Ryan Richard
514ee5b883
Merge branch 'main' into initial_ldap
2021-05-13 14:24:10 -07:00
Ryan Richard
67dca688d7
Add an API version to the Supervisor IDP discovery endpoint
...
Also rename one of the new functional opts in login.go to more
accurately reflect the intention of the opt.
2021-05-13 10:05:56 -07:00
Margo Crawford
b391d5ae02
Also check that the authcode storage is around for a while
2021-05-12 14:22:14 -07:00
Margo Crawford
874f938fc7
unit test for garbage collection time for refresh and access tokens
2021-05-12 13:55:54 -07:00
Ryan Richard
f0652c1ce1
Replace all usages of strPtr() with pointer.StringPtr()
2021-05-12 13:20:00 -07:00
Ryan Richard
044443f315
Rename `X-Pinniped-Idp-*` headers to `Pinniped-*`
...
See RFC6648 which asks that people stop using `X-` on header names.
Also Matt preferred not mentioning "IDP" in the header name.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-12 13:06:08 -07:00
Ryan Richard
f98aa96ed3
Merge branch 'initial_ldap' into ldap-get-kubeconfig
2021-05-11 11:10:25 -07:00
Ryan Richard
675bbb2aba
Merge branch 'main' into initial_ldap
2021-05-11 11:09:37 -07:00
Ryan Richard
e25eb05450
Move Supervisor IDP discovery to its own new endpoint
2021-05-11 10:31:33 -07:00
Margo Crawford
5240f5e84a
Change access token storage lifetime to be the same as the refresh token's
...
to avoid garbage collection breaking the refresh flow
Also changed the access token lifetime to be 2 minutes instead of 15
since we now have cert caching.
2021-05-06 13:14:20 -07:00
Ryan Richard
4bd83add35
Add Supervisor upstream IDP discovery on the server-side
2021-04-28 13:14:21 -07:00
Ryan Richard
263a33cc85
Some updates based on PR review
2021-04-27 12:43:09 -07:00
Ryan Richard
c176d15aa7
Add Supervisor upstream LDAP login to the Pinniped CLI
...
- Also enhance prepare-supervisor-on-kind.sh to allow setup of
a working LDAP upstream IDP.
2021-04-19 17:59:46 -07:00
Ryan Richard
51263a0f07
Return unauthenticated instead of error for bad username or password
...
- Bad usernames and passwords aren't really errors, since they are
based on end-user input.
- Other kinds of authentication failures are caused by bad configuration
so still treat those as errors.
- Empty usernames and passwords are already prevented by our endpoint
handler, but just to be safe make sure they cause errors inside the
authenticator too.
2021-04-13 16:22:13 -07:00
Ryan Richard
05daa9eff5
More LDAP WIP: started controller and LDAP server connection code
...
Both are unfinished works in progress.
2021-04-09 18:49:43 -07:00
Ryan Richard
f6ded84f07
Implement upstream LDAP support in auth_handler.go
...
- When the upstream IDP is an LDAP IDP and the user's LDAP username and
password are received as new custom headers, then authenticate the
user and, if authentication was successful, return a redirect with
an authcode. Handle errors according to the OAuth/OIDC specs.
- Still does not support having multiple upstream IDPs defined at the
same time, which was an existing limitation of this endpoint.
- Does not yet include the actual LDAP authentication, which is
hidden behind an interface from the point of view of auth_handler.go
- Move the oidctestutil package to the testutil directory.
- Add an interface for Fosite storage to avoid a cyclical test
dependency.
- Add GetURL() to the UpstreamLDAPIdentityProviderI interface.
- Extract test helpers to be shared between callback_handler_test.go
and auth_handler_test.go because the authcode and fosite storage
assertions should be identical.
- Backfill Content-Type assertions in callback_handler_test.go.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-08 17:28:01 -07:00
Ryan Richard
064e3144a2
auth_handler.go: pre-factor to make room for upstream LDAP IDPs
2021-04-07 17:05:25 -07:00
Ryan Richard
1f5978aa1a
Supervisor pre-factor to make room for upstream LDAP identity providers
2021-04-07 16:12:13 -07:00
Monis Khan
d7edc41c24
oidc discovery: encode metadata once and reuse
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-03 13:37:43 -05:00
Matt Moyer
c832cab8d0
Update internal/oidc/token_exchange.go for latest Fosite version.
...
