djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
875 Commits 30 Branches 34 Tags 22 MiB
Commit Graph

875 Commits

Author SHA1 Message Date
Ryan Richard 97552aec5f Merge branch 'main' into callback-endpoint 2020-11-17 09:06:54 -08:00
Matt Moyer d6d808d185
Re-add the TestSupervisorLogin integration test. 
This is 99% Andrew's code from 4032ed32ae, but tweaked to work with the new UpstreamOIDCProvider setup.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-17 09:21:17 -06:00
Matt Moyer b75a6cdb76
Merge pull request #221 from mattmoyer/use-https-dex 
Add support for custom CA bundle in CLI and UpstreamOIDCProvider.
 2020-11-16 20:47:16 -06:00
Matt Moyer b31deff0fb
Update integration tests to use HTTPS Dex for UpstreamOIDCProvider testing. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 20:23:20 -06:00
Matt Moyer ee978fdde8
Add controller support for spec.tls field. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 20:23:20 -06:00
Matt Moyer e867fb82b9
Add `spec.tls` field to UpstreamOIDCProvider API. 
This allows for a custom CA bundle to be used when connecting to the upstream issuer.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 20:23:20 -06:00
Matt Moyer b17ac6ec0b
Update integration tests to run Dex over HTTPS. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 20:23:20 -06:00
Matt Moyer dd2133458e
Add --ca-bundle flag to "pinniped login oidc" command. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 18:15:20 -06:00
Matt Moyer e7ecfd3954
Merge pull request #219 from mattmoyer/add-test-proxy 
Convert CLI tests to work through an HTTP forward proxy.
 2020-11-16 17:48:16 -06:00
Matt Moyer c8b17978a9
Convert CLI tests to work through an HTTP forward proxy. 
This change deploys a small Squid-based proxy into the `dex` namespace in our integration test environment. This lets us use the cluster-local DNS name (`http://dex.dex.svc.cluster.local/dex`) as the OIDC issuer. It will make generating certificates easier, and most importantly it will mean that our CLI can see Dex at the same name/URL as the supervisor running inside the cluster.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 17:16:58 -06:00
Matt Moyer a4733025ce
Merge pull request #220 from jonasrosland/fix-landing-text 
Fix landing page use cases
 2020-11-16 16:36:44 -06:00
Andrew Keesler 1c7601a2b5
callback_handler.go: start happy path test with redirect 
Next steps: fosite storage?

