djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
913 Commits 30 Branches 34 Tags 22 MiB
954591d2db
Commit Graph

913 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Matt Moyer
954591d2db
Add some debugging logs to our proxy client code. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-03 10:25:26 -06:00
Matt Moyer
d7b1ab8e43
Try to capture more logs from the TestSupervisorLogin test. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-03 09:39:33 -06:00
Matt Moyer
1d44a0cdfa
Add a small integration test library to dump pod logs on test failures. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-03 09:39:33 -06:00
Matt Moyer
1fa41c4d0a
Merge remote-tracking branch 'origin/main' into callback-endpoint 2020-12-03 08:50:31 -06:00
Matt Moyer
0deb7cc09a
Merge pull request #250 from mattmoyer/fix-ipv6-test-regression 
Fix a test regression with IPv6 localhost interfaces.
 2020-12-03 08:48:57 -06:00
Ryan Richard
95093ab0af Use kube storage for the supervisor callback endpoint's fosite sessions 2020-12-02 17:40:01 -08:00
Matt Moyer
64ef53402d
In TestSupervisorLogin, wrap the discovery request in an Eventually(). 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 18:07:52 -06:00
Matt Moyer
37c5e121c4
Fix a test issue with IPv6 localhost interfaces. 
This fixes a regression introduced by 24c4bc0dd4. It could occasionally cause the tests to fail when run on a machine with an IPv6 localhost interface. As a fix I added a wrapper for the new Go 1.15 `LookupIP()` method, and created a partially-functional backport for Go 1.14. This should be easy to delete in the future.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 17:49:21 -06:00
Matt Moyer
879525faac
Clean up the browsertest package a bit. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 17:20:24 -06:00
Ryan Richard
6ed9107df0 Remove a couple of todos that will be resolved in Slack conversations 2020-12-02 14:20:18 -08:00
Ryan Richard
c320132289 Back-fill some more unit tests on authorizationcode_test.go 2020-12-02 14:20:18 -08:00
Matt Moyer
ae9bdc1d61
Fix a lint warning by simplifying this append operation. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 16:11:40 -06:00
Matt Moyer
c0f13ef4ac
Merge remote-tracking branch 'origin/main' into callback-endpoint 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 16:09:08 -06:00
Matt Moyer
f40144e1a9
Update TestSupervisorLogin to test the callback flow using a browser. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:35 -06:00
Matt Moyer
0ccf14801e
Expose the MaskTokens function so other test code can use it. 
This is just a small helper to make test output more readable.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:34 -06:00
Matt Moyer
273ac62ec2
Extend the test client helpers in ./test/library/client.go. 
This adds a few new "create test object" helpers and extends `CreateTestOIDCProvider()` to optionally wait for the created OIDCProvider to enter some expected status condition.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:34 -06:00
Matt Moyer
545c26e5fe
Refactor browser-related test functions to a ./test/library/browsertest package. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:34 -06:00
Matt Moyer
22953cdb78
Add a CA.Pool() method to ./internal/certauthority. 
This is convenient for at least one test and is simple enough to write and test.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:34 -06:00
Matt Moyer
fe0481c304
In integration test env, deploy a ClusterIP service and register that with Dex. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:33 -06:00
Matt Moyer
fde56164cd
Add a redirectURI parameter to ExchangeAuthcodeAndValidateTokens() method. 
We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:33 -06:00
Matt Moyer
4fe691de92
Save an http.Client with each upstreamoidc.ProviderConfig object. 
This allows the token exchange request to be performed with the correct TLS configuration.

We go to a bit of extra work to make sure the `http.Client` object is cached between reconcile operations so that connection pooling works as expected.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:33 -06:00
Matt Moyer
c23c54f500
Add an explicit Path=/; to our CSRF cookie, per the spec. 
> [...] a cookie named "__Host-cookie1" MUST contain a "Path" attribute with a value of "/".

https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:33 -06:00
Margo Crawford
d60c184424 Add pkce and openidconnect storage 
- Also refactor authorizationcode_test

Signed-off-by: Ryan Richard <rrichard@vmware.com>
 2020-12-01 17:18:32 -08:00
Ryan Richard
f38c150f6a Finished tests for pkce storage and added it to kubestorage 
- Also fixed some lint errors with v1.33.0 of the linter

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-01 14:53:22 -08:00
Margo Crawford
c8eaa3f383 WIP towards using k8s fosite storage in the supervisor's callback endpoint 
- Note that this WIP commit includes a failing unit test, which will
  be addressed in the next commit

