ContainerImage.Pinniped

Author	SHA1	Message	Date
Matt Moyer	c23c54f500	Add an explicit `Path=/;` to our CSRF cookie, per the spec. > [...] a cookie named "__Host-cookie1" MUST contain a "Path" attribute with a value of "/". https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2 Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 15:55:33 -06:00
Margo Crawford	d60c184424	Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>	2020-12-01 17:18:32 -08:00
Ryan Richard	f38c150f6a	Finished tests for pkce storage and added it to kubestorage - Also fixed some lint errors with v1.33.0 of the linter Signed-off-by: Margo Crawford <margaretc@vmware.com>	2020-12-01 14:53:22 -08:00
Margo Crawford	c8eaa3f383	WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-12-01 11:01:42 -08:00
Matt Moyer	b272b3f331	Refactor oidcclient.Login to use new upstreamoidc package. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-30 17:37:14 -06:00
Matt Moyer	4b60c922ef	Add generated mock of UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-30 17:37:14 -06:00
Matt Moyer	25ee99f93a	Add ValidateToken method to UpstreamOIDCIdentityProviderI interface. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-30 17:37:14 -06:00
Matt Moyer	d32583dd7f	Move OIDC Token structs into a new `oidctypes` package. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-30 17:02:03 -06:00
Matt Moyer	d64acbb5a9	Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-30 15:22:56 -06:00
Ryan Richard	e6b6c0e3ab	Merge branch 'main' into callback-endpoint	2020-11-20 15:50:26 -08:00
Ryan Richard	ccddeb4cda	Merge branch 'main' into callback-endpoint	2020-11-20 15:13:25 -08:00
Monis Khan	d39cc08b66	Set defaults for fosite config Signed-off-by: Monis Khan <mok@vmware.com>	2020-11-20 17:18:52 -05:00
Ryan Richard	c4ff1ca304	auth_handler.go: Ignore invalid CSRF cookies rather than return error Generate a new cookie for the user and move on as if they had not sent a bad cookie. Hopefully this will make the user experience better if, for example, the server rotated cookie signing keys and then a user submitted a very old cookie. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-20 13:56:35 -08:00
Andrew Keesler	b21f0035d7	callback_handler.go: Get upstream name from state instead of path Also use ConstantTimeCompare() to compare CSRF tokens to prevent leaking any information in how quickly we reject bad tokens. Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-11-20 13:33:08 -08:00
Ryan Richard	72321fc106	Use /callback (without IDP name) path for callback endpoint (part 1) This is much nicer UX for an administrator installing a UpstreamOIDCProvider CRD. They don't have to guess as hard at what the callback endpoint path should be for their UpstreamOIDCProvider. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-20 16:14:45 -05:00
Andrew Keesler	541019eb98	callback_handler.go: simplify stored ID token claims Fosite is gonna set these fields for us. Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-11-20 15:36:51 -05:00
Andrew Keesler	488d1b663a	internal/oidc/provider/manager: route to callback endpoint Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-20 10:44:56 -05:00
Andrew Keesler	8f5d1709a1	callback_handler.go: assert behavior about PKCE and IDSession storage Also aggresively refactor for readability: - Make helper validations functions for each type of storage - Try to label symbols based on their downstream/upstream use and group them accordingly Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-20 09:41:49 -05:00
Andrew Keesler	f8d76066c5	callback_handler.go: assert nonce is stored correctly I think we want to do this here since we are storing all of the other ID token claims? Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-20 08:38:23 -05:00
Monis Khan	4a28d1f800	Temporarily disable max inflight checks for mutating requests Signed-off-by: Monis Khan <mok@vmware.com>	2020-11-19 21:21:10 -05:00
Andrew Keesler	b25696a1fb	callback_handler.go: Prepend iss to sub when making default username - Also handle several more error cases - Move RequireTimeInDelta to shared testutils package so other tests can also use it - Move all of the oidc test helpers into a new oidc/oidctestutils package to break a circular import dependency. The shared testutil package can't depend on any of our other packages or else we end up with circular dependencies. - Lots more assertions about what was stored at the end of the request to build confidence that we are going to pass all of the right settings over to the token endpoint through the storage, and also to avoid accidental regressions in that area in the future Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-11-19 17:57:07 -08:00
