djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,477 Commits 30 Branches 34 Tags 22 MiB
Commit Graph

178 Commits

Author SHA1 Message Date
Matt Moyer c832cab8d0
Update internal/oidc/token_exchange.go for latest Fosite version. 
The `fosite.TokenEndpointHandler` changed and now requires some additional methods.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-03-01 13:08:41 -06:00
Matt Moyer 5b4e58f0b8
Add some trivial unit tests to internal/oidc/csrftoken. 
This change is primarily to test that our test coverage reporting is working as expected.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-02-02 09:38:17 -06:00
Ryan Richard 6ef7ec21cd Merge branch 'release-0.4' into main 2021-01-25 15:13:14 -08:00
Ryan Richard b77297c68d Validate the upstream `email_verified` claim when it makes sense 2021-01-25 15:10:41 -08:00
Matt Moyer 04c4cd9534
Upgrade to github.com/coreos/go-oidc v3.0.0. 
See https://github.com/coreos/go-oidc/releases/tag/v3.0.0 for release notes.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-01-21 12:08:14 -06:00
Margo Crawford d11a73c519 PR feedback-- omit empty groups, keep groups as nil until last minute 
Also log keys and values for claims
 2021-01-14 15:11:00 -08:00
Andrew Keesler 6fce1bd6bb
Allow arrays of type interface 
and always set the groups claim to an
array in the downstream token

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-01-14 17:21:41 -05:00
Monis Khan 3c3da9e75d
Wire in new env vars for user info testing 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-01-12 11:23:25 -05:00
Matt Moyer 3a81fbd1b4
Update fosite error usage. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-17 16:31:08 -06:00
Ryan Richard b96d49df0f Rename all "op" and "opc" usages 
Signed-off-by: Aram Price <pricear@vmware.com>
 2020-12-17 11:34:49 -08:00
Margo Crawford 196e43aa48 Rename off of main 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-16 14:27:09 -08:00
Matt Moyer 7dae166a69
Merge branch 'main' into username-and-subject-claims 2020-12-16 15:23:19 -06:00
Matt Moyer 72ce69410e
Merge pull request #273 from vmware-tanzu/secret-generation 
Generate secrets for Pinniped Supervisor
 2020-12-16 15:22:23 -06:00
Matt Moyer 8527c363bb
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience". 
This is a bit more clear. We're changing this now because it is a non-backwards-compatible change that we can make now since none of this RFC8693 token exchange stuff has been released yet.

There is also a small typo fix in some flag usages (s/RF8693/RFC8693/)

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-16 14:24:13 -06:00
Ryan Richard 40c6a67631 Merge branch 'main' into username-and-subject-claims 2020-12-15 18:09:44 -08:00
Andrew Keesler 056afc17bd
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-15 15:55:46 -05:00
aram price 2edcdc92f4 Log when unexpected Upstream OIDC Providers found 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-15 10:49:13 -08:00
Ryan Richard 43bb7117b7 Allow upstream group claim values to be either arrays or strings 2020-12-15 08:34:24 -08:00
Andrew Keesler d2498c96e0
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-15 09:27:23 -05:00
Ryan Richard 16dfab0aff token_handler_test.go: Add tests for username and groups custom claims 2020-12-14 18:27:14 -08:00
Margo Crawford afcd5e3e36 WIP: Adjust subject and username claims 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-14 17:05:53 -08:00
Ryan Richard 16907e4453 Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-14 15:28:32 -08:00
Andrew Keesler cae0023234
Merge remote-tracking branch 'upstream/main' into secret-generation 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 11:44:01 -05:00
Andrew Keesler 2f28d2a96b
Synchronize the OIDCProvider secrets cache 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 11:32:33 -05:00
Andrew Keesler b043dae149
Finish first implementation of generic secret generator controller 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 10:36:45 -05:00
Ryan Richard 7cda6628a6
Merge branch 'main' into fosite-settings 2020-12-11 18:19:37 -08:00
Ryan Richard 020fbcf190 Adjust some expectations about the state and nonce lengths 2020-12-11 17:39:58 -08:00
Margo Crawford 2a19dd0d2e Pass prompt through to upstream login request 
Signed-off-by: Ryan Richard <rrichard@vmware.com>
 2020-12-11 17:13:27 -08:00
Margo Crawford ded28dff15 Update the fosite settings 
- AudienceMatchingStrategy: we want to use the default matcher from
  fosite, so remove that line
- AllowedPromptValues: We can use the default if we add a small
  change to the auth_handler.go to account for it (in a future commit)
- MinParameterEntropy: Use the fosite default to make it more likely
  that off the shelf OIDC clients can work with the supervisor