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-01 11:01:42 -08:00
Matt Moyer
be8f11fe5a
Merge pull request #246 from mattmoyer/build-on-go-1.14 
Tweak some stdlib usage so we compile under Go 1.14.
 2020-11-30 17:38:19 -06:00
Matt Moyer
b272b3f331
Refactor oidcclient.Login to use new upstreamoidc package. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-30 17:37:14 -06:00
Matt Moyer
4b60c922ef
Add generated mock of UpstreamOIDCIdentityProviderI. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-30 17:37:14 -06:00
Matt Moyer
25ee99f93a
Add ValidateToken method to UpstreamOIDCIdentityProviderI interface. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-30 17:37:14 -06:00
Matt Moyer
d32583dd7f
Move OIDC Token structs into a new oidctypes package. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-30 17:02:03 -06:00
Matt Moyer
d64acbb5a9
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-30 15:22:56 -06:00
Matt Moyer
24c4bc0dd4
Tweak some stdlib usage so we compile under Go 1.14. 
Mainly, avoid using some `testing` helpers that were added in 1.14, as well as a couple of other niceties we can live without.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-30 10:11:41 -06:00
Andrew Keesler
58a3e35c51
Revert "test/integration: skip TestSupervisorLogin until new callback logic is on main" 
This reverts commit eae6d355f8.

We have added the new callback path logic (see b21f003), so we can stop skipping
this test.
 2020-11-30 11:07:25 -05:00
Andrew Keesler
25bbd28527
Merge remote-tracking branch 'upstream/main' into callback-endpoint 2020-11-30 11:06:20 -05:00
Andrew Keesler
385d2db445
Merge pull request #245 from ankeesler/fix-supervisor-login-test 
Run TestSupervisorLogin only on valid HTTP/HTTPS supervisor addresses
 2020-11-30 11:05:43 -05:00
Andrew Keesler
eae6d355f8
test/integration: skip TestSupervisorLogin until new callback logic is on main 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-30 10:12:03 -05:00
Andrew Keesler
5be46d0bb7
test/integration: get downstream issuer path from upstream redirect 
See comment in the code.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-30 09:58:08 -05:00
Andrew Keesler
5b04192945
Run TestSupervisorLogin only on valid HTTP/HTTPS supervisor addresses 
We were assuming that env.SupervisorHTTPAddress was set, but it might not be
depending on the environment on which the integration tests are being run. For
example, in our acceptance environments, we don't currently set
env.SupervisorHTTPAddress.

I tried to follow the pattern from TestSupervisorOIDCDiscovery here.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-30 09:23:12 -05:00
Ryan Richard
e6b6c0e3ab Merge branch 'main' into callback-endpoint 2020-11-20 15:50:26 -08:00
Matt Moyer
dfb6544171
Merge pull request #238 from jknostman3/patch-1 
Update site demo to use pinniped-concierge namespace
 2020-11-20 17:15:26 -06:00
Matt Moyer
3596610f40
Merge pull request #239 from enj/enj/f/fosite_defaults 
Set defaults for fosite config
 2020-11-20 17:14:05 -06:00
Ryan Richard
ccddeb4cda Merge branch 'main' into callback-endpoint 2020-11-20 15:13:25 -08:00
Monis Khan
d39cc08b66
Set defaults for fosite config 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-20 17:18:52 -05:00
Ryan Richard
c4ff1ca304 auth_handler.go: Ignore invalid CSRF cookies rather than return error 
Generate a new cookie for the user and move on as if they had not sent
a bad cookie. Hopefully this will make the user experience better if,
for example, the server rotated cookie signing keys and then a user
submitted a very old cookie.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-20 13:56:35 -08:00
Andrew Keesler
b21f0035d7 callback_handler.go: Get upstream name from state instead of path 
Also use ConstantTimeCompare() to compare CSRF tokens to prevent
leaking any information in how quickly we reject bad tokens.

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-20 13:33:08 -08:00
Matt Moyer
ad9439eef2
Merge pull request #207 from vmware-tanzu/dependabot/docker/golang-1.15.5 
Bump golang from 1.15.3 to 1.15.5
 2020-11-20 15:18:23 -06:00
Ryan Richard
72321fc106
Use /callback (without IDP name) path for callback endpoint (part 1) 
This is much nicer UX for an administrator installing a UpstreamOIDCProvider
CRD. They don't have to guess as hard at what the callback endpoint path should
be for their UpstreamOIDCProvider.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-20 16:14:45 -05:00
Andrew Keesler
541019eb98
callback_handler.go: simplify stored ID token claims 
Fosite is gonna set these fields for us.

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-20 15:36:51 -05:00
Jake Knostman
15bffc6b16
Update site demo to use pinniped-concierge namespace 2020-11-20 12:31:23 -08:00
dependabot[bot]
901242c1e1
Bump golang from 1.15.3 to 1.15.5 
Bumps golang from 1.15.3 to 1.15.5.

Signed-off-by: dependabot[bot] <support@github.com>
 2020-11-20 20:19:51 +00:00