Commit Graph

733 Commits

Author SHA1 Message Date
Ryan Richard
34509e7430 Add more unit tests for dynamic clients and enhance token exchange
- Enhance the token exchange to check that the same client is used
  compared to the client used during the original authorization and
  token requests, and also check that the client has the token-exchange
  grant type allowed in its configuration.
- Reduce the minimum required bcrypt cost for OIDCClient secrets
  because 15 is too slow for real-life use, especially considering
  that every login and every refresh flow will require two client auths.
- In unit tests, use bcrypt hashes with a cost of 4, because bcrypt
  slows down by 13x when run with the race detector, and we run our
  tests with the race detector enabled, causing the tests to be
  unacceptably slow. The production code uses a higher minimum cost.
- Centralize all pre-computed bcrypt hashes used by unit tests to a
  single place. Also extract some other useful test helpers for
  unit tests related to OIDCClients.
- Add tons of unit tests for the token endpoint related to dynamic
  clients for authcode exchanges, token exchanges, and refreshes.
2022-07-20 13:55:56 -07:00
Ryan Richard
f5f55176af Enhance integration tests for OIDCClients in supervisor_login_test.go 2022-07-14 18:50:23 -07:00
Ryan Richard
e0ecdc004b Allow dynamic clients to be used in downstream OIDC flows
This is only a first commit towards making this feature work.
- Hook dynamic clients into fosite by returning them from the storage
  interface (after finding and validating them)
- In the auth endpoint, prevent the use of the username and password
  headers for dynamic clients to force them to use the browser-based
  login flows for all the upstream types
- Add happy path integration tests in supervisor_login_test.go
- Add lots of comments (and some small refactors) in
  supervisor_login_test.go to make it much easier to understand
- Add lots of unit tests for the auth endpoint regarding dynamic clients
  (more unit tests to be added for other endpoints in follow-up commits)
- Enhance crud.go to make lifetime=0 mean never garbage collect,
  since we want client secret storage Secrets to last forever
- Move the OIDCClient validation code to a package where it can be
  shared between the controller and the fosite storage interface
- Make shared test helpers for tests that need to create OIDC client
  secret storage Secrets
- Create a public const for "pinniped-cli" now that we are using that
  string in several places in the production code
2022-07-14 09:51:11 -07:00
Ryan Richard
93939ccbd8 OIDCClient watcher controller updates based on PR feedback 2022-07-06 10:34:24 -07:00
Margo Crawford
98b0b6b21c One line fix to the supervisor warnings test
Make the scopes in the cache key include the new groups scope

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-24 08:09:32 -07:00
Margo Crawford
8adc1ce345 Fix failing active directory integration test
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 16:16:32 -07:00
Margo Crawford
a010e72b29 Merge branch 'dynamic_clients' into require-groups-scope 2022-06-22 14:27:06 -07:00
Margo Crawford
f2005b4c7f Merge branch 'dynamic_clients' into require-groups-scope 2022-06-22 12:30:54 -07:00
Margo Crawford
c70a0b99a8 Don't do ldap group search when group scope not specified
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 10:58:08 -07:00
Margo Crawford
9903c5f79e Handle refresh requests without groups scope
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 08:21:16 -07:00
Ryan Richard
5aa0d91267
New controller watches OIDCClients and updates validation Conditions 2022-06-17 13:11:26 -04:00
Monis Khan
36a5c4c20d
Fix TestOIDCClientStaticValidation on old servers
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-17 09:04:03 -04:00
Mo Khan
4bf734061d
Merge pull request #1190 from vmware-tanzu/client-secret-api-noop
aggregated api for oidcclientsecretrequest
2022-06-16 10:30:13 -04:00
Margo Crawford
64cd8b0b9f Add e2e test for groups scope
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 13:41:22 -07:00
Monis Khan
59d67322d3
Static validation for OIDC clients
The following validation is enforced:

1. Names must start with client.oauth.pinniped.dev-
2. Redirect URIs must start with https://
   or http://127.0.0.1
   or http://::1
3. All spec lists must not have duplicates

