djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,042 Commits 30 Branches 34 Tags 22 MiB
91af51d38e
Commit Graph

1042 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ryan Richard
91af51d38e Fix integration tests to work with the username and sub claims 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-15 17:16:08 -08:00
Margo Crawford
a10d219049 Pass through custom groups claim and username claim 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-15 16:11:53 -08:00
Ryan Richard
05ab8f375e Default to "username" claim in jwtcachefiller 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-15 14:37:38 -08:00
Margo Crawford
720bc7ae42 jwtcachefiller_test.go: refactor and remove "if short skip" check 
- Refactor the test to avoid testing a private method and instead
  always test the results of running the controller.
- Also remove the `if testing.Short()` check because it will always
  be short when running unit tests. This prevented the unit test
  from ever running, both locally and in CI.

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-15 13:33:49 -08:00
Ryan Richard
0e60c93cef Add UsernameClaim and GroupsClaim to JWTAuthenticator CRD spec 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-15 10:36:19 -08:00
Ryan Richard
43bb7117b7 Allow upstream group claim values to be either arrays or strings 2020-12-15 08:34:24 -08:00
Ryan Richard
16dfab0aff token_handler_test.go: Add tests for username and groups custom claims 2020-12-14 18:27:14 -08:00
Margo Crawford
afcd5e3e36 WIP: Adjust subject and username claims 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-14 17:05:53 -08:00
Ryan Richard
a5c07042c1
Merge pull request #279 from vmware-tanzu/fosite-settings 
Update more fosite settings
 2020-12-11 18:19:50 -08:00
Ryan Richard
7cda6628a6
Merge branch 'main' into fosite-settings 2020-12-11 18:19:37 -08:00
Ryan Richard
020fbcf190 Adjust some expectations about the state and nonce lengths 2020-12-11 17:39:58 -08:00
Ryan Richard
791c50fd33
Merge pull request #278 from vmware-tanzu/fosite-storage-gc 
Garbage collect the fosite secrets to limit amount of storage used
 2020-12-11 17:17:15 -08:00
Margo Crawford
2a19dd0d2e Pass prompt through to upstream login request 
Signed-off-by: Ryan Richard <rrichard@vmware.com>
 2020-12-11 17:13:27 -08:00
Margo Crawford
ded28dff15 Update the fosite settings 
- AudienceMatchingStrategy: we want to use the default matcher from
  fosite, so remove that line
- AllowedPromptValues: We can use the default if we add a small
  change to the auth_handler.go to account for it (in a future commit)
- MinParameterEntropy: Use the fosite default to make it more likely
  that off the shelf OIDC clients can work with the supervisor

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-11 16:15:50 -08:00
Ryan Richard
baa1a4a2fc Supervisor storage garbage collection controller enabled in production 
- Also add more log statements to the controller
- Also have the controller apply a rate limit to itself, to avoid
  having a very chatty controller that runs way more often than is
  needed.
- Also add an integration test for the controller's behavior.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-11 15:21:34 -08:00
Margo Crawford
ed9b3ffce5 Add controller for garbage collecting secrets 
Signed-off-by: Ryan Richard <rrichard@vmware.com>
 2020-12-10 17:34:05 -08:00
Ryan Richard
afd216308b KubeStorage annotates every Secret with garbage-collect-after timestamp 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-10 14:47:58 -08:00
Margo Crawford
b0c354637d WIP passing lifetime through to storage, unit tests are failing 
Signed-off-by: Ryan Richard <rrichard@vmware.com>
 2020-12-10 12:15:40 -08:00
Ryan Richard
c001bb876e
Merge pull request #275 from vmware-tanzu/fosite-storage-gc-prefactor 
Fosite storage garbage collection prefactor
 2020-12-10 10:50:29 -08:00
Ryan Richard
3c6d1a1924 Merge branch 'main' into fosite-storage-gc 2020-12-10 10:45:26 -08:00
Margo Crawford
6f40dcb471 Increase the RefreshTokenSessionStorageLifetime 
- Make it more likely that the end user will get the more specific error
  message saying that their refresh token has expired the first time
  that they try to use an expired refresh token

