djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
886 Commits 30 Branches 34 Tags 22 MiB
b272b3f331
Commit Graph

886 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Matt Moyer
b272b3f331
Refactor oidcclient.Login to use new upstreamoidc package. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-30 17:37:14 -06:00
Matt Moyer
4b60c922ef
Add generated mock of UpstreamOIDCIdentityProviderI. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-30 17:37:14 -06:00
Matt Moyer
25ee99f93a
Add ValidateToken method to UpstreamOIDCIdentityProviderI interface. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-30 17:37:14 -06:00
Matt Moyer
d32583dd7f
Move OIDC Token structs into a new oidctypes package. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-30 17:02:03 -06:00
Matt Moyer
d64acbb5a9
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-30 15:22:56 -06:00
Andrew Keesler
58a3e35c51
Revert "test/integration: skip TestSupervisorLogin until new callback logic is on main" 
This reverts commit eae6d355f8.

We have added the new callback path logic (see b21f003), so we can stop skipping
this test.
 2020-11-30 11:07:25 -05:00
Andrew Keesler
25bbd28527
Merge remote-tracking branch 'upstream/main' into callback-endpoint 2020-11-30 11:06:20 -05:00
Andrew Keesler
385d2db445
Merge pull request #245 from ankeesler/fix-supervisor-login-test 
Run TestSupervisorLogin only on valid HTTP/HTTPS supervisor addresses
 2020-11-30 11:05:43 -05:00
Andrew Keesler
eae6d355f8
test/integration: skip TestSupervisorLogin until new callback logic is on main 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-30 10:12:03 -05:00
Andrew Keesler
5be46d0bb7
test/integration: get downstream issuer path from upstream redirect 
See comment in the code.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-30 09:58:08 -05:00
Andrew Keesler
5b04192945
Run TestSupervisorLogin only on valid HTTP/HTTPS supervisor addresses 
We were assuming that env.SupervisorHTTPAddress was set, but it might not be
depending on the environment on which the integration tests are being run. For
example, in our acceptance environments, we don't currently set
env.SupervisorHTTPAddress.

I tried to follow the pattern from TestSupervisorOIDCDiscovery here.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-30 09:23:12 -05:00
Ryan Richard
e6b6c0e3ab Merge branch 'main' into callback-endpoint 2020-11-20 15:50:26 -08:00
Matt Moyer
dfb6544171
Merge pull request #238 from jknostman3/patch-1 
Update site demo to use pinniped-concierge namespace
 2020-11-20 17:15:26 -06:00
Matt Moyer
3596610f40
Merge pull request #239 from enj/enj/f/fosite_defaults 
Set defaults for fosite config
 2020-11-20 17:14:05 -06:00
Ryan Richard
ccddeb4cda Merge branch 'main' into callback-endpoint 2020-11-20 15:13:25 -08:00
Monis Khan
d39cc08b66
Set defaults for fosite config 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-20 17:18:52 -05:00
Ryan Richard
c4ff1ca304 auth_handler.go: Ignore invalid CSRF cookies rather than return error 
Generate a new cookie for the user and move on as if they had not sent
a bad cookie. Hopefully this will make the user experience better if,
for example, the server rotated cookie signing keys and then a user
submitted a very old cookie.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-20 13:56:35 -08:00
Andrew Keesler
b21f0035d7 callback_handler.go: Get upstream name from state instead of path 
Also use ConstantTimeCompare() to compare CSRF tokens to prevent
leaking any information in how quickly we reject bad tokens.

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-20 13:33:08 -08:00
Matt Moyer
ad9439eef2
Merge pull request #207 from vmware-tanzu/dependabot/docker/golang-1.15.5 
Bump golang from 1.15.3 to 1.15.5
 2020-11-20 15:18:23 -06:00
Ryan Richard
72321fc106
Use /callback (without IDP name) path for callback endpoint (part 1) 
This is much nicer UX for an administrator installing a UpstreamOIDCProvider
CRD. They don't have to guess as hard at what the callback endpoint path should
be for their UpstreamOIDCProvider.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-20 16:14:45 -05:00
Andrew Keesler
541019eb98
callback_handler.go: simplify stored ID token claims 
Fosite is gonna set these fields for us.

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-20 15:36:51 -05:00
Jake Knostman
15bffc6b16
Update site demo to use pinniped-concierge namespace 2020-11-20 12:31:23 -08:00
dependabot[bot]
901242c1e1
Bump golang from 1.15.3 to 1.15.5 
Bumps golang from 1.15.3 to 1.15.5.

