f13c5e3f06
Fix supervisor scheme comment
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-24 09:56:44 -04:00
a010e72b29
Merge branch 'dynamic_clients' into require-groups-scope
2022-06-22 14:27:06 -07:00
dac0395680
Add a couple tests, address pr comments
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 14:19:55 -07:00
f2005b4c7f
Merge branch 'dynamic_clients' into require-groups-scope
2022-06-22 12:30:54 -07:00
c70a0b99a8
Don't do ldap group search when group scope not specified
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 10:58:08 -07:00
9903c5f79e
Handle refresh requests without groups scope
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 08:21:16 -07:00
5aa0d91267
New controller watches OIDCClients and updates validation Conditions
2022-06-17 13:11:26 -04:00
36a5c4c20d
Fix TestOIDCClientStaticValidation on old servers
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-17 09:04:03 -04:00
4bf734061d
Merge pull request #1190 from vmware-tanzu/client-secret-api-noop
...
aggregated api for oidcclientsecretrequest
2022-06-16 10:30:13 -04:00
64cd8b0b9f
Add e2e test for groups scope
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 13:41:22 -07:00
59d67322d3
Static validation for OIDC clients
...
The following validation is enforced:
1. Names must start with client.oauth.pinniped.dev-
2. Redirect URIs must start with https://
or http://127.0.0.1
or http://::1
3. All spec lists must not have duplicates
Added an integration test to assert all static validations.
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-15 15:09:40 -04:00
424f925a14
Merge branch 'dynamic_clients' into client-secret-api-noop
2022-06-15 09:38:55 -07:00
c117329553
Updates based on code review
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 09:38:21 -07:00
4d0c2e16f4
require groups scope to get groups back from supervisor
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 08:00:17 -07:00
8f4285dbff
Change group names
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-13 14:28:05 -07:00
b9272b2729
Reserve all of *.pinniped.dev for requested aud in token exchanges
...
Our previous plan was to reserve only *.oauth.pinniped.dev but we
changed our minds during PR review.
2022-06-13 12:08:11 -07:00
ba371423d9
Add integration test for OIDCClientSecretRequest
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-10 13:56:15 -07:00
889348e999
WIP aggregated api for oidcclientsecretrequest
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-09 13:47:19 -07:00
321abfc98d
Merge branch 'dynamic_clients' into token_exchange_aud
2022-06-08 09:03:29 -07:00
ea45e5dfef
Disallow certain requested audience strings in token exchange
2022-06-07 16:32:19 -07:00
472ab229e7
Merge branch 'main' into auth_handler_form_post_csp
2022-06-07 18:26:52 -04:00
7751c0bf59
Bump project deps, including kube 0.23.6->0.24.1 and Go 1.18.1->1.18.3
...
Several API changes in Kube required changes in Pinniped code.
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-07 15:26:30 -04:00
b99c4773a2
Use CSP headers in auth handler response
...
When response_mode=form_post is requested, some error cases will be
returned to the client using the form_post web page to POST the result
back to the client's redirect URL.
2022-06-02 09:23:34 -07:00
0674215ef3
Switch to go.uber.org/zap for JSON formatted logging
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-05-24 11:17:42 -04:00
39fd9ba270
Small refactors and comments for LDAP/AD UI
2022-05-19 16:02:08 -07:00
0f2a984308
Merge branch 'main' into ldap-login-ui
2022-05-11 11:32:15 -07:00
aa732a41fb
Add LDAP browser flow login failure tests to supervisor_login_test.go
...
Also do some refactoring to share more common test setup code in
supervisor_login_test.go.
2022-05-10 16:28:08 -07:00
4c44f583e9
Don't add pinniped_idp_name pinniped_idp_type params into upstream state
2022-05-06 12:00:46 -07:00
ec22b5715b
Add Pinniped favicon to login UI page 🦭
2022-05-05 14:46:07 -07:00
cffa353ffb
Login page styling/structure for users, screen readers, passwd managers
...
Also:
- Add CSS to login page
- Refactor login page HTML and CSS into a new package
- New custom CSP headers for the login page, because the requirements
are different from the form_post page
2022-05-05 13:13:25 -07:00
6ca7c932ae
Add unit test for rendering form_post response from POST /login
2022-05-05 13:13:25 -07:00
656f221fb7
Merge branch 'main' into ldap-login-ui
2022-05-04 09:29:15 -07:00
2e031f727b
Use security headers for the form_post page in the POST /login endpoint
...
Also use more specific test assertions where security headers are
expected. And run the unit tests for the login package in parallel.
2022-05-03 16:46:09 -07:00
acc6c50e48
More unit tests for LDAP DNs which contain special chars
...
Adding explicit coverage for PerformRefresh().
2022-05-03 15:43:01 -07:00
388cdb6ddd
Fix bug where form was posting to the wrong path
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-05-03 15:18:38 -07:00
c74dea6405
Escape special characters in LDAP DNs when used in search filters
2022-05-02 13:37:32 -07:00
69e5169fc5
Implement post_login_handler.go to accept form post and auth to LDAP/AD
...
Also extract some helpers from auth_handler.go so they can be shared
with the new handler.
2022-04-29 16:02:00 -07:00
646c6ec9ed
Show error message on login page
...
Also add autocomplete attribute and title element
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-29 10:36:13 -07:00
453c69af7d
Fix some errors and pass state as form element
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-28 12:07:04 -07:00
07b2306254
Add basic outline of login get handler
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-28 11:51:36 -07:00
ae60d4356b
Some refactoring of shared code between OIDC and LDAP browser flows
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-27 08:51:37 -07:00
379a803509
when password header but not username is sent to password grant, error
...
also add more unit tests
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-26 16:46:58 -07:00
65eed7e742
Implement login_handler.go to defer to other handlers
...
The other handlers for GET and POST requests are not yet implemented in
this commit. The shared handler code in login_handler.go takes care of
things checking the method, checking the CSRF cookie, decoding the state
param, and adding security headers on behalf of both the GET and POST
handlers.
Some code has been extracted from callback_handler.go to be shared.
2022-04-26 15:37:30 -07:00
eb1d3812ec
Update authorization endpoint to redirect to new login page
...
Also fix some test failures on the callback handler, register the
new login handler in manager.go and add a (half baked) integration test
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-26 12:51:56 -07:00
8832362b94
WIP: Add login handler for LDAP/AD web login
...
Also change state param to include IDP type
2022-04-25 16:41:55 -07:00
694e4d6df6
Advertise browser_authcode flow in ldap idp discovery
...
To keep this backwards compatible, this PR changes how
the cli deals with ambiguous flows. Previously, if there
was more than one flow advertised, the cli would require users
to set the flag --upstream-identity-provider-flow. Now it
chooses the first one in the list.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-25 14:54:21 -07:00
0ec5e57114
Merge pull request #1131 from vmware-tanzu/bump_some_deps
...
Bump some deps
2022-04-19 13:29:28 -07:00
0b72f7084c
JWTAuthenticator distributed claims resolution honors tls config
...
Kube 1.23 introduced a new field on the OIDC Authenticator which
allows us to pass in a client with our own TLS config. See
https://github.com/kubernetes/kubernetes/pull/106141 .
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-19 11:36:46 -07:00
132d2aac72
add a code comment
2022-04-19 11:35:46 -07:00
2d4f4e4efd
Merge branch 'main' into bump_some_deps
2022-04-19 11:32:53 -07:00
Monis Khan