djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2,962 Commits 30 Branches 34 Tags 22 MiB
f2005b4c7f
Commit Graph

944 Commits

Author SHA1 Message Date
Margo Crawford
f2005b4c7f Merge branch 'dynamic_clients' into require-groups-scope 2022-06-22 12:30:54 -07:00
Margo Crawford
c70a0b99a8 Don't do ldap group search when group scope not specified 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-22 10:58:08 -07:00
Margo Crawford
9903c5f79e Handle refresh requests without groups scope 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-22 08:21:16 -07:00
Margo Crawford
64cd8b0b9f Add e2e test for groups scope 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-15 13:41:22 -07:00
Margo Crawford
4d0c2e16f4 require groups scope to get groups back from supervisor 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-06-15 08:00:17 -07:00
Ryan Richard
b9272b2729 Reserve all of *.pinniped.dev for requested aud in token exchanges 
Our previous plan was to reserve only *.oauth.pinniped.dev but we
changed our minds during PR review.
 2022-06-13 12:08:11 -07:00
Ryan Richard
321abfc98d Merge branch 'dynamic_clients' into token_exchange_aud 2022-06-08 09:03:29 -07:00
Ryan Richard
ea45e5dfef Disallow certain requested audience strings in token exchange 2022-06-07 16:32:19 -07:00
Mo Khan
472ab229e7
Merge branch 'main' into auth_handler_form_post_csp 2022-06-07 18:26:52 -04:00
Ryan Richard
7751c0bf59
Bump project deps, including kube 0.23.6->0.24.1 and Go 1.18.1->1.18.3 
Several API changes in Kube required changes in Pinniped code.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-06-07 15:26:30 -04:00
Ryan Richard
b99c4773a2 Use CSP headers in auth handler response 
When response_mode=form_post is requested, some error cases will be
returned to the client using the form_post web page to POST the result
back to the client's redirect URL.
 2022-06-02 09:23:34 -07:00
Monis Khan
0674215ef3
Switch to go.uber.org/zap for JSON formatted logging 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-05-24 11:17:42 -04:00
Ryan Richard
39fd9ba270 Small refactors and comments for LDAP/AD UI 2022-05-19 16:02:08 -07:00
Ryan Richard
0f2a984308 Merge branch 'main' into ldap-login-ui 2022-05-11 11:32:15 -07:00
Ryan Richard
aa732a41fb Add LDAP browser flow login failure tests to supervisor_login_test.go 
Also do some refactoring to share more common test setup code in
supervisor_login_test.go.
 2022-05-10 16:28:08 -07:00
Ryan Richard
4c44f583e9 Don't add pinniped_idp_name pinniped_idp_type params into upstream state 2022-05-06 12:00:46 -07:00
Ryan Richard
ec22b5715b Add Pinniped favicon to login UI page 🦭 2022-05-05 14:46:07 -07:00
Ryan Richard
cffa353ffb Login page styling/structure for users, screen readers, passwd managers 
Also:
- Add CSS to login page
- Refactor login page HTML and CSS into a new package
- New custom CSP headers for the login page, because the requirements
  are different from the form_post page
 2022-05-05 13:13:25 -07:00
Ryan Richard
6ca7c932ae Add unit test for rendering form_post response from POST /login 2022-05-05 13:13:25 -07:00
Ryan Richard
656f221fb7 Merge branch 'main' into ldap-login-ui 2022-05-04 09:29:15 -07:00
Ryan Richard
2e031f727b Use security headers for the form_post page in the POST /login endpoint 
Also use more specific test assertions where security headers are
expected. And run the unit tests for the login package in parallel.
 2022-05-03 16:46:09 -07:00
Ryan Richard
acc6c50e48 More unit tests for LDAP DNs which contain special chars 
Adding explicit coverage for PerformRefresh().
 2022-05-03 15:43:01 -07:00
Margo Crawford
388cdb6ddd Fix bug where form was posting to the wrong path 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-05-03 15:18:38 -07:00
Ryan Richard
c74dea6405 Escape special characters in LDAP DNs when used in search filters 2022-05-02 13:37:32 -07:00
Ryan Richard
69e5169fc5 Implement post_login_handler.go to accept form post and auth to LDAP/AD 
Also extract some helpers from auth_handler.go so they can be shared
with the new handler.
 2022-04-29 16:02:00 -07:00
Margo Crawford
646c6ec9ed Show error message on login page 
Also add autocomplete attribute and title element

