djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
3,113 Commits 30 Branches 34 Tags 22 MiB
Commit Graph

3113 Commits

Author SHA1 Message Date
Ryan Richard dff53b8144 Changes for Fosite's new RevokeRefreshTokenMaybeGracePeriod() interface 
Fosite v0.42.0 introduced a new RevokeRefreshTokenMaybeGracePeriod()
interface function. Updated our code to support this change. We didn't
support grace periods on refresh tokens before, so implemented it by
making the new RevokeRefreshTokenMaybeGracePeriod() method just call
the old RevokeRefreshToken() method, therefore keeping our old behavior.
 2022-01-19 13:57:01 -08:00
Margo Crawford 513c943e87 Keep all scopes except offline_access in integration test 2022-01-19 13:29:26 -08:00
Ryan Richard 3b1cc30e8d Update unit test to match new JS minify output after minify upgrade 2022-01-19 13:29:07 -08:00
Ryan Richard a4ca44ca14 Improve error handling when upstream groups is invalid during refresh 2022-01-19 12:57:47 -08:00
dependabot[bot] 4ce2f9db50
Bump github.com/tdewolff/minify/v2 from 2.9.26 to 2.9.29 
Bumps [github.com/tdewolff/minify/v2](https://github.com/tdewolff/minify) from 2.9.26 to 2.9.29.
- [Release notes](https://github.com/tdewolff/minify/releases)
- [Commits](https://github.com/tdewolff/minify/compare/v2.9.26...v2.9.29)

---
updated-dependencies:
- dependency-name: github.com/tdewolff/minify/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-01-19 01:05:43 +00:00
Ryan Richard 78bdb1928a
Merge branch 'main' into upstream-oidc-refresh-groups 2022-01-18 16:03:14 -08:00
dependabot[bot] b2bdf01152
Bump github.com/ory/fosite from 0.41.0 to 0.42.0 
Bumps [github.com/ory/fosite](https://github.com/ory/fosite) from 0.41.0 to 0.42.0.
- [Release notes](https://github.com/ory/fosite/releases)
- [Changelog](https://github.com/ory/fosite/blob/master/CHANGELOG.md)
- [Commits](https://github.com/ory/fosite/compare/v0.41.0...v0.42.0)

---
updated-dependencies:
- dependency-name: github.com/ory/fosite
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-01-18 23:53:34 +00:00
Mo Khan 956f6f1eab
Merge pull request #945 from enj/enj/i/supervisor_ports 
Allow configuration of supervisor endpoints
 2022-01-18 18:52:32 -05:00
Monis Khan 1e1789f6d1
Allow configuration of supervisor endpoints 
This change allows configuration of the http and https listeners
used by the supervisor.

TCP (IPv4 and IPv6 with any interface and port) and Unix domain
socket based listeners are supported.  Listeners may also be
disabled.

Binding the http listener to TCP addresses other than 127.0.0.1 or
::1 is deprecated.

The deployment now uses https health checks.  The supervisor is
always able to complete a TLS connection with the use of a bootstrap
certificate that is signed by an in-memory certificate authority.

To support sidecar containers used by service meshes, Unix domain
socket based listeners include ACLs that allow writes to the socket
file from any runAsUser specified in the pod's containers.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-01-18 17:43:45 -05:00
Ryan Richard 70bd831099
Merge branch 'main' into upstream-oidc-refresh-groups 2022-01-18 14:36:18 -08:00
Ryan Richard 01a7978387
Merge pull request #940 from vmware-tanzu/ldap_and_activedirectory_status_conditions_bug 
Fix bug where LDAP or AD status conditions were not updated correctly
 2022-01-18 14:35:49 -08:00
Ryan Richard 1a2514f417
Merge branch 'main' into ldap_and_activedirectory_status_conditions_bug 2022-01-18 10:09:14 -08:00
Ryan Richard 6143d66504 Increase timeout on linter for when CI gets slow 2022-01-18 10:07:36 -08:00
Ryan Richard 1602fca5ed Increase timeout on linter for when CI gets slow 2022-01-18 10:06:53 -08:00
anjalitelang ebcf71c30c
Update ROADMAP.md 
Proposed changes based on multiple tracks of work- Compliance, IDP features
 2022-01-18 10:34:09 -05:00
Ryan Richard 88f3b29515 Merge branch 'main' into upstream-oidc-refresh-groups 2022-01-14 16:51:12 -08:00
Ryan Richard 75e4093067 Merge branch 'main' into ldap_and_activedirectory_status_conditions_bug 2022-01-14 16:50:34 -08:00
Ryan Richard 619b0ba052
Merge pull request #904 from vmware-tanzu/upstream_access_revocation_during_gc 
Revoke upstream OIDC access tokens during downstream session garbage collection
 2022-01-14 16:45:29 -08:00
Ryan Richard 548977f579 Update group memberships during refresh for upstream OIDC providers 
Update the user's group memberships when possible. Note that we won't
always have enough information to be able to update it (see code
comments).
 2022-01-14 16:38:21 -08:00
Ryan Richard 7551af3eb8 Fix code that did not auto-merge correctly in previous merge from main 2022-01-14 10:59:39 -08:00
Ryan Richard 814399324f Merge branch 'main' into upstream_access_revocation_during_gc 2022-01-14 10:49:22 -08:00
Margo Crawford 50e4871d65
Merge pull request #944 from vmware-tanzu/refresh-with-no-refresh-token 
Access Token based OIDC refresh by checking the UserInfo endpoint
 2022-01-14 10:23:41 -08:00
Ryan Richard db0a765b98 Merge branch 'main' into ldap_and_activedirectory_status_conditions_bug 2022-01-14 10:06:16 -08:00
Ryan Richard 092a80f849 Refactor some variable names and update one comment 
Change variable names to match previously renamed interface name.
 2022-01-14 10:06:00 -08:00
Margo Crawford 5b161be334 Refactored oidcUpstreamRefresh 
Various style changes, updated some comments and variable names and
extracted a helper function for validation.
 2022-01-12 18:05:22 -08:00
Margo Crawford 62be761ef1 Perform access token based refresh by fetching the userinfo 2022-01-12 18:05:10 -08:00
Ryan Richard 651d392b00 Refuse logins when no upstream refresh token and no userinfo endpoint 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-01-12 18:03:25 -08:00
Margo Crawford 6f3977de9d Store access token when refresh not available for authcode flow. 
Also refactor oidc downstreamsessiondata code to be shared between
callback handler and auth handler.

