djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,045 Commits 30 Branches 34 Tags 22 MiB
Commit Graph

1045 Commits

Author SHA1 Message Date
Ryan Richard 51c828382f Supervisor token endpoint supports refresh grant type 
- This commit does not include the sad path tests for the refresh
  grant type, which will come in a future commit.
 2020-12-09 12:12:59 -08:00
Matt Moyer 02d96d731f
Finish TestTokenExchange unit tests and add missing scope check. 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-09 13:56:53 -06:00
Ryan Richard cac3a3520f Merge branch 'main' into token-refresh 2020-12-09 09:58:21 -08:00
Matt Moyer b04db6ad2b
Fix some false positive gosec warnings. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-09 10:42:37 -06:00
Matt Moyer f1aff2faab
Start extending TestSupervisorLogin to test the token exchange flow (WIP). 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-09 10:23:10 -06:00
Matt Moyer b1542be7b1
In oidcclient token exchange request, pass client_id but don't bother with authorization header. 
I think this should be more correct. In the server we're authenticating the request primarily via the `subject_token` parameter anyway, and Fosite needs the `client_id` to be set.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-09 10:08:41 -06:00
Matt Moyer 1db2ae3a45
Add more parameter validations and refactor internal/oidc/token_exchange.go. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-09 10:04:58 -06:00
Matt Moyer e25d090ca9
Merge branch 'main' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint 2020-12-09 10:00:54 -06:00
Andrew Keesler 5f4348c57d
Merge pull request #266 from ankeesler/fix-jwt-auth-ca-bundle 
Fix `JWTAuthenticator` CA bundle
 2020-12-09 10:43:33 -05:00
Matt Moyer 644cb687b9
Grant the Pinniped STS scope in authorize/callback handlers. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-09 09:36:45 -06:00
Matt Moyer bebe25c32e
Merge branch 'main' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint 2020-12-09 09:25:58 -06:00
Andrew Keesler 4c0fb12cf6
test/integration: only set JWTAuthenticator CA bundle when it exists 
See comment in code.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-09 10:15:53 -05:00
Andrew Keesler 93cfd8c93a
Fix prepare-for-integration-tests.sh and Tiltfile for kubectl 1.20 
kubectl 1.20 prints "Kubernetes control plane" instead of "Kubernetes master".

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-09 10:15:34 -05:00
Matt Moyer 5f1bd5ec31
Update TestNullStorage_GetClient with adjusted pinniped-cli scopes. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-09 09:12:32 -06:00
Andrew Keesler 8fcc176d8b
Merge pull request #258 from ankeesler/jwt-authenticator 
Add JWTAuthenticator API and initial controller
 2020-12-09 08:21:04 -05:00
Ryan Richard 6420caca94 Bring back the test that was skipped by the previous commit 
- This test is still a work in progress. Some TODO comments
  have been added to give hints for next steps.
 2020-12-08 18:25:01 -08:00
Ryan Richard f84dda937b Merge branch 'token-refresh' into token-exchange-endpoint 2020-12-08 18:12:12 -08:00
Ryan Richard ef4ef583dc token_handler_test.go: Refactor how we specify the expected results 
- This is to make it easier for the token exchange branch to also edit
  this test without causing a lot of merge conflicts with the
  refresh token branch, to enable parallel development of closely
  related stories.
 2020-12-08 18:10:55 -08:00
Margo Crawford f103c02408 Add check for grant type in tokenexchangehandler, 
- also started writing a test for the tokenexchangehandler, skipping for
now

Signed-off-by: Ryan Richard <rrichard@vmware.com>
 2020-12-08 17:33:08 -08:00
Margo Crawford ef3f837800 Merge remote-tracking branch 'origin/token-refresh' into token-exchange-endpoint 2020-12-08 16:58:35 -08:00
Ryan Richard 170982a688 refactor token_handler_test.go: easier to make more requests after initial authcode exchange 
- This refactor will allow us to add new test tables for the
  refresh and token exchange requests, which both must come after
  an initial successful authcode exchange has already happened