Added an integration test to assert all static validations.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-15 15:09:40 -04:00
Margo Crawford
424f925a14 Merge branch 'dynamic_clients' into client-secret-api-noop 2022-06-15 09:38:55 -07:00
Margo Crawford
c117329553 Updates based on code review
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 09:38:21 -07:00
Margo Crawford
4d0c2e16f4 require groups scope to get groups back from supervisor
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 08:00:17 -07:00
Mo Khan
c77bee67c1
Merge pull request #1189 from vmware-tanzu/token_exchange_aud
Disallow certain requested audience strings in token exchange
2022-06-14 16:41:51 -04:00
Margo Crawford
104e08b0f6 Merge branch 'dynamic_clients' into client-secret-api-noop 2022-06-13 15:52:34 -07:00
Margo Crawford
0c1f48cbc1 Move oidcclient into config.supervisor.pinniped.dev
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-13 15:48:54 -07:00
Margo Crawford
8f4285dbff Change group names
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-13 14:28:05 -07:00
Ryan Richard
b9272b2729 Reserve all of *.pinniped.dev for requested aud in token exchanges
Our previous plan was to reserve only *.oauth.pinniped.dev but we
changed our minds during PR review.
2022-06-13 12:08:11 -07:00
Margo Crawford
ba371423d9 Add integration test for OIDCClientSecretRequest
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-10 13:56:15 -07:00
Ryan Richard
e7096c61a8 Merge branch 'main' into dynamic_clients 2022-06-10 12:52:59 -07:00
Margo Crawford
889348e999 WIP aggregated api for oidcclientsecretrequest
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-09 13:47:19 -07:00
Ryan Richard
ec533cd781 Skip some recently added integration tests when LDAP is unavailable
Also refactor to use shared test helper for skipping LDAP and AD tests.
2022-06-08 12:57:00 -07:00
Ryan Richard
dd61ada540 Allow new warning messages about GCP plugin in TestGetPinnipedCategory 2022-06-08 10:22:15 -07:00
Ryan Richard
321abfc98d Merge branch 'dynamic_clients' into token_exchange_aud 2022-06-08 09:03:29 -07:00
Ryan Richard
97d17bbda8 Merge branch 'main' into dynamic_clients 2022-06-08 09:03:06 -07:00
Ryan Richard
ea45e5dfef Disallow certain requested audience strings in token exchange 2022-06-07 16:32:19 -07:00
Ryan Richard
8170889aef Update CSP header expectations in TestSupervisorLogin_Browser int test 2022-06-07 11:20:59 -07:00
Margo Crawford
ca3da0bc90 Fix some disallowed kubebuilder annotations, fix kube api discovery test
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-04 21:04:40 -07:00
Ryan Richard
cb8685b942 Add e2e test for PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW env var 2022-06-02 11:27:54 -07:00
Ryan Richard
aa732a41fb Add LDAP browser flow login failure tests to supervisor_login_test.go
Also do some refactoring to share more common test setup code in
supervisor_login_test.go.
2022-05-10 16:28:08 -07:00
Ryan Richard
0b106c245e Add LDAP browser flow login test to supervisor_login_test.go 2022-05-10 12:54:40 -07:00
Ryan Richard
ab302cf2b7 Add AD via browser login e2e test and refactor e2e tests to share code 2022-05-10 10:30:32 -07:00
Ryan Richard
a4e32d8f3d Extract browsertest.LoginToUpstreamLDAP() integration test helper 2022-05-09 15:43:36 -07:00
Ryan Richard
6e6e1f4add Update login page CSS selectors in e2e test 2022-05-05 13:56:38 -07:00
Margo Crawford
329d41aac7 Add the full end to end test for ldap web ui
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-05-05 08:49:58 -07:00
Margo Crawford
07b2306254 Add basic outline of login get handler
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-28 11:51:36 -07:00
Margo Crawford
eb1d3812ec Update authorization endpoint to redirect to new login page
Also fix some test failures on the callback handler, register the
new login handler in manager.go and add a (half baked) integration test

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-26 12:51:56 -07:00
hectorj2f
a3f7afaec4 oidc: add code challenge supported methods
Signed-off-by: hectorj2f <hectorf@vmware.com>
2022-04-19 01:21:39 +02:00
Margo Crawford
d5337c9c19 Error format of untrusted certificate errors should depend on OS
Go 1.18.1 started using MacOS' x509 verification APIs on Macs
rather than Go's own. The error messages are different.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-14 17:37:36 -07:00
Ryan Richard
53348b8464 Add custom prefix to downstream access and refresh tokens and authcodes 2022-04-13 10:13:27 -07:00
Monis Khan
3f0753ec5a
Remove duplication in secure TLS tests
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:56:38 -04:00
Monis Khan
15bc6a4a67
Add more details to FIPS comments
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:56:38 -04:00
Margo Crawford
53597bb824 Introduce FIPS compatibility
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-29 16:58:41 -07:00
Ryan Richard
bedf4e5a39 Try to avoid getting a second username prompt in a test in e2e_test.go 2022-03-22 14:23:50 -07:00
Ryan Richard
2715741c2c Increase a test timeout in e2e_test.go 2022-03-22 12:13:10 -07:00
Ryan Richard
d162e294ed Split up the context timeouts per test in e2e_test.go 2022-03-22 10:17:45 -07:00
Monis Khan
8fac6cb9a4
Rework or remove tests that rely on the http port
Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-10 19:43:12 -05:00
Ryan Richard
fffcb7f5b4 Update to github.com/golangci/golangci-lint/cmd/golangci-lint@v1.44.2
- Two of the linters changed their names
- Updated code and nolint comments to make all linters pass with 1.44.2
- Added a new hack/install-linter.sh script to help developers install
  the expected version of the linter for local development
2022-03-08 12:28:09 -08:00
Margo Crawford
f6ad5d5c45 Add group change warning test for Active Directory
Also refactor some of the AD test helper functions