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-11 16:15:50 -08:00
Andrew Keesler e2aad48852
internal/oidc/dynamiccodec: loosen test to reduce flakes 
When we try to decode with the wrong decryption key, we could get any number of
error messages, depending on what failure mode we are in (couldn't authenticate
plaintext after decryption, couldn't deserialize, etc.). This change makes the
test weaker, but at least we know we will get an error message in the case where
the decryption key is wrong.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-11 11:49:27 -05:00
Andrew Keesler e17bc31b29
Pass CSRF cookie signing key from controller to cache 
This also sets the CSRF cookie Secret's OwnerReference to the Pod's grandparent
Deployment so that when the Deployment is cleaned up, then the Secret is as
well.

Obviously this controller implementation has a lot of issues, but it will at
least get us started.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-11 11:49:27 -05:00
Andrew Keesler 0246e57d7f
Set lifespans on state and CSRF cooking encoding 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-11 11:49:22 -05:00
Andrew Keesler 9460b08873
Use just-in-time HMAC signing key fetching in our Fosite config 
This pattern is similar to what we did in
58237d0e7d.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-11 11:16:46 -05:00
aram price a3285fc187 Fix variable / package name collision 2020-12-10 17:32:55 -08:00
aram price e1173eb5eb manager.Manager is initialized with secret.Cache 
- hard-coded secret.Cache is passed in from pinniped-supervisor/main
 2020-12-10 17:32:55 -08:00
aram price 72bc458c8e Manager uses secret.Cach with hardcoded values 2020-12-10 17:32:55 -08:00
aram price 2f87be3f94 Manager uses dynamiccodec.Codec for cookie encoding 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-10 17:32:55 -08:00
Andrew Keesler 1291380611 dynamiccodec.Codec uses securecookie.JSONEncoder 
Signed-off-by: aram price <pricear@vmware.com>
 2020-12-10 17:32:55 -08:00
Andrew Keesler d8212d1337 Whitespace 
Signed-off-by: aram price <pricear@vmware.com>
 2020-12-10 17:32:55 -08:00
aram price 030edaf72d KeyFunc no longer uses multi-value return 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-10 17:32:55 -08:00
Andrew Keesler 3e112fb1ac internal/oidc/dynamiccodec: first draft 
Note that we don't cache the securecookie.SecureCookie that we use in our
implementation. This was purely because of laziness. We should think about
caching this value in the future.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-10 17:32:55 -08:00
Ryan Richard afd216308b KubeStorage annotates every Secret with garbage-collect-after timestamp 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-10 14:47:58 -08:00
Margo Crawford b0c354637d WIP passing lifetime through to storage, unit tests are failing 
Signed-off-by: Ryan Richard <rrichard@vmware.com>
 2020-12-10 12:15:40 -08:00
Margo Crawford 6f40dcb471 Increase the RefreshTokenSessionStorageLifetime 
- Make it more likely that the end user will get the more specific error
  message saying that their refresh token has expired the first time
  that they try to use an expired refresh token

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-10 10:44:27 -08:00
Ryan Richard a561fd21d9 Consolidate the supervisor's timeout settings into a single struct 
- This struct represents the configuration of all timeouts. These
  timeouts are all interrelated to declare them all in one place.
  This should also make it easier to allow the user to override
  our defaults if we would like to implement such a feature in the
  future.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-10 10:14:54 -08:00
aram price 86c75b7a80 CSRF cookie is no longer encrypted 2020-12-09 17:34:02 -08:00
aram price f1f8ffa456 Distinct `Encoder`'s use distinct keys 2020-12-09 17:34:02 -08:00
aram price 4a5f8e30a8 Use distinct `Encoder` for state and csrf data 2020-12-09 17:34:02 -08:00
aram price e111ca02da Use the narrowest possible interface 2020-12-09 17:34:02 -08:00
aram price 6ec3589112 Use recorder `Cookies()` helper 
- replaces hand-parsing of cookie strings
 2020-12-09 17:34:02 -08:00