Ryan Richard
ec533cd781
Skip some recently added integration tests when LDAP is unavailable
...
Also refactor to use shared test helper for skipping LDAP and AD tests.
2022-06-08 12:57:00 -07:00
Ryan Richard
8170889aef
Update CSP header expectations in TestSupervisorLogin_Browser int test
2022-06-07 11:20:59 -07:00
Ryan Richard
aa732a41fb
Add LDAP browser flow login failure tests to supervisor_login_test.go
...
Also do some refactoring to share more common test setup code in
supervisor_login_test.go.
2022-05-10 16:28:08 -07:00
Ryan Richard
0b106c245e
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 12:54:40 -07:00
Ryan Richard
a4e32d8f3d
Extract browsertest.LoginToUpstreamLDAP() integration test helper
2022-05-09 15:43:36 -07:00
Ryan Richard
53348b8464
Add custom prefix to downstream access and refresh tokens and authcodes
2022-04-13 10:13:27 -07:00
Ryan Richard
fffcb7f5b4
Update to github.com/golangci/golangci-lint/cmd/golangci-lint@v1.44.2
...
- Two of the linters changed their names
- Updated code and nolint comments to make all linters pass with 1.44.2
- Added a new hack/install-linter.sh script to help developers install
the expected version of the linter for local development
2022-03-08 12:28:09 -08:00
Margo Crawford
f6ad5d5c45
Add group change warning test for Active Directory
...
Also refactor some of the AD test helper functions
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 11:54:36 -08:00
Margo Crawford
e2c6dcd6e6
Add integration test
2022-02-17 12:50:28 -08:00
Margo Crawford
662f2cef9c
Integration test for updating group search base
...
Also a small change to a comment
2022-02-17 11:29:59 -08:00
Margo Crawford
cd7538861a
Add integration test where we don't get groups back
2022-02-17 11:29:59 -08:00
Margo Crawford
013b521838
Upstream ldap group refresh:
...
- Doing it inline on the refresh request
2022-02-17 11:29:59 -08:00
Monis Khan
b8202d89d9
Enforce naming convention for browser based tests
...
This allows us to target browser based tests with the regex:
go test -v -race -count 1 -timeout 0 ./test/integration -run '/_Browser'
New tests that call browsertest.Open will automatically be forced to
follow this convention.
Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-16 09:20:28 -05:00
Margo Crawford
513c943e87
Keep all scopes except offline_access in integration test
2022-01-19 13:29:26 -08:00
Ryan Richard
91924ec685
Revert adding allowAccessTokenBasedRefresh flag to OIDCIdentityProvider
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-12 18:03:25 -08:00
Margo Crawford
683a2c5b23
WIP adding access token to storage upon login
2022-01-12 18:03:25 -08:00
Margo Crawford
2958461970
Addressing PR feedback
...
store issuer and subject in storage for refresh
Clean up some constants
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-10 11:03:37 -08:00
Margo Crawford
0cd086cf9c
Check username claim is unchanged for oidc.
...
Also add integration tests for claims changing.
2022-01-10 11:03:37 -08:00
Margo Crawford
59d999956c
Move ad specific stuff to controller
...
also make extra refresh attributes a separate field rather than part of
Extra
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
65f3464995
Fix issue with very high integer value parsing, add unit tests
...
also add comment about urgent replication
2021-12-09 16:16:36 -08:00
Margo Crawford
ee4f725209
Incorporate PR feedback
2021-12-09 16:16:36 -08:00
Margo Crawford
ef5a04c7ce
Check for locked users on ad upstream refresh
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
f62e9a2d33
Active directory checks for deactivated user
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:36 -08:00
Margo Crawford
da9b4620b3
Active Directory checks whether password has changed recently during
...
upstream refresh
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 16:16:35 -08:00
Margo Crawford
cb60a44f8a
extract ldap refresh search into helper function
...
also added an integration test for refresh failing after updating the username attribute
2021-11-05 14:22:43 -07:00
Margo Crawford
b5b8cab717
Refactors:
...
- pull construction of authenticators.Response into searchAndBindUser
- remove information about the identity provider in the error that gets
returned to users. Put it in debug instead, where it may show up in
logs.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-05 14:22:43 -07:00
Margo Crawford
722b5dcc1b
Test for change to stored username or subject.
...
All of this is still done staticly.
