Ryan Richard
a561fd21d9
Consolidate the supervisor's timeout settings into a single struct
...
- This struct represents the configuration of all timeouts. These
timeouts are all interrelated to declare them all in one place.
This should also make it easier to allow the user to override
our defaults if we would like to implement such a feature in the
future.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 10:14:54 -08:00
Matt Moyer
40c9e8472c
Merge pull request #272 from mattmoyer/default-cli-scopes
...
Tweak default CLI `--scopes` parameter to match supervisor use case.
2020-12-10 11:41:22 -06:00
Matt Moyer
e7338da3dc
Tweak default CLI --scopes
parameter to match supervisor use case.
...
This should be a better default for most cases.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-10 10:48:11 -06:00
Matt Moyer
0c52739997
Merge pull request #271 from mattmoyer/fix-cli-content-type-parsing
...
Fix bug in handling response content-type in oidcclient.
2020-12-10 10:46:10 -06:00
Matt Moyer
9d3c98232b
Fix bug in handling response content-type in oidcclient.
...
Before this, we weren't properly parsing the `Content-Type` header. This breaks in integration with the Supervisor since it sends an extra encoding parameter like `application/json;charset=UTF-8`.
This change switches to properly parsing with the `mime.ParseMediaType` function, and adds test cases to match the supervisor behavior.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-10 10:12:56 -06:00
Matt Moyer
5a0918afde
Merge pull request #270 from mattmoyer/default-cli-client-id
...
Add a default --client-id in `pinniped login oidc` command.
2020-12-10 10:12:28 -06:00
Matt Moyer
4395d5a0ca
Add a default --client-id in pinniped login oidc
command.
...
This default matches the static client we have defined in the supervisor, which will be the correct value in most cases.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-10 09:46:07 -06:00
Andrew Keesler
d83927ae75
Merge pull request #268 from vmware-tanzu/secret-generation-prefactor
...
Secret generation prefactor
2020-12-10 08:39:32 -05:00
aram price
86c75b7a80
CSRF cookie is no longer encrypted
2020-12-09 17:34:02 -08:00
aram price
f1f8ffa456
Distinct Encoder
's use distinct keys
2020-12-09 17:34:02 -08:00
aram price
4a5f8e30a8
Use distinct Encoder
for state and csrf data
2020-12-09 17:34:02 -08:00
aram price
e111ca02da
Use the narrowest possible interface
2020-12-09 17:34:02 -08:00
aram price
6ec3589112
Use recorder Cookies()
helper
...
- replaces hand-parsing of cookie strings
2020-12-09 17:34:02 -08:00
Margo Crawford
2ddba8d825
Merge pull request #267 from vmware-tanzu/token-exchange-endpoint
...
Implement RFC8693 token exchange handler in the supervisor
2020-12-09 17:13:28 -08:00
Margo Crawford
218f27306c
Integration test for refresh grant
...
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-09 17:07:37 -08:00
Margo Crawford
fde2e6fa97
Merge remote-tracking branch 'origin/main' into token-exchange-endpoint
2020-12-09 15:22:54 -08:00
Ryan Richard
4d82ec1283
Merge pull request #262 from vmware-tanzu/token-refresh
...
Support for the refresh grant in the supervisor's token endpoint
2020-12-09 15:22:02 -08:00
Ryan Richard
5b7c510577
Fixed error handling for token exchange when openid scope missing
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 15:15:50 -08:00
Ryan Richard
0abadddb1a
token_handler_test.go: modify a test about refresh request scopes param
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 15:03:52 -08:00
Margo Crawford
5f6e7de785
Merge branch 'token-refresh' into token-exchange-endpoint
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-09 14:56:41 -08:00
Ryan Richard
64631d5780
token_handler_test.go: add even more test cases for refresh grant
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 14:53:39 -08:00
Ryan Richard
0386658d26
token_handler_test.go: add more test cases for refresh grant
2020-12-09 14:12:00 -08:00
Matt Moyer
167d440b65
Remove this unneccesary go113 nolint
directives.
...
We disabled this linter across the project.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 14:51:27 -06:00
Matt Moyer
3e6ebab389
Clean up TestTokenExchange a bit.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 14:49:44 -06:00
Matt Moyer
f90b5d48de
Merge branch 'token-refresh' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint
2020-12-09 14:46:57 -06:00
Matt Moyer
016b0e9a8e
Satisfy the pedantic linter config 🙃 .
