Commit Graph

2607 Commits

Author SHA1 Message Date
Ryan Richard
78bdb1928a
Merge branch 'main' into upstream-oidc-refresh-groups 2022-01-18 16:03:14 -08:00
Mo Khan
956f6f1eab
Merge pull request #945 from enj/enj/i/supervisor_ports
Allow configuration of supervisor endpoints
2022-01-18 18:52:32 -05:00
Monis Khan
1e1789f6d1
Allow configuration of supervisor endpoints
This change allows configuration of the http and https listeners
used by the supervisor.

TCP (IPv4 and IPv6 with any interface and port) and Unix domain
socket based listeners are supported.  Listeners may also be
disabled.

Binding the http listener to TCP addresses other than 127.0.0.1 or
::1 is deprecated.

The deployment now uses https health checks.  The supervisor is
always able to complete a TLS connection with the use of a bootstrap
certificate that is signed by an in-memory certificate authority.

To support sidecar containers used by service meshes, Unix domain
socket based listeners include ACLs that allow writes to the socket
file from any runAsUser specified in the pod's containers.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-01-18 17:43:45 -05:00
Ryan Richard
70bd831099
Merge branch 'main' into upstream-oidc-refresh-groups 2022-01-18 14:36:18 -08:00
Ryan Richard
01a7978387
Merge pull request #940 from vmware-tanzu/ldap_and_activedirectory_status_conditions_bug
Fix bug where LDAP or AD status conditions were not updated correctly
2022-01-18 14:35:49 -08:00
Ryan Richard
1a2514f417
Merge branch 'main' into ldap_and_activedirectory_status_conditions_bug 2022-01-18 10:09:14 -08:00
Ryan Richard
6143d66504 Increase timeout on linter for when CI gets slow 2022-01-18 10:07:36 -08:00
Ryan Richard
1602fca5ed Increase timeout on linter for when CI gets slow 2022-01-18 10:06:53 -08:00
anjalitelang
ebcf71c30c
Update ROADMAP.md
Proposed changes based on multiple tracks of work- Compliance, IDP features
2022-01-18 10:34:09 -05:00
Ryan Richard
88f3b29515 Merge branch 'main' into upstream-oidc-refresh-groups 2022-01-14 16:51:12 -08:00
Ryan Richard
75e4093067 Merge branch 'main' into ldap_and_activedirectory_status_conditions_bug 2022-01-14 16:50:34 -08:00
Ryan Richard
619b0ba052
Merge pull request #904 from vmware-tanzu/upstream_access_revocation_during_gc
Revoke upstream OIDC access tokens during downstream session garbage collection
2022-01-14 16:45:29 -08:00
Ryan Richard
548977f579 Update group memberships during refresh for upstream OIDC providers
Update the user's group memberships when possible. Note that we won't
always have enough information to be able to update it (see code
comments).
2022-01-14 16:38:21 -08:00
Ryan Richard
7551af3eb8 Fix code that did not auto-merge correctly in previous merge from main 2022-01-14 10:59:39 -08:00
Ryan Richard
814399324f Merge branch 'main' into upstream_access_revocation_during_gc 2022-01-14 10:49:22 -08:00
Margo Crawford
50e4871d65
Merge pull request #944 from vmware-tanzu/refresh-with-no-refresh-token
Access Token based OIDC refresh by checking the UserInfo endpoint
2022-01-14 10:23:41 -08:00
Ryan Richard
db0a765b98 Merge branch 'main' into ldap_and_activedirectory_status_conditions_bug 2022-01-14 10:06:16 -08:00
Ryan Richard
092a80f849 Refactor some variable names and update one comment
Change variable names to match previously renamed interface name.
2022-01-14 10:06:00 -08:00
Margo Crawford
5b161be334 Refactored oidcUpstreamRefresh
Various style changes, updated some comments and variable names and
extracted a helper function for validation.
2022-01-12 18:05:22 -08:00
Margo Crawford
62be761ef1 Perform access token based refresh by fetching the userinfo 2022-01-12 18:05:10 -08:00
Ryan Richard
651d392b00 Refuse logins when no upstream refresh token and no userinfo endpoint
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-12 18:03:25 -08:00
Margo Crawford
6f3977de9d Store access token when refresh not available for authcode flow.
Also refactor oidc downstreamsessiondata code to be shared between
callback handler and auth handler.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2022-01-12 18:03:25 -08:00
Ryan Richard
91924ec685 Revert adding allowAccessTokenBasedRefresh flag to OIDCIdentityProvider
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-12 18:03:25 -08:00
Margo Crawford
683a2c5b23 WIP adding access token to storage upon login 2022-01-12 18:03:25 -08:00
Ryan Richard
1f146f905a Add struct field for storing upstream access token in downstream session 2022-01-12 18:03:25 -08:00
Mo Khan
82f54b5556
Merge pull request #917 from vmware-tanzu/oidc-refresh-user-info-checks
OIDC refresh user info checks
2022-01-12 20:27:00 -05:00
Margo Crawford
2b744b2eef Add back comment about deferring validation when id token subject is missing 2022-01-12 11:19:43 -08:00
Ryan Richard
438b58193d Empty commit to trigger CI 2022-01-10 13:47:13 -08:00
Margo Crawford
2958461970 Addressing PR feedback
store issuer and subject in storage for refresh
Clean up some constants

