Ryan Richard
67bf54a9f9
Use an interface for storage in token_handler_test.go
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-03 11:05:47 -08:00
Andrew Keesler
2f1a67ef0d
Merge remote-tracking branch 'upstream/callback-endpoint' into token-endpoint
2020-12-03 11:14:37 -05:00
Andrew Keesler
fe2e2bdff1
Our ID token signing algorithm is ES256, not RS256
We are currently using EC keys to sign ID tokens, so we should reflect that in
our OIDC discovery metadata.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-03 07:46:07 -05:00
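The commit above corrects the advertised signing algorithm. The security-relevant part of that metadata is that a relying party can use `id_token_signing_alg_values_supported` to refuse any token whose header names a different algorithm before it does any signature math, which is what shuts down RS256/HS256/`none` algorithm-confusion tokens against an issuer that only ever signs with an EC key. The Go program below is an added example, not Pinniped's code: it signs a token with ES256 using only the standard library (raw 64-byte R||S signature per RFC 7518), verifies it against a hypothetical `DiscoveryMetadata` value, and shows a token whose header has been rewritten to RS256 being refused at the alg check. The issuer URL, claims and type names are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// DiscoveryMetadata is the slice of the OIDC discovery document used here (hypothetical type).
type DiscoveryMetadata struct {
	Issuer                           string   `json:"issuer"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignES256 builds a compact JWS with ECDSA P-256 over SHA-256. Per RFC 7518
// section 3.4 the signature is the raw 64-byte R||S, not a DER sequence.
func SignES256(key *ecdsa.PrivateKey, claims map[string]interface{}) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64url([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	rb, sb := r.Bytes(), s.Bytes()
	copy(sig[32-len(rb):32], rb) // left-pad each scalar to 32 bytes
	copy(sig[64-len(sb):], sb)
	return signingInput + "." + b64url(sig), nil
}

// VerifyIDToken refuses any token whose header alg is not ES256, or whose
// issuer does not advertise ES256, before touching the signature. That is what
// defeats alg-confusion tokens (RS256, HS256, "none") against an EC-only issuer.
func VerifyIDToken(token string, meta DiscoveryMetadata, pub *ecdsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil {
		return nil, err
	} else if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	advertised := false
	for _, a := range meta.IDTokenSigningAlgValuesSupported {
		advertised = advertised || a == "ES256"
	}
	if !advertised || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("rejecting alg %q: ID tokens must be ES256 and the issuer must advertise it", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad ES256 signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]interface{}
	if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil {
		return nil, err
	} else if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	if iss, _ := claims["iss"].(string); iss != meta.Issuer {
		return nil, fmt.Errorf("unexpected issuer %q", iss)
	}
	return claims, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	meta := DiscoveryMetadata{Issuer: "https://supervisor.example.test", IDTokenSigningAlgValuesSupported: []string{"ES256"}}
	tok, _ := SignES256(key, map[string]interface{}{"iss": meta.Issuer, "sub": "alice"})
	_, err := VerifyIDToken(tok, meta, &key.PublicKey)
	fmt.Println("genuine ES256 token:", err)
	// Same payload and signature, header rewritten to RS256: the alg check fires first.
	forged := b64url([]byte(`{"alg":"RS256","typ":"JWT"}`)) + tok[strings.Index(tok, "."):]
	_, err = VerifyIDToken(forged, meta, &key.PublicKey)
	fmt.Println("RS256 header:", err)
}
```

The verifier deliberately checks the header against the metadata first and never lets the token pick the algorithm; a real verifier would also check `aud`, `exp` and `nonce`, which are left out here to keep the focus on the alg pin.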
Ryan Richard
95093ab0af
Use kube storage for the supervisor callback endpoint's fosite sessions
2020-12-02 17:40:01 -08:00
Margo Crawford
1dd7c82af6
Added id token verification
2020-12-02 16:55:48 -08:00
Ryan Richard
6ed9107df0
Remove a couple of todos that will be resolved in Slack conversations
2020-12-02 14:20:18 -08:00
Ryan Richard
c320132289
Back-fill some more unit tests on authorizationcode_test.go
2020-12-02 14:20:18 -08:00
Matt Moyer
c0f13ef4ac
Merge remote-tracking branch 'origin/main' into callback-endpoint
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 16:09:08 -06:00
Matt Moyer
22953cdb78
Add a CA.Pool() method to ./internal/certauthority.
This is convenient for at least one test and is simple enough to write and test.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:34 -06:00
Matt Moyer
fde56164cd
Add a redirectURI parameter to ExchangeAuthcodeAndValidateTokens() method.
We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:33 -06:00
Matt Moyer
4fe691de92
Save an http.Client with each upstreamoidc.ProviderConfig object.
This allows the token exchange request to be performed with the correct TLS configuration.
We go to a bit of extra work to make sure the `http.Client` object is cached between reconcile operations so that connection pooling works as expected.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:33 -06:00
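The two commits above (the `redirect_uri` that RFC 6749 section 4.1.3 requires on the authorization-code grant, and the per-provider `http.Client` carrying the right TLS configuration) are easiest to see together. The Go program below is an added example and not the project's `upstreamoidc` package: a hypothetical `ProviderConfig` builds one client with the upstream's CA pinned and reuses it for every request, its `ExchangeAuthcode` sends the token request with `redirect_uri` and the PKCE `code_verifier`, and a constructed `httptest` token endpoint stands in for the upstream so it runs offline, answering `invalid_request` when a required parameter is absent and `invalid_grant` when one does not match. The endpoint URL, client credentials, codes and token values are all made up.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ProviderConfig is a hypothetical stand-in for an upstream provider record that
// carries its own http.Client, so every token request uses the pinned CA bundle
// and shares one connection pool instead of rebuilding a transport each time.
type ProviderConfig struct {
	TokenURL, ClientID, ClientSecret string
	Client                           *http.Client
}

// NewProviderConfig builds that client once from the upstream's CA bundle.
func NewProviderConfig(tokenURL, clientID, clientSecret string, caPEM []byte) (*ProviderConfig, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("CA bundle contains no certificates")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	return &ProviderConfig{TokenURL: tokenURL, ClientID: clientID, ClientSecret: clientSecret, Client: &http.Client{Transport: tr}}, nil
}

type TokenResponse struct {
	AccessToken string `json:"access_token"`
	IDToken     string `json:"id_token"`
}

// ExchangeAuthcode sends the RFC 6749 section 4.1.3 access token request. redirect_uri
// must equal the one sent on the authorization request; code_verifier is the PKCE proof.
func (p *ProviderConfig) ExchangeAuthcode(ctx context.Context, code, redirectURI, codeVerifier string) (*TokenResponse, error) {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code},
		"redirect_uri": {redirectURI}, "code_verifier": {codeVerifier}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, p.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(p.ClientID, p.ClientSecret) // client_secret_basic
	resp, err := p.Client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
	var tr TokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, err
	}
	return &tr, nil
}

// NewFakeTokenServer is a constructed upstream token endpoint for offline use. It checks
// every required parameter: invalid_request when one is absent, invalid_grant when wrong.
func NewFakeTokenServer(wantCode, wantRedirect, wantVerifier string) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_ = r.ParseForm()
		want := [][2]string{{"grant_type", "authorization_code"}, {"code", wantCode}, {"redirect_uri", wantRedirect}, {"code_verifier", wantVerifier}}
		for _, kv := range want {
			if got := r.PostForm.Get(kv[0]); got == "" {
				http.Error(w, `{"error":"invalid_request","error_description":"missing `+kv[0]+`"}`, http.StatusBadRequest)
				return
			} else if got != kv[1] {
				http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
				return
			}
		}
		_ = json.NewEncoder(w).Encode(TokenResponse{AccessToken: "at-1", IDToken: "idt-1"})
	}))
}

// ServerCAPEM turns the fake server's self-signed certificate into a CA bundle.
func ServerCAPEM(srv *httptest.Server) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
}

func main() {
	const redirect = "https://supervisor.example.test/callback"
	srv := NewFakeTokenServer("code-123", redirect, "verifier-xyz")
	defer srv.Close()
	p, _ := NewProviderConfig(srv.URL+"/token", "client-id", "client-secret", ServerCAPEM(srv))
	tok, err := p.ExchangeAuthcode(context.Background(), "code-123", redirect, "verifier-xyz")
	fmt.Println(tok, err)
	_, err = p.ExchangeAuthcode(context.Background(), "code-123", "", "verifier-xyz")
	fmt.Println("without redirect_uri:", err)
}
```

Because the `ProviderConfig` owns the `http.Client`, the TLS root pool is decided once when the provider is reconciled and every later exchange reuses the same transport and its pooled connections; a client built per request would re-handshake each time and would be one more place to get the CA bundle wrong.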
Matt Moyer
c23c54f500
Add an explicit Path=/; to our CSRF cookie, per the spec.
> [...] a cookie named "__Host-cookie1" MUST contain a "Path" attribute with a value of "/".
https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:33 -06:00
Margo Crawford
9419b7392d
WIP: start to validate ID token returned from token endpoint
This won't compile, but we are passing this between two teammates.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-02 16:26:47 -05:00
Andrew Keesler
09e6c86c46
token_handler.go: complete some TODOs and strengthen double auth code test
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-02 15:33:57 -05:00
Andrew Keesler
8e4c85d816
WIP: get linting and unit tests passing after token endpoint first draft
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-02 11:16:02 -05:00
Andrew Keesler
970be58847
token_handler.go: first draft of token handler, with a bunch of TODOs
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-02 11:14:45 -05:00
Margo Crawford
d60c184424
Add pkce and openidconnect storage
- Also refactor authorizationcode_test
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-01 17:18:32 -08:00
Ryan Richard
f38c150f6a
Finished tests for pkce storage and added it to kubestorage
- Also fixed some lint errors with v1.33.0 of the linter
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-01 14:53:22 -08:00
Margo Crawford
c8eaa3f383
WIP towards using k8s fosite storage in the supervisor's callback endpoint
- Note that this WIP commit includes a failing unit test, which will
be addressed in the next commit
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-01 11:01:42 -08:00
Matt Moyer
b272b3f331
Refactor oidcclient.Login to use new upstreamoidc package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 17:37:14 -06:00
Matt Moyer
4b60c922ef
Add generated mock of UpstreamOIDCIdentityProviderI.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 17:37:14 -06:00
Matt Moyer
25ee99f93a
Add ValidateToken method to UpstreamOIDCIdentityProviderI interface.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 17:37:14 -06:00
Matt Moyer
d32583dd7f
Move OIDC Token structs into a new oidctypes package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 17:02:03 -06:00
Matt Moyer
d64acbb5a9
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 15:22:56 -06:00
Matt Moyer
24c4bc0dd4
Tweak some stdlib usage so we compile under Go 1.14.
Mainly, avoid using some `testing` helpers that were added in 1.14, as well as a couple of other niceties we can live without.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 10:11:41 -06:00
Ryan Richard
e6b6c0e3ab
Merge branch 'main' into callback-endpoint
2020-11-20 15:50:26 -08:00
Ryan Richard
ccddeb4cda
Merge branch 'main' into callback-endpoint
2020-11-20 15:13:25 -08:00
Monis Khan
d39cc08b66
Set defaults for fosite config
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-20 17:18:52 -05:00
Ryan Richard
c4ff1ca304
auth_handler.go: Ignore invalid CSRF cookies rather than return error
Generate a new cookie for the user and move on as if they had not sent
a bad cookie. Hopefully this will make the user experience better if,
for example, the server rotated cookie signing keys and then a user
submitted a very old cookie.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 13:56:35 -08:00
Andrew Keesler
b21f0035d7
callback_handler.go: Get upstream name from state instead of path
Also use ConstantTimeCompare() to compare CSRF tokens to prevent
leaking any information in how quickly we reject bad tokens.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-20 13:33:08 -08:00
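Two of the commits above, the `Path=/` on the `__Host-` CSRF cookie and the `ConstantTimeCompare()` on the token carried in `state`, are the two halves of one check, so a single added Go example (not Pinniped's code) covers both: it mints a fixed-length CSRF token, sets a cookie that satisfies the `__Host-` prefix rules and checks those rules explicitly, packs the upstream name and the token into `state` so one `/callback` path can serve every upstream, and at the callback compares the `state` token against the cookie value in constant time. The cookie name, the plain (unsigned) query encoding of `state`, and the URLs are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// csrfCookieName is a hypothetical name; only the __Host- prefix matters here.
const csrfCookieName = "__Host-example-csrf"

// NewCSRFToken returns 32 random bytes as fixed-length (43 char) base64url.
func NewCSRFToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// NewCSRFCookie sets exactly what the __Host- prefix demands (Secure, Path=/,
// no Domain) plus HttpOnly and SameSite=Lax as extra hardening.
func NewCSRFCookie(token string) *http.Cookie {
	return &http.Cookie{Name: csrfCookieName, Value: token, Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode}
}

// CheckHostPrefix enforces draft-ietf-httpbis-cookie-prefixes section 3.2:
// a __Host- cookie must be Secure, have Path=/ and carry no Domain attribute.
func CheckHostPrefix(c *http.Cookie) error {
	switch {
	case !strings.HasPrefix(c.Name, "__Host-"):
		return errors.New("cookie name lacks the __Host- prefix")
	case !c.Secure:
		return errors.New("__Host- cookie must be Secure")
	case c.Path != "/":
		return errors.New("__Host- cookie must have Path=/")
	case c.Domain != "":
		return errors.New("__Host- cookie must not set Domain")
	}
	return nil
}

// State is what the authorize endpoint packed into the upstream state param.
// Carrying the upstream name in it lets one /callback path serve every
// upstream. A real implementation signs or encrypts this value; omitted here.
type State struct {
	UpstreamName string
	CSRFToken    string
}

func EncodeState(s State) string {
	return url.Values{"upstream": {s.UpstreamName}, "csrf": {s.CSRFToken}}.Encode()
}

func ParseState(raw string) (State, error) {
	v, err := url.ParseQuery(raw)
	if err != nil {
		return State{}, err
	}
	s := State{UpstreamName: v.Get("upstream"), CSRFToken: v.Get("csrf")}
	if s.UpstreamName == "" || s.CSRFToken == "" {
		return State{}, errors.New("state is missing upstream or csrf")
	}
	return s, nil
}

// CheckCallback requires the CSRF value the browser sent in the cookie to equal
// the one that round-tripped through the upstream in state. ConstantTimeCompare
// keeps rejection time independent of which byte differs; it does return early
// on a length mismatch, which only reveals the already-public token length.
func CheckCallback(r *http.Request) (State, error) {
	c, err := r.Cookie(csrfCookieName)
	if err != nil {
		return State{}, errors.New("missing CSRF cookie")
	}
	st, err := ParseState(r.URL.Query().Get("state"))
	if err != nil {
		return State{}, err
	}
	if subtle.ConstantTimeCompare([]byte(st.CSRFToken), []byte(c.Value)) != 1 {
		return State{}, errors.New("CSRF token in state does not match cookie")
	}
	return st, nil
}

func main() {
	token, _ := NewCSRFToken()
	req, _ := http.NewRequest("GET", "https://supervisor.example.test/callback?state="+
		url.QueryEscape(EncodeState(State{UpstreamName: "corp-oidc", CSRFToken: token})), nil)
	req.AddCookie(NewCSRFCookie(token))
	st, err := CheckCallback(req)
	fmt.Println("upstream:", st.UpstreamName, "error:", err)
}
```

The `__Host-` rules matter because a cookie that a browser accepts under that prefix can only have been set by a secure origin for exactly this host and the whole path, so a sibling subdomain or a plaintext page cannot plant a CSRF cookie of its own; the constant-time compare then keeps the callback from turning into a byte-by-byte oracle for the value in that cookie.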
Ryan Richard
72321fc106
Use /callback (without IDP name) path for callback endpoint (part 1)
This is much nicer UX for an administrator installing a UpstreamOIDCProvider
CRD. They don't have to guess as hard at what the callback endpoint path should
be for their UpstreamOIDCProvider.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 16:14:45 -05:00
Andrew Keesler
541019eb98
callback_handler.go: simplify stored ID token claims
Fosite is gonna set these fields for us.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-20 15:36:51 -05:00
Andrew Keesler
488d1b663a
internal/oidc/provider/manager: route to callback endpoint
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 10:44:56 -05:00
Andrew Keesler
8f5d1709a1
callback_handler.go: assert behavior about PKCE and IDSession storage
Also aggressively refactor for readability:
- Make helper validations functions for each type of storage
- Try to label symbols based on their downstream/upstream use and group them
accordingly
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 09:41:49 -05:00
Andrew Keesler
f8d76066c5
callback_handler.go: assert nonce is stored correctly
I think we want to do this here since we are storing all of the
other ID token claims?
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 08:38:23 -05:00
Monis Khan
4a28d1f800
Temporarily disable max inflight checks for mutating requests
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 21:21:10 -05:00
Andrew Keesler
b25696a1fb
callback_handler.go: Prepend iss to sub when making default username
- Also handle several more error cases
- Move RequireTimeInDelta to shared testutils package so other tests
can also use it
- Move all of the oidc test helpers into a new oidc/oidctestutils
package to break a circular import dependency. The shared testutil
package can't depend on any of our other packages or else we
end up with circular dependencies.
- Lots more assertions about what was stored at the end of the
request to build confidence that we are going to pass all of the
right settings over to the token endpoint through the storage, and
also to avoid accidental regressions in that area in the future
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-19 17:57:07 -08:00
Andrew Keesler
b49d37ca54
callback_handler.go: test invalid upstream ID token username/groups
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-19 15:53:21 -05:00
Ryan Richard
83101eefce
callback_handler.go: start to test upstream token corner cases
Also refactor to get rid of duplicate test structs.
Also also don't default groups ID token claim because there is no standard one.
Also also also add some logging that will hopefully help us in debugging in the
future.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 14:19:01 -05:00
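Three commits above (prepending `iss` to `sub` for the default username, testing invalid upstream username/groups claims, and not defaulting the groups claim) describe one claim-mapping rule, shown here as an added Go example that is not the project's code. The reason `iss` is prepended is that `sub` is only unique within a single issuer, so two configured upstreams can both mint `sub` `1234`; qualifying it with `iss` keeps the downstream username unambiguous across upstreams. The `?sub=` join format, the `Identity` type and the sample payload are assumptions made for the example; so is the choice that an absent groups claim yields no groups while a present one of the wrong shape is rejected.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Identity is the downstream view of an upstream user (hypothetical type).
type Identity struct {
	Username string
	Groups   []string
}

// MapUpstreamIdentity turns already-verified upstream ID token claims into a
// downstream identity. usernameClaim == "" selects the default of iss joined
// with sub, because sub alone is only unique per issuer. groupsClaim == ""
// yields no groups at all: there is no standard groups claim, so none is
// guessed. The "?sub=" join format is an assumption of this example.
func MapUpstreamIdentity(claims map[string]interface{}, usernameClaim, groupsClaim string) (Identity, error) {
	iss, _ := claims["iss"].(string)
	sub, _ := claims["sub"].(string)
	if iss == "" || sub == "" {
		return Identity{}, errors.New("upstream ID token lacks iss or sub")
	}
	id := Identity{Username: iss + "?sub=" + sub}
	if usernameClaim != "" {
		v, ok := claims[usernameClaim].(string)
		if !ok || v == "" {
			return Identity{}, fmt.Errorf("username claim %q missing or not a non-empty string", usernameClaim)
		}
		id.Username = v
	}
	if groupsClaim != "" {
		// Absent claim: no groups. Present but malformed: reject rather than guess.
		if raw, present := claims[groupsClaim]; present {
			list, ok := raw.([]interface{})
			if !ok {
				return Identity{}, fmt.Errorf("groups claim %q is not a JSON array", groupsClaim)
			}
			for _, g := range list {
				s, ok := g.(string)
				if !ok {
					return Identity{}, fmt.Errorf("groups claim %q contains a non-string entry", groupsClaim)
				}
				id.Groups = append(id.Groups, s)
			}
		}
	}
	return id, nil
}

// ParseClaims decodes an ID token payload whose signature has already been checked.
func ParseClaims(payload string) (map[string]interface{}, error) {
	var claims map[string]interface{}
	err := json.Unmarshal([]byte(payload), &claims)
	return claims, err
}

// samplePayload is constructed for illustration; it is not a real token.
const samplePayload = `{"iss":"https://upstream.example.test","sub":"1234","email":"alice@example.test","groups":["dev","ops"]}`

func main() {
	claims, _ := ParseClaims(samplePayload)
	fmt.Println(MapUpstreamIdentity(claims, "", ""))
	fmt.Println(MapUpstreamIdentity(claims, "email", "groups"))
	fmt.Println(MapUpstreamIdentity(claims, "name", "groups"))
}
```

Rejecting a groups claim of the wrong JSON shape rather than coercing it is the conservative choice: a string where an array was expected usually means a misconfigured claim name, and silently producing an empty or one-element group list would turn that misconfiguration into an authorization difference that nobody notices.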
Monis Khan
86865d155a
Switch fuzzing test to UTC
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 14:04:25 -05:00
Monis Khan
3575be7742
Add authorization code storage
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 13:18:27 -05:00
Monis Khan
b7d823a077
Add generic Kube API based CRUD storage
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 13:18:02 -05:00
Ryan Richard
a47617cad0
callback_handler.go: Add JWT Audience claim to storage
2020-11-19 08:53:53 -08:00
Ryan Richard
ee84f31f42
callback_handler.go: Add JWT Issuer claim to storage
2020-11-19 08:35:23 -08:00
Andrew Keesler
ace861f722
callback_handler.go: get some thoughts down about default upstream claims
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 11:08:21 -05:00
Andrew Keesler
2e62be3ebb
callback_handler.go: assert correct args are passed to token exchange
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 10:20:46 -05:00
Andrew Keesler
48e0250649
callback_handler.go: test that we request openid scope correctly
Also add some testing.T.Log() calls to make debugging handler test failures
easier.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 09:28:56 -05:00
Andrew Keesler
6c72507bca
callback_handler.go: add test for failed upstream exchange/validation
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 09:00:41 -05:00
Andrew Keesler
63b8c6e4b2
callback_handler.go: test when state missing a needed param
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 08:51:23 -05:00
Andrew Keesler
ffdb7fa795
callback_handler.go: add a test for invalid state auth params
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 08:41:44 -05:00