6f3977de9d
Store access token when refresh not available for authcode flow.
...
Also refactor oidc downstreamsessiondata code to be shared between
callback handler and auth handler.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2022-01-12 18:03:25 -08:00
91924ec685
Revert adding allowAccessTokenBasedRefresh flag to OIDCIdentityProvider
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-12 18:03:25 -08:00
683a2c5b23
WIP adding access token to storage upon login
2022-01-12 18:03:25 -08:00
1f146f905a
Add struct field for storing upstream access token in downstream session
2022-01-12 18:03:25 -08:00
82f54b5556
Merge pull request #917 from vmware-tanzu/oidc-refresh-user-info-checks
...
OIDC refresh user info checks
2022-01-12 20:27:00 -05:00
2b744b2eef
Add back comment about deferring validation when id token subject is missing
2022-01-12 11:19:43 -08:00
2958461970
Addressing PR feedback
...
store issuer and subject in storage for refresh
Clean up some constants
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00
f2d2144932
rename ValidateToken to ValidateTokenAndMergeWithUserInfo to better reflect what it's doing
...
Also changed a few comments and small things
2022-01-10 11:03:37 -08:00
c9cf13a01f
Check for issuer if available
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00
0cd086cf9c
Check username claim is unchanged for oidc.
...
Also add integration tests for claims changing.
2022-01-10 11:03:37 -08:00
b098435290
Refactor validatetoken to handle refresh case without id token
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00
74b007ff66
Validate that issuer url and urls returned from discovery are https
...
and that they have no query or fragment
Signed-off-by: Ryan Richard <richardry@vmware.com>
2022-01-10 11:03:37 -08:00
ed96b597c7
Check for subject matching with upstream refresh
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00
d438bfbc99
Merge pull request #939 from vmware-tanzu/dependabot/go_modules/github.com/ory/x-0.0.331
...
Bump github.com/ory/x from 0.0.330 to 0.0.331
2022-01-09 12:04:56 -05:00
a7ff638f4c
Bump github.com/ory/x from 0.0.330 to 0.0.331
...
Bumps [github.com/ory/x](https://github.com/ory/x ) from 0.0.330 to 0.0.331.
- [Release notes](https://github.com/ory/x/releases )
- [Commits](https://github.com/ory/x/compare/v0.0.330...v0.0.331 )
---
updated-dependencies:
- dependency-name: github.com/ory/x
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-01-07 13:45:37 +00:00
287d5094ec
Merge pull request #938 from vmware-tanzu/dependabot/docker/golang-1.17.6
...
Bump golang from 1.17.5 to 1.17.6
2022-01-07 08:13:16 -05:00
f2b4d667d1
Bump golang from 1.17.5 to 1.17.6
...
Bumps golang from 1.17.5 to 1.17.6.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-01-07 01:04:10 +00:00
fff27a4270
Merge pull request #935 from enj/enj/i/bump_0001
...
Bump all deps to latest
2022-01-03 19:48:08 -05:00
f90f173826
Bump all deps to latest
...
Ran:
go get -u ./... && go mod tidy
Pinned all go.opentelemetry.io deps to match k/k.
This is needed to make the go get command work.
Signed-off-by: Monis Khan <mok@vmware.com>
2022-01-03 17:48:59 -05:00
cc88d2a334
Merge pull request #931 from vmware-tanzu/dependabot/docker/distroless/static-80c956f
...
Bump distroless/static from `bca3c20` to `80c956f`
2022-01-03 10:49:08 -05:00
a0ddf4a945
Bump distroless/static from `bca3c20` to `80c956f`
...
Bumps distroless/static from `bca3c20` to `80c956f`.
---
updated-dependencies:
- dependency-name: distroless/static
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-12-27 01:17:24 +00:00
05277a5579
Merge pull request #925 from enj/enj/i/flexible_cli_redirect
...
pinniped CLI: allow all forms of http redirects
2021-12-17 15:51:44 -05:00
c155c6e629
Clean up nits in AD code
...
- Make everything private
- Drop unused AuthTime field
- Use %q format string instead of "%s"
- Only rely on GetRawAttributeValues in AttributeUnchangedSinceLogin
Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-17 08:53:44 -05:00
a6085c9678
Drop unsafe unwrapper for exec.roundTripper
...
exec.roundTripper now implements utilnet.RoundTripperWrapper so this
unsafe hack is no longer needed.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-17 08:28:30 -05:00
86f2bea8c5
pinniped CLI: allow all forms of http redirects
...
For password based login on the CLI (i.e. no browser), this change
relaxes the response code check to allow for any redirect code
handled by the Go standard library. In the future, we can drop the
rewriteStatusSeeOtherToStatusFoundForBrowserless logic from the
server side code.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-17 08:28:29 -05:00
adf04d29f7
Merge pull request #914 from enj/enj/i/bump_0.23.0
...