The `fosite.TokenEndpointHandler` changed and now requires some additional methods.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-01 13:08:41 -06:00
Matt Moyer
5b4e58f0b8
Add some trivial unit tests to internal/oidc/csrftoken.
...
This change is primarily to test that our test coverage reporting is working as expected.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-02 09:38:17 -06:00
Ryan Richard
6ef7ec21cd
Merge branch 'release-0.4' into main
2021-01-25 15:13:14 -08:00
Ryan Richard
b77297c68d
Validate the upstream `email_verified` claim when it makes sense
2021-01-25 15:10:41 -08:00
Matt Moyer
04c4cd9534
Upgrade to github.com/coreos/go-oidc v3.0.0.
...
See https://github.com/coreos/go-oidc/releases/tag/v3.0.0 for release notes.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-21 12:08:14 -06:00
Margo Crawford
d11a73c519
PR feedback-- omit empty groups, keep groups as nil until last minute
...
Also log keys and values for claims
2021-01-14 15:11:00 -08:00
Andrew Keesler
6fce1bd6bb
Allow arrays of type interface
...
and always set the groups claim to an
array in the downstream token
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-01-14 17:21:41 -05:00
Monis Khan
3c3da9e75d
Wire in new env vars for user info testing
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-01-12 11:23:25 -05:00
Matt Moyer
3a81fbd1b4
Update fosite error usage.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 16:31:08 -06:00
Ryan Richard
b96d49df0f
Rename all "op" and "opc" usages
...
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-17 11:34:49 -08:00
Margo Crawford
196e43aa48
Rename off of main
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 14:27:09 -08:00
Matt Moyer
7dae166a69
Merge branch 'main' into username-and-subject-claims
2020-12-16 15:23:19 -06:00
Matt Moyer
72ce69410e
Merge pull request #273 from vmware-tanzu/secret-generation
...
Generate secrets for Pinniped Supervisor
2020-12-16 15:22:23 -06:00
Matt Moyer
8527c363bb
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience".
...
This is a bit more clear. We're changing this now because it is a non-backwards-compatible change that we can make now since none of this RFC8693 token exchange stuff has been released yet.
There is also a small typo fix in some flag usages (s/RF8693/RFC8693/)
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 14:24:13 -06:00
Ryan Richard
40c6a67631
Merge branch 'main' into username-and-subject-claims
2020-12-15 18:09:44 -08:00
Andrew Keesler
056afc17bd
Merge remote-tracking branch 'upstream/main' into secret-generation
2020-12-15 15:55:46 -05:00
aram price
2edcdc92f4
Log when unexpected Upstream OIDC Providers found
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 10:49:13 -08:00
Ryan Richard
43bb7117b7
Allow upstream group claim values to be either arrays or strings
2020-12-15 08:34:24 -08:00
Andrew Keesler
d2498c96e0
Merge remote-tracking branch 'upstream/main' into secret-generation
2020-12-15 09:27:23 -05:00
Ryan Richard
16dfab0aff
token_handler_test.go: Add tests for username and groups custom claims
2020-12-14 18:27:14 -08:00
Margo Crawford
afcd5e3e36
WIP: Adjust subject and username claims
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-14 17:05:53 -08:00
Ryan Richard
16907e4453
Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-14 15:28:32 -08:00
Andrew Keesler
cae0023234
Merge remote-tracking branch 'upstream/main' into secret-generation
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-14 11:44:01 -05:00
Andrew Keesler
2f28d2a96b
Synchronize the OIDCProvider secrets cache
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-14 11:32:33 -05:00
Andrew Keesler
b043dae149
Finish first implementation of generic secret generator controller
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-14 10:36:45 -05:00
Ryan Richard
7cda6628a6
Merge branch 'main' into fosite-settings
2020-12-11 18:19:37 -08:00
Ryan Richard
020fbcf190
Adjust some expectations about the state and nonce lengths
2020-12-11 17:39:58 -08:00
Margo Crawford
2a19dd0d2e
Pass prompt through to upstream login request
...
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-11 17:13:27 -08:00
Margo Crawford
ded28dff15
Update the fosite settings
...
- AudienceMatchingStrategy: we want to use the default matcher from
fosite, so remove that line
- AllowedPromptValues: We can use the default if we add a small
change to the auth_handler.go to account for it (in a future commit)
- MinParameterEntropy: Use the fosite default to make it more likely
that off the shelf OIDC clients can work with the supervisor
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-11 16:15:50 -08:00
Andrew Keesler
e2aad48852
internal/oidc/dynamiccodec: loosen test to reduce flakes
...
