Commit Graph

836 Commits

Author SHA1 Message Date
Andrew Keesler
f8d76066c5
callback_handler.go: assert nonce is stored correctly
I think we want to do this here since we are storing all of the
other ID token claims?

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 08:38:23 -05:00
Andrew Keesler
b25696a1fb callback_handler.go: Prepend iss to sub when making default username
- Also handle several more error cases
- Move RequireTimeInDelta to shared testutils package so other tests
  can also use it
- Move all of the oidc test helpers into a new oidc/oidctestutils
  package to break a circular import dependency. The shared testutil
  package can't depend on any of our other packages or else we
  end up with circular dependencies.
- Lots more assertions about what was stored at the end of the
  request to build confidence that we are going to pass all of the
  right settings over to the token endpoint through the storage, and
  also to avoid accidental regressions in that area in the future

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-19 17:57:07 -08:00
Andrew Keesler
b49d37ca54
callback_handler.go: test invalid upstream ID token username/groups
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-19 15:53:21 -05:00
Ryan Richard
83101eefce
callback_handler.go: start to test upstream token corner cases
Also refactor to get rid of duplicate test structs.

Also also don't default groups ID token claim because there is no standard one.

Also also also add some logging that will hopefully help us in debugging in the
future.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 14:19:01 -05:00
Ryan Richard
a47617cad0 callback_handler.go: Add JWT Audience claim to storage 2020-11-19 08:53:53 -08:00
Ryan Richard
ee84f31f42 callback_handler.go: Add JWT Issuer claim to storage 2020-11-19 08:35:23 -08:00
Andrew Keesler
ace861f722
callback_handler.go: get some thoughts down about default upstream claims
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 11:08:21 -05:00
Andrew Keesler
2e62be3ebb
callback_handler.go: assert correct args are passed to token exchange
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 10:20:46 -05:00
Andrew Keesler
48e0250649
callback_handler.go: test that we request openid scope correctly
Also add some testing.T.Log() calls to make debugging handler test failures
easier.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 09:28:56 -05:00
Andrew Keesler
6c72507bca
callback_handler.go: add test for failed upstream exchange/validation
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 09:00:41 -05:00
Andrew Keesler
63b8c6e4b2
callback_handler.go: test when state missing a needed param
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 08:51:23 -05:00
Andrew Keesler
ffdb7fa795
callback_handler.go: add a test for invalid state auth params
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 08:41:44 -05:00
Ryan Richard
652ea6bd2a Start using fosite in the Supervisor's callback handler 2020-11-18 17:15:01 -08:00
Ryan Richard
227fbd63aa Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider
Because we want it to implement an AuthcodeExchanger interface and
do it in a way that will be more unit test-friendly than the underlying
library that we intend to use inside its implementation.
2020-11-18 13:38:13 -08:00
Ryan Richard
97552aec5f Merge branch 'main' into callback-endpoint 2020-11-17 09:06:54 -08:00
Matt Moyer
b75a6cdb76
Merge pull request #221 from mattmoyer/use-https-dex
Add support for custom CA bundle in CLI and UpstreamOIDCProvider.
2020-11-16 20:47:16 -06:00
Matt Moyer
b31deff0fb
Update integration tests to use HTTPS Dex for UpstreamOIDCProvider testing.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
ee978fdde8
Add controller support for spec.tls field.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
e867fb82b9
Add spec.tls field to UpstreamOIDCProvider API.
This allows for a custom CA bundle to be used when connecting to the upstream issuer.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
b17ac6ec0b
Update integration tests to run Dex over HTTPS.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
dd2133458e
Add --ca-bundle flag to "pinniped login oidc" command.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 18:15:20 -06:00
Matt Moyer
e7ecfd3954
Merge pull request #219 from mattmoyer/add-test-proxy
Convert CLI tests to work through an HTTP forward proxy.
2020-11-16 17:48:16 -06:00
Matt Moyer
c8b17978a9
Convert CLI tests to work through an HTTP forward proxy.
This change deploys a small Squid-based proxy into the `dex` namespace in our integration test environment. This lets us use the cluster-local DNS name (`http://dex.dex.svc.cluster.local/dex`) as the OIDC issuer. It will make generating certificates easier, and most importantly it will mean that our CLI can see Dex at the same name/URL as the supervisor running inside the cluster.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 17:16:58 -06:00
Matt Moyer
a4733025ce
Merge pull request #220 from jonasrosland/fix-landing-text
Fix landing page use cases
2020-11-16 16:36:44 -06:00
Andrew Keesler
1c7601a2b5
callback_handler.go: start happy path test with redirect
Next steps: fosite storage?

