Ryan Richard
6ef7ec21cd
Merge branch 'release-0.4' into main
2021-01-25 15:13:14 -08:00
Ryan Richard
b77297c68d
Validate the upstream email_verified claim when it makes sense
2021-01-25 15:10:41 -08:00
Matt Moyer
04c4cd9534
Upgrade to github.com/coreos/go-oidc v3.0.0.
See https://github.com/coreos/go-oidc/releases/tag/v3.0.0 for release notes.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-21 12:08:14 -06:00
Margo Crawford
d11a73c519
PR feedback-- omit empty groups, keep groups as nil until last minute
Also log keys and values for claims
2021-01-14 15:11:00 -08:00
Andrew Keesler
6fce1bd6bb
Allow arrays of type interface
and always set the groups claim to an
array in the downstream token
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-01-14 17:21:41 -05:00
Monis Khan
3c3da9e75d
Wire in new env vars for user info testing
Signed-off-by: Monis Khan <mok@vmware.com>
2021-01-12 11:23:25 -05:00
Matt Moyer
7dae166a69
Merge branch 'main' into username-and-subject-claims
2020-12-16 15:23:19 -06:00
Matt Moyer
8527c363bb
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience".
This is a bit more clear. We're changing this now because it is a non-backwards-compatible change that we can make now since none of this RFC8693 token exchange stuff has been released yet.
There is also a small typo fix in some flag usages (s/RF8693/RFC8693/)
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 14:24:13 -06:00
Ryan Richard
40c6a67631
Merge branch 'main' into username-and-subject-claims
2020-12-15 18:09:44 -08:00
Ryan Richard
43bb7117b7
Allow upstream group claim values to be either arrays or strings
2020-12-15 08:34:24 -08:00
Ryan Richard
16dfab0aff
token_handler_test.go: Add tests for username and groups custom claims
2020-12-14 18:27:14 -08:00
Margo Crawford
afcd5e3e36
WIP: Adjust subject and username claims
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-14 17:05:53 -08:00
Ryan Richard
16907e4453
Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-14 15:28:32 -08:00
Matt Moyer
644cb687b9
Grant the Pinniped STS scope in authorize/callback handlers.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 09:36:45 -06:00
Aram Price
d91baba240
authorize and callback endpoints now handle the offline_access scope
- This is in preparation for the token endpoint to support the refresh
grant
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-07 17:22:34 -08:00
Matt Moyer
8c3be3ffb2
Refactor UpstreamOIDCIdentityProviderI claim handling.
This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-04 15:35:35 -06:00
Matt Moyer
fde56164cd
Add a redirectURI parameter to ExchangeAuthcodeAndValidateTokens() method.
We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3 ).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:33 -06:00
Andrew Keesler
b21f0035d7
callback_handler.go: Get upstream name from state instead of path
Also use ConstantTimeCompare() to compare CSRF tokens to prevent
leaking any information in how quickly we reject bad tokens.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-20 13:33:08 -08:00
Andrew Keesler
541019eb98
callback_handler.go: simplify stored ID token claims
Fosite is gonna set these fields for us.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-20 15:36:51 -05:00
Andrew Keesler
8f5d1709a1
callback_handler.go: assert behavior about PKCE and IDSession storage
Also aggressively refactor for readability:
- Make helper validations functions for each type of storage
- Try to label symbols based on their downstream/upstream use and group them
accordingly
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 09:41:49 -05:00
Andrew Keesler
f8d76066c5
callback_handler.go: assert nonce is stored correctly
I think we want to do this here since we are storing all of the
other ID token claims?
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 08:38:23 -05:00
Andrew Keesler
b25696a1fb
callback_handler.go: Prepend iss to sub when making default username
- Also handle several more error cases
- Move RequireTimeInDelta to shared testutils package so other tests
can also use it
- Move all of the oidc test helpers into a new oidc/oidctestutils
package to break a circular import dependency. The shared testutil
package can't depend on any of our other packages or else we
end up with circular dependencies.
- Lots more assertions about what was stored at the end of the
request to build confidence that we are going to pass all of the
right settings over to the token endpoint through the storage, and
also to avoid accidental regressions in that area in the future
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-19 17:57:07 -08:00
Andrew Keesler
b49d37ca54
callback_handler.go: test invalid upstream ID token username/groups
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-19 15:53:21 -05:00
Ryan Richard
83101eefce
callback_handler.go: start to test upstream token corner cases
Also refactor to get rid of duplicate test structs.
Also also don't default groups ID token claim because there is no standard one.
Also also also add some logging that will hopefully help us in debugging in the
future.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 14:19:01 -05:00
Ryan Richard
a47617cad0
callback_handler.go: Add JWT Audience claim to storage
2020-11-19 08:53:53 -08:00
Ryan Richard
ee84f31f42
callback_handler.go: Add JWT Issuer claim to storage
2020-11-19 08:35:23 -08:00
Andrew Keesler
ace861f722
callback_handler.go: get some thoughts down about default upstream claims
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 11:08:21 -05:00
Andrew Keesler
2e62be3ebb
callback_handler.go: assert correct args are passed to token exchange
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 10:20:46 -05:00
Andrew Keesler
48e0250649
callback_handler.go: test that we request openid scope correctly
Also add some testing.T.Log() calls to make debugging handler test failures
easier.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 09:28:56 -05:00
Andrew Keesler
6c72507bca
callback_handler.go: add test for failed upstream exchange/validation
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 09:00:41 -05:00
Andrew Keesler
63b8c6e4b2
callback_handler.go: test when state missing a needed param
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 08:51:23 -05:00
Andrew Keesler
ffdb7fa795
callback_handler.go: add a test for invalid state auth params
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 08:41:44 -05:00
Ryan Richard
652ea6bd2a
Start using fosite in the Supervisor's callback handler
2020-11-18 17:15:01 -08:00
Ryan Richard
227fbd63aa
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider
Because we want it to implement an AuthcodeExchanger interface and
do it in a way that will be more unit test-friendly than the underlying
library that we intend to use inside its implementation.
2020-11-18 13:38:13 -08:00
Andrew Keesler
1c7601a2b5
callback_handler.go: start happy path test with redirect
Next steps: fosite storage?
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-16 17:07:34 -05:00
Ryan Richard
052cdc40dc
callback_handler.go: add CSRF and version state validations
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 14:41:00 -05:00
Andrew Keesler
4138c9244f
callback_handler.go: write 2 invalid cookie tests
Also common-ize some more constants shared between the auth and callback
endpoints.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 11:47:49 -05:00
Andrew Keesler
3ef1171667
Tiny bit more code for Supervisor's callback_handler.go
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-13 15:59:51 -08:00
Andrew Keesler
81b9a48437
callback_handler.go: initial API/test shape with 1 test
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-13 12:32:35 -05:00