7e76b66639
LDAP upstream watcher controller tries using both TLS and StartTLS
...
- Automatically try to fall back to using StartTLS when using TLS
doesn't work. Only complain when both don't work.
- Remember (in-memory) which one worked and keeping using that one
in the future (unless the pod restarts).
2021-05-20 12:46:33 -07:00
025b37f839
upstreamldap.New() now supports a StartTLS config option
...
- This enhances our LDAP client code to make it possible to optionally
dial an LDAP server without TLS and then use StartTLS to upgrade
the connection to TLS.
- The controller for LDAPIdentityProviders is not using this option
yet. That will come in a future commit.
2021-05-19 17:17:44 -07:00
94d6b76958
Merge branch 'initial_ldap_group_support' into ldap_starttls
2021-05-19 13:12:56 -07:00
424c112bbc
Merge branch 'main' into initial_ldap_group_support
2021-05-19 13:12:17 -07:00
b5063e59ab
Merge branch 'initial_ldap_group_support' into ldap_starttls
2021-05-18 16:39:59 -07:00
a6f95cfff1
Configure openldap to disallow non-TLS clients
...
- For testing purposes, we would like to ensure that when we connect
to the LDAP server we cannot accidentally avoid using TLS or StartTLS.
- Also enabled the openldap `memberOf` overlay in case we want to
support group search using `memberOf` in the future.
- This required changes to the docker.io/bitnami/openldap container
image, so we're using our own fork for now. Will submit a PR to
bitnami/openldap to see if they will accept it (or something similar)
upstream.
2021-05-18 16:38:12 -07:00
efeb25b8eb
Merge pull request #619 from vmware-tanzu/dependabot/go_modules/github.com/creack/pty-1.1.12
...
Bump github.com/creack/pty from 1.1.11 to 1.1.12
2021-05-18 09:16:27 -05:00
f595e81dbb
Bump github.com/creack/pty from 1.1.11 to 1.1.12
...
Bumps [github.com/creack/pty](https://github.com/creack/pty ) from 1.1.11 to 1.1.12.
- [Release notes](https://github.com/creack/pty/releases )
- [Commits](https://github.com/creack/pty/compare/v1.1.11...v1.1.12 )
Signed-off-by: dependabot[bot] <support@github.com>
2021-05-18 05:56:45 +00:00
0f5f72829b
Merge pull request #594 from enj/enj/i/tcr_strict_user_info
...
cred req: disallow lossy user info translations
2021-05-17 19:28:21 -04:00
f40fd29c7c
local-user-authenticator: stop setting UID
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-17 19:03:45 -04:00
35479e2978
cred req: disallow lossy user info translations
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-17 19:03:44 -04:00
742b70d6a4
Merge branch 'main' into initial_ldap_group_support
2021-05-17 14:24:56 -07:00
dab5ff3788
ldap_client_test.go: Forgot to change an assertion related to groups
2021-05-17 14:21:57 -07:00
99099fd32f
Yet more debugging of tests which only fail in main CI
2021-05-17 14:20:41 -07:00
65cab53a11
Merge branch 'main' into initial_ldap_group_support
2021-05-17 14:12:20 -07:00
8c660f09bc
More debugging of tests which only fail in main CI
2021-05-17 13:53:17 -07:00
ac431ddc6d
Add more to failure message in test which only fails in main CI
2021-05-17 12:57:34 -07:00
3e1e8880f7
Initial support for upstream LDAP group membership
...
Reflect the upstream group membership into the Supervisor's
downstream tokens, so they can be added to the user's
identity on the workload clusters.
LDAP group search is configurable on the
LDAPIdentityProvider resource.
2021-05-17 11:10:26 -07:00
14b8fcc472
Merge pull request #555 from vmware-tanzu/initial_ldap
...
Initial `LDAPIdentityProvider` support for the Supervisor and CLI
2021-05-17 10:40:50 -07:00
20b1c41bf5
Experiment to see if we can ignore `read /dev/ptmx: input/output error`
...
This error seems to always happen on linux, but never on MacOS.
2021-05-13 16:02:24 -07:00
f5bf8978a3
Cache ResourceVersion of the validated bind Secret in memory
...
...instead of caching it in the text of the Condition message
2021-05-13 15:22:36 -07:00
514ee5b883
Merge branch 'main' into initial_ldap
2021-05-13 14:24:10 -07:00
39d7f8b6eb
Merge pull request #614 from vmware-tanzu/gc-bug-tests
...
