Margo Crawford
8396937503
Updates to tests and some error assertions
2021-11-05 14:22:43 -07:00
Margo Crawford
2c4dc2951d
resolved a couple of testing related todos
2021-11-05 14:22:43 -07:00
Margo Crawford
7a58086040
Check that username and subject remain the same for ldap refresh
2021-11-05 14:22:43 -07:00
Margo Crawford
19281313dd
Basic upstream LDAP/AD refresh
...
This stores the user DN in the session data upon login and checks that
the entry still exists upon refresh. It doesn't check anything
else about the entry yet.
2021-11-05 14:22:42 -07:00
Mo Khan
71f7ea686d
Fix typo in community meeting time
2021-11-04 12:02:46 -04:00
Mo Khan
d5d957f6ee
Fix CONTRIBUTING zoom link
2021-11-04 11:53:14 -04:00
Mo Khan
e371c34237
Fix README zoom link
2021-11-04 11:52:28 -04:00
Mo Khan
b5be763631
Fix typo in community meeting time
2021-11-04 08:38:33 -04:00
Mo Khan
f03e5f4fef
Merge pull request #883 from enj/enj/i/dockerfile_tweaks
...
Dockerfile: build all files and trim file system paths
2021-11-03 14:45:23 -04:00
Monis Khan
a042f74a88
Dockerfile: build all files and trim file system paths
...
Use "..." instead of "main.go" as the build target since we may have
extra files in the future.
https://pkg.go.dev/cmd/go#hdr-Compile_packages_and_dependencies
-trimpath
remove all file system paths from the resulting executable.
Instead of absolute file system paths, the recorded file names
will begin with either "go" (for the standard library),
or a module path@version (when using modules),
or a plain import path (when using GOPATH).
Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-03 10:26:13 -04:00
Mo Khan
aae586b4ef
Merge pull request #879 from vmware-tanzu/dependabot/docker/distroless/static-bca3c20
...
Bump distroless/static from `07869ab` to `bca3c20`
2021-11-02 09:54:48 -04:00
dependabot[bot]
1c3545e234
Bump distroless/static from 07869ab
to bca3c20
...
Bumps distroless/static from `07869ab` to `bca3c20`.
---
updated-dependencies:
- dependency-name: distroless/static
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-10-28 01:02:33 +00:00
anjalitelang
c494f65b84
Update ROADMAP.md
...
Updating roadmap to reflect dates when we will have Upstream Refresh released
2021-10-27 10:43:31 -04:00
Margo Crawford
6c47c3327a
Add hint to hack/prepare-for-integration-tests.sh
...
I keep forgetting the name of the --get-active-directory-vars flag.
2021-10-26 16:25:34 -07:00
Mo Khan
3f698d24e5
Merge pull request #878 from enj/enj/i/cli_link
...
Change default install hint to use get.pinniped.dev/cli
2021-10-26 17:42:53 -04:00
Monis Khan
2ba5d51120
Change default install hint to use get.pinniped.dev/cli
...
This avoids a hard link against a docs page that may change over
time.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-26 17:14:13 -04:00
Margo Crawford
c3060e3474
Merge pull request #872 from anjaltelang/main
...
Architecture should be on top on the documentation webpage
2021-10-26 13:41:17 -07:00
Anjali Telang
59256264ec
Changing the architecture.md weight back to 100
...
Signed-off-by: Anjali Telang <atelang@vmware.com>
2021-10-26 16:34:32 -04:00
Mo Khan
3aa14accd7
Merge pull request #875 from siddhant94/add-install-hint-kubeconfig
...
Add --install-hint flag to `get kubeconfig` command
2021-10-26 15:38:39 -04:00
Anjali Telang
f93cdcb9c5
Merge remote-tracking branch 'upstream/main' into main
2021-10-26 15:29:56 -04:00
vagrant
1b6b4106db
Add --install-hint flag to get kubeconfig
command
...
This populates the installHint attribute in the exec section of the
generated kubeconfig.
For more details, see installHint documentation:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration
Reviewed-by: Monis Khan <mok@vmware.com>
2021-10-26 14:26:47 -04:00
Mo Khan
f25d2870ce
Merge pull request #874 from enj/enj/i/distroless_nonroot
...
Use 65532 instead of 1001 as non-root user
2021-10-25 16:54:47 -04:00
Monis Khan
7921a58988
Use 65532 instead of 1001 as non-root user
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-25 16:21:54 -04:00
Mo Khan
7d30bfc22c
Start using CodeQL
2021-10-25 16:05:12 -04:00
Mo Khan
bdb199c53a
Merge pull request #858 from vmware-tanzu/upstream_refresh
...
