Andrew Keesler
b25696a1fb
callback_handler.go: Prepend iss to sub when making default username
...
- Also handle several more error cases
- Move RequireTimeInDelta to shared testutils package so other tests
can also use it
- Move all of the oidc test helpers into a new oidc/oidctestutils
package to break a circular import dependency. The shared testutil
package can't depend on any of our other packages or else we
end up with circular dependencies.
- Lots more assertions about what was stored at the end of the
request to build confidence that we are going to pass all of the
right settings over to the token endpoint through the storage, and
also to avoid accidental regressions in that area in the future
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-19 17:57:07 -08:00
Andrew Keesler
b49d37ca54
callback_handler.go: test invalid upstream ID token username/groups
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-19 15:53:21 -05:00
Ryan Richard
83101eefce
callback_handler.go: start to test upstream token corner cases
...
Also refactor to get rid of duplicate test structs.
Also also don't default groups ID token claim because there is no standard one.
Also also also add some logging that will hopefully help us in debugging in the
future.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 14:19:01 -05:00
Ryan Richard
a47617cad0
callback_handler.go: Add JWT Audience claim to storage
2020-11-19 08:53:53 -08:00
Ryan Richard
ee84f31f42
callback_handler.go: Add JWT Issuer claim to storage
2020-11-19 08:35:23 -08:00
Andrew Keesler
ace861f722
callback_handler.go: get some thoughts down about default upstream claims
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 11:08:21 -05:00
Andrew Keesler
2e62be3ebb
callback_handler.go: assert correct args are passed to token exchange
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 10:20:46 -05:00
Andrew Keesler
48e0250649
callback_handler.go: test that we request openid scope correctly
...
Also add some testing.T.Log() calls to make debugging handler test failures
easier.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 09:28:56 -05:00
Andrew Keesler
6c72507bca
callback_handler.go: add test for failed upstream exchange/validation
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 09:00:41 -05:00
Andrew Keesler
63b8c6e4b2
callback_handler.go: test when state missing a needed param
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 08:51:23 -05:00
Andrew Keesler
ffdb7fa795
callback_handler.go: add a test for invalid state auth params
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 08:41:44 -05:00
Ryan Richard
652ea6bd2a
Start using fosite in the Supervisor's callback handler
2020-11-18 17:15:01 -08:00
Ryan Richard
227fbd63aa
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider
...
Because we want it to implement an AuthcodeExchanger interface and
do it in a way that will be more unit test-friendly than the underlying
library that we intend to use inside its implementation.
2020-11-18 13:38:13 -08:00
Ryan Richard
97552aec5f
Merge branch 'main' into callback-endpoint
2020-11-17 09:06:54 -08:00
Matt Moyer
b75a6cdb76
Merge pull request #221 from mattmoyer/use-https-dex
...
Add support for custom CA bundle in CLI and UpstreamOIDCProvider.
2020-11-16 20:47:16 -06:00
Matt Moyer
b31deff0fb
Update integration tests to use HTTPS Dex for UpstreamOIDCProvider testing.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
ee978fdde8
Add controller support for spec.tls field.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
e867fb82b9
Add spec.tls
field to UpstreamOIDCProvider API.
...
This allows for a custom CA bundle to be used when connecting to the upstream issuer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
b17ac6ec0b
Update integration tests to run Dex over HTTPS.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
dd2133458e
Add --ca-bundle flag to "pinniped login oidc" command.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 18:15:20 -06:00
Matt Moyer
e7ecfd3954
Merge pull request #219 from mattmoyer/add-test-proxy
...
Convert CLI tests to work through an HTTP forward proxy.
2020-11-16 17:48:16 -06:00
Matt Moyer
c8b17978a9
Convert CLI tests to work through an HTTP forward proxy.
...
This change deploys a small Squid-based proxy into the `dex` namespace in our integration test environment. This lets us use the cluster-local DNS name (`http://dex.dex.svc.cluster.local/dex `) as the OIDC issuer. It will make generating certificates easier, and most importantly it will mean that our CLI can see Dex at the same name/URL as the supervisor running inside the cluster.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 17:16:58 -06:00
Matt Moyer
a4733025ce
Merge pull request #220 from jonasrosland/fix-landing-text
...
Fix landing page use cases
2020-11-16 16:36:44 -06:00
Andrew Keesler
1c7601a2b5
callback_handler.go: start happy path test with redirect
...
Next steps: fosite storage?
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-16 17:07:34 -05:00
Ryan Richard
052cdc40dc
callback_handler.go: add CSRF and version state validations
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 14:41:00 -05:00
jonasrosland
332ed8e50b
Fix landing page use cases
...