Signed-off-by: dependabot[bot] <support@github.com>
 2020-11-20 20:19:51 +00:00
Matt Moyer
fd0e0bb4c9
Merge pull request #234 from rajat404/main 
Avoid printing the error message twice from client
 2020-11-20 13:29:35 -06:00
Rajat Goyal
53bece2186 Avoid printing the error message twice from client 2020-11-21 00:05:26 +05:30
Matt Moyer
1a881e4f2b
Merge pull request #232 from mattmoyer/adjust-test-environment-upstream-clients 
Split test environment variables so there's a specific supervisor upstream client.
 2020-11-20 09:46:04 -06:00
Andrew Keesler
488d1b663a
internal/oidc/provider/manager: route to callback endpoint 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-20 10:44:56 -05:00
Andrew Keesler
8f5d1709a1
callback_handler.go: assert behavior about PKCE and IDSession storage 
Also aggresively refactor for readability:
- Make helper validations functions for each type of storage
- Try to label symbols based on their downstream/upstream use and group them
  accordingly

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-20 09:41:49 -05:00
Matt Moyer
bc700d58ae
Split test environment variables so there's a specific supervisor upstream client. 
Prior to this we re-used the CLI testing client to test the authorize flow of the supervisor, but they really need to be separate upstream clients. For example, the supervisor client should be a non-public client with a client secret and a different callback endpoint.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-20 08:03:06 -06:00
Andrew Keesler
f8d76066c5
callback_handler.go: assert nonce is stored correctly 
I think we want to do this here since we are storing all of the
other ID token claims?

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-20 08:38:23 -05:00
Mo Khan
b8fb37b9f6
Merge pull request #233 from enj/enj/i/tmp_disable_max_flight 
Temporarily disable max inflight checks for mutating requests
 2020-11-19 22:51:03 -05:00
Monis Khan
4a28d1f800
Temporarily disable max inflight checks for mutating requests 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-19 21:21:10 -05:00
Andrew Keesler
b25696a1fb callback_handler.go: Prepend iss to sub when making default username 
- Also handle several more error cases
- Move RequireTimeInDelta to shared testutils package so other tests
  can also use it
- Move all of the oidc test helpers into a new oidc/oidctestutils
  package to break a circular import dependency. The shared testutil
  package can't depend on any of our other packages or else we
  end up with circular dependencies.
- Lots more assertions about what was stored at the end of the
  request to build confidence that we are going to pass all of the
  right settings over to the token endpoint through the storage, and
  also to avoid accidental regressions in that area in the future

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-19 17:57:07 -08:00
Andrew Keesler
b49d37ca54
callback_handler.go: test invalid upstream ID token username/groups 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-19 15:53:21 -05:00
Mo Khan
20b62b8841
Merge pull request #231 from enj/enj/f/fosite_kube_storage 
Add kube based storage for use with fosite
 2020-11-19 15:34:55 -05:00
Ryan Richard
83101eefce
callback_handler.go: start to test upstream token corner cases 
Also refactor to get rid of duplicate test structs.

Also also don't default groups ID token claim because there is no standard one.

Also also also add some logging that will hopefully help us in debugging in the
future.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-19 14:19:01 -05:00
Monis Khan
86865d155a
Switch fuzzing test to UTC 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-19 14:04:25 -05:00
Monis Khan
3575be7742
Add authorization code storage 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-19 13:18:27 -05:00
Monis Khan
b7d823a077
Add generic Kube API based CRUD storage 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-19 13:18:02 -05:00
Ryan Richard
a47617cad0 callback_handler.go: Add JWT Audience claim to storage 2020-11-19 08:53:53 -08:00
Ryan Richard
ee84f31f42 callback_handler.go: Add JWT Issuer claim to storage 2020-11-19 08:35:23 -08:00
Andrew Keesler
ace861f722
callback_handler.go: get some thoughts down about default upstream claims 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-19 11:08:21 -05:00
Andrew Keesler
2e62be3ebb
callback_handler.go: assert correct args are passed to token exchange 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-19 10:20:46 -05:00
Andrew Keesler
48e0250649
callback_handler.go: test that we request openid scope correctly 
Also add some testing.T.Log() calls to make debugging handler test failures
easier.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-19 09:28:56 -05:00
Andrew Keesler
6c72507bca
callback_handler.go: add test for failed upstream exchange/validation 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-19 09:00:41 -05:00
Andrew Keesler
63b8c6e4b2
callback_handler.go: test when state missing a needed param 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-19 08:51:23 -05:00
Andrew Keesler
ffdb7fa795
callback_handler.go: add a test for invalid state auth params 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-19 08:41:44 -05:00
Ryan Richard
652ea6bd2a Start using fosite in the Supervisor's callback handler 2020-11-18 17:15:01 -08:00
Mo Khan
3bc5952f7e
Merge pull request #227 from mattmoyer/add-authorizationconfig-omitempty 
Use `omitempty` on UpstreamOIDCProvider `spec.authorizationConfig` field.
 2020-11-18 20:10:55 -05:00
Matt Moyer
7520dadbdd
Use omitempty on UpstreamOIDCProvider spec.authorizationConfig field. 
This allows you to omit the field in creation requests, which was annoying.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-18 17:14:35 -06:00