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 14:41:27 -06:00
Ryan Richard
51c828382f
Supervisor token endpoint supports refresh grant type
...
- This commit does not include the sad path tests for the refresh
grant type, which will come in a future commit.
2020-12-09 12:12:59 -08:00
Matt Moyer
02d96d731f
Finish TestTokenExchange unit tests and add missing scope check.
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 13:56:53 -06:00
Ryan Richard
cac3a3520f
Merge branch 'main' into token-refresh
2020-12-09 09:58:21 -08:00
Matt Moyer
b04db6ad2b
Fix some false positive gosec warnings.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:42:37 -06:00
Matt Moyer
f1aff2faab
Start extending TestSupervisorLogin to test the token exchange flow (WIP).
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:23:10 -06:00
Matt Moyer
b1542be7b1
In oidcclient token exchange request, pass client_id but don't bother with authorization header.
...
I think this should be more correct. In the server we're authenticating the request primarily via the `subject_token` parameter anyway, and Fosite needs the `client_id` to be set.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:08:41 -06:00
Matt Moyer
1db2ae3a45
Add more parameter validations and refactor internal/oidc/token_exchange.go.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:04:58 -06:00
Matt Moyer
e25d090ca9
Merge branch 'main' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint
2020-12-09 10:00:54 -06:00
Andrew Keesler
5f4348c57d
Merge pull request #266 from ankeesler/fix-jwt-auth-ca-bundle
...
Fix `JWTAuthenticator` CA bundle
2020-12-09 10:43:33 -05:00
Matt Moyer
644cb687b9
Grant the Pinniped STS scope in authorize/callback handlers.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 09:36:45 -06:00
Matt Moyer
bebe25c32e
Merge branch 'main' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint
2020-12-09 09:25:58 -06:00
Andrew Keesler
4c0fb12cf6
test/integration: only set JWTAuthenticator CA bundle when it exists
...
See comment in code.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-09 10:15:53 -05:00
Andrew Keesler
93cfd8c93a
Fix prepare-for-integration-tests.sh and Tiltfile for kubectl 1.20
...
kubectl 1.20 prints "Kubernetes control plane" instead of "Kubernetes master".
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-09 10:15:34 -05:00
Matt Moyer
5f1bd5ec31
Update TestNullStorage_GetClient with adjusted pinniped-cli scopes.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 09:12:32 -06:00
Andrew Keesler
8fcc176d8b
Merge pull request #258 from ankeesler/jwt-authenticator
...
Add JWTAuthenticator API and initial controller
2020-12-09 08:21:04 -05:00
Ryan Richard
6420caca94
Bring back the test that was skipped by the previous commit
...
- This test is still a work in progress. Some TODO comments
have been added to give hints for next steps.
2020-12-08 18:25:01 -08:00
Ryan Richard
f84dda937b
Merge branch 'token-refresh' into token-exchange-endpoint
2020-12-08 18:12:12 -08:00
Ryan Richard
ef4ef583dc
token_handler_test.go: Refactor how we specify the expected results
...
- This is to make it easier for the token exchange branch to also edit
this test without causing a lot of merge conflicts with the
refresh token branch, to enable parallel development of closely
related stories.
2020-12-08 18:10:55 -08:00
Margo Crawford
f103c02408
Add check for grant type in tokenexchangehandler,
...
- also started writing a test for the tokenexchangehandler, skipping for
now
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-08 17:33:08 -08:00
Margo Crawford
ef3f837800
Merge remote-tracking branch 'origin/token-refresh' into token-exchange-endpoint
2020-12-08 16:58:35 -08:00
Ryan Richard
170982a688
refactor token_handler_test.go: easier to make more requests after initial authcode exchange
...
- This refactor will allow us to add new test tables for the
refresh and token exchange requests, which both must come after
an initial successful authcode exchange has already happened
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-08 16:54:58 -08:00
Margo Crawford
a852baac75
Merge remote-tracking branch 'origin/token-refresh' into token-exchange-endpoint
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-08 12:55:44 -08:00
Andrew Keesler
381a2e749a
impotent -> idempotent
...
These words do not mean the same thing...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:49 -05:00
Aram Price
9ed5dcb031
Only create underlying jwt authenticator when spec has changed
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:49 -05:00