djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2,995 Commits 30 Branches 34 Tags
Commit Graph

963 Commits

Author SHA1 Message Date
Monis Khan
8c387f977c
wip005 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-07-20 15:41:05 -04:00
Monis Khan
a4fb53e131
wip004 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-07-15 16:11:10 -04:00
Monis Khan
983c6116ef
wip003 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-07-15 11:55:30 -04:00
Monis Khan
2e36cea786
wip002 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-07-15 08:53:20 -04:00
Monis Khan
6c199abcde
wip001 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-07-15 08:53:20 -04:00
Ryan Richard
be85e1ed0a TotalClientSecrets field gets omitempty and becomes int32 2022-07-14 09:30:03 -07:00
Ryan Richard
93939ccbd8 OIDCClient watcher controller updates based on PR feedback 2022-07-06 10:34:24 -07:00
Monis Khan
f13c5e3f06
Fix supervisor scheme comment 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-06-24 09:56:44 -04:00
Margo Crawford
a010e72b29 Merge branch 'dynamic_clients' into require-groups-scope 2022-06-22 14:27:06 -07:00
Margo Crawford
dac0395680 Add a couple tests, address pr comments 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-22 14:19:55 -07:00
Margo Crawford
f2005b4c7f Merge branch 'dynamic_clients' into require-groups-scope 2022-06-22 12:30:54 -07:00
Margo Crawford
c70a0b99a8 Don't do ldap group search when group scope not specified 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-22 10:58:08 -07:00
Margo Crawford
9903c5f79e Handle refresh requests without groups scope 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-22 08:21:16 -07:00
Ryan Richard
5aa0d91267
New controller watches OIDCClients and updates validation Conditions 2022-06-17 13:11:26 -04:00
Monis Khan
36a5c4c20d
Fix TestOIDCClientStaticValidation on old servers 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-06-17 09:04:03 -04:00
Mo Khan
4bf734061d
Merge pull request #1190 from vmware-tanzu/client-secret-api-noop 
aggregated api for oidcclientsecretrequest
 2022-06-16 10:30:13 -04:00
Margo Crawford
64cd8b0b9f Add e2e test for groups scope 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-15 13:41:22 -07:00
Monis Khan
59d67322d3
Static validation for OIDC clients 
The following validation is enforced:

1. Names must start with client.oauth.pinniped.dev-
2. Redirect URIs must start with https://
   or http://127.0.0.1
   or http://::1
3. All spec lists must not have duplicates