Tests for garbage collection behavior for access and refresh tokens
2021-05-13 13:08:07 -07:00
609883c49e
Update TestSupervisorOIDCDiscovery for versioned IDP discovery endpoint
2021-05-13 13:07:31 -07:00
f15fc66e06
`pinniped get kubeconfig` refactor to use oidc.NewProvider for discovery
...
- Note that this adds an extra check of the response, which is that
the issuer string in the response must match issuer of the requested
URL.
- Some of the error messages also changed to match the errors provided
by oidc.NewProvider
2021-05-13 12:27:42 -07:00
6479015caf
Remove timeout so this test doesnt take forever
2021-05-13 10:23:44 -07:00
67dca688d7
Add an API version to the Supervisor IDP discovery endpoint
...
Also rename one of the new functional opts in login.go to more
accurately reflect the intention of the opt.
2021-05-13 10:05:56 -07:00
b391d5ae02
Also check that the authcode storage is around for a while
2021-05-12 14:22:14 -07:00
29ca8acab4
oidc_upstream_watcher.go: two methods become private funcs
2021-05-12 14:05:08 -07:00
1ae3c6a1ad
Split package upstreamwatchers into four packages
2021-05-12 14:00:39 -07:00
22092e9aed
Missed a usage of int64Ptr in previous commit
2021-05-12 14:00:26 -07:00
874f938fc7
unit test for garbage collection time for refresh and access tokens
2021-05-12 13:55:54 -07:00
4804c837d4
Insignificant change in ldap_upstream_watcher_test.go
2021-05-12 13:37:01 -07:00
f0652c1ce1
Replace all usages of strPtr() with pointer.StringPtr()
2021-05-12 13:20:00 -07:00
044443f315
Rename `X-Pinniped-Idp-*` headers to `Pinniped-*`
...
See RFC6648 which asks that people stop using `X-` on header names.
Also Matt preferred not mentioning "IDP" in the header name.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-12 13:06:08 -07:00
9ca72fcd30
login.go: Respect `overallTimeout` for LDAP login-related http requests
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-12 12:57:10 -07:00
3008d1a85c
Log slow LDAP authentication attempts for debugging purposes
2021-05-12 11:59:48 -07:00
6c2a775c9b
Use proxy for `pinniped get kubeconfig` in hack/prepare-supervisor-on-kind.sh
...
Because the command now calls the discovery endpoint,
so it needs to go through the proxy to resolve the
hostname.
2021-05-12 11:34:16 -07:00
41d3e3b6ec
Fix lint error in e2e_test.go
2021-05-12 11:24:00 -07:00
20b86ac0a9
Merge pull request #589 from vmware-tanzu/ldap-get-kubeconfig
...
WIP: Support for Supervisor upstream LDAP IDPs in `pinniped get kubeconfig`
2021-05-12 10:10:49 -07:00
df0e715bb7
Add integration test that waits for access token expiry
2021-05-12 09:05:13 -07:00
6723ed9fd8
Add end-to-end integration test for CLI-based LDAP login
2021-05-11 13:55:46 -07:00
f98aa96ed3
Merge branch 'initial_ldap' into ldap-get-kubeconfig
2021-05-11 11:10:25 -07:00
675bbb2aba
Merge branch 'main' into initial_ldap
2021-05-11 11:09:37 -07:00
e25eb05450
Move Supervisor IDP discovery to its own new endpoint
2021-05-11 10:31:33 -07:00
dbde150c38
Update CLI docs for v0.8.0 release
2021-05-10 22:01:16 +00:00
c0fcd27594
Fix typo in test/integration/e2e_test.go
...
Co-authored-by: Mo Khan <i@monis.app>
2021-05-10 12:51:56 -07:00
1ddc85495f
Merge pull request #610 from enj/enj/t/eks_extra_nested_impersonation
...
impersonation proxy test: handle admin users with mixed case extra keys
2021-05-10 13:49:24 -04:00
716659b74a
impersonation proxy test: handle admin users with mixed case extra keys
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-10 13:22:51 -04:00
696c2b9133
Merge pull request #609 from enj/enj/t/eks_uid_nested_impersonation
...
impersonation proxy test: handle admin users with UID such as on EKS
2021-05-10 10:35:26 -04:00
Ryan Richard