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 11:54:36 -08:00
Monis Khan
eae55a8595
Fix typo in group removed warning
Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-02 12:58:30 -05:00
Margo Crawford
609b55a6d7 Pinniped Supervisor should issue a warning when groups change during refresh 2022-03-01 14:01:57 -08:00
Ryan Richard
e1e3342b3d Increase a test timeout to account for slower test on EKS in CI
The test takes longer on EKS because it has to wait about 2 minutes for
the EKS load balancer to be ready during the test.
2022-02-22 11:46:15 -08:00
Margo Crawford
e2c6dcd6e6 Add integration test 2022-02-17 12:50:28 -08:00
Ryan Richard
dec89b5378
Merge branch 'main' into proposal_process 2022-02-17 12:48:58 -08:00
Margo Crawford
662f2cef9c Integration test for updating group search base
Also a small change to a comment
2022-02-17 11:29:59 -08:00
Margo Crawford
ca523b1f20 Always update groups even if it's nil
Also de-dup groups and various small formatting changes
2022-02-17 11:29:59 -08:00
Margo Crawford
cd7538861a Add integration test where we don't get groups back 2022-02-17 11:29:59 -08:00
Margo Crawford
013b521838 Upstream ldap group refresh:
- Doing it inline on the refresh request
2022-02-17 11:29:59 -08:00
Ryan Richard
9dbf7d6bf5 Merge branch 'main' into proposal_process 2022-02-17 10:07:37 -08:00
Ryan Richard
c09daa8513 Merge branch 'main' into fix_int_test_macos 2022-02-16 11:09:11 -08:00
Monis Khan
b8202d89d9
Enforce naming convention for browser based tests
This allows us to target browser based tests with the regex:

go test -v -race -count 1 -timeout 0 ./test/integration -run '/_Browser'

New tests that call browsertest.Open will automatically be forced to
follow this convention.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-16 09:20:28 -05:00
Ryan Richard
1aa17bd84d Check for darwin before relaxing stderr vs stdout assertion in e2e test 2022-02-15 13:45:04 -08:00
Ryan Richard
b0c36c6633 Fix int test that was failing on MacOS, and some small doc changes 2022-02-15 11:19:49 -08:00
Ryan Richard
5d79d4b9dc Fix form_post.js mistake from recent commit; Better CORS on callback 2022-02-08 17:30:48 -08:00
Mo Khan
29368e8242
Make the linter happy 2022-02-08 16:31:04 -05:00
Ryan Richard
cd825c5e51 Use "-v6" for kubectl for an e2e test so we can get more failure output 2022-02-08 13:00:49 -08:00
Monis Khan
8ee461ae8a
e2e_test: handle hung go routines and readers
Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-08 11:40:10 -05:00
Mo Khan
1388183bf1
TestE2EFullIntegration: reduce timeout
This causes the test to timeout before concourse terminates the entire test run.
2022-02-07 20:53:03 -05:00
Ryan Richard
0431a072ae Remove an unnecessary nolint comment 2022-02-07 16:26:39 -08:00
Ryan Richard
aa56f174db Capture and print the full kubectl output in an e2e test upon failure 2022-02-07 16:17:38 -08:00
Ryan Richard
2b93fdf357 Fix a bug in the e2e tests
When the test was going to fail, a goroutine would accidentally block
on writing to an unbuffered channel, and the spawnTestGoroutine helper
would wait for that goroutine to end on cleanup, causing the test to
hang forever while it was trying to fail.
2022-02-07 11:57:54 -08:00
Margo Crawford
842ef38868 Ensure warning is on stderr and not stdout. 2022-01-20 13:48:50 -08:00
Margo Crawford
acd23c4c37 Separate test for access token refresh 2022-01-20 13:48:50 -08:00
Margo Crawford
38d184fe81 Integration test + making sure we get the session correctly in token handler 2022-01-20 13:48:50 -08:00
Margo Crawford
513c943e87 Keep all scopes except offline_access in integration test 2022-01-19 13:29:26 -08:00
Monis Khan
1e1789f6d1
Allow configuration of supervisor endpoints
This change allows configuration of the http and https listeners
used by the supervisor.

