Matt Moyer
8c3be3ffb2
Refactor UpstreamOIDCIdentityProviderI claim handling.
...
This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-04 15:35:35 -06:00
Matt Moyer
014d760f3d
Add validated ID token claims to the oidctypes.Token structure.
...
This is just a more convenient copy of these values which are already stored inside the ID token. This will save us from having to pass them around seprately or re-parse them later.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-04 15:18:41 -06:00
Matt Moyer
7b088d611d
Merge pull request #252 from mattmoyer/fix-csrf-cookie-same-site
...
Switch CSRF cookie from `Same-Site=Strict` to `Same-Site=Lax`.
2020-12-03 21:53:24 -06:00
Matt Moyer
f0ebd808d7
Switch CSRF cookie from Same-Site=Strict
to Same-Site=Lax
.
...
This CSRF cookie needs to be included on the request to the callback endpoint triggered by the redirect from the OIDC upstream provider. This is not allowed by `Same-Site=Strict` but is allowed by `Same-Site=Lax` because it is a "cross-site top-level navigation" [1].
We didn't catch this earlier with our Dex-based tests because the upstream and downstream issuers were on the same parent domain `*.svc.cluster.local` so the cookie was allowed even with `Strict` mode.
[1]: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-3.2
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 21:30:00 -06:00
Matt Moyer
fa94ebfbd1
Merge pull request #229 from vmware-tanzu/callback-endpoint
...
Implement supervisor OIDC upstream callback endpoint used during authorize flow
2020-12-03 16:28:02 -06:00
Matt Moyer
c18c670765
Merge remote-tracking branch 'origin/main' into callback-endpoint
2020-12-03 14:53:26 -06:00
Matt Moyer
f410da0ed2
Merge pull request #242 from rajat404/refactor-docs
...
Remove duplicate docs from the repo and change all links to point to …
2020-12-03 14:52:51 -06:00
Matt Moyer
c8abc79d9b
Fix this comment (and retrigger CI).
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 14:24:26 -06:00
Matt Moyer
9455a66be8
This trailing dash is now taken care of by the library method.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 13:56:24 -06:00
Matt Moyer
8563c05baf
Tweak these timeouts to be a bit faster (and retrigger CI).
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 13:22:27 -06:00
Matt Moyer
408fbe4f76
Parameterize the supervisor_redirect_uri
in the test env Dex.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 12:45:56 -06:00
Matt Moyer
cb5e494815
Dump out proxy access logs in TestSupervisorLogin.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 11:28:48 -06:00
Matt Moyer
954591d2db
Add some debugging logs to our proxy client code.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 10:25:26 -06:00
Matt Moyer
d7b1ab8e43
Try to capture more logs from the TestSupervisorLogin test.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 09:39:33 -06:00
Matt Moyer
1d44a0cdfa
Add a small integration test library to dump pod logs on test failures.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 09:39:33 -06:00
Matt Moyer
1fa41c4d0a
Merge remote-tracking branch 'origin/main' into callback-endpoint
2020-12-03 08:50:31 -06:00
Matt Moyer
0deb7cc09a
Merge pull request #250 from mattmoyer/fix-ipv6-test-regression
...
Fix a test regression with IPv6 localhost interfaces.
2020-12-03 08:48:57 -06:00
Ryan Richard
95093ab0af
Use kube storage for the supervisor callback endpoint's fosite sessions
2020-12-02 17:40:01 -08:00
Matt Moyer
64ef53402d
In TestSupervisorLogin, wrap the discovery request in an Eventually()
.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 18:07:52 -06:00
Matt Moyer
37c5e121c4
Fix a test issue with IPv6 localhost interfaces.
...
This fixes a regression introduced by 24c4bc0dd4
. It could occasionally cause the tests to fail when run on a machine with an IPv6 localhost interface. As a fix I added a wrapper for the new Go 1.15 `LookupIP()` method, and created a partially-functional backport for Go 1.14. This should be easy to delete in the future.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 17:49:21 -06:00
Matt Moyer
879525faac
Clean up the browsertest package a bit.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 17:20:24 -06:00
Ryan Richard
6ed9107df0
Remove a couple of todos that will be resolved in Slack conversations
2020-12-02 14:20:18 -08:00
Ryan Richard
c320132289
Back-fill some more unit tests on authorizationcode_test.go
2020-12-02 14:20:18 -08:00
Matt Moyer
ae9bdc1d61
Fix a lint warning by simplifying this append operation.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 16:11:40 -06:00
Matt Moyer
c0f13ef4ac
Merge remote-tracking branch 'origin/main' into callback-endpoint
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 16:09:08 -06:00
Matt Moyer
f40144e1a9
Update TestSupervisorLogin to test the callback flow using a browser.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:35 -06:00
Matt Moyer
0ccf14801e
Expose the MaskTokens function so other test code can use it.