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-10 10:44:27 -08:00
Ryan Richard
a561fd21d9 Consolidate the supervisor's timeout settings into a single struct 
- This struct represents the configuration of all timeouts. These
  timeouts are all interrelated to declare them all in one place.
  This should also make it easier to allow the user to override
  our defaults if we would like to implement such a feature in the
  future.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-10 10:14:54 -08:00
Matt Moyer
40c9e8472c
Merge pull request #272 from mattmoyer/default-cli-scopes 
Tweak default CLI `--scopes` parameter to match supervisor use case.
 2020-12-10 11:41:22 -06:00
Matt Moyer
e7338da3dc
Tweak default CLI --scopes parameter to match supervisor use case. 
This should be a better default for most cases.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-10 10:48:11 -06:00
Matt Moyer
0c52739997
Merge pull request #271 from mattmoyer/fix-cli-content-type-parsing 
Fix bug in handling response content-type in oidcclient.
 2020-12-10 10:46:10 -06:00
Matt Moyer
9d3c98232b
Fix bug in handling response content-type in oidcclient. 
Before this, we weren't properly parsing the `Content-Type` header. This breaks in integration with the Supervisor since it sends an extra encoding parameter like `application/json;charset=UTF-8`.

This change switches to properly parsing with the `mime.ParseMediaType` function, and adds test cases to match the supervisor behavior.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-10 10:12:56 -06:00
Matt Moyer
5a0918afde
Merge pull request #270 from mattmoyer/default-cli-client-id 
Add a default --client-id in `pinniped login oidc` command.
 2020-12-10 10:12:28 -06:00
Matt Moyer
4395d5a0ca
Add a default --client-id in pinniped login oidc command. 
This default matches the static client we have defined in the supervisor, which will be the correct value in most cases.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-10 09:46:07 -06:00
Andrew Keesler
d83927ae75
Merge pull request #268 from vmware-tanzu/secret-generation-prefactor 
Secret generation prefactor
 2020-12-10 08:39:32 -05:00
aram price
86c75b7a80 CSRF cookie is no longer encrypted 2020-12-09 17:34:02 -08:00
aram price
f1f8ffa456 Distinct Encoder's use distinct keys 2020-12-09 17:34:02 -08:00
aram price
4a5f8e30a8 Use distinct Encoder for state and csrf data 2020-12-09 17:34:02 -08:00
aram price
e111ca02da Use the narrowest possible interface 2020-12-09 17:34:02 -08:00
aram price
6ec3589112 Use recorder Cookies() helper 
- replaces hand-parsing of cookie strings
 2020-12-09 17:34:02 -08:00
Margo Crawford
2ddba8d825
Merge pull request #267 from vmware-tanzu/token-exchange-endpoint 
Implement RFC8693 token exchange handler in the supervisor
 2020-12-09 17:13:28 -08:00
Margo Crawford
218f27306c Integration test for refresh grant 
Signed-off-by: Ryan Richard <rrichard@vmware.com>
 2020-12-09 17:07:37 -08:00
Margo Crawford
fde2e6fa97 Merge remote-tracking branch 'origin/main' into token-exchange-endpoint 2020-12-09 15:22:54 -08:00
Ryan Richard
4d82ec1283
Merge pull request #262 from vmware-tanzu/token-refresh 
Support for the refresh grant in the supervisor's token endpoint
 2020-12-09 15:22:02 -08:00
Ryan Richard
5b7c510577 Fixed error handling for token exchange when openid scope missing 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-09 15:15:50 -08:00
Ryan Richard
0abadddb1a token_handler_test.go: modify a test about refresh request scopes param 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-09 15:03:52 -08:00
Margo Crawford
5f6e7de785 Merge branch 'token-refresh' into token-exchange-endpoint 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-09 14:56:41 -08:00
Ryan Richard
64631d5780 token_handler_test.go: add even more test cases for refresh grant 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-09 14:53:39 -08:00
Ryan Richard
0386658d26 token_handler_test.go: add more test cases for refresh grant 2020-12-09 14:12:00 -08:00
Matt Moyer
167d440b65
Remove this unneccesary go113 nolint directives. 
We disabled this linter across the project.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-09 14:51:27 -06:00
Matt Moyer
3e6ebab389
Clean up TestTokenExchange a bit. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-09 14:49:44 -06:00
Matt Moyer
f90b5d48de
Merge branch 'token-refresh' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint 2020-12-09 14:46:57 -06:00
Matt Moyer
016b0e9a8e
Satisfy the pedantic linter config 🙃. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-09 14:41:27 -06:00
Ryan Richard
51c828382f Supervisor token endpoint supports refresh grant type 
- This commit does not include the sad path tests for the refresh
  grant type, which will come in a future commit.
 2020-12-09 12:12:59 -08:00
Matt Moyer
02d96d731f
Finish TestTokenExchange unit tests and add missing scope check. 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-09 13:56:53 -06:00
Ryan Richard
cac3a3520f Merge branch 'main' into token-refresh 2020-12-09 09:58:21 -08:00