Commit Graph

1033 Commits

Author SHA1 Message Date
aram price 72bc458c8e Manager uses secret.Cache with hardcoded values 2020-12-10 17:32:55 -08:00
Andrew Keesler e067892ffc Add secret.Cache to hold crypto inputs 2020-12-10 17:32:55 -08:00
aram price 2f87be3f94 Manager uses dynamiccodec.Codec for cookie encoding
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-10 17:32:55 -08:00
Andrew Keesler 1291380611 dynamiccodec.Codec uses securecookie.JSONEncoder
Signed-off-by: aram price <pricear@vmware.com>
2020-12-10 17:32:55 -08:00
aram price ccac124b7a Fix broken test
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-10 17:32:55 -08:00
Andrew Keesler d8212d1337 Whitespace
Signed-off-by: aram price <pricear@vmware.com>
2020-12-10 17:32:55 -08:00
aram price 030edaf72d KeyFunc no longer uses multi-value return
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-10 17:32:55 -08:00
Andrew Keesler c3f73ffb57 Check in some musings on a symmetric key generator controller
There is still a test failing, but I am sure it is a simple fix hiding in the
code. I think this is the general shape of the controller that we want.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-10 17:32:55 -08:00
Andrew Keesler 3e112fb1ac internal/oidc/dynamiccodec: first draft
Note that we don't cache the securecookie.SecureCookie that we use in our
implementation. This was purely because of laziness. We should think about
caching this value in the future.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-10 17:32:55 -08:00
Ryan Richard c001bb876e
Merge pull request #275 from vmware-tanzu/fosite-storage-gc-prefactor
Fosite storage garbage collection prefactor
2020-12-10 10:50:29 -08:00
Ryan Richard 3c6d1a1924 Merge branch 'main' into fosite-storage-gc 2020-12-10 10:45:26 -08:00
Margo Crawford 6f40dcb471 Increase the RefreshTokenSessionStorageLifetime
- Make it more likely that the end user will get the more specific error
  message saying that their refresh token has expired the first time
  that they try to use an expired refresh token

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-10 10:44:27 -08:00
Ryan Richard a561fd21d9 Consolidate the supervisor's timeout settings into a single struct
- This struct represents the configuration of all timeouts. These
  timeouts are all interrelated, so declare them all in one place.
  This should also make it easier to allow the user to override
  our defaults if we would like to implement such a feature in the
  future.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 10:14:54 -08:00
Matt Moyer 40c9e8472c
Merge pull request #272 from mattmoyer/default-cli-scopes
Tweak default CLI `--scopes` parameter to match supervisor use case.
2020-12-10 11:41:22 -06:00
Matt Moyer e7338da3dc
Tweak default CLI `--scopes` parameter to match supervisor use case.
This should be a better default for most cases.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-10 10:48:11 -06:00
Matt Moyer 0c52739997
Merge pull request #271 from mattmoyer/fix-cli-content-type-parsing
Fix bug in handling response content-type in oidcclient.
2020-12-10 10:46:10 -06:00
Matt Moyer 9d3c98232b
Fix bug in handling response content-type in oidcclient.
Before this, we weren't properly parsing the `Content-Type` header. This breaks in integration with the Supervisor since it sends an extra encoding parameter like `application/json;charset=UTF-8`.

