Commit Graph

2888 Commits

Author SHA1 Message Date
Ryan Richard
ab302cf2b7 Add AD via browser login e2e test and refactor e2e tests to share code 2022-05-10 10:30:32 -07:00
Ryan Richard
a4e32d8f3d Extract browsertest.LoginToUpstreamLDAP() integration test helper 2022-05-09 15:43:36 -07:00
Ryan Richard
4c44f583e9 Don't add pinniped_idp_name pinniped_idp_type params into upstream state 2022-05-06 12:00:46 -07:00
Ryan Richard
ec22b5715b Add Pinniped favicon to login UI page 🦭 2022-05-05 14:46:07 -07:00
Ryan Richard
6e6e1f4add Update login page CSS selectors in e2e test 2022-05-05 13:56:38 -07:00
Ryan Richard
00d68845c4 Add --flow to choose login flow in prepare-supervisor-on-kind.sh 2022-05-05 13:42:23 -07:00
Ryan Richard
cffa353ffb Login page styling/structure for users, screen readers, passwd managers
Also:
- Add CSS to login page
- Refactor login page HTML and CSS into a new package
- New custom CSP headers for the login page, because the requirements
  are different from the form_post page
2022-05-05 13:13:25 -07:00
Ryan Richard
6ca7c932ae Add unit test for rendering form_post response from POST /login 2022-05-05 13:13:25 -07:00
Margo Crawford
329d41aac7 Add the full end to end test for ldap web ui
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-05-05 08:49:58 -07:00
Ryan Richard
656f221fb7 Merge branch 'main' into ldap-login-ui 2022-05-04 09:29:15 -07:00
Ryan Richard
a36688573b
Merge pull request #1150 from vmware-tanzu/prepare_supervisor_on_kind_active_directory
Support AD in hack/prepare-supervisor-on-kind.sh
2022-05-04 09:16:13 -07:00
Ryan Richard
2e031f727b Use security headers for the form_post page in the POST /login endpoint
Also use more specific test assertions where security headers are
expected. And run the unit tests for the login package in parallel.
2022-05-03 16:46:09 -07:00
Margo Crawford
388cdb6ddd Fix bug where form was posting to the wrong path
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-05-03 15:18:38 -07:00
Ryan Richard
eaa87c7628 support AD in hack/prepare-supervisor-on-kind.sh 2022-05-03 12:59:39 -07:00
Ryan Richard
d6e61012c6
Merge pull request #1149 from vmware-tanzu/update_kube_versions
Update kube codegen versions
2022-05-02 15:35:49 -07:00
Ryan Richard
cc1f0b8db9
Merge pull request #1148 from vmware-tanzu/ldap_group_search_escape
Escape special characters in LDAP DNs when used in search filters
2022-05-02 14:44:45 -07:00
Ryan Richard
90e88bb83c Update kube codegen versions
Note that attempting to update 1.18.18 to 1.18.20 didn't work for some
reason, so I skipped that one. The code generator didn't like 1.18.20
and it deleted all the generated code. Avoiding 1.18.19 because it is
listed as having a regression at
https://kubernetes.io/releases/patch-releases/#non-active-branch-history
2022-05-02 14:33:33 -07:00
Ryan Richard
2ad181c7dd Merge branch 'main' into ldap_group_search_escape 2022-05-02 13:49:55 -07:00
Mo Khan
ee881aa406
Merge pull request #1146 from enj/enj/i/bump_0007
Bump deps to latest and go mod compat to 1.17
2022-05-02 16:44:49 -04:00
Ryan Richard
c74dea6405 Escape special characters in LDAP DNs when used in search filters 2022-05-02 13:37:32 -07:00
Ryan Richard
69e5169fc5 Implement post_login_handler.go to accept form post and auth to LDAP/AD
Also extract some helpers from auth_handler.go so they can be shared
with the new handler.
2022-04-29 16:02:00 -07:00
Margo Crawford
646c6ec9ed Show error message on login page
Also add autocomplete attribute and title element

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-29 10:36:13 -07:00
Monis Khan
2cdb55e7da
Bump deps to latest and go mod compat to 1.17
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-28 15:37:51 -04:00
Margo Crawford
453c69af7d Fix some errors and pass state as form element
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-28 12:07:04 -07:00
Margo Crawford
07b2306254 Add basic outline of login get handler
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-28 11:51:36 -07:00
Margo Crawford
77f016fb64 Allow browser_authcode flow for pinniped login command
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-27 08:53:53 -07:00
Margo Crawford
ae60d4356b Some refactoring of shared code between OIDC and LDAP browser flows
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-27 08:51:37 -07:00
Margo Crawford
379a803509 when password header but not username is sent to password grant, error
also add more unit tests

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-26 16:46:58 -07:00
Ryan Richard
65eed7e742 Implement login_handler.go to defer to other handlers
The other handlers for GET and POST requests are not yet implemented in
this commit. The shared handler code in login_handler.go takes care of
things checking the method, checking the CSRF cookie, decoding the state
param, and adding security headers on behalf of both the GET and POST
handlers.