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00
Margo Crawford
f2d2144932 rename ValidateToken to ValidateTokenAndMergeWithUserInfo to better reflect what it's doing
Also changed a few comments and small things
2022-01-10 11:03:37 -08:00
Margo Crawford
c9cf13a01f Check for issuer if available
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00
Margo Crawford
0cd086cf9c Check username claim is unchanged for oidc.
Also add integration tests for claims changing.
2022-01-10 11:03:37 -08:00
Margo Crawford
b098435290 Refactor validatetoken to handle refresh case without id token
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00
Margo Crawford
74b007ff66 Validate that issuer url and urls returned from discovery are https
and that they have no query or fragment

Signed-off-by: Ryan Richard <richardry@vmware.com>
2022-01-10 11:03:37 -08:00
Margo Crawford
ed96b597c7 Check for subject matching with upstream refresh
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00
Ryan Richard
6b9fc7aa59 Merge branch 'main' into ldap_and_activedirectory_status_conditions_bug 2022-01-10 09:23:09 -08:00
Mo Khan
d438bfbc99
Merge pull request #939 from vmware-tanzu/dependabot/go_modules/github.com/ory/x-0.0.331
Bump github.com/ory/x from 0.0.330 to 0.0.331
2022-01-09 12:04:56 -05:00
Ryan Richard
7f99d78462 Fix bug where LDAP or AD status conditions were not updated correctly
When the LDAP and AD IDP watcher controllers encountered an update error
while trying to update the status conditions of the IDP resources, then
they would drop the computed desired new value of the condition on the
ground. Next time the controller ran it would not try to update the
condition again because it wants to use the cached settings and had
already forgotten the desired new value of the condition computed during
the previous run of the controller. This would leave the outdated value
of the condition on the IDP resource.

This bug would manifest in CI as random failures in which the expected
condition message and the actual condition message would refer to
different versions numbers of the bind secret. The actual condition
message would refer to an older version of the bind secret because the
update failed and then the new desired message got dropped on the
ground.

This commit changes the in-memory caching strategy to also cache the
computed condition messages, allowing the conditions to be updated
on the IDP resource during future calls to Sync() in the case of a
failed update.
2022-01-07 17:19:13 -08:00
dependabot[bot]
a7ff638f4c
Bump github.com/ory/x from 0.0.330 to 0.0.331
Bumps [github.com/ory/x](https://github.com/ory/x) from 0.0.330 to 0.0.331.
- [Release notes](https://github.com/ory/x/releases)
- [Commits](https://github.com/ory/x/compare/v0.0.330...v0.0.331)

---
updated-dependencies:
- dependency-name: github.com/ory/x
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-07 13:45:37 +00:00
Mo Khan
287d5094ec
Merge pull request #938 from vmware-tanzu/dependabot/docker/golang-1.17.6
Bump golang from 1.17.5 to 1.17.6
2022-01-07 08:13:16 -05:00
dependabot[bot]
f2b4d667d1
Bump golang from 1.17.5 to 1.17.6
Bumps golang from 1.17.5 to 1.17.6.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-07 01:04:10 +00:00
Mo Khan
fff27a4270
Merge pull request #935 from enj/enj/i/bump_0001
Bump all deps to latest
2022-01-03 19:48:08 -05:00
Monis Khan
f90f173826
Bump all deps to latest
Ran:

go get -u ./... && go mod tidy

Pinned all go.opentelemetry.io deps to match k/k.
This is needed to make the go get command work.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-01-03 17:48:59 -05:00
Mo Khan
cc88d2a334
Merge pull request #931 from vmware-tanzu/dependabot/docker/distroless/static-80c956f
Bump distroless/static from `bca3c20` to `80c956f`
2022-01-03 10:49:08 -05:00
dependabot[bot]
a0ddf4a945
Bump distroless/static from bca3c20 to 80c956f
Bumps distroless/static from `bca3c20` to `80c956f`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-12-27 01:17:24 +00:00
Mo Khan
05277a5579
Merge pull request #925 from enj/enj/i/flexible_cli_redirect
pinniped CLI: allow all forms of http redirects
2021-12-17 15:51:44 -05:00
Monis Khan
c155c6e629
Clean up nits in AD code
- Make everything private
- Drop unused AuthTime field
- Use %q format string instead of "%s"
- Only rely on GetRawAttributeValues in AttributeUnchangedSinceLogin

Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-17 08:53:44 -05:00
Monis Khan
a6085c9678
Drop unsafe unwrapper for exec.roundTripper
exec.roundTripper now implements utilnet.RoundTripperWrapper so this
unsafe hack is no longer needed.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-17 08:28:30 -05:00
Monis Khan
86f2bea8c5
pinniped CLI: allow all forms of http redirects
For password based login on the CLI (i.e. no browser), this change
relaxes the response code check to allow for any redirect code
handled by the Go standard library.  In the future, we can drop the
rewriteStatusSeeOtherToStatusFoundForBrowserless logic from the
server side code.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-17 08:28:29 -05:00
Mo Khan
adf04d29f7
Merge pull request #914 from enj/enj/i/bump_0.23.0
Update all deps to latest where possible, bump Kube deps to v0.23.1
2021-12-16 21:45:32 -05:00