TCP (IPv4 and IPv6 with any interface and port) and Unix domain
socket based listeners are supported.  Listeners may also be
disabled.

Binding the http listener to TCP addresses other than 127.0.0.1 or
::1 is deprecated.

The deployment now uses https health checks.  The supervisor is
always able to complete a TLS connection with the use of a bootstrap
certificate that is signed by an in-memory certificate authority.

To support sidecar containers used by service meshes, Unix domain
socket based listeners include ACLs that allow writes to the socket
file from any runAsUser specified in the pod's containers.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-01-18 17:43:45 -05:00
Ryan Richard
814399324f Merge branch 'main' into upstream_access_revocation_during_gc 2022-01-14 10:49:22 -08:00
Ryan Richard
91924ec685 Revert adding allowAccessTokenBasedRefresh flag to OIDCIdentityProvider
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-12 18:03:25 -08:00
Margo Crawford
683a2c5b23 WIP adding access token to storage upon login 2022-01-12 18:03:25 -08:00
Margo Crawford
2958461970 Addressing PR feedback
store issuer and subject in storage for refresh
Clean up some constants

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00
Margo Crawford
0cd086cf9c Check username claim is unchanged for oidc.
Also add integration tests for claims changing.
2022-01-10 11:03:37 -08:00
Monis Khan
c155c6e629
Clean up nits in AD code
- Make everything private
- Drop unused AuthTime field
- Use %q format string instead of "%s"
- Only rely on GetRawAttributeValues in AttributeUnchangedSinceLogin

Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-17 08:53:44 -05:00
Margo Crawford
59d999956c Move ad specific stuff to controller
also make extra refresh attributes a separate field rather than part of
Extra

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
65f3464995 Fix issue with very high integer value parsing, add unit tests
also add comment about urgent replication
2021-12-09 16:16:36 -08:00
Margo Crawford
ee4f725209 Incorporate PR feedback 2021-12-09 16:16:36 -08:00
Margo Crawford
ef5a04c7ce Check for locked users on ad upstream refresh
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
f62e9a2d33 Active directory checks for deactivated user
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
da9b4620b3 Active Directory checks whether password has changed recently during
upstream refresh

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:35 -08:00
Monis Khan
764a1ad7e4
tls: fix integration tests for long lived environments
This change updates the new TLS integration tests to:

1. Only create the supervisor default TLS serving cert if needed
2. Port forward the node port supervisor service since that is
   available in all environments

Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-18 03:55:56 -05:00
Monis Khan
cd686ffdf3
Force the use of secure TLS config
This change updates the TLS config used by all pinniped components.
There are no configuration knobs associated with this change.  Thus
this change tightens our static defaults.

There are four TLS config levels:

1. Secure (TLS 1.3 only)
2. Default (TLS 1.2+ best ciphers that are well supported)
3. Default LDAP (TLS 1.2+ with less good ciphers)
4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers)

Highlights per component:

1. pinniped CLI
   - uses "secure" config against KAS
   - uses "default" for all other connections
2. concierge
   - uses "secure" config as an aggregated API server
   - uses "default" config as a impersonation proxy API server
   - uses "secure" config against KAS
   - uses "default" config for JWT authenticater (mostly, see code)
   - no changes to webhook authenticater (see code)
3. supervisor
   - uses "default" config as a server
   - uses "secure" config against KAS
   - uses "default" config against OIDC IDPs
   - uses "default LDAP" config against LDAP IDPs

Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-17 16:55:35 -05:00
Margo Crawford
cb60a44f8a extract ldap refresh search into helper function
also added an integration test for refresh failing after updating the username attribute
2021-11-05 14:22:43 -07:00
Margo Crawford
b5b8cab717 Refactors:
- pull construction of authenticators.Response into searchAndBindUser
- remove information about the identity provider in the error that gets
  returned to users. Put it in debug instead, where it may show up in
  logs.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-05 14:22:43 -07:00
Margo Crawford
c84329d7a4 Fix broken ldap_client_test 2021-11-05 14:22:43 -07:00
Margo Crawford
f988879b6e Addressing code review changes
- changed to use custom authenticators.Response rather than the k8s one
  that doesn't include space for a DN
- Added more checking for correct idp type in token handler
- small style changes

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-05 14:22:43 -07:00
Margo Crawford
722b5dcc1b Test for change to stored username or subject.
All of this is still done staticly.
2021-11-05 14:22:43 -07:00