Ryan Richard
a47617cad0
callback_handler.go: Add JWT Audience claim to storage
2020-11-19 08:53:53 -08:00
Ryan Richard
ee84f31f42
callback_handler.go: Add JWT Issuer claim to storage
2020-11-19 08:35:23 -08:00
Andrew Keesler
ace861f722
callback_handler.go: get some thoughts down about default upstream claims
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 11:08:21 -05:00
Andrew Keesler
2e62be3ebb
callback_handler.go: assert correct args are passed to token exchange
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 10:20:46 -05:00
Andrew Keesler
48e0250649
callback_handler.go: test that we request openid scope correctly
Also add some testing.T.Log() calls to make debugging handler test failures
easier.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 09:28:56 -05:00
Andrew Keesler
6c72507bca
callback_handler.go: add test for failed upstream exchange/validation
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 09:00:41 -05:00
Andrew Keesler
63b8c6e4b2
callback_handler.go: test when state missing a needed param
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 08:51:23 -05:00
Andrew Keesler
ffdb7fa795
callback_handler.go: add a test for invalid state auth params
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 08:41:44 -05:00
Ryan Richard
652ea6bd2a
Start using fosite in the Supervisor's callback handler
2020-11-18 17:15:01 -08:00
Ryan Richard
227fbd63aa
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider
Because we want it to implement an AuthcodeExchanger interface and
do it in a way that will be more unit test-friendly than the underlying
library that we intend to use inside its implementation.
2020-11-18 13:38:13 -08:00
Ryan Richard
97552aec5f
Merge branch 'main' into callback-endpoint
2020-11-17 09:06:54 -08:00
Matt Moyer
ee978fdde8
Add controller support for spec.tls field.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
dd2133458e
Add --ca-bundle flag to "pinniped login oidc" command.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 18:15:20 -06:00
Andrew Keesler
1c7601a2b5
callback_handler.go: start happy path test with redirect
Next steps: fosite storage?
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-16 17:07:34 -05:00
Ryan Richard
052cdc40dc
callback_handler.go: add CSRF and version state validations
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 14:41:00 -05:00
Andrew Keesler
4138c9244f
callback_handler.go: write 2 invalid cookie tests
Also common-ize some more constants shared between the auth and callback
endpoints.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 11:47:49 -05:00
Andrew Keesler
3ef1171667
Tiny bit more code for Supervisor's callback_handler.go
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-13 15:59:51 -08:00
Matt Moyer
c10393b495
Mask the raw error messages from go-oidc, since they are dangerous.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 16:22:34 -06:00
Mo Khan
d5ee925e62
Merge pull request #213 from mattmoyer/more-categories
Add our TokenCredentialRequest to the "pinniped" API category as well.
2020-11-13 15:51:42 -05:00
Matt Moyer
ab87977c08
Put our TokenCredentialRequest API into the "pinniped" category.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 14:22:26 -06:00
Matt Moyer
f4dfc22f8e
Merge pull request #212 from enj/enj/i/restore_cert_ttl
Reduce client cert TTL back to 5 mins
2020-11-13 14:11:44 -06:00
Matt Moyer
cbd71df574
Add "upstream-watcher" controller to supervisor.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 12:30:38 -06:00
Monis Khan
c05cbca0b0
Reduce client cert TTL back to 5 mins
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-13 13:30:02 -05:00
Andrew Keesler
81b9a48437
callback_handler.go: initial API/test shape with 1 test
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-13 12:32:35 -05:00
Andrew Keesler
080bb594b2
Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones
- To better support having multiple downstream providers configured,
the authorize endpoint will share a CSRF cookie between all
downstream providers' authorize endpoints. The first time a
user's browser hits the authorize endpoint of any downstream
provider, that endpoint will set the cookie. Then if the user
starts an authorize flow with that same downstream provider or with
any other downstream provider which shares the same domain name
(i.e. differentiated by issuer path), then the same cookie will be
submitted and respected.
