Margo Crawford
98b0b6b21c
One line fix to the supervisor warnings test
...
Make the scopes in the cache key include the new groups scope
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-24 08:09:32 -07:00
Margo Crawford
8adc1ce345
Fix failing active directory integration test
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 16:16:32 -07:00
Margo Crawford
a010e72b29
Merge branch 'dynamic_clients' into require-groups-scope
2022-06-22 14:27:06 -07:00
Margo Crawford
f2005b4c7f
Merge branch 'dynamic_clients' into require-groups-scope
2022-06-22 12:30:54 -07:00
Margo Crawford
c70a0b99a8
Don't do ldap group search when group scope not specified
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 10:58:08 -07:00
Margo Crawford
9903c5f79e
Handle refresh requests without groups scope
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 08:21:16 -07:00
Ryan Richard
5aa0d91267
New controller watches OIDCClients and updates validation Conditions
2022-06-17 13:11:26 -04:00
Monis Khan
36a5c4c20d
Fix TestOIDCClientStaticValidation on old servers
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-17 09:04:03 -04:00
Mo Khan
4bf734061d
Merge pull request #1190 from vmware-tanzu/client-secret-api-noop
...
aggregated api for oidcclientsecretrequest
2022-06-16 10:30:13 -04:00
Margo Crawford
64cd8b0b9f
Add e2e test for groups scope
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 13:41:22 -07:00
Monis Khan
59d67322d3
Static validation for OIDC clients
...
The following validation is enforced:
1. Names must start with client.oauth.pinniped.dev-
2. Redirect URIs must start with https://
or http://127.0.0.1
or http://::1
3. All spec lists must not have duplicates
Added an integration test to assert all static validations.
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-15 15:09:40 -04:00
Margo Crawford
424f925a14
Merge branch 'dynamic_clients' into client-secret-api-noop
2022-06-15 09:38:55 -07:00
Margo Crawford
c117329553
Updates based on code review
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 09:38:21 -07:00
Margo Crawford
4d0c2e16f4
require groups scope to get groups back from supervisor
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 08:00:17 -07:00
Mo Khan
c77bee67c1
Merge pull request #1189 from vmware-tanzu/token_exchange_aud
...
Disallow certain requested audience strings in token exchange
2022-06-14 16:41:51 -04:00
Margo Crawford
104e08b0f6
Merge branch 'dynamic_clients' into client-secret-api-noop
2022-06-13 15:52:34 -07:00
Margo Crawford
0c1f48cbc1
Move oidcclient into config.supervisor.pinniped.dev
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-13 15:48:54 -07:00
Margo Crawford
8f4285dbff
Change group names
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-13 14:28:05 -07:00
Ryan Richard
b9272b2729
Reserve all of *.pinniped.dev for requested aud in token exchanges
...
Our previous plan was to reserve only *.oauth.pinniped.dev but we
changed our minds during PR review.
2022-06-13 12:08:11 -07:00
Margo Crawford
ba371423d9
Add integration test for OIDCClientSecretRequest
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-10 13:56:15 -07:00
Ryan Richard
e7096c61a8
Merge branch 'main' into dynamic_clients
2022-06-10 12:52:59 -07:00
Margo Crawford
889348e999
WIP aggregated api for oidcclientsecretrequest
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-09 13:47:19 -07:00
Ryan Richard
ec533cd781
Skip some recently added integration tests when LDAP is unavailable
...
Also refactor to use shared test helper for skipping LDAP and AD tests.
2022-06-08 12:57:00 -07:00
Ryan Richard
dd61ada540
Allow new warning messages about GCP plugin in TestGetPinnipedCategory
2022-06-08 10:22:15 -07:00
Ryan Richard
321abfc98d
Merge branch 'dynamic_clients' into token_exchange_aud
2022-06-08 09:03:29 -07:00
Ryan Richard
97d17bbda8
Merge branch 'main' into dynamic_clients
2022-06-08 09:03:06 -07:00
Ryan Richard
ea45e5dfef
Disallow certain requested audience strings in token exchange
2022-06-07 16:32:19 -07:00
Ryan Richard
8170889aef
Update CSP header expectations in TestSupervisorLogin_Browser int test
2022-06-07 11:20:59 -07:00
Margo Crawford
ca3da0bc90
Fix some disallowed kubebuilder annotations, fix kube api discovery test
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-04 21:04:40 -07:00
Ryan Richard
cb8685b942
Add e2e test for PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW env var
2022-06-02 11:27:54 -07:00
Ryan Richard
0f2a984308
Merge branch 'main' into ldap-login-ui
2022-05-11 11:32:15 -07:00
Ryan Richard
aa732a41fb
Add LDAP browser flow login failure tests to supervisor_login_test.go
...
Also do some refactoring to share more common test setup code in
supervisor_login_test.go.
2022-05-10 16:28:08 -07:00
Ryan Richard
0b106c245e
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 12:54:40 -07:00
Ryan Richard
ab302cf2b7
Add AD via browser login e2e test and refactor e2e tests to share code
2022-05-10 10:30:32 -07:00
Ryan Richard
a4e32d8f3d
Extract browsertest.LoginToUpstreamLDAP() integration test helper
2022-05-09 15:43:36 -07:00
Ryan Richard
6e6e1f4add
Update login page CSS selectors in e2e test
2022-05-05 13:56:38 -07:00
Margo Crawford
329d41aac7
Add the full end to end test for ldap web ui
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-05-05 08:49:58 -07:00
Margo Crawford
eb891d77a5
Tiny fix: pinninpeds->pinnipeds
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-05-04 12:42:55 -07:00
Margo Crawford
07b2306254
Add basic outline of login get handler
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-28 11:51:36 -07:00
Margo Crawford
eb1d3812ec
Update authorization endpoint to redirect to new login page
...
Also fix some test failures on the callback handler, register the
new login handler in manager.go and add a (half baked) integration test
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-26 12:51:56 -07:00
hectorj2f
a3f7afaec4
oidc: add code challenge supported methods
...
Signed-off-by: hectorj2f <hectorf@vmware.com>
2022-04-19 01:21:39 +02:00
Margo Crawford
d5337c9c19
Error format of untrusted certificate errors should depend on OS
...
Go 1.18.1 started using MacOS' x509 verification APIs on Macs
rather than Go's own. The error messages are different.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-14 17:37:36 -07:00
Ryan Richard
53348b8464
Add custom prefix to downstream access and refresh tokens and authcodes
2022-04-13 10:13:27 -07:00
Monis Khan
3f0753ec5a
Remove duplication in secure TLS tests
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:56:38 -04:00
Monis Khan
15bc6a4a67
Add more details to FIPS comments
...
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:56:38 -04:00
Margo Crawford
53597bb824
Introduce FIPS compatibility
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-29 16:58:41 -07:00
Ryan Richard
cf471d6422
Remove unused env.SupervisorHTTPAddress integration test var
2022-03-29 09:13:44 -07:00
Ryan Richard
bedf4e5a39
Try to avoid getting a second username prompt in a test in e2e_test.go
2022-03-22 14:23:50 -07:00
Ryan Richard
2715741c2c
Increase a test timeout in e2e_test.go
2022-03-22 12:13:10 -07:00
Ryan Richard
d162e294ed
Split up the context timeouts per test in e2e_test.go
2022-03-22 10:17:45 -07:00