Update all deps to latest where possible, bump Kube deps to v0.23.1
2021-12-16 21:45:32 -05:00
9599ffcfb9
Update all deps to latest where possible, bump Kube deps to v0.23.1
...
Highlights from this dep bump:
1. Made a copy of the v0.4.0 github.com/go-logr/stdr implementation
for use in tests. We must bump this dep as Kube code uses a
newer version now. We would have to rewrite hundreds of test log
assertions without this copy.
2. Use github.com/felixge/httpsnoop to undo the changes made by
ory/fosite#636 for CLI based login flows. This is required for
backwards compatibility with older versions of our CLI. A
separate change after this will update the CLI to be more
flexible (it is purposefully not part of this change to confirm
that we did not break anything). For all browser login flows, we
now redirect using http.StatusSeeOther instead of http.StatusFound.
3. Drop plog.RemoveKlogGlobalFlags as klog no longer mutates global
process flags
4. Only bump github.com/ory/x to v0.0.297 instead of the latest
v0.0.321 because v0.0.298+ pulls in a newer version of
go.opentelemetry.io/otel/semconv which breaks k8s.io/apiserver.
We should update k8s.io/apiserver to use the newer code.
5. Migrate all code from k8s.io/apimachinery/pkg/util/clock to
k8s.io/utils/clock and k8s.io/utils/clock/testing
6. Delete testutil.NewDeleteOptionsRecorder and migrate to the new
kubetesting.NewDeleteActionWithOptions
7. Updated ExpectedAuthorizeCodeSessionJSONFromFuzzing caused by
fosite's new rotated_secrets OAuth client field. This new field
is currently not relevant to us as we have no private clients.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-16 21:15:27 -05:00
69d5951296
Merge pull request #919 from microwavables/updating-community-details
...
Updated community and resources pages
2021-12-16 17:14:21 -05:00
b148359337
Merge pull request #918 from vmware-tanzu/replace_reflections
...
Replace reflections in go.mod
2021-12-16 17:10:28 -05:00
e31a410096
Updated community and resources pages
2021-12-16 16:02:47 -06:00
6bf67f44ef
replace reflections in go.mod
2021-12-16 11:15:24 -08:00
fdc91ec56c
Merge pull request #909 from vmware-tanzu/dependabot/docker/golang-1.17.5
...
Bump golang from 1.17.4 to 1.17.5
2021-12-10 12:41:02 -05:00
884d18bade
Bump golang from 1.17.4 to 1.17.5
...
Bumps golang from 1.17.4 to 1.17.5.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-12-10 17:03:50 +00:00
ca2ee26c86
Merge pull request #884 from vmware-tanzu/upstream-ad-refresh
...
Upstream active directory refresh checks for password changes, deactivated and locked users
2021-12-09 20:51:46 -05:00
59d999956c
Move ad specific stuff to controller
...
also make extra refresh attributes a separate field rather than part of
Extra
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
acaad05341
Make pwdLastSet stuff more generic and not require parsing the timestamp
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
65f3464995
Fix issue with very high integer value parsing, add unit tests
...
also add comment about urgent replication
2021-12-09 16:16:36 -08:00
ee4f725209
Incorporate PR feedback
2021-12-09 16:16:36 -08:00
ef5a04c7ce
Check for locked users on ad upstream refresh
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
f62e9a2d33
Active directory checks for deactivated user
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
da9b4620b3
Active Directory checks whether password has changed recently during
...
upstream refresh
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:35 -08:00
8db0203839
Add test for upstream ldap idp not found, wrong idp uid, and malformed
...
fosite session storage
2021-12-09 16:16:35 -08:00
4110297a8f
Update ROADMAP.md
...
Updated roadmap to reflect current velocity
2021-12-09 16:59:09 -05:00
7a3b5e3571
Merge pull request #908 from vmware-tanzu/microwavables-main
...
Added GOVERNANCE.md file to repo
2021-12-08 14:38:21 -05:00
505bc47ae1
Added GOVERNANCE.md file to repo
...
Signed-off-by: Nanci Lancaster <nancil@vmware.com>
2021-12-08 14:29:16 -05:00
2c5b74c960
Merge pull request #905 from vmware-tanzu/dependabot/docker/golang-1.17.4
...
Bump golang from 1.17.3 to 1.17.4
2021-12-06 15:44:42 -05:00
db68fc3a2b
Bump golang from 1.17.3 to 1.17.4
...
Bumps golang from 1.17.3 to 1.17.4.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-12-06 01:14:25 +00:00
29490ee665
ran go mod tidy
2021-12-03 16:40:01 -08:00
edd3547977
Merge pull request #903 from vmware-tanzu/code-walkthrough-doc
...
Add first draft of code walk-through doc
2021-12-03 12:19:29 -08:00
aa361a70a7
clarifications to code walkthrough doc
2021-12-03 10:50:02 -08:00
Margo Crawford