This change switches to properly parsing with the `mime.ParseMediaType` function, and adds test cases to match the supervisor behavior.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-10 10:12:56 -06:00
Matt Moyer 5a0918afde
Merge pull request #270 from mattmoyer/default-cli-client-id
Add a default --client-id in `pinniped login oidc` command.
2020-12-10 10:12:28 -06:00
Matt Moyer 4395d5a0ca
Add a default --client-id in `pinniped login oidc` command.
This default matches the static client we have defined in the supervisor, which will be the correct value in most cases.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-10 09:46:07 -06:00
Andrew Keesler d83927ae75
Merge pull request #268 from vmware-tanzu/secret-generation-prefactor
Secret generation prefactor
2020-12-10 08:39:32 -05:00
aram price 86c75b7a80 CSRF cookie is no longer encrypted 2020-12-09 17:34:02 -08:00
aram price f1f8ffa456 Distinct `Encoder`s use distinct keys 2020-12-09 17:34:02 -08:00
aram price 4a5f8e30a8 Use distinct `Encoder` for state and csrf data 2020-12-09 17:34:02 -08:00
aram price e111ca02da Use the narrowest possible interface 2020-12-09 17:34:02 -08:00
aram price 6ec3589112 Use recorder `Cookies()` helper
- replaces hand-parsing of cookie strings
2020-12-09 17:34:02 -08:00
Margo Crawford 2ddba8d825
Merge pull request #267 from vmware-tanzu/token-exchange-endpoint
Implement RFC8693 token exchange handler in the supervisor
2020-12-09 17:13:28 -08:00
Margo Crawford 218f27306c Integration test for refresh grant
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-09 17:07:37 -08:00
Margo Crawford fde2e6fa97 Merge remote-tracking branch 'origin/main' into token-exchange-endpoint 2020-12-09 15:22:54 -08:00
Ryan Richard 4d82ec1283
Merge pull request #262 from vmware-tanzu/token-refresh
Support for the refresh grant in the supervisor's token endpoint
2020-12-09 15:22:02 -08:00
Ryan Richard 5b7c510577 Fixed error handling for token exchange when openid scope missing
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 15:15:50 -08:00
Ryan Richard 0abadddb1a token_handler_test.go: modify a test about refresh request scopes param
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 15:03:52 -08:00
Margo Crawford 5f6e7de785 Merge branch 'token-refresh' into token-exchange-endpoint
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-09 14:56:41 -08:00
Ryan Richard 64631d5780 token_handler_test.go: add even more test cases for refresh grant
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 14:53:39 -08:00
Ryan Richard 0386658d26 token_handler_test.go: add more test cases for refresh grant 2020-12-09 14:12:00 -08:00
Matt Moyer 167d440b65
Remove these unnecessary go113 `nolint` directives.
We disabled this linter across the project.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 14:51:27 -06:00
Matt Moyer 3e6ebab389
Clean up TestTokenExchange a bit.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 14:49:44 -06:00
Matt Moyer f90b5d48de
Merge branch 'token-refresh' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint 2020-12-09 14:46:57 -06:00
Matt Moyer 016b0e9a8e
Satisfy the pedantic linter config 🙃.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 14:41:27 -06:00
Ryan Richard 51c828382f Supervisor token endpoint supports refresh grant type
- This commit does not include the sad path tests for the refresh
  grant type, which will come in a future commit.
2020-12-09 12:12:59 -08:00
Matt Moyer 02d96d731f
Finish TestTokenExchange unit tests and add missing scope check.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 13:56:53 -06:00
Ryan Richard cac3a3520f Merge branch 'main' into token-refresh 2020-12-09 09:58:21 -08:00
Matt Moyer b04db6ad2b
Fix some false positive gosec warnings.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:42:37 -06:00
Matt Moyer f1aff2faab
Start extending TestSupervisorLogin to test the token exchange flow (WIP).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:23:10 -06:00
Matt Moyer b1542be7b1
In oidcclient token exchange request, pass client_id but don't bother with authorization header.
I think this should be more correct. In the server we're authenticating the request primarily via the `subject_token` parameter anyway, and Fosite needs the `client_id` to be set.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:08:41 -06:00
Matt Moyer 1db2ae3a45
Add more parameter validations and refactor internal/oidc/token_exchange.go.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:04:58 -06:00
Matt Moyer e25d090ca9
Merge branch 'main' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint 2020-12-09 10:00:54 -06:00
Andrew Keesler 5f4348c57d
Merge pull request #266 from ankeesler/fix-jwt-auth-ca-bundle
Fix `JWTAuthenticator` CA bundle
2020-12-09 10:43:33 -05:00
Matt Moyer 644cb687b9
Grant the Pinniped STS scope in authorize/callback handlers.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 09:36:45 -06:00
Matt Moyer bebe25c32e
Merge branch 'main' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint 2020-12-09 09:25:58 -06:00
Andrew Keesler 4c0fb12cf6
test/integration: only set JWTAuthenticator CA bundle when it exists
See comment in code.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-09 10:15:53 -05:00