djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,035 Commits 30 Branches 34 Tags 22 MiB
Commit Graph

1035 Commits

Author SHA1 Message Date
Matt Moyer f0ebd808d7
Switch CSRF cookie from `Same-Site=Strict` to `Same-Site=Lax`. 
This CSRF cookie needs to be included on the request to the callback endpoint triggered by the redirect from the OIDC upstream provider. This is not allowed by `Same-Site=Strict` but is allowed by `Same-Site=Lax` because it is a "cross-site top-level navigation" [1].

We didn't catch this earlier with our Dex-based tests because the upstream and downstream issuers were on the same parent domain `*.svc.cluster.local` so the cookie was allowed even with `Strict` mode.

[1]: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-3.2

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-03 21:30:00 -06:00
Margo Crawford 0bb2b10b3b Passing signing key through to the token endpoint 2020-12-03 17:16:08 -08:00
Matt Moyer fa94ebfbd1
Merge pull request #229 from vmware-tanzu/callback-endpoint 
Implement supervisor OIDC upstream callback endpoint used during authorize flow
 2020-12-03 16:28:02 -06:00
Matt Moyer c18c670765
Merge remote-tracking branch 'origin/main' into callback-endpoint 2020-12-03 14:53:26 -06:00
Matt Moyer f410da0ed2
Merge pull request #242 from rajat404/refactor-docs 
Remove duplicate docs from the repo and change all links to point to …
 2020-12-03 14:52:51 -06:00
Andrew Keesler 58237d0e7d
WIP: start to wire signing key into token handler 
This commit includes a failing test (amongst other compiler failures) for the
dynamic signing key fetcher that we will inject into fosite. We are checking it
in so that we can pass the WIP off.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-03 15:37:25 -05:00
Matt Moyer c8abc79d9b
Fix this comment (and retrigger CI). 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-03 14:24:26 -06:00
Matt Moyer 9455a66be8
This trailing dash is now taken care of by the library method. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-03 13:56:24 -06:00
aram price 05085d8e23 Use anonymous interface in test for Storage 2020-12-03 11:26:36 -08:00
Matt Moyer 8563c05baf
Tweak these timeouts to be a bit faster (and retrigger CI). 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-03 13:22:27 -06:00
Ryan Richard 67bf54a9f9 Use an interface for storage in token_handler_test.go 
Signed-off-by: Aram Price <pricear@vmware.com>
 2020-12-03 11:05:47 -08:00
Matt Moyer 408fbe4f76
Parameterize the `supervisor_redirect_uri` in the test env Dex. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-03 12:45:56 -06:00
Matt Moyer cb5e494815
Dump out proxy access logs in TestSupervisorLogin. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-03 11:28:48 -06:00
Matt Moyer 954591d2db
Add some debugging logs to our proxy client code. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-03 10:25:26 -06:00
Andrew Keesler 2f1a67ef0d
Merge remote-tracking branch 'upstream/callback-endpoint' into token-endpoint 2020-12-03 11:14:37 -05:00
Matt Moyer d7b1ab8e43
Try to capture more logs from the TestSupervisorLogin test. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-03 09:39:33 -06:00
Matt Moyer 1d44a0cdfa
Add a small integration test library to dump pod logs on test failures. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-03 09:39:33 -06:00
Matt Moyer 1fa41c4d0a
Merge remote-tracking branch 'origin/main' into callback-endpoint 2020-12-03 08:50:31 -06:00
Matt Moyer 0deb7cc09a
Merge pull request #250 from mattmoyer/fix-ipv6-test-regression 
Fix a test regression with IPv6 localhost interfaces.
 2020-12-03 08:48:57 -06:00
Andrew Keesler fe2e2bdff1
Our ID token signing algorithm is ES256, not RS256 
We are currently using EC keys to sign ID tokens, so we should reflect that in
our OIDC discovery metadata.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-03 07:46:07 -05:00
Ryan Richard 95093ab0af Use kube storage for the supervisor callback endpoint's fosite sessions 2020-12-02 17:40:01 -08:00
Margo Crawford 1dd7c82af6 Added id token verification 2020-12-02 16:55:48 -08:00
Matt Moyer 64ef53402d
In TestSupervisorLogin, wrap the discovery request in an `Eventually()`. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 18:07:52 -06:00
Matt Moyer 37c5e121c4
Fix a test issue with IPv6 localhost interfaces. 
This fixes a regression introduced by 24c4bc0dd4. It could occasionally cause the tests to fail when run on a machine with an IPv6 localhost interface. As a fix I added a wrapper for the new Go 1.15 `LookupIP()` method, and created a partially-functional backport for Go 1.14. This should be easy to delete in the future.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 17:49:21 -06:00
Matt Moyer 879525faac
Clean up the browsertest package a bit. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 17:20:24 -06:00
Ryan Richard 6ed9107df0 Remove a couple of todos that will be resolved in Slack conversations 2020-12-02 14:20:18 -08:00
Ryan Richard c320132289 Back-fill some more unit tests on authorizationcode_test.go 2020-12-02 14:20:18 -08:00
Matt Moyer ae9bdc1d61
Fix a lint warning by simplifying this append operation. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 16:11:40 -06:00
Matt Moyer c0f13ef4ac
Merge remote-tracking branch 'origin/main' into callback-endpoint 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 16:09:08 -06:00
Matt Moyer f40144e1a9
Update TestSupervisorLogin to test the callback flow using a browser. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:35 -06:00
Matt Moyer 0ccf14801e
Expose the MaskTokens function so other test code can use it. 
This is just a small helper to make test output more readable.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:34 -06:00
Matt Moyer 273ac62ec2
Extend the test client helpers in ./test/library/client.go. 
This adds a few new "create test object" helpers and extends `CreateTestOIDCProvider()` to optionally wait for the created OIDCProvider to enter some expected status condition.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:34 -06:00
Matt Moyer 545c26e5fe
Refactor browser-related test functions to a `./test/library/browsertest` package. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:34 -06:00
Matt Moyer 22953cdb78
Add a CA.Pool() method to ./internal/certauthority. 
This is convenient for at least one test and is simple enough to write and test.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:34 -06:00
Matt Moyer fe0481c304
In integration test env, deploy a ClusterIP service and register that with Dex. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:33 -06:00
Matt Moyer fde56164cd
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. 
We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:33 -06:00
Matt Moyer 4fe691de92
Save an http.Client with each upstreamoidc.ProviderConfig object. 
This allows the token exchange request to be performed with the correct TLS configuration.