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2022-01-12 18:03:25 -08:00
Ryan Richard 91924ec685 Revert adding allowAccessTokenBasedRefresh flag to OIDCIdentityProvider 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-01-12 18:03:25 -08:00
Margo Crawford 683a2c5b23 WIP adding access token to storage upon login 2022-01-12 18:03:25 -08:00
Ryan Richard 1f146f905a Add struct field for storing upstream access token in downstream session 2022-01-12 18:03:25 -08:00
Mo Khan 82f54b5556
Merge pull request #917 from vmware-tanzu/oidc-refresh-user-info-checks 
OIDC refresh user info checks
 2022-01-12 20:27:00 -05:00
Margo Crawford 2b744b2eef Add back comment about deferring validation when id token subject is missing 2022-01-12 11:19:43 -08:00
Ryan Richard 438b58193d Empty commit to trigger CI 2022-01-10 13:47:13 -08:00
Margo Crawford 2958461970 Addressing PR feedback 
store issuer and subject in storage for refresh
Clean up some constants

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-01-10 11:03:37 -08:00
Margo Crawford f2d2144932 rename ValidateToken to ValidateTokenAndMergeWithUserInfo to better reflect what it's doing 
Also changed a few comments and small things
 2022-01-10 11:03:37 -08:00
Margo Crawford c9cf13a01f Check for issuer if available 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-01-10 11:03:37 -08:00
Margo Crawford 0cd086cf9c Check username claim is unchanged for oidc. 
Also add integration tests for claims changing.
 2022-01-10 11:03:37 -08:00
Margo Crawford b098435290 Refactor validatetoken to handle refresh case without id token 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-01-10 11:03:37 -08:00
Margo Crawford 74b007ff66 Validate that issuer url and urls returned from discovery are https 
and that they have no query or fragment

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2022-01-10 11:03:37 -08:00
Margo Crawford ed96b597c7 Check for subject matching with upstream refresh 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-01-10 11:03:37 -08:00
Ryan Richard 6b9fc7aa59 Merge branch 'main' into ldap_and_activedirectory_status_conditions_bug 2022-01-10 09:23:09 -08:00
Mo Khan d438bfbc99
Merge pull request #939 from vmware-tanzu/dependabot/go_modules/github.com/ory/x-0.0.331 
Bump github.com/ory/x from 0.0.330 to 0.0.331
 2022-01-09 12:04:56 -05:00
Ryan Richard 7f99d78462 Fix bug where LDAP or AD status conditions were not updated correctly 
When the LDAP and AD IDP watcher controllers encountered an update error
while trying to update the status conditions of the IDP resources, then
they would drop the computed desired new value of the condition on the
ground. Next time the controller ran it would not try to update the
condition again because it wants to use the cached settings and had
already forgotten the desired new value of the condition computed during
the previous run of the controller. This would leave the outdated value
of the condition on the IDP resource.

This bug would manifest in CI as random failures in which the expected
condition message and the actual condition message would refer to
different versions numbers of the bind secret. The actual condition
message would refer to an older version of the bind secret because the
update failed and then the new desired message got dropped on the
ground.

This commit changes the in-memory caching strategy to also cache the
computed condition messages, allowing the conditions to be updated
on the IDP resource during future calls to Sync() in the case of a
failed update.
 2022-01-07 17:19:13 -08:00
dependabot[bot] a7ff638f4c
Bump github.com/ory/x from 0.0.330 to 0.0.331 
Bumps [github.com/ory/x](https://github.com/ory/x) from 0.0.330 to 0.0.331.
- [Release notes](https://github.com/ory/x/releases)
- [Commits](https://github.com/ory/x/compare/v0.0.330...v0.0.331)

---
updated-dependencies:
- dependency-name: github.com/ory/x
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-01-07 13:45:37 +00:00
Mo Khan 287d5094ec
Merge pull request #938 from vmware-tanzu/dependabot/docker/golang-1.17.6 
Bump golang from 1.17.5 to 1.17.6
 2022-01-07 08:13:16 -05:00
dependabot[bot] f2b4d667d1
Bump golang from 1.17.5 to 1.17.6 
Bumps golang from 1.17.5 to 1.17.6.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-01-07 01:04:10 +00:00
Mo Khan fff27a4270
Merge pull request #935 from enj/enj/i/bump_0001 
Bump all deps to latest
 2022-01-03 19:48:08 -05:00
Monis Khan f90f173826
Bump all deps to latest 
Ran:

go get -u ./... && go mod tidy

Pinned all go.opentelemetry.io deps to match k/k.
This is needed to make the go get command work.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-01-03 17:48:59 -05:00
Mo Khan cc88d2a334
Merge pull request #931 from vmware-tanzu/dependabot/docker/distroless/static-80c956f 
Bump distroless/static from `bca3c20` to `80c956f`
 2022-01-03 10:49:08 -05:00