Mo Khan
ca2ee26c86
Merge pull request #884 from vmware-tanzu/upstream-ad-refresh
Upstream active directory refresh checks for password changes, deactivated and locked users
2021-12-09 20:51:46 -05:00
Margo Crawford
59d999956c
Move ad specific stuff to controller
also make extra refresh attributes a separate field rather than part of Extra
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
acaad05341
Make pwdLastSet stuff more generic and not require parsing the timestamp
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
65f3464995
Fix issue with very high integer value parsing, add unit tests
also add comment about urgent replication
2021-12-09 16:16:36 -08:00
Margo Crawford
ee4f725209
Incorporate PR feedback
2021-12-09 16:16:36 -08:00
Margo Crawford
ef5a04c7ce
Check for locked users on ad upstream refresh
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
f62e9a2d33
Active directory checks for deactivated user
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
da9b4620b3
Active Directory checks whether password has changed recently during upstream refresh
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:35 -08:00
Margo Crawford
8db0203839
Add test for upstream ldap idp not found, wrong idp uid, and malformed fosite session storage
2021-12-09 16:16:35 -08:00
anjalitelang
4110297a8f
Update ROADMAP.md
Updated roadmap to reflect current velocity
2021-12-09 16:59:09 -05:00
Mo Khan
7a3b5e3571
Merge pull request #908 from vmware-tanzu/microwavables-main
Added GOVERNANCE.md file to repo
2021-12-08 14:38:21 -05:00
Nanci Lancaster
505bc47ae1
Added GOVERNANCE.md file to repo
Signed-off-by: Nanci Lancaster <nancil@vmware.com>
2021-12-08 14:29:16 -05:00
Mo Khan
2c5b74c960
Merge pull request #905 from vmware-tanzu/dependabot/docker/golang-1.17.4
Bump golang from 1.17.3 to 1.17.4
2021-12-06 15:44:42 -05:00
dependabot[bot]
db68fc3a2b
Bump golang from 1.17.3 to 1.17.4
Bumps golang from 1.17.3 to 1.17.4.
---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-12-06 01:14:25 +00:00
Ryan Richard
29490ee665
ran go mod tidy
2021-12-03 16:40:01 -08:00
Ryan Richard
edd3547977
Merge pull request #903 from vmware-tanzu/code-walkthrough-doc
Add first draft of code walk-through doc
2021-12-03 12:19:29 -08:00
Ryan Richard
aa361a70a7
clarifications to code walkthrough doc
2021-12-03 10:50:02 -08:00
Ryan Richard
7b6bdd8129
fix link to blog and add another in doc
2021-12-03 10:32:16 -08:00
Ryan Richard
4aed3385b6
Merge branch 'main' into code-walkthrough-doc
2021-12-03 09:17:35 -08:00
Ryan Richard
2736c3603a
fix typo in doc
2021-12-03 09:17:17 -08:00
Ryan Richard
3ea90467b7
add first draft of code walk-through doc
2021-12-02 17:18:50 -08:00
anjalitelang
683027468e
Update ROADMAP.md
2021-12-02 12:00:54 -05:00
Mo Khan
269cae3a9f
Merge pull request #895 from enj/enj/f/warning_rt
phttp: add generic support for RFC 2616 14.46 warnings headers
2021-11-30 16:15:39 -05:00
Monis Khan
9d4a932656
phttp: add generic support for RFC 2616 14.46 warnings headers
Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-30 15:11:59 -05:00
Mo Khan
1611cf681a
Merge pull request #876 from vmware-tanzu/upstream_refresh_revocation_during_gc
Revoke upstream OIDC refresh tokens during downstream session garbage collection
2021-11-23 20:15:37 -05:00
Mo Khan
78474cfae9
Merge branch 'main' into upstream_refresh_revocation_during_gc
2021-11-23 19:29:13 -05:00
Mo Khan
aaf847040f
Merge pull request #893 from vmware-tanzu/fix_unit_test
Attempt to fix a unit test that always failed on my laptop
2021-11-23 19:25:16 -05:00
Ryan Richard
e44540043d
Attempt to fix a unit test that always failed on my laptop
Try to make the GCP plugin config less sensitive to the setup of the computer on which it runs.
