08 17:30:48 -08:00
Ryan Richard
6781bfd7d8 Fix JS bug: form post UI shows manual copy/paste UI upon failed callback
When the POST to the CLI's localhost callback endpoint results in a
non-2XX status code, then treat that as a failed login attempt and
automatically show the manual copy/paste UI.
2022-02-07 16:21:23 -08:00
Margo Crawford
b30dad72ed Fix new refresh token grace period test to have warnings 2022-01-20 14:54:59 -08:00
Margo Crawford
31cdd808ac
Merge pull request #951 from vmware-tanzu/short-session-warning
Supervisor should emit a warning when access token lifetime is too short
2022-01-20 14:44:32 -08:00
Ryan Richard
e85a6c09f6
Merge pull request #953 from vmware-tanzu/dependabot/go_modules/github.com/tdewolff/minify/v2-2.9.29
Bump github.com/tdewolff/minify/v2 from 2.9.26 to 2.9.29
2022-01-20 14:16:05 -08:00
Margo Crawford
38d184fe81 Integration test + making sure we get the session correctly in token handler 2022-01-20 13:48:50 -08:00