2021-11-05 14:22:43 -07:00
Margo Crawford
19281313dd
Basic upstream LDAP/AD refresh
...
This stores the user DN in the session data upon login and checks that
the entry still exists upon refresh. It doesn't check anything
else about the entry yet.
2021-11-05 14:22:42 -07:00
Ryan Richard
9e05d175a7
Add integration test: upstream refresh failure during downstream refresh
2021-10-13 15:12:19 -07:00
Margo Crawford
05f5bac405
ValidatedSettings is all or nothing
...
If either the search base or the tls settings is invalid, just
recheck everything.
2021-09-07 13:09:35 -07:00
Margo Crawford
27c1d2144a
Make sure search base in the validatedSettings cache is properly updated when the bind secret changes
2021-09-07 13:09:35 -07:00
Margo Crawford
6f221678df
Change sAMAccountName env vars to userPrincipalName
...
and add E2E ActiveDirectory test
also fixed regexes in supervisor_login_test to be anchored to the
beginning and end
2021-08-26 16:18:05 -07:00
Margo Crawford
c590c8ff41
Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider
2021-08-24 12:19:29 -07:00
Margo Crawford
5e9087263d
Increase timeout for activedirectoryidentityprovider to be loaded
2021-08-18 16:24:05 -07:00
Margo Crawford
a20aee5f18
Update test assertions to reflect userPrincipalName as username
2021-08-18 13:18:53 -07:00
Margo Crawford
26c47d564f
Make new combined sAMAccountName@domain attribute the group name
...
Also change default username attribute to userPrincipalName
2021-08-17 16:53:26 -07:00
Ryan Richard
84c3c3aa9c
Optionally allow OIDC password grant for CLI-based login experience
...
- Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec
- The oidc upstream watcher controller copies the value of
`AllowPasswordGrant` into the configuration of the cached provider
- Add password grant to the UpstreamOIDCIdentityProviderI interface
which is implemented by the cached provider instance for use in the
authorization endpoint
- Enhance the IDP discovery endpoint to return the supported "flows"
for each IDP ("cli_password" and/or "browser_authcode")
- Enhance `pinniped get kubeconfig` to help the user choose the desired
flow for the selected IDP, and to write the flow into the resulting
kubeconfg
- Enhance `pinniped login oidc` to have a flow flag to tell it which
client-side flow it should use for auth (CLI-based or browser-based)
- In the Dex config, allow the resource owner password grant, which Dex
implements to also return ID tokens, for use in integration tests
- Enhance the authorize endpoint to perform password grant when
requested by the incoming headers. This commit does not include unit
tests for the enhancements to the authorize endpoint, which will come
in the next commit
- Extract some shared helpers from the callback endpoint to share the
code with the authorize endpoint
- Add new integration tests
2021-08-12 10:45:39 -07:00
Margo Crawford
53b58f65b2
Add integration test for wrong password with ldap
2021-07-26 16:32:46 -07:00
Margo Crawford
cc3875f048
PR feedback
2021-07-26 16:03:12 -07:00
Margo Crawford
1050f39789
Integration test deactivated ad account
2021-07-23 13:01:41 -07:00
Margo Crawford
91085e68f9
Refactoring defaulting logic
2021-07-23 13:01:41 -07:00
Margo Crawford
cb0ee07b51
Fetch AD search base from defaultNamingContext when not specified
2021-07-23 13:01:41 -07:00
Margo Crawford
5d8d7246c2
Refactor active directory and ldap controllers to share almost everything
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-07-23 13:01:41 -07:00
Ryan Richard
3b4f521596
Changed TestLDAPUpstream.TestUsernameAttributeName back to TestUserMailAttributeName
...
Also added TestUserSAMAccountNameValue
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-07-23 13:01:40 -07:00
Ryan Richard
aaa4861373
Custom API Group overlay for AD
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-07-23 13:01:40 -07:00
Margo Crawford
b3d0b28bd0
Integration test fixes, fixing objectGUID handling
2021-07-23 13:01:40 -07:00
Margo Crawford
5c283d941c
Helper script for running active directory tests
2021-07-23 13:01:40 -07:00
Margo Crawford
3b8edb84a5
WIP on active directory integration test
2021-07-23 13:01:40 -07:00
Margo Crawford
8fb35c6569
Active Directory cli options
2021-07-23 13:01:40 -07:00
Monis Khan
d78b845575
Fix bad test package name
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 11:23:19 -04:00