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-29 10:36:13 -07:00
Margo Crawford
453c69af7d Fix some errors and pass state as form element 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-28 12:07:04 -07:00
Margo Crawford
07b2306254 Add basic outline of login get handler 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-28 11:51:36 -07:00
Margo Crawford
ae60d4356b Some refactoring of shared code between OIDC and LDAP browser flows 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-27 08:51:37 -07:00
Margo Crawford
379a803509 when password header but not username is sent to password grant, error 
also add more unit tests

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-26 16:46:58 -07:00
Ryan Richard
65eed7e742 Implement login_handler.go to defer to other handlers 
The other handlers for GET and POST requests are not yet implemented in
this commit. The shared handler code in login_handler.go takes care of
things checking the method, checking the CSRF cookie, decoding the state
param, and adding security headers on behalf of both the GET and POST
handlers.

Some code has been extracted from callback_handler.go to be shared.
 2022-04-26 15:37:30 -07:00
Margo Crawford
eb1d3812ec Update authorization endpoint to redirect to new login page 
Also fix some test failures on the callback handler, register the
new login handler in manager.go and add a (half baked) integration test

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-26 12:51:56 -07:00
Margo Crawford
8832362b94 WIP: Add login handler for LDAP/AD web login 
Also change state param to include IDP type
 2022-04-25 16:41:55 -07:00
Margo Crawford
694e4d6df6 Advertise browser_authcode flow in ldap idp discovery 
To keep this backwards compatible, this PR changes how
the cli deals with ambiguous flows. Previously, if there
was more than one flow advertised, the cli would require users
to set the flag --upstream-identity-provider-flow. Now it
chooses the first one in the list.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-25 14:54:21 -07:00
Ryan Richard
0ec5e57114
Merge pull request #1131 from vmware-tanzu/bump_some_deps 
Bump some deps
 2022-04-19 13:29:28 -07:00
Margo Crawford
0b72f7084c JWTAuthenticator distributed claims resolution honors tls config 
Kube 1.23 introduced a new field on the OIDC Authenticator which
allows us to pass in a client with our own TLS config. See
https://github.com/kubernetes/kubernetes/pull/106141.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-19 11:36:46 -07:00
Ryan Richard
132d2aac72 add a code comment 2022-04-19 11:35:46 -07:00
Ryan Richard
2d4f4e4efd Merge branch 'main' into bump_some_deps 2022-04-19 11:32:53 -07:00
Ryan Richard
fb8083d024 bump some direct deps 2022-04-19 11:09:24 -07:00
hectorj2f
a3f7afaec4 oidc: add code challenge supported methods 
Signed-off-by: hectorj2f <hectorf@vmware.com>
 2022-04-19 01:21:39 +02:00
Margo Crawford
d5337c9c19 Error format of untrusted certificate errors should depend on OS 
Go 1.18.1 started using MacOS' x509 verification APIs on Macs
rather than Go's own. The error messages are different.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-14 17:37:36 -07:00
Margo Crawford
03f19da21c the http2RoundTripper should only use http2 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2022-04-14 10:51:25 -07:00
Monis Khan
e0886c6948
Only emit FIPS startup log when running a server component 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-04-13 18:31:02 -04:00
Monis Khan
8fd77b72df
Bump to go1.18.1 and fix linter errors 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-04-13 16:43:06 -04:00
Ryan Richard
53348b8464 Add custom prefix to downstream access and refresh tokens and authcodes 2022-04-13 10:13:27 -07:00
Monis Khan
6b4fbb6e0e
Use klog to make sure FIPS init log is emitted 
We cannot use plog until the log level config has been setup, but
that occurs after this init function has run.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-04-12 14:36:06 -04:00
Ryan Richard
25d20d4081 Merge branch 'main' into disable_http 2022-04-05 09:00:26 -07:00
Monis Khan
07066e020d
Explicitly set defaultServing ciphers in FIPS mode 
This is a no-op today, but could change in the future when we add
support for FIPS in non-strict mode.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-04-01 10:59:47 -04:00
Monis Khan
3f0753ec5a
Remove duplication in secure TLS tests 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-04-01 10:56:38 -04:00
Monis Khan
15bc6a4a67
Add more details to FIPS comments 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-04-01 10:56:38 -04:00