Joshua Casey
5c39374915
Update code for fosite changes
2025-02-03 10:28:42 -06:00
Joshua Casey
1d873be184
Make sure that CEL errors are checked for the appropriate Kube version
2025-01-27 10:46:55 -06:00
Joshua Casey
31b45525ce
Remove deprecated CredentialIssuer.status.kubeConfigInfo
2025-01-27 10:46:55 -06:00
Ryan Richard
abe3391cce
use github.Ptr where deprecated github.String and github.Int64 were used
2025-01-14 09:40:48 -08:00
Ryan Richard
6ae27c87f6
upgrade dep to github.com/google/go-github/v68/github
2025-01-14 09:03:06 -08:00
Ryan Richard
7221be5a8a
add doc describing all tokens and credentials
2025-01-08 12:35:34 -08:00
Ryan Richard
9619a0f226
change remoteAddr to sourceIPs in Supervisor audit log for incoming reqs
2025-01-06 21:21:01 -06:00
Ryan Richard
4872be0a84
upgrade golangci-lint to v1.63.4
2025-01-06 13:03:46 -08:00
Ryan Richard
b625b4a076
introduce build tags to optionally override some TLS settings
2024-12-20 10:28:32 -08:00
Ryan Richard
90c95866d1
upgrade fosite to v0.49.0 and handle its API changes
2024-12-13 10:17:42 -08:00
Joshua Casey
87640ca54a
Callback endpoint emits audit log with authorizeID even when code param not found
Co-authored-by: Ryan Richard <richardry@vmware.com>
2024-12-09 12:47:54 -06:00
Ryan Richard
170cc3bba4
ran new hack script to update all majors: updated github mod
2024-12-03 12:52:29 -06:00
Joshua Casey
28e22d7dd2
Update error text assertion due to change in ory/fosite
- db74aa7abd
2024-12-02 11:08:30 -06:00
Ryan Richard
ae5aad178d
TokenCredentialRequest uses actual cert expiry time instead of estimate
and also audit logs both the NotBefore and NotAfter of the issued cert.
Implemented by changing the return type of the cert issuer helpers
to make them also return the NotBefore and NotAfter values of the new
cert, along with the key PEM and cert PEM.
2024-11-27 13:53:03 -06:00
Ryan Richard
ecd23e86ce
callback endpoint renders more useful user-facing error messages
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2024-11-27 13:53:03 -06:00
Ryan Richard
54b35c30da
rename tokenIdentifier to tokenID in the audit logs
Because `tokenID` is more consistent with the names of
the other correlation keys.
2024-11-27 13:53:03 -06:00
Ryan Richard
4423d472da
allow audit correlation between token being issued and being used
2024-11-27 13:53:03 -06:00
Joshua Casey
ce2dcbdbb3
simplify godoc
2024-11-27 13:53:02 -06:00
Joshua Casey
c7e9ee1c61
Backfill unit tests for paramsSafeToLog
2024-11-27 13:53:02 -06:00
Ryan Richard
6bf9b64778
log response audit-id for tokencredentialrequests made from CLI
Only logged when PINNIPED_DEBUG=true is used.
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2024-11-27 13:53:02 -06:00
Joshua Casey
60bd118a9c
pinniped CLI should print the audit-ID in certain error cases
Co-authored-by: Ryan Richard <richardry@vmware.com>
2024-11-27 13:53:02 -06:00
Ryan Richard
d0905c02dd
use test helper in rest_test.go to reduce some duplication
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2024-11-27 13:53:02 -06:00
Ryan Richard
51fc86f950
don't audit log missing username or password, change query param value
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2024-11-27 13:53:02 -06:00
Ryan Richard
a84b76e56a
audit log session ID in token handler for every grant type
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2024-11-27 13:53:02 -06:00
Ryan Richard
c2018717b6
audit log OIDCClientSecretRequests
2024-11-27 13:53:02 -06:00
Joshua Casey
f388513145
resolve TODO by adding docs
2024-11-27 13:53:02 -06:00
Ryan Richard
c16ebe1707
add unit test for audit logging when token refresh updates groups
2024-11-27 13:53:02 -06:00
Ryan Richard
b54365c199
audit log request params on GET and POST login handlers
2024-11-27 13:53:02 -06:00
Ryan Richard
51d1cc7a96
refactor and add unit test for AuditRequestParams()
2024-11-27 13:53:02 -06:00
Ryan Richard
c06141c871
token handler uses common method to audit HTTP request parameters
2024-11-27 13:53:02 -06:00
Ryan Richard
eab3fde3af
introduce common method to audit HTTP request parameters
2024-11-27 13:53:02 -06:00
Joshua Casey
de7781b7f9
Use correct caller when generating audit events
2024-11-27 13:53:02 -06:00
Joshua Casey
611de03e01
Add audit event 'Incorrect Username Or Password' to auth_handler and audit event 'Using Upstream IDP' to callback_handler
2024-11-27 13:53:01 -06:00
Joshua Casey
de722332b1
Add audit logging to post_login_handler
2024-11-27 13:53:01 -06:00
Ryan Richard
438ca437ec
tokencredentialrequest audit logs failed requests
2024-11-27 13:53:01 -06:00
Ryan Richard
e21e1326b7
tokencredentialrequest audit logs successful responses
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2024-11-27 13:53:01 -06:00
Joshua Casey
37e12b4024
Start backfilling some audit unit tests in post_login_handler
2024-11-27 13:53:01 -06:00
Ryan Richard
e126ee5495
all callers of Audit() identify which keys may contain PII
2024-11-27 13:53:01 -06:00
Ryan Richard
a308f3f22a
audit log: keep key ordering in personalInfo, render nil slices and maps
2024-11-27 13:53:01 -06:00
Ryan Richard
c5f4cce3ae
make Audit() take struct as param for all optional params and redact PII
2024-11-27 13:53:01 -06:00
Ryan Richard
ced8686d11
add config for audit logging, remove Audit() from Logger interface
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2024-11-27 13:53:01 -06:00
Joshua Casey
76f6b725b8
Fix some rebase conflicts
2024-11-27 13:53:01 -06:00
Joshua Casey
f9e1dd4bec
Backfill unit tests for garbage_collector audit logging
2024-11-27 13:53:01 -06:00
Joshua Casey
f4f393e5de
Audit event 'HTTP Request Completed' will now log the location with err, error, and error_description query parameters
Co-authored-by: Ryan Richard <richardry@vmware.com>
2024-11-27 13:53:01 -06:00
Joshua Casey
2db5dda266
Add last audit log unit tests to auth_handler
Co-authored-by: Ryan Richard <richardry@vmware.com>
2024-11-27 13:53:01 -06:00
Ryan Richard
8cf9c59957
refactor to move audit event message types to their own pkg
2024-11-27 13:53:01 -06:00
Ryan Richard
088556193d
auth handler audit logs headers and params when http method is wrong
also refactor some related code into a helper, and fix linter errors
2024-11-27 13:53:01 -06:00
Joshua Casey
18d3ab3d15
The 'HTTP Request Parameters' audit event now logs params as a JSON object
2024-11-27 13:53:01 -06:00
Joshua Casey
dc6faa33bb
Log params to token_handler endpoint even during error cases
2024-11-27 13:53:01 -06:00
Joshua Casey
0d22ae2c1a
Fix lint and unit test compilation
2024-11-27 13:53:01 -06:00