Signed-off-by: jonasrosland <jrosland@vmware.com>
2020-11-16 12:00:06 -05:00
Andrew Keesler
4138c9244f
callback_handler.go: write 2 invalid cookie tests
...
Also common-ize some more constants shared between the auth and callback
endpoints.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 11:47:49 -05:00
Andrew Keesler
3ef1171667
Tiny bit more code for Supervisor's callback_handler.go
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-13 15:59:51 -08:00
Matt Moyer
84b61fac88
Merge pull request #215 from mattmoyer/fix-upstream-oidc-provider
...
Fix some issues in the UpstreamOIDCProvider CRD and controller
2020-11-13 17:23:10 -06:00
Matt Moyer
c10393b495
Mask the raw error messages from go-oidc, since they are dangerous.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 16:22:34 -06:00
Matt Moyer
d3d8ef44a0
Make more fields in UpstreamOIDCProvider optional.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 15:28:37 -06:00
Mo Khan
d5ee925e62
Merge pull request #213 from mattmoyer/more-categories
...
Add our TokenCredentialRequest to the "pinniped" API category as well.
2020-11-13 15:51:42 -05:00
Mo Khan
47d216caae
Merge pull request #209 from alexbrand/doc-fixes
...
Fix broken links in the project's website
2020-11-13 15:51:13 -05:00
Alexander Brand
406d6b5544
docs/scope.md: Fix link to contrib guide
...
Signed-off-by: Alexander Brand <alexbrand09@gmail.com>
2020-11-13 15:25:01 -05:00
Matt Moyer
ab87977c08
Put our TokenCredentialRequest API into the "pinniped" category.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 14:22:26 -06:00
Matt Moyer
f4dfc22f8e
Merge pull request #212 from enj/enj/i/restore_cert_ttl
...
Reduce client cert TTL back to 5 mins
2020-11-13 14:11:44 -06:00
Matt Moyer
785a1d14fb
Merge pull request #199 from mattmoyer/add-oidc-upstream-crd
...
Add UpstreamOIDCProvider API and initial controller.
2020-11-13 13:01:13 -06:00
Matt Moyer
d68a4b85f4
Add integration tests for UpstreamOIDCProvider status.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 12:30:38 -06:00
Matt Moyer
cbd71df574
Add "upstream-watcher" controller to supervisor.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 12:30:38 -06:00
Monis Khan
c05cbca0b0
Reduce client cert TTL back to 5 mins
...
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-13 13:30:02 -05:00
Matt Moyer
2e7d869ccc
Add generated API/client code for new UpstreamOIDCProvider CRD.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 11:38:50 -06:00
Matt Moyer
bac3c19bec
Add UpstreamOIDCProvider API type definition.
...
This is essentially just a copy of Andrew's work from https://github.com/vmware-tanzu/pinniped/pull/135 .
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 11:38:49 -06:00
Andrew Keesler
81b9a48437
callback_handler.go: initial API/test shape with 1 test
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-13 12:32:35 -05:00
Alexander Brand
271640b66d
docs/architecture.md: Fix broken link
2020-11-13 09:17:47 -05:00
Alexander Brand
6b0d4184d5
docs/architecture.md: Fix broken link
2020-11-13 09:15:46 -05:00
Ryan Richard
d351ef430c
Merge pull request #206 from vmware-tanzu/authorize_endpoint_reuse_cookie
...
Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones
2020-11-12 16:26:01 -08:00
Matt Moyer
e6f128e2a7
Merge pull request #205 from mattmoyer/more-careful-categories
...
Put all of our APIs into a "pinniped" category, and never use "all".
2020-11-12 17:37:20 -06:00
Andrew Keesler
080bb594b2
Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones
...
- To better support having multiple downstream providers configured,
the authorize endpoint will share a CSRF cookie between all
downstream providers' authorize endpoints. The first time a
user's browser hits the authorize endpoint of any downstream
provider, that endpoint will set the cookie. Then if the user
starts an authorize flow with that same downstream provider or with
any other downstream provider which shares the same domain name
(i.e. differentiated by issuer path), then the same cookie will be
submitted and respected.
- Just in case we are sharing the domain name with some other app,
we sign the value of any new CSRF cookie and check the signature
when we receive the cookie. This wasn't strictly necessary since
we probably won't share a domain name with other apps, but it
wasn't hard to add this cookie signing.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-12 15:36:59 -08:00
Matt Moyer
f1696411d9
Test that Pinniped APis do not have short names, either.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 17:13:52 -06:00
Matt Moyer
5580ca82ac
Merge pull request #204 from mattmoyer/cleanup-update-script
...
Remove CRD count check, since we can now use wildcards.
2020-11-12 16:28:24 -06:00