djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2,999 Commits 30 Branches 34 Tags
Commit Graph

967 Commits

Author SHA1 Message Date
Monis Khan
baca5506d6
wip009 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-07-20 22:08:54 -04:00
Monis Khan
5589dcd3b3
wip008 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-07-20 21:58:47 -04:00
Monis Khan
41eafd1bdc
wip007 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-07-20 21:39:49 -04:00
Monis Khan
20391a323f
wip006 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-07-20 16:44:41 -04:00
Monis Khan
8c387f977c
wip005 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-07-20 15:41:05 -04:00
Monis Khan
a4fb53e131
wip004 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-07-15 16:11:10 -04:00
Monis Khan
983c6116ef
wip003 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-07-15 11:55:30 -04:00
Monis Khan
2e36cea786
wip002 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-07-15 08:53:20 -04:00
Monis Khan
6c199abcde
wip001 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-07-15 08:53:20 -04:00
Ryan Richard
be85e1ed0a TotalClientSecrets field gets omitempty and becomes int32 2022-07-14 09:30:03 -07:00
Ryan Richard
93939ccbd8 OIDCClient watcher controller updates based on PR feedback 2022-07-06 10:34:24 -07:00
Monis Khan
f13c5e3f06
Fix supervisor scheme comment 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-06-24 09:56:44 -04:00
Margo Crawford
a010e72b29 Merge branch 'dynamic_clients' into require-groups-scope 2022-06-22 14:27:06 -07:00
Margo Crawford
dac0395680 Add a couple tests, address pr comments 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-22 14:19:55 -07:00
Margo Crawford
f2005b4c7f Merge branch 'dynamic_clients' into require-groups-scope 2022-06-22 12:30:54 -07:00
Margo Crawford
c70a0b99a8 Don't do ldap group search when group scope not specified 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-22 10:58:08 -07:00
Margo Crawford
9903c5f79e Handle refresh requests without groups scope 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-22 08:21:16 -07:00
Ryan Richard
5aa0d91267
New controller watches OIDCClients and updates validation Conditions 2022-06-17 13:11:26 -04:00
Monis Khan
36a5c4c20d
Fix TestOIDCClientStaticValidation on old servers 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-06-17 09:04:03 -04:00
Mo Khan
4bf734061d
Merge pull request #1190 from vmware-tanzu/client-secret-api-noop 
aggregated api for oidcclientsecretrequest
 2022-06-16 10:30:13 -04:00
Margo Crawford
64cd8b0b9f Add e2e test for groups scope 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-15 13:41:22 -07:00
Monis Khan
59d67322d3
Static validation for OIDC clients 
The following validation is enforced:

1. Names must start with client.oauth.pinniped.dev-
2. Redirect URIs must start with https://
   or http://127.0.0.1
   or http://::1
3. All spec lists must not have duplicates

Added an integration test to assert all static validations.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-06-15 15:09:40 -04:00
Margo Crawford
424f925a14 Merge branch 'dynamic_clients' into client-secret-api-noop 2022-06-15 09:38:55 -07:00
Margo Crawford
c117329553 Updates based on code review 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-15 09:38:21 -07:00
Margo Crawford
4d0c2e16f4 require groups scope to get groups back from supervisor 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-15 08:00:17 -07:00
Margo Crawford
8f4285dbff Change group names 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-13 14:28:05 -07:00
Ryan Richard
b9272b2729 Reserve all of *.pinniped.dev for requested aud in token exchanges 
Our previous plan was to reserve only *.oauth.pinniped.dev but we
changed our minds during PR review.
 2022-06-13 12:08:11 -07:00
Margo Crawford
ba371423d9 Add integration test for OIDCClientSecretRequest 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-10 13:56:15 -07:00
Margo Crawford
889348e999 WIP aggregated api for oidcclientsecretrequest 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-09 13:47:19 -07:00
Ryan Richard
321abfc98d Merge branch 'dynamic_clients' into token_exchange_aud 2022-06-08 09:03:29 -07:00
Ryan Richard
ea45e5dfef Disallow certain requested audience strings in token exchange 2022-06-07 16:32:19 -07:00
Mo Khan
472ab229e7
Merge branch 'main' into auth_handler_form_post_csp 2022-06-07 18:26:52 -04:00
Ryan Richard
7751c0bf59
Bump project deps, including kube 0.23.6->0.24.1 and Go 1.18.1->1.18.3 
Several API changes in Kube required changes in Pinniped code.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-06-07 15:26:30 -04:00
Ryan Richard
b99c4773a2 Use CSP headers in auth handler response 
When response_mode=form_post is requested, some error cases will be
returned to the client using the form_post web page to POST the result
back to the client's redirect URL.
 2022-06-02 09:23:34 -07:00
Monis Khan
0674215ef3
Switch to go.uber.org/zap for JSON formatted logging 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-05-24 11:17:42 -04:00
Ryan Richard
39fd9ba270 Small refactors and comments for LDAP/AD UI 2022-05-19 16:02:08 -07:00
Ryan Richard
0f2a984308 Merge branch 'main' into ldap-login-ui 2022-05-11 11:32:15 -07:00
Ryan Richard
aa732a41fb Add LDAP browser flow login failure tests to supervisor_login_test.go 
Also do some refactoring to share more common test setup code in
supervisor_login_test.go.
 2022-05-10 16:28:08 -07:00
Ryan Richard
4c44f583e9 Don't add pinniped_idp_name pinniped_idp_type params into upstream state 2022-05-06 12:00:46 -07:00
Ryan Richard
ec22b5715b Add Pinniped favicon to login UI page 🦭 2022-05-05 14:46:07 -07:00
Ryan Richard
cffa353ffb Login page styling/structure for users, screen readers, passwd managers 
Also:
- Add CSS to login page
- Refactor login page HTML and CSS into a new package
- New custom CSP headers for the login page, because the requirements
  are different from the form_post page
 2022-05-05 13:13:25 -07:00
Ryan Richard
6ca7c932ae Add unit test for rendering form_post response from POST /login 2022-05-05 13:13:25 -07:00
Ryan Richard
656f221fb7 Merge branch 'main' into ldap-login-ui 2022-05-04 09:29:15 -07:00
Ryan Richard
2e031f727b Use security headers for the form_post page in the POST /login endpoint 
Also use more specific test assertions where security headers are
expected. And run the unit tests for the login package in parallel.
 2022-05-03 16:46:09 -07:00
Ryan Richard
acc6c50e48 More unit tests for LDAP DNs which contain special chars 
Adding explicit coverage for PerformRefresh().
 2022-05-03 15:43:01 -07:00
Margo Crawford
388cdb6ddd Fix bug where form was posting to the wrong path 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-05-03 15:18:38 -07:00
Ryan Richard
c74dea6405 Escape special characters in LDAP DNs when used in search filters 2022-05-02 13:37:32 -07:00
Ryan Richard
69e5169fc5 Implement post_login_handler.go to accept form post and auth to LDAP/AD 
Also extract some helpers from auth_handler.go so they can be shared
with the new handler.
 2022-04-29 16:02:00 -07:00
Margo Crawford
646c6ec9ed Show error message on login page 
Also add autocomplete attribute and title element

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-29 10:36:13 -07:00
Margo Crawford
453c69af7d Fix some errors and pass state as form element 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-28 12:07:04 -07:00