...
This is just a small helper to make test output more readable.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:34 -06:00
Matt Moyer
273ac62ec2
Extend the test client helpers in ./test/library/client.go.
...
This adds a few new "create test object" helpers and extends `CreateTestOIDCProvider()` to optionally wait for the created OIDCProvider to enter some expected status condition.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:34 -06:00
Matt Moyer
545c26e5fe
Refactor browser-related test functions to a ./test/library/browsertest
package.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:34 -06:00
Matt Moyer
22953cdb78
Add a CA.Pool() method to ./internal/certauthority.
...
This is convenient for at least one test and is simple enough to write and test.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:34 -06:00
Matt Moyer
fe0481c304
In integration test env, deploy a ClusterIP service and register that with Dex.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:33 -06:00
Matt Moyer
fde56164cd
Add a redirectURI
parameter to ExchangeAuthcodeAndValidateTokens() method.
...
We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3 ).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:33 -06:00
Matt Moyer
4fe691de92
Save an http.Client with each upstreamoidc.ProviderConfig object.
...
This allows the token exchange request to be performed with the correct TLS configuration.
We go to a bit of extra work to make sure the `http.Client` object is cached between reconcile operations so that connection pooling works as expected.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:33 -06:00
Matt Moyer
c23c54f500
Add an explicit Path=/;
to our CSRF cookie, per the spec.
...
> [...] a cookie named "__Host-cookie1" MUST contain a "Path" attribute with a value of "/".
https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:33 -06:00
Rajat Goyal
7e78c9322c
Remove duplicate documentation images from the repo and change all links to point to the Hugo site
2020-12-02 23:58:19 +05:30
Rajat Goyal
31810a97e1
Remove duplicate docs from the repo and change all links to point to the Hugo site
2020-12-02 23:58:19 +05:30
Margo Crawford
d60c184424
Add pkce and openidconnect storage
...
- Also refactor authorizationcode_test
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-01 17:18:32 -08:00
Ryan Richard
f38c150f6a
Finished tests for pkce storage and added it to kubestorage
...
- Also fixed some lint errors with v1.33.0 of the linter
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-01 14:53:22 -08:00
Margo Crawford
c8eaa3f383
WIP towards using k8s fosite storage in the supervisor's callback endpoint
...
- Note that this WIP commit includes a failing unit test, which will
be addressed in the next commit
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-01 11:01:42 -08:00
Matt Moyer
be8f11fe5a
Merge pull request #246 from mattmoyer/build-on-go-1.14
...
Tweak some stdlib usage so we compile under Go 1.14.
2020-11-30 17:38:19 -06:00
Matt Moyer
b272b3f331
Refactor oidcclient.Login to use new upstreamoidc package.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 17:37:14 -06:00
Matt Moyer
4b60c922ef
Add generated mock of UpstreamOIDCIdentityProviderI.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 17:37:14 -06:00
Matt Moyer
25ee99f93a
Add ValidateToken method to UpstreamOIDCIdentityProviderI interface.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 17:37:14 -06:00
Matt Moyer
d32583dd7f
Move OIDC Token structs into a new oidctypes
package.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 17:02:03 -06:00
Matt Moyer
d64acbb5a9
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 15:22:56 -06:00
Matt Moyer
24c4bc0dd4
Tweak some stdlib usage so we compile under Go 1.14.
...
Mainly, avoid using some `testing` helpers that were added in 1.14, as well as a couple of other niceties we can live without.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 10:11:41 -06:00
Andrew Keesler
58a3e35c51
Revert "test/integration: skip TestSupervisorLogin until new callback logic is on main"
...
This reverts commit eae6d355f8
.
We have added the new callback path logic (see b21f003
), so we can stop skipping
this test.
2020-11-30 11:07:25 -05:00
Andrew Keesler
25bbd28527
Merge remote-tracking branch 'upstream/main' into callback-endpoint
2020-11-30 11:06:20 -05:00
Andrew Keesler
385d2db445
Merge pull request #245 from ankeesler/fix-supervisor-login-test
...
Run TestSupervisorLogin only on valid HTTP/HTTPS supervisor addresses
2020-11-30 11:05:43 -05:00
Andrew Keesler
eae6d355f8
test/integration: skip TestSupervisorLogin until new callback logic is on main
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-30 10:12:03 -05:00