- Just in case we are sharing the domain name with some other app,
we sign the value of any new CSRF cookie and check the signature
when we receive the cookie. This wasn't strictly necessary since
we probably won't share a domain name with other apps, but it
wasn't hard to add this cookie signing.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-12 15:36:59 -08:00
Andrew Keesler
8321773a22
auth_handler.go: fix lint error
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-12 12:24:40 -05:00
Andrew Keesler
3a943a3b9a
auth_handler.go: ignore encoding timestamp for deterministic tests
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-12 12:14:50 -05:00
Ryan Richard
6d380c629a
auth_handler.go: use encryption in tests
Our unit tests are gonna touch a lot more corner cases than our
integration tests, so let's make them run as close to the real
implementation as possible.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-12 12:14:49 -05:00
Monis Khan
9c8b081906
Prevent multiple pinnipeds from thrashing on the API service
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-11 20:09:49 -05:00
Monis Khan
db6fc234b7
Add NullStorage for the authorize endpoint to use
We want to run all of the fosite validations in the authorize
endpoint, but we don't need to store anything yet because
we are storing what we need for later in the upstream state
parameter.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-11 14:49:24 -08:00
Ryan Richard
4b8c1de647
Add unit test to auth_handler_test.go for non-openid authorize requests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-11 13:13:57 -08:00
Andrew Keesler
c2262773e6
Finish the WIP from the previous commit for saving authorize endpoint state
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-11 12:29:14 -08:00
Monis Khan
dd190dede6
WIP for saving authorize endpoint state into upstream state param
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-10 17:58:00 -08:00
Andrew Keesler
005225d5f9
Use the new plog pkg in auth_handler.go
- Add a new helper method to plog to make a consistent way to log
expected errors at the info level (as opposed to unexpected
system errors that would be logged using plog.Error)
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-10 10:33:52 -08:00
Ryan Richard
b21c27b219
Merge branch 'main' into authorize_endpoint
2020-11-10 09:24:19 -08:00
Monis Khan
1c60e09f13
Make race detector happy by removing parallelism
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-10 11:23:42 -05:00
Monis Khan
15a5332428
Reduce log spam
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-10 10:22:27 -05:00
Monis Khan
a5643e3738
Add log level support
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-10 10:22:27 -05:00
Monis Khan
9356f64c55
Remove global klog --log-flush-frequency flag
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-10 08:48:42 -05:00
Ryan Richard
246471bc91
Also run OIDC validations in supervisor authorize endpoint
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-06 14:44:58 -08:00
Ryan Richard
33ce79f89d
Expose the Supervisor OIDC authorization endpoint to the public
2020-11-04 17:06:47 -08:00
Andrew Keesler
a36f7c6c07
Test that the port of localhost redirect URI is ignored during validation
Also move definition of our oauth client and the general fosite
configuration to a helper so we can use the same config to construct
the handler for both test and production code.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-04 15:04:50 -08:00
Ryan Richard
ba688f56aa
Supervisor authorize endpoint errors when PKCE code_challenge_method is invalid
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 12:29:43 -08:00
Andrew Keesler
2564d1be42
Supervisor authorize endpoint errors when missing PKCE params
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-04 12:19:07 -08:00
Matt Moyer
4da3d93f6e
The supervisor JWKS observer and TLS cert controllers use the ctx after all, whoops.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-04 13:08:50 -06:00
Ryan Richard
0045ce4286
Refactor auth_handler_test.go's creation of paths and urls to use helpers
2020-11-04 09:58:40 -08:00
Monis Khan
418f4d20ae
Use parent func to indicate when the controller queue is a singleton
This prevents unnecessary sync loop runs when the controller is
running with a single worker. When the controller is running with
more than one worker, it prevents subtle bugs that can cause the
controller to go "back in time."
Signed-off-by: Monis Khan <mok@vmware.com>
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-04 11:08:10 -06:00
Ryan Richard
8a7e22e63e
@ankeesler: Maybe, but not this time ;)
2020-11-04 08:43:45 -08:00
Andrew Keesler
9e4ffd1cce
One of these days I will get here.Doc() spacing correct
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 11:29:33 -05:00
Andrew Keesler
6fe455c687
auth_handler.go: comment out currently unused fosite wiring
See e8f4336 for why this is here in the first place.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 11:20:03 -05:00