For OIDCIdenitityProviders perform an upstream refresh during downstream refresh
2021-10-25 12:32:35 -04:00
Monis Khan
1e17418585
TestSupervisorUpstreamOIDCDiscovery: include AdditionalAuthorizeParametersValid condition
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-25 10:21:51 -04:00
Ryan Richard
303b1f07d3
Fix mistake in previous commit
2021-10-22 14:06:31 -07:00
Ryan Richard
e0db59fd09
More small updates based on PR feedback
2021-10-22 10:23:21 -07:00
Ryan Richard
867853016f
Merge branch 'main' into upstream_refresh
2021-10-22 09:23:52 -07:00
anjalitelang
be6c335bb8
Update ROADMAP.md
...
Minor changes
2021-10-21 10:16:54 -04:00
anjalitelang
b3a1dcd634
Update ROADMAP.md
...
Updated roadmap to reflect current focus of Pinniped project
2021-10-21 10:10:19 -04:00
Ryan Richard
dec43289f6
Lots of small updates based on PR feedback
2021-10-20 15:53:25 -07:00
Ryan Richard
7ec0304472
Add offline_access scope for integration tests when using Dex
2021-10-19 12:25:51 -07:00
Anjali Telang
a22507f835
Architecture should be on top of the docs page
...
Signed-off-by: Anjali Telang <atelang@vmware.com>
2021-10-19 13:46:30 -04:00
Ryan Richard
d3ade82f3f
Update docs
2021-10-19 09:48:40 -07:00
Ryan Richard
c43e019d3a
Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters
2021-10-18 16:41:31 -07:00
Ryan Richard
d68bebeb49
Merge branch 'main' into upstream_refresh
2021-10-18 15:35:46 -07:00
Ryan Richard
c51d7c08b9
Add a comment that might be useful some day
2021-10-18 15:35:22 -07:00
Ryan Richard
ddb23bd2ed
Add upstream refresh related config to OIDCIdentityProvider CRD
...
Also update related docs.
2021-10-14 15:49:44 -07:00
Ryan Richard
9e05d175a7
Add integration test: upstream refresh failure during downstream refresh
2021-10-13 15:12:19 -07:00
Ryan Richard
a34dae549b
When performing an upstream refresh, use the configured http client
...
Otherwise, the CA and proxy settings will not be used for the call
to the upstream token endpoint while performing the refresh. This
mistake was exposed by the TestSupervisorLogin integration test, so
it has test coverage.
2021-10-13 14:05:00 -07:00
Ryan Richard
79ca1d7fb0
Perform an upstream refresh during downstream refresh for OIDC upstreams
...
- If the upstream refresh fails, then fail the downstream refresh
- If the upstream refresh returns an ID token, then validate it (we
use its claims in the future, but not in this commit)
- If the upstream refresh returns a new refresh token, then save it
into the user's session in storage
- Pass the provider cache into the token handler so it can use the
cached providers to perform upstream refreshes
- Handle unexpected errors in the token handler where the user's session
does not contain the expected data. These should not be possible
in practice unless someone is manually editing the storage, but
handle them anyway just to be safe.
- Refactor to share the refresh code between the CLI and the token
endpoint by moving it into the UpstreamOIDCIdentityProviderI
interface, since the token endpoint needed it to be part of that
interface anyway
2021-10-13 12:31:20 -07:00
Mo Khan
bc6da55e96
Merge pull request #860 from vmware-tanzu/dependabot/docker/golang-1.17.2
...
Bump golang from 1.17.1 to 1.17.2
2021-10-11 13:23:37 -04:00
Margo Crawford
1bd346cbeb
Require refresh tokens for upstream OIDC and save more session data
...
- Requiring refresh tokens to be returned from upstream OIDC idps
- Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication
- Don't pass access=offline all the time
2021-10-08 15:48:21 -07:00
dependabot[bot]
d1d954bb3b
Bump golang from 1.17.1 to 1.17.2
...
Bumps golang from 1.17.1 to 1.17.2.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-10-08 01:03:52 +00:00
Margo Crawford
43244b6599
Do not pass through downstream prompt param
...
- throw an error when prompt=none because the spec says we can't ignore
it
- ignore the other prompt params
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-10-06 16:30:30 -07:00
Ryan Richard
c6f1d29538
Use PinnipedSession type instead of fosite's DefaultSesssion type
...
This will allow us to store custom data inside the fosite session
storage for all downstream OIDC sessions.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 15:28:13 -07:00
Margo Crawford
a2cafb251a
Merge pull request #857 from vmware-tanzu/impersonation-proxy-supported-clusters
...
Change description of impersonation proxy strategy in supported clusters
2021-10-06 11:40:24 -07:00
Margo Crawford
e0b62a46bb
Merge branch 'main' into impersonation-proxy-supported-clusters
2021-10-06 11:36:45 -07:00
Margo Crawford
4aa66b9667
Update site/content/docs/reference/supported-clusters.md
...
Co-authored-by: Mo Khan <i@monis.app>
2021-10-06 11:23:29 -07:00