Ryan Richard
44509d016e
standardize import of "k8s.io/client-go/kubernetes/fake"
2025-12-22 10:34:53 -08:00
Ryan Richard
9d1c65c3e6
fix deprecation of NewSimpleClientset by using NewClientset or ignoring
2025-12-19 12:00:56 -08:00
Ryan Richard
c600cf7949
upgrade linter to latest
2025-05-12 15:19:50 -07:00
Ryan Richard
749633e43c
support response_mode=form_post in upstream OIDC IDPs
2025-03-06 15:28:47 -08:00
Ryan Richard
90c95866d1
upgrade fosite to v0.49.0 and handle its API changes
2024-12-13 10:17:42 -08:00
Joshua Casey
87640ca54a
Callback endpoint emits audit log with authorizeID even when code param not found
Co-authored-by: Ryan Richard <richardry@vmware.com>
2024-12-09 12:47:54 -06:00
Ryan Richard
ecd23e86ce
callback endpoint renders more useful user-facing error messages
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2024-11-27 13:53:03 -06:00
Ryan Richard
54b35c30da
rename tokenIdentifier to tokenID in the audit logs
Because `tokenID` is more consistent with the names of
the other correlation keys.
2024-11-27 13:53:03 -06:00
Ryan Richard
4423d472da
allow audit correlation between token being issued and being used
2024-11-27 13:53:03 -06:00
Joshua Casey
ce2dcbdbb3
simplify godoc
2024-11-27 13:53:02 -06:00
Joshua Casey
c7e9ee1c61
Backfill unit tests for paramsSafeToLog
2024-11-27 13:53:02 -06:00
Ryan Richard
51fc86f950
don't audit log missing username or password, change query param value
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2024-11-27 13:53:02 -06:00
Ryan Richard
a84b76e56a
audit log session ID in token handler for every grant type
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2024-11-27 13:53:02 -06:00
Joshua Casey
f388513145
resolve TODO by adding docs
2024-11-27 13:53:02 -06:00
Ryan Richard
c16ebe1707
add unit test for audit logging when token refresh updates groups
2024-11-27 13:53:02 -06:00
Ryan Richard
b54365c199
audit log request params on GET and POST login handlers
2024-11-27 13:53:02 -06:00
Ryan Richard
51d1cc7a96
refactor and add unit test for AuditRequestParams()
2024-11-27 13:53:02 -06:00
Ryan Richard
c06141c871
token handler uses common method to audit HTTP request parameters
2024-11-27 13:53:02 -06:00
Ryan Richard
eab3fde3af
introduce common method to audit HTTP request parameters
2024-11-27 13:53:02 -06:00
Joshua Casey
611de03e01
Add audit event 'Incorrect Username Or Password' to auth_handler and audit event 'Using Upstream IDP' to callback_handler
2024-11-27 13:53:01 -06:00
Joshua Casey
de722332b1
Add audit logging to post_login_handler
2024-11-27 13:53:01 -06:00
Joshua Casey
37e12b4024
Start backfilling some audit unit tests in post_login_handler
2024-11-27 13:53:01 -06:00
Ryan Richard
e126ee5495
all callers of Audit() identify which keys may contain PII
2024-11-27 13:53:01 -06:00
Ryan Richard
c5f4cce3ae
make Audit() take struct as param for all optional params and redact PII
2024-11-27 13:53:01 -06:00
Ryan Richard
ced8686d11
add config for audit logging, remove Audit() from Logger interface
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2024-11-27 13:53:01 -06:00
Joshua Casey
2db5dda266
Add last audit log unit tests to auth_handler
Co-authored-by: Ryan Richard <richardry@vmware.com>
2024-11-27 13:53:01 -06:00
Ryan Richard
8cf9c59957
refactor to move audit event message types to their own pkg
2024-11-27 13:53:01 -06:00
Ryan Richard
088556193d
auth handler audit logs headers and params when http method is wrong
also refactor some related code into a helper, and fix linter errors
2024-11-27 13:53:01 -06:00
Joshua Casey
18d3ab3d15
The 'HTTP Request Parameters' audit event now logs params as a JSON object
2024-11-27 13:53:01 -06:00
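The audit-logging commits in this range (`paramsSafeToLog`, logging the 'HTTP Request Parameters' event as a JSON object, making `Audit()` take a struct whose callers name the keys that may contain PII, and a config switch for audit logging) describe one pattern: record which request parameters were present without writing secrets or personal data to the log. The following Go program is an added illustration of that pattern written for this page; it is not Pinniped's code, and every identifier in it (`paramsSafeToLog`, `AuditEvent`, `Auditor`, the key names, the sample query string) is an assumption chosen for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// redacted is the placeholder written in place of any value we refuse to log.
const redacted = "redacted"

// paramsSafeToLog reduces raw request parameters to a flat map that can be
// emitted as one JSON object in an audit event. Keys present in safeKeys are
// logged verbatim; every other key is still recorded, so an operator can see
// which parameters the client sent, but its value is replaced by "redacted".
// Multi-valued parameters are joined so the shape stays a flat object.
func paramsSafeToLog(values url.Values, safeKeys map[string]bool) map[string]string {
	out := make(map[string]string, len(values))
	for key, vals := range values {
		if safeKeys[key] {
			out[key] = strings.Join(vals, ",")
		} else {
			out[key] = redacted
		}
	}
	return out
}

// AuditEvent is the struct-style argument to Audit(): the message, the
// key/value pairs, and the subset of keys whose values may carry PII.
// (Hypothetical type for this example.)
type AuditEvent struct {
	Message       string
	KeysAndValues []any
	PIIKeys       []string
}

// Auditor emits audit events. LogPII stands in for an operator-controlled
// setting; Emitted collects the rendered lines instead of a real log sink.
type Auditor struct {
	LogPII  bool
	Emitted []string
}

// Audit renders one event as a single JSON line. Values under PIIKeys are
// replaced by "redacted" unless LogPII is enabled. A dangling key with no
// value is kept with an empty value rather than dropped, so a caller bug
// remains visible in the log.
func (a *Auditor) Audit(ev AuditEvent) (string, error) {
	pii := make(map[string]bool, len(ev.PIIKeys))
	for _, k := range ev.PIIKeys {
		pii[k] = true
	}
	fields := map[string]any{"message": ev.Message, "auditEvent": true}
	for i := 0; i < len(ev.KeysAndValues); i += 2 {
		key := fmt.Sprint(ev.KeysAndValues[i])
		var val any = ""
		if i+1 < len(ev.KeysAndValues) {
			val = ev.KeysAndValues[i+1]
		}
		if pii[key] && !a.LogPII {
			val = redacted
		}
		fields[key] = val
	}
	b, err := json.Marshal(fields) // map keys are sorted, so output is deterministic
	if err != nil {
		return "", err
	}
	a.Emitted = append(a.Emitted, string(b))
	return string(b), nil
}

func main() {
	// Constructed sample: a password-grant token request body as url.Values.
	params, _ := url.ParseQuery("username=alice&password=hunter2&grant_type=password&scope=openid+offline_access")
	safe := map[string]bool{"grant_type": true, "scope": true}

	a := &Auditor{LogPII: false}
	line, _ := a.Audit(AuditEvent{
		Message:       "HTTP Request Parameters",
		KeysAndValues: []any{"params", paramsSafeToLog(params, safe)},
	})
	fmt.Println(line)

	line, _ = a.Audit(AuditEvent{
		Message:       "Using Upstream IDP",
		KeysAndValues: []any{"upstreamIDPName", "corp-ldap", "username", "alice"},
		PIIKeys:       []string{"username"},
	})
	fmt.Println(line)
}
```

Two properties matter here: the parameter event never reaches the JSON encoder with a secret in it, because redaction happens on the allow-list boundary rather than on a deny list of known-sensitive names, and the caller of `Audit()` is forced to declare PII keys at the call site, so the decision to redact or not is a single config bit rather than something each handler re-implements.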
Joshua Casey
dc6faa33bb
Log params to token_handler endpoint even during error cases
2024-11-27 13:53:01 -06:00
Joshua Casey
362d982906
Start to backfill some audit unit tests for the token_handler
2024-11-27 13:53:01 -06:00
Ryan Richard
1006dd9379
resolve some todos
2024-11-27 13:53:01 -06:00
Joshua Casey
369316556a
Add configuration to audit internal endpoints and backfill unit tests
2024-11-27 13:53:01 -06:00
Joshua Casey
cf4b29de4b
Clarify docs
2024-11-27 13:53:00 -06:00
Joshua Casey
09ca7920ea
Extract testutil helper function
2024-11-27 13:53:00 -06:00
Joshua Casey
9994e033b2
Add audit event tests for login_handler
2024-11-27 13:53:00 -06:00
Joshua Casey
dd56f2b47f
Add audit event tests for callback_handler
2024-11-27 13:53:00 -06:00
Joshua Casey
dd42f35db0
plog.TestLogger returns a buffer that holds the logs
# Conflicts:
# internal/controller/apicerts/certs_expirer_test.go
# internal/plog/plog_test.go
# internal/plog/testing.go
# pkg/oidcclient/login_test.go
2024-11-27 13:53:00 -06:00
Joshua Casey
a67af9455b
Refactor: don't copy the loop variable in test loops
2024-11-27 13:53:00 -06:00
Joshua Casey
d729c82f84
fix lint
2024-11-27 13:53:00 -06:00
Joshua Casey
44e218194b
Add 'AuthorizeID From Parameters' audit logs to the /callback and /login endpoints
Co-authored-by: Ryan Richard <richardry@vmware.com>
2024-11-27 13:53:00 -06:00
Joshua Casey
bf1e37f149
Use a helper to verify audit messages
2024-11-27 13:53:00 -06:00
Joshua Casey
aee56c388f
Check the sessionID as well
Co-authored-by: Ryan Richard <richardry@vmware.com>
2024-11-27 13:53:00 -06:00
Joshua Casey
fd5a10bee7
WIP: Add audit event when upstream redirect occurs and backfill tests
2024-11-27 13:53:00 -06:00
Ryan Richard
4f9530eec7
audit logging WIP
2024-11-27 13:53:00 -06:00
Joshua Casey
08abff1cae
Bump golangci-lint to 1.60.3
2024-09-04 20:52:01 -05:00
Ryan Richard
f194594e5b
failed token exchanges should show in log at default log config
2024-08-22 10:09:19 -07:00
Ryan Richard
e5cfa521da
remove unnecessary warning log message
This message is not needed because the IDP chooser page will take
care of the case where a browser-based authorization flow did not
request any specific IDP. For browserless flows (only allowed for
the `pinniped-cli` client), the client must request a specific IDP
(except in backwards-compatibility mode) because there is no browser
in which to show the IDP chooser page. Failing to request a specific
IDP in a browserless flow will result in a helpful error message
being returned.
2024-07-10 09:32:23 -07:00
Ryan Richard
0380a9ce33
upgrade github.com/go-jose/go-jose and github.com/coreos/go-oidc
Also standardize some related imports and fix some whitespace in a test
2024-06-21 11:16:40 -07:00
Joshua Casey
678be9902a
Lint new files from the GitHub branch
2024-06-11 10:16:18 -05:00