resolve TODO by adding docs

This commit is contained in:
Joshua Casey
2024-11-14 10:59:41 -06:00
parent c16ebe1707
commit f388513145
2 changed files with 23 additions and 7 deletions


@@ -213,7 +213,23 @@ func (h *authorizeHandler) authorize(
}
}
if err != nil {
// TODO: Consider an audit event here
// No specific audit event is emitted here in the case of an authorization error.
// There are currently seven possible cases:
// (1) OIDC with cli_password:
// - Rely on the "HTTP Request Completed" audit event with an error and error_description to indicate what went wrong.
// - There's no way to determine why the OIDC provider rejected the request.
// (2) OIDC with browser_authcode: this endpoint only redirects upstream
// (3) LDAP with cli_password:
// - Rely on the "HTTP Request Completed" audit event with an error and error_description to indicate what went wrong.
// - If we know that the LDAP provider rejected the request due to incorrect username or password,
// Pinniped will provide the "Incorrect Username Or Password" audit event.
// (4) LDAP with browser_authcode: this endpoint only redirects to the /login page
// (5) Active Directory with cli_password:
// - Rely on the "HTTP Request Completed" audit event with an error and error_description to indicate what went wrong.
// - If we know that the Active Directory provider rejected the request due to incorrect username or password,
// Pinniped will provide the "Incorrect Username Or Password" audit event.
// (6) Active Directory with browser_authcode: this endpoint only redirects to the /login page
// (7) GitHub with browser_authcode (cli_password is not supported): this endpoint only redirects upstream
oidc.WriteAuthorizeError(r, w, oauthHelper, authorizeRequester, err, requestedBrowserlessFlow)
}
}
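Review bot: The new comment block above `oidc.WriteAuthorizeError` explains why no dedicated audit event is emitted, but for the four browser_authcode cases (2), (4), (6) and (7) it only says the endpoint redirects, without saying what kind of err can still reach this branch in those flows or which audit event covers it. A closing line such as `// In every case the error itself is still returned to the client by WriteAuthorizeError below.` would make the reasoning self-contained; whether the request-completed event also records it in those flows is inferred from cases (1), (3) and (5) and should be confirmed. Because the list enumerates provider/flow pairs by hand, it will drift as identity provider types change, so a pointer to where the supported flows are defined would help the next maintainer keep it in sync. authorize's body starts and ends outside the hunk.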


@@ -45,14 +45,14 @@ func WantAuditIDOnEveryAuditLog(wantedAuditLogs []WantedAuditLog, wantAuditID st
}
func GetStateParam(t *testing.T, fullURL string) stateparam.Encoded {
var encodedStateParam stateparam.Encoded
if fullURL != "" {
path, err := url.Parse(fullURL)
require.NoError(t, err)
encodedStateParam = stateparam.Encoded(path.Query().Get("state"))
if fullURL == "" {
var empty stateparam.Encoded
return empty
}
return encodedStateParam
path, err := url.Parse(fullURL)
require.NoError(t, err)
return stateparam.Encoded(path.Query().Get("state"))
}
func CompareAuditLogs(t *testing.T, wantAuditLogs []WantedAuditLog, actualAuditLogsOneLiner string) {
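Review bot: GetStateParam is exported but still has no doc comment after the rewrite; a line such as `// GetStateParam returns the "state" query parameter of fullURL, or the zero value when fullURL is empty; parse failures fail the test.` above the signature would document the contract the guard clause now makes explicit. The two-line `var empty stateparam.Encoded; return empty` in the guard can likely be shortened to a single `return ""`, since the conversion `stateparam.Encoded(path.Query().Get("state"))` on the last line implies a string underlying type — confirm against the stateparam package before changing it.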