2021-11-23 15:47:19 -08:00
Ryan Richard
69be273e01
Merge branch 'main' into upstream_refresh_revocation_during_gc
2021-11-23 14:55:44 -08:00
Mo Khan
5a1de2f54c
Merge pull request #888 from vmware-tanzu/customize_ports
Make Concierge server port numbers configurable
2021-11-23 17:51:04 -05:00
Ryan Richard
91eed1ab24
Merge branch 'main' into upstream_refresh_revocation_during_gc
2021-11-23 12:11:39 -08:00
Ryan Richard
3ca8c49334
Improve garbage collector log format and some comments
2021-11-23 12:11:17 -08:00
Mo Khan
f28b33bbf0
Merge branch 'main' into customize_ports
2021-11-23 08:30:48 -05:00
Mo Khan
537f85205d
Merge pull request #889 from enj/enj/i/strict_tls_acceptance
tls: fix integration tests for long lived environments
2021-11-18 16:37:15 -05:00
Ryan Richard
b8a93b6b90
Merge branch 'main' into customize_ports
2021-11-18 09:31:18 -08:00
Monis Khan
764a1ad7e4
tls: fix integration tests for long lived environments
This change updates the new TLS integration tests to:
1. Only create the supervisor default TLS serving cert if needed
2. Port forward the node port supervisor service since that is available in all environments
Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-18 03:55:56 -05:00
Mo Khan
6a68c6532c
Merge pull request #873 from enj/enj/i/strict_tls
Force the use of secure TLS config
2021-11-17 19:17:13 -05:00
Ryan Richard
3b3641568a
GC retries failed upstream revocations for a while, but not forever
2021-11-17 15:58:44 -08:00
Monis Khan
cd686ffdf3
Force the use of secure TLS config
This change updates the TLS config used by all pinniped components.
There are no configuration knobs associated with this change. Thus
this change tightens our static defaults.
There are four TLS config levels:
1. Secure (TLS 1.3 only)
2. Default (TLS 1.2+ best ciphers that are well supported)
3. Default LDAP (TLS 1.2+ with less good ciphers)
4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers)
Highlights per component:
1. pinniped CLI
- uses "secure" config against KAS
- uses "default" for all other connections
2. concierge
- uses "secure" config as an aggregated API server
- uses "default" config as an impersonation proxy API server
- uses "secure" config against KAS
- uses "default" config for JWT authenticator (mostly, see code)
- no changes to webhook authenticator (see code)
3. supervisor
- uses "default" config as a server
- uses "secure" config against KAS
- uses "default" config against OIDC IDPs
- uses "default LDAP" config against LDAP IDPs
Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-17 16:55:35 -05:00
Ryan Richard
ca2cc40769
Add impersonationProxyServerPort to the Concierge's static ConfigMap
- Used to determine on which port the impersonation proxy will bind
- Defaults to 8444, which is the old hard-coded port value
- Allow the port number to be configured to any value within the range 1024 to 65535
- This commit does not include adding new config knobs to the ytt values file, so while it is possible to change this port without needing to recompile, it is not convenient
2021-11-17 13:27:59 -08:00
Ryan Richard
2383a88612
Add aggregatedAPIServerPort to the Concierge's static ConfigMap
- Allow the port number to be configured to any value within the range 1024 to 65535
- This commit does not include adding new config knobs to the ytt values file, so while it is possible to change this port without needing to recompile, it is not convenient
2021-11-16 16:43:51 -08:00
Ryan Richard
48518e9513
Add trace logging to help observe upstream OIDC refresh token revocation
2021-11-11 12:24:05 -08:00
Ryan Richard
de79f15068
Merge branch 'main' into upstream_refresh_revocation_during_gc
2021-11-10 15:35:42 -08:00
Ryan Richard
2388e25235
Revoke upstream OIDC refresh tokens during GC
2021-11-10 15:34:19 -08:00
Mo Khan
c570f08b2b
Merge pull request #885 from vmware-tanzu/dependabot/docker/golang-1.17.3
Bump golang from 1.17.2 to 1.17.3
2021-11-05 21:45:56 -04:00
dependabot[bot]
2aeb464b43
Bump golang from 1.17.2 to 1.17.3
Bumps golang from 1.17.2 to 1.17.3.
---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-11-06 00:55:39 +00:00
Mo Khan
5a3f83f90f
Merge pull request #877 from vmware-tanzu/upstream-ldap-refresh
Upstream ldap refresh
2021-11-05 18:08:45 -04:00
Margo Crawford
cb60a44f8a
extract ldap refresh search into helper function
also added an integration test for refresh failing after updating the username attribute
2021-11-05 14:22:43 -07:00
Margo Crawford
b5b8cab717
Refactors:
- pull construction of authenticators.Response into searchAndBindUser
- remove information about the identity provider in the error that gets returned to users. Put it in debug instead, where it may show up in logs.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-05 14:22:43 -07:00
Margo Crawford
c84329d7a4
Fix broken ldap_client_test
2021-11-05 14:22:43 -07:00