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-16 17:07:34 -05:00
Ryan Richard 052cdc40dc
callback_handler.go: add CSRF and version state validations 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-16 14:41:00 -05:00
jonasrosland 332ed8e50b Fix landing page use cases 
Signed-off-by: jonasrosland <jrosland@vmware.com>
 2020-11-16 12:00:06 -05:00
Andrew Keesler 4138c9244f
callback_handler.go: write 2 invalid cookie tests 
Also common-ize some more constants shared between the auth and callback
endpoints.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-16 11:47:49 -05:00
Michael Nelson 57a2dc9fc1 Update default namespace for pinniped-concierge to match install-pinniped-concierge.yaml 2020-11-16 11:05:53 +11:00
Michael Nelson 9bb9402e89 Updated doc/demo.md with required namespace 2020-11-16 11:05:53 +11:00
Andrew Keesler 3ef1171667 Tiny bit more code for Supervisor's callback_handler.go 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-13 15:59:51 -08:00
Matt Moyer 84b61fac88
Merge pull request #215 from mattmoyer/fix-upstream-oidc-provider 
Fix some issues in the UpstreamOIDCProvider CRD and controller
 2020-11-13 17:23:10 -06:00
Matt Moyer c10393b495
Mask the raw error messages from go-oidc, since they are dangerous. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 16:22:34 -06:00
Matt Moyer d3d8ef44a0
Make more fields in UpstreamOIDCProvider optional. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 15:28:37 -06:00
Mo Khan d5ee925e62
Merge pull request #213 from mattmoyer/more-categories 
Add our TokenCredentialRequest to the "pinniped" API category as well.
 2020-11-13 15:51:42 -05:00
Mo Khan 47d216caae
Merge pull request #209 from alexbrand/doc-fixes 
Fix broken links in the project's website
 2020-11-13 15:51:13 -05:00
Alexander Brand 406d6b5544
docs/scope.md: Fix link to contrib guide 
Signed-off-by: Alexander Brand <alexbrand09@gmail.com>
 2020-11-13 15:25:01 -05:00
Matt Moyer ab87977c08
Put our TokenCredentialRequest API into the "pinniped" category. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 14:22:26 -06:00
Matt Moyer f4dfc22f8e
Merge pull request #212 from enj/enj/i/restore_cert_ttl 
Reduce client cert TTL back to 5 mins
 2020-11-13 14:11:44 -06:00
Matt Moyer 785a1d14fb
Merge pull request #199 from mattmoyer/add-oidc-upstream-crd 
Add UpstreamOIDCProvider API and initial controller.
 2020-11-13 13:01:13 -06:00
Matt Moyer d68a4b85f4
Add integration tests for UpstreamOIDCProvider status. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 12:30:38 -06:00
Matt Moyer cbd71df574
Add "upstream-watcher" controller to supervisor. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 12:30:38 -06:00
Monis Khan c05cbca0b0
Reduce client cert TTL back to 5 mins 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-13 13:30:02 -05:00
Matt Moyer 2e7d869ccc
Add generated API/client code for new UpstreamOIDCProvider CRD. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 11:38:50 -06:00
Matt Moyer bac3c19bec
Add UpstreamOIDCProvider API type definition. 
This is essentially just a copy of Andrew's work from https://github.com/vmware-tanzu/pinniped/pull/135.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 11:38:49 -06:00
Andrew Keesler 81b9a48437
callback_handler.go: initial API/test shape with 1 test 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-13 12:32:35 -05:00
Alexander Brand 271640b66d
docs/architecture.md: Fix broken link 2020-11-13 09:17:47 -05:00
Alexander Brand 6b0d4184d5
docs/architecture.md: Fix broken link 2020-11-13 09:15:46 -05:00
Ryan Richard d351ef430c
Merge pull request #206 from vmware-tanzu/authorize_endpoint_reuse_cookie 
Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones
 2020-11-12 16:26:01 -08:00
Matt Moyer e6f128e2a7
Merge pull request #205 from mattmoyer/more-careful-categories 
Put all of our APIs into a "pinniped" category, and never use "all".
 2020-11-12 17:37:20 -06:00
Andrew Keesler 080bb594b2 Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones 
- To better support having multiple downstream providers configured,
  the authorize endpoint will share a CSRF cookie between all
  downstream providers' authorize endpoints. The first time a
  user's browser hits the authorize endpoint of any downstream
  provider, that endpoint will set the cookie. Then if the user
  starts an authorize flow with that same downstream provider or with
  any other downstream provider which shares the same domain name
  (i.e. differentiated by issuer path), then the same cookie will be
  submitted and respected.
- Just in case we are sharing the domain name with some other app,
  we sign the value of any new CSRF cookie and check the signature
  when we receive the cookie. This wasn't strictly necessary since
  we probably won't share a domain name with other apps, but it
  wasn't hard to add this cookie signing.

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-12 15:36:59 -08:00
Matt Moyer f1696411d9
Test that Pinniped APis do not have short names, either. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-12 17:13:52 -06:00
Matt Moyer 5580ca82ac
Merge pull request #204 from mattmoyer/cleanup-update-script 
Remove CRD count check, since we can now use wildcards.
 2020-11-12 16:28:24 -06:00
Matt Moyer 7f2c43cd62
Put all of our APIs into a "pinniped" category, and never use "all". 
We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`.

I also added some tests to assert these properties on all `*.pinniped.dev` API resources.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-12 16:26:34 -06:00
Matt Moyer 372cfe1601
Remove CRD count check, since we can now use wildcards. 
This check predates the API renaming we did. Now that our API groups have `concierge`/`supervisor` in the name, we don't need to maintain a specific set of `cp` commands and keep them in sync, so we don't really need this check.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-12 15:48:03 -06:00
Mo Khan d73fdb1d33
Merge pull request #202 from mattmoyer/remove-internal-crd-packages 
Remove extraneous internal packages for CRD APIs.
 2020-11-12 15:29:29 -05:00
Matt Moyer 821190004c
Remove extraneous internal packages for CRD APIs. 
These only really make sense for aggregated API types where we need `conversion-gen` to do version conversion.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-12 14:04:53 -06:00
Andrew Keesler 8321773a22
auth_handler.go: fix lint error 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-12 12:24:40 -05:00
Andrew Keesler 3a943a3b9a
auth_handler.go: ignore encoding timestamp for deterministic tests 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-12 12:14:50 -05:00
Ryan Richard 6d380c629a
auth_handler.go: use encryption in tests 
Our unit tests are gonna touch a lot more corner cases than our
integration tests, so let's make them run as close to the real
implementation as possible.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-12 12:14:49 -05:00
Matt Moyer 5fd105496f
Merge pull request #201 from amymanion/am-dev 
Style updates
 2020-11-12 09:12:24 -06:00
Matt Moyer b3e622c914
Merge pull request #200 from jonasrosland/website-fixes 
Website fixes for broken links, formatting, and more
 2020-11-12 09:10:28 -06:00
Amy Manion c4ed768c9e Adjust hero font size 2020-11-12 09:46:44 -05:00