Added an integration test to assert all static validations.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-06-15 15:09:40 -04:00
Margo Crawford
424f925a14 Merge branch 'dynamic_clients' into client-secret-api-noop 2022-06-15 09:38:55 -07:00
Margo Crawford
c117329553 Updates based on code review 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-15 09:38:21 -07:00
Margo Crawford
4d0c2e16f4 require groups scope to get groups back from supervisor 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-15 08:00:17 -07:00
Margo Crawford
8f4285dbff Change group names 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-13 14:28:05 -07:00
Ryan Richard
b9272b2729 Reserve all of *.pinniped.dev for requested aud in token exchanges 
Our previous plan was to reserve only *.oauth.pinniped.dev but we
changed our minds during PR review.
 2022-06-13 12:08:11 -07:00
Margo Crawford
ba371423d9 Add integration test for OIDCClientSecretRequest 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-10 13:56:15 -07:00
Margo Crawford
889348e999 WIP aggregated api for oidcclientsecretrequest 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-09 13:47:19 -07:00
Ryan Richard
321abfc98d Merge branch 'dynamic_clients' into token_exchange_aud 2022-06-08 09:03:29 -07:00
Ryan Richard
ea45e5dfef Disallow certain requested audience strings in token exchange 2022-06-07 16:32:19 -07:00
Mo Khan
472ab229e7
Merge branch 'main' into auth_handler_form_post_csp 2022-06-07 18:26:52 -04:00
Ryan Richard
7751c0bf59
Bump project deps, including kube 0.23.6->0.24.1 and Go 1.18.1->1.18.3 
Several API changes in Kube required changes in Pinniped code.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-06-07 15:26:30 -04:00
Ryan Richard
b99c4773a2 Use CSP headers in auth handler response 
When response_mode=form_post is requested, some error cases will be
returned to the client using the form_post web page to POST the result
back to the client's redirect URL.
 2022-06-02 09:23:34 -07:00
Monis Khan
0674215ef3
Switch to go.uber.org/zap for JSON formatted logging 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-05-24 11:17:42 -04:00
Ryan Richard
39fd9ba270 Small refactors and comments for LDAP/AD UI 2022-05-19 16:02:08 -07:00
Ryan Richard
0f2a984308 Merge branch 'main' into ldap-login-ui 2022-05-11 11:32:15 -07:00
Ryan Richard
aa732a41fb Add LDAP browser flow login failure tests to supervisor_login_test.go 
Also do some refactoring to share more common test setup code in
supervisor_login_test.go.
 2022-05-10 16:28:08 -07:00
Ryan Richard
4c44f583e9 Don't add pinniped_idp_name pinniped_idp_type params into upstream state 2022-05-06 12:00:46 -07:00
Ryan Richard
ec22b5715b Add Pinniped favicon to login UI page 🦭 2022-05-05 14:46:07 -07:00
Ryan Richard
cffa353ffb Login page styling/structure for users, screen readers, passwd managers 
Also:
- Add CSS to login page
- Refactor login page HTML and CSS into a new package
- New custom CSP headers for the login page, because the requirements
  are different from the form_post page
 2022-05-05 13:13:25 -07:00
Ryan Richard
6ca7c932ae Add unit test for rendering form_post response from POST /login 2022-05-05 13:13:25 -07:00
Ryan Richard
656f221fb7 Merge branch 'main' into ldap-login-ui 2022-05-04 09:29:15 -07:00
Ryan Richard
2e031f727b Use security headers for the form_post page in the POST /login endpoint 
Also use more specific test assertions where security headers are
expected. And run the unit tests for the login package in parallel.
 2022-05-03 16:46:09 -07:00
Ryan Richard
acc6c50e48 More unit tests for LDAP DNs which contain special chars 
Adding explicit coverage for PerformRefresh().
 2022-05-03 15:43:01 -07:00
Margo Crawford
388cdb6ddd Fix bug where form was posting to the wrong path 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-05-03 15:18:38 -07:00
Ryan Richard
c74dea6405 Escape special characters in LDAP DNs when used in search filters 2022-05-02 13:37:32 -07:00
Ryan Richard
69e5169fc5 Implement post_login_handler.go to accept form post and auth to LDAP/AD 
Also extract some helpers from auth_handler.go so they can be shared
with the new handler.
 2022-04-29 16:02:00 -07:00
Margo Crawford
646c6ec9ed Show error message on login page 
Also add autocomplete attribute and title element

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-29 10:36:13 -07:00
Margo Crawford
453c69af7d Fix some errors and pass state as form element 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-28 12:07:04 -07:00
Margo Crawford
07b2306254 Add basic outline of login get handler 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-28 11:51:36 -07:00
Margo Crawford
ae60d4356b Some refactoring of shared code between OIDC and LDAP browser flows 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-27 08:51:37 -07:00
Margo Crawford
379a803509 when password header but not username is sent to password grant, error 
also add more unit tests

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-26 16:46:58 -07:00
Ryan Richard
65eed7e742 Implement login_handler.go to defer to other handlers 
The other handlers for GET and POST requests are not yet implemented in
this commit. The shared handler code in login_handler.go takes care of
things checking the method, checking the CSRF cookie, decoding the state
param, and adding security headers on behalf of both the GET and POST
handlers.

Some code has been extracted from callback_handler.go to be shared.
 2022-04-26 15:37:30 -07:00