Mo Khan
b148359337
Merge pull request #918 from vmware-tanzu/replace_reflections
...
Replace reflections in go.mod
2021-12-16 17:10:28 -05:00
Nanci Lancaster
e31a410096
Updated community and resources pages
2021-12-16 16:02:47 -06:00
Ryan Richard
6bf67f44ef
replace reflections in go.mod
2021-12-16 11:15:24 -08:00
Mo Khan
fdc91ec56c
Merge pull request #909 from vmware-tanzu/dependabot/docker/golang-1.17.5
...
Bump golang from 1.17.4 to 1.17.5
2021-12-10 12:41:02 -05:00
dependabot[bot]
884d18bade
Bump golang from 1.17.4 to 1.17.5
...
Bumps golang from 1.17.4 to 1.17.5.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-12-10 17:03:50 +00:00
Mo Khan
ca2ee26c86
Merge pull request #884 from vmware-tanzu/upstream-ad-refresh
...
Upstream active directory refresh checks for password changes, deactivated and locked users
2021-12-09 20:51:46 -05:00
Margo Crawford
59d999956c
Move ad specific stuff to controller
...
also make extra refresh attributes a separate field rather than part of
Extra
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
acaad05341
Make pwdLastSet stuff more generic and not require parsing the timestamp
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
65f3464995
Fix issue with very high integer value parsing, add unit tests
...
also add comment about urgent replication
2021-12-09 16:16:36 -08:00
Margo Crawford
ee4f725209
Incorporate PR feedback
2021-12-09 16:16:36 -08:00
Margo Crawford
ef5a04c7ce
Check for locked users on ad upstream refresh
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
f62e9a2d33
Active directory checks for deactivated user
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
da9b4620b3
Active Directory checks whether password has changed recently during
...
upstream refresh
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:35 -08:00
Margo Crawford
8db0203839
Add test for upstream ldap idp not found, wrong idp uid, and malformed
...
fosite session storage
2021-12-09 16:16:35 -08:00
Ryan Richard
92bd3b49c8
Merge branch 'main' into upstream_access_revocation_during_gc
2021-12-09 14:16:52 -08:00
anjalitelang
4110297a8f
Update ROADMAP.md
...
Updated roadmap to reflect current velocity
2021-12-09 16:59:09 -05:00
Ryan Richard
dbcb213691
Merge branch 'main' into upstream_access_revocation_during_gc
2021-12-08 14:29:59 -08:00
Ryan Richard
f410d2bd00
Add revocation of upstream access tokens to garbage collector
...
Also refactor the code that decides which types of revocation failures
are worth retrying. Be more selective by only retrying those types of
errors that are likely to be worth retrying.
2021-12-08 14:29:25 -08:00
Mo Khan
7a3b5e3571
Merge pull request #908 from vmware-tanzu/microwavables-main
...
Added GOVERNANCE.md file to repo
2021-12-08 14:38:21 -05:00
Nanci Lancaster
505bc47ae1
Added GOVERNANCE.md file to repo
...
Signed-off-by: Nanci Lancaster <nancil@vmware.com>
2021-12-08 14:29:16 -05:00
Ryan Richard
c9c218fdf0
Merge branch 'main' into upstream_access_revocation_during_gc
2021-12-06 14:47:27 -08:00
Ryan Richard
46008a7235
Add struct field for storing upstream access token in downstream session
2021-12-06 14:43:39 -08:00
Mo Khan
2c5b74c960
Merge pull request #905 from vmware-tanzu/dependabot/docker/golang-1.17.4
...
Bump golang from 1.17.3 to 1.17.4
2021-12-06 15:44:42 -05:00
dependabot[bot]
db68fc3a2b
Bump golang from 1.17.3 to 1.17.4
...
Bumps golang from 1.17.3 to 1.17.4.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-12-06 01:14:25 +00:00
Ryan Richard
29490ee665
ran go mod tidy
2021-12-03 16:40:01 -08:00
Ryan Richard
b981055d31
Support revocation of access tokens in UpstreamOIDCIdentityProviderI
...
- Rename the RevokeRefreshToken() function to RevokeToken() and make it
take the token type (refresh or access) as a new parameter.
- This is a prefactor getting ready to support revocation of upstream
access tokens in the garbage collection handler.
2021-12-03 13:44:24 -08:00
Ryan Richard
edd3547977
Merge pull request #903 from vmware-tanzu/code-walkthrough-doc
...
