ae9bdc1d61
Fix a lint warning by simplifying this append operation.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 16:11:40 -06:00
c0f13ef4ac
Merge remote-tracking branch 'origin/main' into callback-endpoint
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 16:09:08 -06:00
f40144e1a9
Update TestSupervisorLogin to test the callback flow using a browser.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:35 -06:00
0ccf14801e
Expose the MaskTokens function so other test code can use it.
...
This is just a small helper to make test output more readable.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:34 -06:00
273ac62ec2
Extend the test client helpers in ./test/library/client.go.
...
This adds a few new "create test object" helpers and extends `CreateTestOIDCProvider()` to optionally wait for the created OIDCProvider to enter some expected status condition.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:34 -06:00
545c26e5fe
Refactor browser-related test functions to a `./test/library/browsertest` package.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:34 -06:00
22953cdb78
Add a CA.Pool() method to ./internal/certauthority.
...
This is convenient for at least one test and is simple enough to write and test.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:34 -06:00
fe0481c304
In integration test env, deploy a ClusterIP service and register that with Dex.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:33 -06:00
fde56164cd
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method.
...
We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3 ).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:33 -06:00
4fe691de92
Save an http.Client with each upstreamoidc.ProviderConfig object.
...
This allows the token exchange request to be performed with the correct TLS configuration.
We go to a bit of extra work to make sure the `http.Client` object is cached between reconcile operations so that connection pooling works as expected.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:33 -06:00
c23c54f500
Add an explicit `Path=/;` to our CSRF cookie, per the spec.
...
> [...] a cookie named "__Host-cookie1" MUST contain a "Path" attribute with a value of "/".
https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:33 -06:00
9419b7392d
WIP: start to validate ID token returned from token endpoint
...
This won't compile, but we are passing this between two teammates.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-02 16:26:47 -05:00
09e6c86c46
token_handler.go: complete some TODOs and strengthen double auth code test
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-02 15:33:57 -05:00
7e78c9322c
Remove duplicate documentation images from the repo and change all links to point to the Hugo site
2020-12-02 23:58:19 +05:30
31810a97e1
Remove duplicate docs from the repo and change all links to point to the Hugo site
2020-12-02 23:58:19 +05:30
8e4c85d816
WIP: get linting and unit tests passing after token endpoint first draft
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-02 11:16:02 -05:00
970be58847
token_handler.go: first draft of token handler, with a bunch of TODOs
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-02 11:14:45 -05:00
d60c184424
Add pkce and openidconnect storage
...
- Also refactor authorizationcode_test
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-01 17:18:32 -08:00
f38c150f6a
Finished tests for pkce storage and added it to kubestorage
...
- Also fixed some lint errors with v1.33.0 of the linter
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-01 14:53:22 -08:00
c8eaa3f383
WIP towards using k8s fosite storage in the supervisor's callback endpoint
...
- Note that this WIP commit includes a failing unit test, which will
be addressed in the next commit
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-01 11:01:42 -08:00
be8f11fe5a
Merge pull request #246 from mattmoyer/build-on-go-1.14
...
Tweak some stdlib usage so we compile under Go 1.14.
2020-11-30 17:38:19 -06:00
b272b3f331
Refactor oidcclient.Login to use new upstreamoidc package.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 17:37:14 -06:00
4b60c922ef
Add generated mock of UpstreamOIDCIdentityProviderI.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 17:37:14 -06:00
25ee99f93a
Add ValidateToken method to UpstreamOIDCIdentityProviderI interface.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 17:37:14 -06:00
d32583dd7f
Move OIDC Token structs into a new `oidctypes` package.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 17:02:03 -06:00
d64acbb5a9
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 15:22:56 -06:00
24c4bc0dd4
Tweak some stdlib usage so we compile under Go 1.14.
...
Mainly, avoid using some `testing` helpers that were added in 1.14, as well as a couple of other niceties we can live without.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 10:11:41 -06:00
58a3e35c51
Revert "test/integration: skip TestSupervisorLogin until new callback logic is on main"
...
