Andrew Keesler
8321773a22
auth_handler.go: fix lint error
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-12 12:24:40 -05:00
Andrew Keesler
3a943a3b9a
auth_handler.go: ignore encoding timestamp for deterministic tests
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-12 12:14:50 -05:00
Ryan Richard
6d380c629a
auth_handler.go: use encryption in tests
...
Our unit tests are gonna touch a lot more corner cases than our
integration tests, so let's make them run as close to the real
implementation as possible.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-12 12:14:49 -05:00
Monis Khan
9c8b081906
Prevent multiple pinnipeds from thrashing on the API service
...
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-11 20:09:49 -05:00
Monis Khan
db6fc234b7
Add NullStorage for the authorize endpoint to use
...
We want to run all of the fosite validations in the authorize
endpoint, but we don't need to store anything yet because
we are storing what we need for later in the upstream state
parameter.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-11 14:49:24 -08:00
Ryan Richard
4b8c1de647
Add unit test to auth_handler_test.go for non-openid authorize requests
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-11 13:13:57 -08:00
Andrew Keesler
c2262773e6
Finish the WIP from the previous commit for saving authorize endpoint state
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-11 12:29:14 -08:00
Monis Khan
dd190dede6
WIP for saving authorize endpoint state into upstream state param
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-10 17:58:00 -08:00
Andrew Keesler
005225d5f9
Use the new plog pkg in auth_handler.go
...
- Add a new helper method to plog to make a consistent way to log
expected errors at the info level (as opposed to unexpected
system errors that would be logged using plog.Error)
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-10 10:33:52 -08:00
Ryan Richard
b21c27b219
Merge branch 'main' into authorize_endpoint
2020-11-10 09:24:19 -08:00
Monis Khan
1c60e09f13
Make race detector happy by removing parallelism
...
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-10 11:23:42 -05:00
Monis Khan
15a5332428
Reduce log spam
...
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-10 10:22:27 -05:00
Monis Khan
a5643e3738
Add log level support
...
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-10 10:22:27 -05:00
Monis Khan
9356f64c55
Remove global klog --log-flush-frequency flag
...
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-10 08:48:42 -05:00
Ryan Richard
246471bc91
Also run OIDC validations in supervisor authorize endpoint
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-06 14:44:58 -08:00
Ryan Richard
33ce79f89d
Expose the Supervisor OIDC authorization endpoint to the public
2020-11-04 17:06:47 -08:00
Andrew Keesler
a36f7c6c07
Test that the port of localhost redirect URI is ignored during validation
...
Also move definition of our oauth client and the general fosite
configuration to a helper so we can use the same config to construct
the handler for both test and production code.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-04 15:04:50 -08:00
Ryan Richard
ba688f56aa
Supervisor authorize endpoint errors when PKCE code_challenge_method is invalid
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 12:29:43 -08:00
Andrew Keesler
2564d1be42
Supervisor authorize endpoint errors when missing PKCE params
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-04 12:19:07 -08:00
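The three authorize-endpoint checks mentioned in the commits above (the port of a localhost redirect URI is ignored during validation; the request errors when PKCE parameters are missing; the request errors when code_challenge_method is invalid) are shown below as an added Go example. This is not Pinniped's or fosite's code: the registered redirect URIs, the error type and the decision to accept only the S256 method are assumptions made for the example, and the request values are constructed inline. The one security detail worth seeing in code is that an error for an unregistered redirect_uri is returned directly and never redirected, while all later errors may be delivered to the (already validated) redirect_uri.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
)

// Hypothetical registered redirect URIs, constructed for this example.
var registeredRedirectURIs = []string{
	"http://127.0.0.1/callback", // loopback: port is assigned at run time, so it is ignored (RFC 8252 sec. 7.3)
	"https://example.com/cb",     // non-loopback: exact match required
}

// RFC 7636 sec. 4.2: code_challenge is 43..128 unreserved characters.
var codeChallengeRE = regexp.MustCompile(`^[A-Za-z0-9._~-]{43,128}$`)

// AuthorizeError is an OAuth 2.0 authorize error (RFC 6749 sec. 4.1.2.1).
// RedirectTo is empty when the error must be shown to the user directly,
// i.e. when redirect_uri itself failed validation.
type AuthorizeError struct {
	Code, Description, RedirectTo string
}

func (e *AuthorizeError) Error() string { return e.Code + ": " + e.Description }

func isLoopback(host string) bool {
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// redirectURIMatches requires scheme, hostname, path and query to match and
// forbids a fragment; the port is compared unless both sides are loopback.
func redirectURIMatches(registered, requested string) bool {
	reg, err1 := url.Parse(registered)
	req, err2 := url.Parse(requested)
	if err1 != nil || err2 != nil {
		return false
	}
	if reg.Scheme != req.Scheme || reg.Path != req.Path || reg.RawQuery != req.RawQuery || req.Fragment != "" {
		return false
	}
	if isLoopback(reg.Hostname()) && isLoopback(req.Hostname()) {
		return reg.Hostname() == req.Hostname()
	}
	return reg.Host == req.Host
}

// errorRedirect appends error, error_description and state to a validated redirect_uri.
func errorRedirect(redirectURI, state, code, desc string) string {
	u, err := url.Parse(redirectURI)
	if err != nil {
		return ""
	}
	q := u.Query()
	q.Set("error", code)
	q.Set("error_description", desc)
	if state != "" {
		q.Set("state", state)
	}
	u.RawQuery = q.Encode()
	return u.String()
}

// ValidateAuthorizeRequest checks the downstream authorize request; it accepts
// only the S256 PKCE method (an assumption of this example).
func ValidateAuthorizeRequest(q url.Values) *AuthorizeError {
	redirectURI := q.Get("redirect_uri")
	matched := false
	for _, r := range registeredRedirectURIs {
		if redirectURIMatches(r, redirectURI) {
			matched = true
			break
		}
	}
	if !matched { // never redirect: an attacker-chosen redirect_uri must receive nothing
		return &AuthorizeError{Code: "invalid_request", Description: "redirect_uri is not registered"}
	}
	state := q.Get("state")
	fail := func(code, desc string) *AuthorizeError {
		return &AuthorizeError{Code: code, Description: desc, RedirectTo: errorRedirect(redirectURI, state, code, desc)}
	}
	if q.Get("response_type") != "code" {
		return fail("unsupported_response_type", "response_type must be code")
	}
	challenge := q.Get("code_challenge")
	if challenge == "" {
		return fail("invalid_request", "code_challenge is required")
	}
	if q.Get("code_challenge_method") != "S256" {
		return fail("invalid_request", "code_challenge_method must be S256")
	}
	if !codeChallengeRE.MatchString(challenge) {
		return fail("invalid_request", "code_challenge is malformed")
	}
	return nil
}

func main() {
	q := url.Values{} // constructed request: CLI listening on an ephemeral loopback port
	q.Set("redirect_uri", "http://127.0.0.1:54321/callback")
	q.Set("response_type", "code")
	q.Set("state", "abc")
	q.Set("code_challenge", "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM") // RFC 7636 appendix B value
	if e := ValidateAuthorizeRequest(q); e != nil { // code_challenge_method is missing
		fmt.Println("rejected:", e, "->", e.RedirectTo)
	}
	q.Set("code_challenge_method", "S256")
	fmt.Println("accepted:", ValidateAuthorizeRequest(q) == nil)
}
```

Ignoring the port only for loopback hosts matters: for any other host, an attacker who controls a different port on the registered hostname would otherwise receive the authorization code.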
Matt Moyer
4da3d93f6e
The supervisor JWKS observer and TLS cert controllers use the ctx after all, whoops.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-04 13:08:50 -06:00
Ryan Richard
0045ce4286
Refactor auth_handler_test.go's creation of paths and urls to use helpers
2020-11-04 09:58:40 -08:00
Monis Khan
418f4d20ae
Use parent func to indicate when the controller queue is a singleton
...
This prevents unnecessary sync loop runs when the controller is
running with a single worker. When the controller is running with
more than one worker, it prevents subtle bugs that can cause the
controller to go "back in time."
Signed-off-by: Monis Khan <mok@vmware.com>
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-04 11:08:10 -06:00
Ryan Richard
8a7e22e63e
@ankeesler: Maybe, but not this time ;)
2020-11-04 08:43:45 -08:00
Andrew Keesler
9e4ffd1cce
One of these days I will get here.Doc() spacing correct
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 11:29:33 -05:00
Andrew Keesler
6fe455c687
auth_handler.go: comment out currently unused fosite wiring
...
See e8f4336 for why this is here in the first place.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 11:20:03 -05:00
Andrew Keesler
d8c8f04860
auth_handler.go: write some more negative tests
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 11:12:26 -05:00
Andrew Keesler
e8f433643f
auth_handler.go: only inject oauth store into handler
...
Previously we were injecting the whole oauth handler chain into this function,
which meant we were essentially writing unit tests to test our tests. Let's push
some of this logic into the source code.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 10:35:26 -05:00
Andrew Keesler
4f95e6a372
auth_handler.go: add test for invalid downstream redirect uri
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 10:30:53 -05:00
Andrew Keesler
259ffb5267
Checkpoint: write a single negative test using fosite
...
Bringing in fosite to our go.mod introduced those other go.mod changes.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 10:15:19 -05:00
Ryan Richard
c34e5a727d
Starting the implementation of an OIDC authorization endpoint handler
...
Does not validate incoming request parameters yet. Also is not
served on the http/https ports yet. Those will come in future commits.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-03 16:17:38 -08:00
Andrew Keesler
0d8477ea8a
Add a type for in-memory caching of upstream OIDC Identity Providers
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-03 12:06:07 -08:00
Matt Moyer
2bf5c8b48b
Replace the OIDCProvider field SNICertificateSecretName with a TLS.SecretName field.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 18:15:03 -06:00
Matt Moyer
2b8773aa54
Rename OIDCProviderConfig to OIDCProvider.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 17:40:39 -06:00
Matt Moyer
59263ea733
Rename CredentialIssuerConfig to CredentialIssuer.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 17:39:42 -06:00
Ryan Richard
75c35e74cc
Refactor and add unit tests for previous commit to run agent pod as root
2020-11-02 15:03:37 -08:00
Ryan Richard
a01921012d
kubecertagent: explicitly run as root
...
We need root here because the files that this pod reads are
most likely restricted to root access.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 16:33:46 -05:00
Andrew Keesler
fcea48c8f9
Run as non-root
...
I tried to follow a principle of encapsulation here - we can still default to
peeps making connections to 80/443 on a Service object, but internally we will
use 8080/8443.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 12:51:15 -05:00
Ryan Richard
ab5c04b1f3
Merge pull request #176 from vmware-tanzu/agent_pod_additional_label_handling
...
Handle custom labels better in the agent pod controllers
2020-11-02 09:08:42 -08:00
Ryan Richard
7597b12a51
Small unit test changes for deleter_test.go
2020-11-02 08:40:39 -08:00
Ryan Richard
f76b9857da
Don't use custom labels when selecting an agent pod
...
And delete the agent pod when it needs its custom labels to be
updated, so that the creator controller will notice that it is missing
and immediately create it with the new custom labels.
2020-10-30 17:41:17 -07:00
Matt Moyer
9e1922f1ed
Split the config CRDs into two API groups.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 19:22:46 -05:00
Matt Moyer
34da8c7877
Rename existing references to "IDP" and "Identity Provider".
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:12:01 -05:00
Matt Moyer
f3a83882a4
Rename the IdentityProvider field to Authenticator in TokenCredentialRequest.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:11:53 -05:00
Matt Moyer
0f25657a35
Rename WebhookIdentityProvider to WebhookAuthenticator.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:11:53 -05:00
Matt Moyer
e69183aa8a
Rename idp.concierge.pinniped.dev to authentication.concierge.pinniped.dev.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:40 -05:00
Matt Moyer
81390bba89
Rename idp.pinniped.dev to idp.concierge.pinniped.dev.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:39 -05:00
Matt Moyer
f0320dfbd8
Rename login API to login.concierge.pinniped.dev.
...
This is the first of a few related changes that re-organize our API after the big recent changes that introduced the supervisor component.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 09:58:28 -05:00
Ryan Richard
8ff64d4c1a
Require https scheme for OIDCProviderConfig Issuer field
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 12:49:41 -07:00
Ryan Richard
29e0ce5662
Configure name of the supervisor default TLS cert secret via ConfigMap
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 11:56:50 -07:00
Ryan Richard
170d3a3993
Forgot to commit some test fixtures in a prior commit
2020-10-27 17:00:00 -07:00