djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2,983 Commits 30 Branches 34 Tags 22 MiB
8adc1ce345
Commit Graph

759 Commits

Author SHA1 Message Date
Margo Crawford
8adc1ce345 Fix failing active directory integration test 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-22 16:16:32 -07:00
Margo Crawford
a010e72b29 Merge branch 'dynamic_clients' into require-groups-scope 2022-06-22 14:27:06 -07:00
Margo Crawford
f2005b4c7f Merge branch 'dynamic_clients' into require-groups-scope 2022-06-22 12:30:54 -07:00
Margo Crawford
c70a0b99a8 Don't do ldap group search when group scope not specified 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-22 10:58:08 -07:00
Margo Crawford
9903c5f79e Handle refresh requests without groups scope 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-22 08:21:16 -07:00
Ryan Richard
5aa0d91267
New controller watches OIDCClients and updates validation Conditions 2022-06-17 13:11:26 -04:00
Monis Khan
36a5c4c20d
Fix TestOIDCClientStaticValidation on old servers 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-06-17 09:04:03 -04:00
Mo Khan
4bf734061d
Merge pull request #1190 from vmware-tanzu/client-secret-api-noop 
aggregated api for oidcclientsecretrequest
 2022-06-16 10:30:13 -04:00
Margo Crawford
64cd8b0b9f Add e2e test for groups scope 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-15 13:41:22 -07:00
Monis Khan
59d67322d3
Static validation for OIDC clients 
The following validation is enforced:

1. Names must start with client.oauth.pinniped.dev-
2. Redirect URIs must start with https://
   or http://127.0.0.1
   or http://::1
3. All spec lists must not have duplicates

Added an integration test to assert all static validations.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-06-15 15:09:40 -04:00
Margo Crawford
424f925a14 Merge branch 'dynamic_clients' into client-secret-api-noop 2022-06-15 09:38:55 -07:00
Margo Crawford
c117329553 Updates based on code review 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-15 09:38:21 -07:00
Margo Crawford
4d0c2e16f4 require groups scope to get groups back from supervisor 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-15 08:00:17 -07:00
Mo Khan
c77bee67c1
Merge pull request #1189 from vmware-tanzu/token_exchange_aud 
Disallow certain requested audience strings in token exchange
 2022-06-14 16:41:51 -04:00
Margo Crawford
104e08b0f6 Merge branch 'dynamic_clients' into client-secret-api-noop 2022-06-13 15:52:34 -07:00
Margo Crawford
0c1f48cbc1 Move oidcclient into config.supervisor.pinniped.dev 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-13 15:48:54 -07:00
Margo Crawford
8f4285dbff Change group names 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-13 14:28:05 -07:00
Ryan Richard
b9272b2729 Reserve all of *.pinniped.dev for requested aud in token exchanges 
Our previous plan was to reserve only *.oauth.pinniped.dev but we
changed our minds during PR review.
 2022-06-13 12:08:11 -07:00
Margo Crawford
ba371423d9 Add integration test for OIDCClientSecretRequest 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-10 13:56:15 -07:00
Ryan Richard
e7096c61a8 Merge branch 'main' into dynamic_clients 2022-06-10 12:52:59 -07:00
Margo Crawford
889348e999 WIP aggregated api for oidcclientsecretrequest 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-09 13:47:19 -07:00
Ryan Richard
ec533cd781 Skip some recently added integration tests when LDAP is unavailable 
Also refactor to use shared test helper for skipping LDAP and AD tests.
 2022-06-08 12:57:00 -07:00
Ryan Richard
dd61ada540 Allow new warning messages about GCP plugin in TestGetPinnipedCategory 2022-06-08 10:22:15 -07:00
Ryan Richard
321abfc98d Merge branch 'dynamic_clients' into token_exchange_aud 2022-06-08 09:03:29 -07:00
Ryan Richard
97d17bbda8 Merge branch 'main' into dynamic_clients 2022-06-08 09:03:06 -07:00
Ryan Richard
ea45e5dfef Disallow certain requested audience strings in token exchange 2022-06-07 16:32:19 -07:00
Ryan Richard
8170889aef Update CSP header expectations in TestSupervisorLogin_Browser int test 2022-06-07 11:20:59 -07:00
Margo Crawford
ca3da0bc90 Fix some disallowed kubebuilder annotations, fix kube api discovery test 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-04 21:04:40 -07:00
Ryan Richard
cb8685b942 Add e2e test for PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW env var 2022-06-02 11:27:54 -07:00
Ryan Richard
0f2a984308 Merge branch 'main' into ldap-login-ui 2022-05-11 11:32:15 -07:00
Ryan Richard
aa732a41fb Add LDAP browser flow login failure tests to supervisor_login_test.go 
Also do some refactoring to share more common test setup code in
supervisor_login_test.go.
 2022-05-10 16:28:08 -07:00
Ryan Richard
0b106c245e Add LDAP browser flow login test to supervisor_login_test.go 2022-05-10 12:54:40 -07:00
Ryan Richard
ab302cf2b7 Add AD via browser login e2e test and refactor e2e tests to share code 2022-05-10 10:30:32 -07:00
Ryan Richard
a4e32d8f3d Extract browsertest.LoginToUpstreamLDAP() integration test helper 2022-05-09 15:43:36 -07:00
Ryan Richard
6e6e1f4add Update login page CSS selectors in e2e test 2022-05-05 13:56:38 -07:00
Margo Crawford
329d41aac7 Add the full end to end test for ldap web ui 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-05-05 08:49:58 -07:00
Margo Crawford
eb891d77a5 Tiny fix: pinninpeds->pinnipeds 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-05-04 12:42:55 -07:00
Margo Crawford
07b2306254 Add basic outline of login get handler 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-28 11:51:36 -07:00
Margo Crawford
eb1d3812ec Update authorization endpoint to redirect to new login page 
Also fix some test failures on the callback handler, register the
new login handler in manager.go and add a (half baked) integration test

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-26 12:51:56 -07:00
hectorj2f
a3f7afaec4 oidc: add code challenge supported methods 
Signed-off-by: hectorj2f <hectorf@vmware.com>
 2022-04-19 01:21:39 +02:00
Margo Crawford
d5337c9c19 Error format of untrusted certificate errors should depend on OS 
Go 1.18.1 started using MacOS' x509 verification APIs on Macs
rather than Go's own. The error messages are different.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-14 17:37:36 -07:00
Ryan Richard
53348b8464 Add custom prefix to downstream access and refresh tokens and authcodes 2022-04-13 10:13:27 -07:00
Monis Khan
3f0753ec5a
Remove duplication in secure TLS tests 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-04-01 10:56:38 -04:00
Monis Khan
15bc6a4a67
Add more details to FIPS comments 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-04-01 10:56:38 -04:00
Margo Crawford
53597bb824 Introduce FIPS compatibility 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-03-29 16:58:41 -07:00
Ryan Richard
cf471d6422 Remove unused env.SupervisorHTTPAddress integration test var 2022-03-29 09:13:44 -07:00
Ryan Richard
bedf4e5a39 Try to avoid getting a second username prompt in a test in e2e_test.go 2022-03-22 14:23:50 -07:00
Ryan Richard
2715741c2c Increase a test timeout in e2e_test.go 2022-03-22 12:13:10 -07:00
Ryan Richard
d162e294ed Split up the context timeouts per test in e2e_test.go 2022-03-22 10:17:45 -07:00
Monis Khan
8fac6cb9a4
Rework or remove tests that rely on the http port 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-03-10 19:43:12 -05:00