Some code has been extracted from callback_handler.go to be shared.
2022-04-26 15:37:30 -07:00
Margo Crawford
eb1d3812ec Update authorization endpoint to redirect to new login page
Also fix some test failures on the callback handler, register the
new login handler in manager.go and add a (half baked) integration test

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-26 12:51:56 -07:00
Margo Crawford
8832362b94 WIP: Add login handler for LDAP/AD web login
Also change state param to include IDP type
2022-04-25 16:41:55 -07:00
Margo Crawford
694e4d6df6 Advertise browser_authcode flow in ldap idp discovery
To keep this backwards compatible, this PR changes how
the cli deals with ambiguous flows. Previously, if there
was more than one flow advertised, the cli would require users
to set the flag --upstream-identity-provider-flow. Now it
chooses the first one in the list.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-25 14:54:21 -07:00
Ryan Richard
24b0ddf600
Merge pull request #1140 from vmware-tanzu/bump_kube_deps_v0.23.6
bump kube deps from v0.23.5 to v0.23.6
2022-04-21 10:18:43 -07:00
Ryan Richard
cab9ac8368 bump kube deps from v0.23.5 to v0.23.6 2022-04-21 09:17:24 -07:00
Ryan Richard
793b8b9260
Merge pull request #1121 from anjaltelang/main
v0.16.0 Blog
2022-04-20 11:54:20 -07:00
Pinny
4071b48f01 Updated versions in docs for v0.16.0 release 2022-04-20 18:52:59 +00:00
Ryan Richard
46e61bdea9
Update 2022-04-15-fips-and-more.md
Update release date
2022-04-20 10:56:21 -07:00
Ryan Richard
52341f4e49
Merge pull request #1083 from vmware-tanzu/dependabot/go_modules/k8s.io/klog/v2-2.60.1
Bump k8s.io/klog/v2 from 2.40.1 to 2.60.1
2022-04-19 15:22:08 -07:00
dependabot[bot]
cd982655a2
Bump k8s.io/klog/v2 from 2.40.1 to 2.60.1
Bumps [k8s.io/klog/v2](https://github.com/kubernetes/klog) from 2.40.1 to 2.60.1.
- [Release notes](https://github.com/kubernetes/klog/releases)
- [Changelog](https://github.com/kubernetes/klog/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes/klog/compare/v2.40.1...v2.60.1)

---
updated-dependencies:
- dependency-name: k8s.io/klog/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-19 20:33:38 +00:00
Margo Crawford
311bb05993
Merge pull request #1130 from vmware-tanzu/kube-versions-april-22
Update kube versions to latest patch
2022-04-19 13:30:40 -07:00
Ryan Richard
0ec5e57114
Merge pull request #1131 from vmware-tanzu/bump_some_deps
Bump some deps
2022-04-19 13:29:28 -07:00
Margo Crawford
63779ddac2
Merge pull request #1129 from vmware-tanzu/jwt-authenticator-client-field
JWTAuthenticator distributed claims resolution honors tls config
2022-04-19 13:28:43 -07:00
Ryan Richard
4de8004094 Empty commit to trigger CI 2022-04-19 12:12:45 -07:00
Margo Crawford
0b72f7084c JWTAuthenticator distributed claims resolution honors tls config
Kube 1.23 introduced a new field on the OIDC Authenticator which
allows us to pass in a client with our own TLS config. See
https://github.com/kubernetes/kubernetes/pull/106141.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-19 11:36:46 -07:00
Ryan Richard
132d2aac72 add a code comment 2022-04-19 11:35:46 -07:00
Ryan Richard
2d4f4e4efd Merge branch 'main' into bump_some_deps 2022-04-19 11:32:53 -07:00
Margo Crawford
c40bca5e65
Merge pull request #1127 from hectorj2f/add_code_challenge_method_support
oidc: add code challenge supported methods to the discovery doc
2022-04-19 11:23:57 -07:00
Margo Crawford
019750a292 Update kube versions to latest patch
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-19 11:19:24 -07:00
Anjali Telang
9e5d4ae51c Blog for v0.16.0
Signed-off-by: Anjali Telang <atelang@vmware.com>
2022-04-19 14:16:45 -04:00
Ryan Richard
5b9831d319 bump the kube direct deps 2022-04-19 11:13:52 -07:00