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-16 17:07:34 -05:00
Ryan Richard
052cdc40dc
callback_handler.go: add CSRF and version state validations
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 14:41:00 -05:00
jonasrosland
332ed8e50b Fix landing page use cases
Signed-off-by: jonasrosland <jrosland@vmware.com>
2020-11-16 12:00:06 -05:00
Andrew Keesler
4138c9244f
callback_handler.go: write 2 invalid cookie tests
Also common-ize some more constants shared between the auth and callback
endpoints.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 11:47:49 -05:00
Andrew Keesler
3ef1171667 Tiny bit more code for Supervisor's callback_handler.go
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-13 15:59:51 -08:00
Matt Moyer
84b61fac88
Merge pull request #215 from mattmoyer/fix-upstream-oidc-provider
Fix some issues in the UpstreamOIDCProvider CRD and controller
2020-11-13 17:23:10 -06:00
Matt Moyer
c10393b495
Mask the raw error messages from go-oidc, since they are dangerous.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 16:22:34 -06:00
Matt Moyer
d3d8ef44a0
Make more fields in UpstreamOIDCProvider optional.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 15:28:37 -06:00
Mo Khan
d5ee925e62
Merge pull request #213 from mattmoyer/more-categories
Add our TokenCredentialRequest to the "pinniped" API category as well.
2020-11-13 15:51:42 -05:00
Mo Khan
47d216caae
Merge pull request #209 from alexbrand/doc-fixes
Fix broken links in the project's website
2020-11-13 15:51:13 -05:00
Alexander Brand
406d6b5544
docs/scope.md: Fix link to contrib guide
Signed-off-by: Alexander Brand <alexbrand09@gmail.com>
2020-11-13 15:25:01 -05:00
Matt Moyer
ab87977c08
Put our TokenCredentialRequest API into the "pinniped" category.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 14:22:26 -06:00
Matt Moyer
f4dfc22f8e
Merge pull request #212 from enj/enj/i/restore_cert_ttl
Reduce client cert TTL back to 5 mins
2020-11-13 14:11:44 -06:00
Matt Moyer
785a1d14fb
Merge pull request #199 from mattmoyer/add-oidc-upstream-crd
Add UpstreamOIDCProvider API and initial controller.
2020-11-13 13:01:13 -06:00
Matt Moyer
d68a4b85f4
Add integration tests for UpstreamOIDCProvider status.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 12:30:38 -06:00
Matt Moyer
cbd71df574
Add "upstream-watcher" controller to supervisor.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 12:30:38 -06:00
Monis Khan
c05cbca0b0
Reduce client cert TTL back to 5 mins
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-13 13:30:02 -05:00
Matt Moyer
2e7d869ccc
Add generated API/client code for new UpstreamOIDCProvider CRD.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 11:38:50 -06:00
Matt Moyer
bac3c19bec
Add UpstreamOIDCProvider API type definition.
This is essentially just a copy of Andrew's work from https://github.com/vmware-tanzu/pinniped/pull/135.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 11:38:49 -06:00
Andrew Keesler
81b9a48437
callback_handler.go: initial API/test shape with 1 test
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-13 12:32:35 -05:00
Alexander Brand
271640b66d
docs/architecture.md: Fix broken link 2020-11-13 09:17:47 -05:00
Alexander Brand
6b0d4184d5
docs/architecture.md: Fix broken link 2020-11-13 09:15:46 -05:00
Ryan Richard
d351ef430c
Merge pull request #206 from vmware-tanzu/authorize_endpoint_reuse_cookie
Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones
2020-11-12 16:26:01 -08:00
Matt Moyer
e6f128e2a7
Merge pull request #205 from mattmoyer/more-careful-categories
Put all of our APIs into a "pinniped" category, and never use "all".
2020-11-12 17:37:20 -06:00
Andrew Keesler
080bb594b2 Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones
- To better support having multiple downstream providers configured,
  the authorize endpoint will share a CSRF cookie between all
  downstream providers' authorize endpoints. The first time a
  user's browser hits the authorize endpoint of any downstream
  provider, that endpoint will set the cookie. Then if the user
  starts an authorize flow with that same downstream provider or with
  any other downstream provider which shares the same domain name
  (i.e. differentiated by issuer path), then the same cookie will be
  submitted and respected.
- Just in case we are sharing the domain name with some other app,
  we sign the value of any new CSRF cookie and check the signature
  when we receive the cookie. This wasn't strictly necessary since
  we probably won't share a domain name with other apps, but it
  wasn't hard to add this cookie signing.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-12 15:36:59 -08:00
Matt Moyer
f1696411d9
Test that Pinniped APis do not have short names, either.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 17:13:52 -06:00