We go to a bit of extra work to make sure the `http.Client` object is cached between reconcile operations so that connection pooling works as expected.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:33 -06:00
Matt Moyer c23c54f500
Add an explicit `Path=/;` to our CSRF cookie, per the spec. 
> [...] a cookie named "__Host-cookie1" MUST contain a "Path" attribute with a value of "/".

https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:33 -06:00
Margo Crawford 9419b7392d
WIP: start to validate ID token returned from token endpoint 
This won't compile, but we are passing this between two teammates.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-02 16:26:47 -05:00
Andrew Keesler 09e6c86c46
token_handler.go: complete some TODOs and strengthen double auth code test 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-02 15:33:57 -05:00
Rajat Goyal 7e78c9322c Remove duplicate documentation images from the repo and change all links to point to the Hugo site 2020-12-02 23:58:19 +05:30
Rajat Goyal 31810a97e1 Remove duplicate docs from the repo and change all links to point to the Hugo site 2020-12-02 23:58:19 +05:30
Andrew Keesler 8e4c85d816
WIP: get linting and unit tests passing after token endpoint first draft 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-02 11:16:02 -05:00
Andrew Keesler 970be58847
token_handler.go: first draft of token handler, with a bunch of TODOs 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-02 11:14:45 -05:00
Margo Crawford d60c184424 Add pkce and openidconnect storage 
- Also refactor authorizationcode_test

Signed-off-by: Ryan Richard <rrichard@vmware.com>
 2020-12-01 17:18:32 -08:00
Ryan Richard f38c150f6a Finished tests for pkce storage and added it to kubestorage 
- Also fixed some lint errors with v1.33.0 of the linter

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-01 14:53:22 -08:00
Margo Crawford c8eaa3f383 WIP towards using k8s fosite storage in the supervisor's callback endpoint 
- Note that this WIP commit includes a failing unit test, which will
  be addressed in the next commit

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-01 11:01:42 -08:00
Matt Moyer be8f11fe5a
Merge pull request #246 from mattmoyer/build-on-go-1.14 
Tweak some stdlib usage so we compile under Go 1.14.
 2020-11-30 17:38:19 -06:00
Matt Moyer b272b3f331
Refactor oidcclient.Login to use new upstreamoidc package. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-30 17:37:14 -06:00
Matt Moyer 4b60c922ef
Add generated mock of UpstreamOIDCIdentityProviderI. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-30 17:37:14 -06:00