When we try to decode with the wrong decryption key, we could get any number of
error messages, depending on what failure mode we are in (couldn't authenticate
plaintext after decryption, couldn't deserialize, etc.). This change makes the
test weaker, but at least we know we will get an error message in the case where
the decryption key is wrong.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-11 11:49:27 -05:00
Andrew Keesler
e17bc31b29
Pass CSRF cookie signing key from controller to cache
...
This also sets the CSRF cookie Secret's OwnerReference to the Pod's grandparent
Deployment so that when the Deployment is cleaned up, then the Secret is as
well.
Obviously this controller implementation has a lot of issues, but it will at
least get us started.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-11 11:49:27 -05:00
Andrew Keesler
0246e57d7f
Set lifespans on state and CSRF cookie encoding
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-11 11:49:22 -05:00
Andrew Keesler
9460b08873
Use just-in-time HMAC signing key fetching in our Fosite config
...
This pattern is similar to what we did in 58237d0e7d.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-11 11:16:46 -05:00
aram price
a3285fc187
Fix variable / package name collision
2020-12-10 17:32:55 -08:00
aram price
e1173eb5eb
manager.Manager is initialized with secret.Cache
...
- hard-coded secret.Cache is passed in from pinniped-supervisor/main
2020-12-10 17:32:55 -08:00
aram price
72bc458c8e
Manager uses secret.Cache with hardcoded values
2020-12-10 17:32:55 -08:00
aram price
2f87be3f94
Manager uses dynamiccodec.Codec for cookie encoding
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-10 17:32:55 -08:00
Andrew Keesler
1291380611
dynamiccodec.Codec uses securecookie.JSONEncoder
...
Signed-off-by: aram price <pricear@vmware.com>
2020-12-10 17:32:55 -08:00
Andrew Keesler
d8212d1337
Whitespace
...
Signed-off-by: aram price <pricear@vmware.com>
2020-12-10 17:32:55 -08:00
aram price
030edaf72d
KeyFunc no longer uses multi-value return
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-10 17:32:55 -08:00
Andrew Keesler
3e112fb1ac
internal/oidc/dynamiccodec: first draft
...
Note that we don't cache the securecookie.SecureCookie that we use in our
implementation. This was purely because of laziness. We should think about
caching this value in the future.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-10 17:32:55 -08:00
Ryan Richard
afd216308b
KubeStorage annotates every Secret with garbage-collect-after timestamp
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 14:47:58 -08:00
Margo Crawford
b0c354637d
WIP passing lifetime through to storage, unit tests are failing
...
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-10 12:15:40 -08:00
Margo Crawford
6f40dcb471
Increase the RefreshTokenSessionStorageLifetime
...
- Make it more likely that the end user will get the more specific error
message saying that their refresh token has expired the first time
that they try to use an expired refresh token
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-10 10:44:27 -08:00
Ryan Richard
a561fd21d9
Consolidate the supervisor's timeout settings into a single struct
...
- This struct represents the configuration of all timeouts. These
timeouts are all interrelated to declare them all in one place.
This should also make it easier to allow the user to override
our defaults if we would like to implement such a feature in the
future.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 10:14:54 -08:00
aram price
86c75b7a80
CSRF cookie is no longer encrypted
2020-12-09 17:34:02 -08:00
aram price
f1f8ffa456
Distinct `Encoder`'s use distinct keys
2020-12-09 17:34:02 -08:00
aram price
4a5f8e30a8
Use distinct `Encoder` for state and csrf data
2020-12-09 17:34:02 -08:00
aram price
e111ca02da
Use the narrowest possible interface
2020-12-09 17:34:02 -08:00
aram price
6ec3589112
Use recorder `Cookies()` helper
...
- replaces hand-parsing of cookie strings
2020-12-09 17:34:02 -08:00
Ryan Richard
5b7c510577
Fixed error handling for token exchange when openid scope missing
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 15:15:50 -08:00
Ryan Richard
0abadddb1a
token_handler_test.go: modify a test about refresh request scopes param
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 15:03:52 -08:00
Margo Crawford
5f6e7de785
Merge branch 'token-refresh' into token-exchange-endpoint
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-09 14:56:41 -08:00
Ryan Richard
64631d5780
token_handler_test.go: add even more test cases for refresh grant
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 14:53:39 -08:00
Ryan Richard
0386658d26
token_handler_test.go: add more test cases for refresh grant
2020-12-09 14:12:00 -08:00
Matt Moyer
3e6ebab389
Clean up TestTokenExchange a bit.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 14:49:44 -06:00
Matt Moyer
f90b5d48de
Merge branch 'token-refresh' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint
2020-12-09 14:46:57 -06:00
Matt Moyer
016b0e9a8e
Satisfy the pedantic linter config 🙃.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 14:41:27 -06:00
Ryan Richard
51c828382f
Supervisor token endpoint supports refresh grant type
...