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-08 16:54:58 -08:00
Margo Crawford a852baac75 Merge remote-tracking branch 'origin/token-refresh' into token-exchange-endpoint 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-08 12:55:44 -08:00
Andrew Keesler 381a2e749a
impotent -> idempotent 
These words do not mean the same thing...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-08 15:41:49 -05:00
Aram Price 9ed5dcb031
Only create underlying jwt authenticator when spec has changed 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-08 15:41:49 -05:00
Andrew Keesler e0ee18a993
Always close JWTAuthenticator underlying authenticator 
Otherwise we will leak goroutines.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-08 15:41:48 -05:00
Andrew Keesler 0efc19a1b7
Support JWTAuthenticator in pinniped CLI 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-08 15:41:48 -05:00
Andrew Keesler 57103e0a9f
Add JWTAuthenticator controller 
See https://github.com/vmware-tanzu/pinniped/issues/260 for UX bummer.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-08 15:41:48 -05:00
Andrew Keesler 946b0539d2
Add JWTAuthenticator API type 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-08 15:41:48 -05:00
Ryan Richard a9111f39af Merge branch 'main' into token-refresh 2020-12-08 12:32:41 -08:00
Ryan Richard 18d90a727e token_handler_test.go: refresh token gets deleted when authcode reused 2020-12-08 12:12:55 -08:00
Ryan Richard c090eb6a62 Supervisor token endpoint returns refresh tokens when requested 2020-12-08 11:47:39 -08:00
Andrew Keesler 8f51993db2
Merge pull request #265 from vmware-tanzu/scope-constants 
Use constants for scope values
 2020-12-08 14:32:09 -05:00
aram price 8d2b8ae6b5 Use constants for scope values 2020-12-08 10:46:05 -08:00
Matt Moyer afbef23a51 WIP implementing TokenExchangeHandler methods 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-08 10:17:03 -08:00
Margo Crawford e5ecaf01a0 WIP stubbing out tokenexchangehandler 2020-12-08 09:28:19 -08:00
Margo Crawford b7b6816531
Merge pull request #259 from mattmoyer/add-cli-request-audience 
Add a `--request-audience` flag to the `pinniped login oidc` CLI command
 2020-12-08 09:26:19 -08:00
Matt Moyer bfcd2569e9
Add a `--request-audience` flag to the `pinniped login oidc` CLI command. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-08 10:22:20 -06:00
Aram Price d91baba240 authorize and callback endpoints now handle the offline_access scope 
- This is in preparation for the token endpoint to support the refresh
  grant

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-07 17:22:34 -08:00
Ryan Richard 6a90a10123
Merge pull request #249 from vmware-tanzu/token-endpoint 
OIDC token endpoint supports authcode flow
 2020-12-07 15:08:07 -08:00
Ryan Richard 12e5f94e75 Merge branch 'main' into token-endpoint 2020-12-07 14:23:40 -08:00
Ryan Richard e1ae48f2e4 Discovery does not return `token_endpoint_auth_signing_alg_values_supported` 
`token_endpoint_auth_signing_alg_values_supported` is only related to
private_key_jwt and client_secret_jwt client authentication methods
at the token endpoint, which we do not support. See
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
for more details.

Signed-off-by: Aram Price <pricear@vmware.com>
 2020-12-07 14:15:31 -08:00
Matt Moyer dcaf9166dc
Merge pull request #261 from mattmoyer/remove-goerr113-linter 
Disable the goerr113 linter.
 2020-12-07 16:07:11 -06:00
Matt Moyer 9e945d7547
Disable the goerr113 linter. 
This linter is nice in principle, but I've found it more annoying than helpful in practice.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-07 15:53:41 -06:00
Aram Price 648fa4b9ba Backfill test for token endpoint error when JWK is not yet available 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-07 11:53:24 -08:00
Ryan Richard e0b6133bf1 Integration tests call supervisor token endpoint and validate response 
Signed-off-by: Aram Price <pricear@vmware.com>
 2020-12-04 17:07:04 -08:00
Aram Price ac19782405 Merge branch 'main' into token-endpoint 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-04 15:52:49 -08:00
Ryan Richard 858356610c Make assertions about how many secrets were stored by fosite in tests 
In both callback_handler_test.go and token_handler_test.go

Signed-off-by: Aram Price <pricear@vmware.com>
 2020-12-04 15:40:17 -08:00
Matt Moyer 040ad3293a
Merge pull request #255 from mattmoyer/reduce-default-cli-scopes 
Remove "email" and "profile" from default scopes requested by CLI.
 2020-12-04 17:04:03 -06:00
Matt Moyer 66270fded0
Merge pull request #257 from mattmoyer/prefactoring-for-cli-request-audience 
Prefactor before adding CLI "request audience" functionality.
 2020-12-04 17:03:38 -06:00
Aram Price 26a8747509 Use the more specific label name of "storage.pinniped.dev/type" 
Instead of the less specific "storage.pinniped.dev"

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-04 14:39:11 -08:00