This reverts commit eae6d355f8b21f003
2020-11-30 11:07:25 -05:00
25bbd28527
Merge remote-tracking branch 'upstream/main' into callback-endpoint
2020-11-30 11:06:20 -05:00
385d2db445
Merge pull request #245 from ankeesler/fix-supervisor-login-test
...
Run TestSupervisorLogin only on valid HTTP/HTTPS supervisor addresses
2020-11-30 11:05:43 -05:00
eae6d355f8
test/integration: skip TestSupervisorLogin until new callback logic is on main
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-30 10:12:03 -05:00
5be46d0bb7
test/integration: get downstream issuer path from upstream redirect
...
See comment in the code.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-30 09:58:08 -05:00
5b04192945
Run TestSupervisorLogin only on valid HTTP/HTTPS supervisor addresses
...
We were assuming that env.SupervisorHTTPAddress was set, but it might not be
depending on the environment on which the integration tests are being run. For
example, in our acceptance environments, we don't currently set
env.SupervisorHTTPAddress.
I tried to follow the pattern from TestSupervisorOIDCDiscovery here.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-30 09:23:12 -05:00
e6b6c0e3ab
Merge branch 'main' into callback-endpoint
2020-11-20 15:50:26 -08:00
dfb6544171
Merge pull request #238 from jknostman3/patch-1
...
Update site demo to use pinniped-concierge namespace
2020-11-20 17:15:26 -06:00
3596610f40
Merge pull request #239 from enj/enj/f/fosite_defaults
...
Set defaults for fosite config
2020-11-20 17:14:05 -06:00
ccddeb4cda
Merge branch 'main' into callback-endpoint
2020-11-20 15:13:25 -08:00
d39cc08b66
Set defaults for fosite config
...
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-20 17:18:52 -05:00
c4ff1ca304
auth_handler.go: Ignore invalid CSRF cookies rather than return error
...
Generate a new cookie for the user and move on as if they had not sent
a bad cookie. Hopefully this will make the user experience better if,
for example, the server rotated cookie signing keys and then a user
submitted a very old cookie.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 13:56:35 -08:00
b21f0035d7
callback_handler.go: Get upstream name from state instead of path
...
Also use ConstantTimeCompare() to compare CSRF tokens to prevent
leaking any information in how quickly we reject bad tokens.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-20 13:33:08 -08:00
ad9439eef2
Merge pull request #207 from vmware-tanzu/dependabot/docker/golang-1.15.5
...
Bump golang from 1.15.3 to 1.15.5
2020-11-20 15:18:23 -06:00
72321fc106
Use /callback (without IDP name) path for callback endpoint (part 1)
...
This is much nicer UX for an administrator installing a UpstreamOIDCProvider
CRD. They don't have to guess as hard at what the callback endpoint path should
be for their UpstreamOIDCProvider.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 16:14:45 -05:00
541019eb98
callback_handler.go: simplify stored ID token claims
...
Fosite is gonna set these fields for us.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-20 15:36:51 -05:00
15bffc6b16
Update site demo to use pinniped-concierge namespace
2020-11-20 12:31:23 -08:00
901242c1e1
Bump golang from 1.15.3 to 1.15.5
...
Bumps golang from 1.15.3 to 1.15.5.
Signed-off-by: dependabot[bot] <support@github.com>
2020-11-20 20:19:51 +00:00
fd0e0bb4c9
Merge pull request #234 from rajat404/main
...
Avoid printing the error message twice from client
2020-11-20 13:29:35 -06:00
53bece2186
Avoid printing the error message twice from client
2020-11-21 00:05:26 +05:30
1a881e4f2b
Merge pull request #232 from mattmoyer/adjust-test-environment-upstream-clients
...
Split test environment variables so there's a specific supervisor upstream client.
2020-11-20 09:46:04 -06:00
488d1b663a
internal/oidc/provider/manager: route to callback endpoint
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 10:44:56 -05:00
8f5d1709a1
callback_handler.go: assert behavior about PKCE and IDSession storage
...
Also aggresively refactor for readability:
- Make helper validations functions for each type of storage
- Try to label symbols based on their downstream/upstream use and group them
accordingly
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 09:41:49 -05:00
Matt Moyer