- This commit does not include the sad path tests for the refresh
grant type, which will come in a future commit.
2020-12-09 12:12:59 -08:00
Matt Moyer
02d96d731f
Finish TestTokenExchange unit tests and add missing scope check.
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 13:56:53 -06:00
Matt Moyer
b04db6ad2b
Fix some false positive gosec warnings.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:42:37 -06:00
Matt Moyer
1db2ae3a45
Add more parameter validations and refactor internal/oidc/token_exchange.go.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:04:58 -06:00
Matt Moyer
644cb687b9
Grant the Pinniped STS scope in authorize/callback handlers.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 09:36:45 -06:00
Matt Moyer
5f1bd5ec31
Update TestNullStorage_GetClient with adjusted pinniped-cli scopes.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 09:12:32 -06:00
Ryan Richard
6420caca94
Bring back the test that was skipped by the previous commit
...
- This test is still a work in progress. Some TODO comments
have been added to give hints for next steps.
2020-12-08 18:25:01 -08:00
Ryan Richard
f84dda937b
Merge branch 'token-refresh' into token-exchange-endpoint
2020-12-08 18:12:12 -08:00
Ryan Richard
ef4ef583dc
token_handler_test.go: Refactor how we specify the expected results
...
- This is to make it easier for the token exchange branch to also edit
this test without causing a lot of merge conflicts with the
refresh token branch, to enable parallel development of closely
related stories.
2020-12-08 18:10:55 -08:00
Margo Crawford
f103c02408
Add check for grant type in tokenexchangehandler,
...
- also started writing a test for the tokenexchangehandler, skipping for
now
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-08 17:33:08 -08:00
Margo Crawford
ef3f837800
Merge remote-tracking branch 'origin/token-refresh' into token-exchange-endpoint
2020-12-08 16:58:35 -08:00
Ryan Richard
170982a688
refactor token_handler_test.go: easier to make more requests after initial authcode exchange
...
- This refactor will allow us to add new test tables for the
refresh and token exchange requests, which both must come after
an initial successful authcode exchange has already happened
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-08 16:54:58 -08:00
Margo Crawford
a852baac75
Merge remote-tracking branch 'origin/token-refresh' into token-exchange-endpoint
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-08 12:55:44 -08:00
Ryan Richard
18d90a727e
token_handler_test.go: refresh token gets deleted when authcode reused
2020-12-08 12:12:55 -08:00
Ryan Richard
c090eb6a62
Supervisor token endpoint returns refresh tokens when requested
2020-12-08 11:47:39 -08:00
Matt Moyer
afbef23a51
WIP implementing TokenExchangeHandler methods
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-08 10:17:03 -08:00
Margo Crawford
e5ecaf01a0
WIP stubbing out tokenexchangehandler
2020-12-08 09:28:19 -08:00
Aram Price
d91baba240
authorize and callback endpoints now handle the offline_access scope
...
- This is in preparation for the token endpoint to support the refresh
grant
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-07 17:22:34 -08:00
Ryan Richard
e1ae48f2e4
Discovery does not return token_endpoint_auth_signing_alg_values_supported
...
`token_endpoint_auth_signing_alg_values_supported` is only related to
private_key_jwt and client_secret_jwt client authentication methods
at the token endpoint, which we do not support. See
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
for more details.
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-07 14:15:31 -08:00
Aram Price
648fa4b9ba
Backfill test for token endpoint error when JWK is not yet available
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-07 11:53:24 -08:00
Aram Price
ac19782405
Merge branch 'main' into token-endpoint
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-04 15:52:49 -08:00
Ryan Richard
858356610c
Make assertions about how many secrets were stored by fosite in tests
...
In both callback_handler_test.go and token_handler_test.go
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-04 15:40:17 -08:00
Ryan Richard
ac83633888
Add fosite kube storage for access and refresh tokens
...
Also switched the token_handler_test.go to use kube storage.
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-04 14:31:06 -08:00