Andrew Keesler	b49d37ca54	callback_handler.go: test invalid upstream ID token username/groups Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-11-19 15:53:21 -05:00
Ryan Richard	83101eefce	callback_handler.go: start to test upstream token corner cases Also refactor to get rid of duplicate test structs. Also also don't default groups ID token claim because there is no standard one. Also also also add some logging that will hopefully help us in debugging in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-19 14:19:01 -05:00
Monis Khan	86865d155a	Switch fuzzing test to UTC Signed-off-by: Monis Khan <mok@vmware.com>	2020-11-19 14:04:25 -05:00
Monis Khan	3575be7742	Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>	2020-11-19 13:18:27 -05:00
Monis Khan	b7d823a077	Add generic Kube API based CRUD storage Signed-off-by: Monis Khan <mok@vmware.com>	2020-11-19 13:18:02 -05:00
Ryan Richard	a47617cad0	callback_handler.go: Add JWT Audience claim to storage	2020-11-19 08:53:53 -08:00
Ryan Richard	ee84f31f42	callback_handler.go: Add JWT Issuer claim to storage	2020-11-19 08:35:23 -08:00
Andrew Keesler	ace861f722	callback_handler.go: get some thoughts down about default upstream claims Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-19 11:08:21 -05:00
Andrew Keesler	2e62be3ebb	callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-19 10:20:46 -05:00
Andrew Keesler	48e0250649	callback_handler.go: test that we request openid scope correctly Also add some testing.T.Log() calls to make debugging handler test failures easier. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-19 09:28:56 -05:00
Andrew Keesler	6c72507bca	callback_handler.go: add test for failed upstream exchange/validation Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-19 09:00:41 -05:00
Andrew Keesler	63b8c6e4b2	callback_handler.go: test when state missing a needed param Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-19 08:51:23 -05:00
Andrew Keesler	ffdb7fa795	callback_handler.go: add a test for invalid state auth params Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-19 08:41:44 -05:00
Ryan Richard	652ea6bd2a	Start using fosite in the Supervisor's callback handler	2020-11-18 17:15:01 -08:00
Ryan Richard	227fbd63aa	Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.	2020-11-18 13:38:13 -08:00
Matt Moyer	e0a9bef6ce	Move `./internal/oidcclient` to `./pkg/oidcclient`. This will allow it to be imported by Go code outside of our repository, which was something we have planned for since this code was written. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-17 14:53:32 -06:00
Ryan Richard	97552aec5f	Merge branch 'main' into callback-endpoint	2020-11-17 09:06:54 -08:00
Matt Moyer	ee978fdde8	Add controller support for spec.tls field. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-16 20:23:20 -06:00
Matt Moyer	dd2133458e	Add --ca-bundle flag to "pinniped login oidc" command. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-16 18:15:20 -06:00
Andrew Keesler	1c7601a2b5	callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-11-16 17:07:34 -05:00
Ryan Richard	052cdc40dc	callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-16 14:41:00 -05:00
Andrew Keesler	4138c9244f	callback_handler.go: write 2 invalid cookie tests Also common-ize some more constants shared between the auth and callback endpoints. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-16 11:47:49 -05:00
Andrew Keesler	3ef1171667	Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-11-13 15:59:51 -08:00
Matt Moyer	c10393b495	Mask the raw error messages from go-oidc, since they are dangerous. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-13 16:22:34 -06:00
Mo Khan	d5ee925e62	Merge pull request #213 from mattmoyer/more-categories Add our TokenCredentialRequest to the "pinniped" API category as well.	2020-11-13 15:51:42 -05:00
Matt Moyer	ab87977c08	Put our TokenCredentialRequest API into the "pinniped" category. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-13 14:22:26 -06:00
Matt Moyer	f4dfc22f8e	Merge pull request #212 from enj/enj/i/restore_cert_ttl Reduce client cert TTL back to 5 mins	2020-11-13 14:11:44 -06:00
Matt Moyer	cbd71df574	Add "upstream-watcher" controller to supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-13 12:30:38 -06:00
Monis Khan	c05cbca0b0	Reduce client cert TTL back to 5 mins Signed-off-by: Monis Khan <mok@vmware.com>	2020-11-13 13:30:02 -05:00

1 2 3 4 5 ...

269 Commits