Add first draft of code walk-through doc
2021-12-03 12:19:29 -08:00
Ryan Richard
aa361a70a7
clarifications to code walkthrough doc
2021-12-03 10:50:02 -08:00
Ryan Richard
7b6bdd8129
fix link to blog and add another in doc
2021-12-03 10:32:16 -08:00
Ryan Richard
4aed3385b6
Merge branch 'main' into code-walkthrough-doc
2021-12-03 09:17:35 -08:00
Ryan Richard
2736c3603a
fix typo in doc
2021-12-03 09:17:17 -08:00
Ryan Richard
3ea90467b7
add first draft of code walk-through doc
2021-12-02 17:18:50 -08:00
anjalitelang
683027468e
Update ROADMAP.md
2021-12-02 12:00:54 -05:00
Mo Khan
269cae3a9f
Merge pull request #895 from enj/enj/f/warning_rt
...
phttp: add generic support for RFC 2616 14.46 warnings headers
2021-11-30 16:15:39 -05:00
Monis Khan
9d4a932656
phttp: add generic support for RFC 2616 14.46 warnings headers
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-30 15:11:59 -05:00
Mo Khan
1611cf681a
Merge pull request #876 from vmware-tanzu/upstream_refresh_revocation_during_gc
...
Revoke upstream OIDC refresh tokens during downstream session garbage collection
2021-11-23 20:15:37 -05:00
Mo Khan
78474cfae9
Merge branch 'main' into upstream_refresh_revocation_during_gc
2021-11-23 19:29:13 -05:00
Mo Khan
aaf847040f
Merge pull request #893 from vmware-tanzu/fix_unit_test
...
Attempt to fix a unit test that always failed on my laptop
2021-11-23 19:25:16 -05:00
Ryan Richard
e44540043d
Attempt to fix a unit test that always failed on my laptop
...
Try to make the GCP plugin config less sensitive to the setup of the
computer on which it runs.
2021-11-23 15:47:19 -08:00
Ryan Richard
69be273e01
Merge branch 'main' into upstream_refresh_revocation_during_gc
2021-11-23 14:55:44 -08:00
Mo Khan
5a1de2f54c
Merge pull request #888 from vmware-tanzu/customize_ports
...
Make Concierge server port numbers configurable
2021-11-23 17:51:04 -05:00
Ryan Richard
91eed1ab24
Merge branch 'main' into upstream_refresh_revocation_during_gc
2021-11-23 12:11:39 -08:00
Ryan Richard
3ca8c49334
Improve garbage collector log format and some comments
2021-11-23 12:11:17 -08:00
Mo Khan
f28b33bbf0
Merge branch 'main' into customize_ports
2021-11-23 08:30:48 -05:00
Mo Khan
537f85205d
Merge pull request #889 from enj/enj/i/strict_tls_acceptance
...
tls: fix integration tests for long lived environments
2021-11-18 16:37:15 -05:00
Ryan Richard
b8a93b6b90
Merge branch 'main' into customize_ports
2021-11-18 09:31:18 -08:00
Monis Khan
764a1ad7e4
tls: fix integration tests for long lived environments
...
This change updates the new TLS integration tests to:
1. Only create the supervisor default TLS serving cert if needed
2. Port forward the node port supervisor service since that is
available in all environments
Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-18 03:55:56 -05:00
Mo Khan
6a68c6532c
Merge pull request #873 from enj/enj/i/strict_tls
...
Force the use of secure TLS config
2021-11-17 19:17:13 -05:00
Ryan Richard
3b3641568a
GC retries failed upstream revocations for a while, but not forever
2021-11-17 15:58:44 -08:00
Monis Khan
cd686ffdf3
Force the use of secure TLS config
...
This change updates the TLS config used by all pinniped components.
There are no configuration knobs associated with this change. Thus
this change tightens our static defaults.
There are four TLS config levels:
1. Secure (TLS 1.3 only)
2. Default (TLS 1.2+ best ciphers that are well supported)
3. Default LDAP (TLS 1.2+ with less good ciphers)
4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers)
Highlights per component:
1. pinniped CLI
- uses "secure" config against KAS
- uses "default" for all other connections
2. concierge
- uses "secure" config as an aggregated API server
- uses "default" config as a impersonation proxy API server
- uses "secure" config against KAS
- uses "default" config for JWT authenticater (mostly, see code)
- no changes to webhook authenticater (see code)
3. supervisor
- uses "default" config as a server
- uses "secure" config against KAS
- uses "default" config against OIDC IDPs
- uses "default LDAP" config against LDAP IDPs
Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-17 16:55:35 -05:00