Andrew Keesler
946b0539d2
Add JWTAuthenticator API type
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
Andrew Keesler
8f51993db2
Merge pull request #265 from vmware-tanzu/scope-constants
...
Use constants for scope values
2020-12-08 14:32:09 -05:00
aram price
8d2b8ae6b5
Use constants for scope values
2020-12-08 10:46:05 -08:00
Margo Crawford
b7b6816531
Merge pull request #259 from mattmoyer/add-cli-request-audience
...
Add a `--request-audience` flag to the `pinniped login oidc` CLI command
2020-12-08 09:26:19 -08:00
Matt Moyer
bfcd2569e9
Add a --request-audience flag to the pinniped login oidc CLI command.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-08 10:22:20 -06:00
Ryan Richard
6a90a10123
Merge pull request #249 from vmware-tanzu/token-endpoint
...
OIDC token endpoint supports authcode flow
2020-12-07 15:08:07 -08:00
Ryan Richard
12e5f94e75
Merge branch 'main' into token-endpoint
2020-12-07 14:23:40 -08:00
Ryan Richard
e1ae48f2e4
Discovery does not return token_endpoint_auth_signing_alg_values_supported
...
`token_endpoint_auth_signing_alg_values_supported` is only related to
private_key_jwt and client_secret_jwt client authentication methods
at the token endpoint, which we do not support. See
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
for more details.
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-07 14:15:31 -08:00
Matt Moyer
dcaf9166dc
Merge pull request #261 from mattmoyer/remove-goerr113-linter
...
Disable the goerr113 linter.
2020-12-07 16:07:11 -06:00
Matt Moyer
9e945d7547
Disable the goerr113 linter.
...
This linter is nice in principle, but I've found it more annoying than helpful in practice.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-07 15:53:41 -06:00
Aram Price
648fa4b9ba
Backfill test for token endpoint error when JWK is not yet available
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-07 11:53:24 -08:00
Ryan Richard
e0b6133bf1
Integration tests call supervisor token endpoint and validate response
...
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-04 17:07:04 -08:00
Aram Price
ac19782405
Merge branch 'main' into token-endpoint
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-04 15:52:49 -08:00
Ryan Richard
858356610c
Make assertions about how many secrets were stored by fosite in tests
...
In both callback_handler_test.go and token_handler_test.go
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-04 15:40:17 -08:00
Matt Moyer
040ad3293a
Merge pull request #255 from mattmoyer/reduce-default-cli-scopes
...
Remove "email" and "profile" from default scopes requested by CLI.
2020-12-04 17:04:03 -06:00
Matt Moyer
66270fded0
Merge pull request #257 from mattmoyer/prefactoring-for-cli-request-audience
...
Prefactor before adding CLI "request audience" functionality.
2020-12-04 17:03:38 -06:00
Aram Price
26a8747509
Use the more specific label name of "storage.pinniped.dev/type"
...
Instead of the less specific "storage.pinniped.dev"
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-04 14:39:11 -08:00
Ryan Richard
ac83633888
Add fosite kube storage for access and refresh tokens
...
Also switched the token_handler_test.go to use kube storage.
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-04 14:31:06 -08:00
Matt Moyer
c6ead9d7dd
Remove "email" and "profile" from default scopes requested by CLI.
...
We decided that we don't really need these in every case, since we'll be returning username and groups in a custom claim.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-04 16:02:16 -06:00
Matt Moyer
8c3be3ffb2
Refactor UpstreamOIDCIdentityProviderI claim handling.
...
This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-04 15:35:35 -06:00
Matt Moyer
014d760f3d
Add validated ID token claims to the oidctypes.Token structure.
...
This is just a more convenient copy of these values which are already stored inside the ID token. This will save us from having to pass them around separately or re-parse them later.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-04 15:18:41 -06:00
Andrew Keesler
8d5f4a93ed
Get rid of an unnecessary comment from 58237d0e7d
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-04 11:16:32 -05:00
Andrew Keesler
37631b41ea
Don't set our TokenURL - we don't need it right now
...
TokenURL is used by Fosite to validate clients authenticating with the
private_key_jwt method. We don't have any use for this right now, so just leave
this blank until we need it.
See when Ryan brought this up in
https://github.com/vmware-tanzu/pinniped/pull/239#discussion_r528022162.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-04 10:18:45 -05:00
Andrew Keesler
03806629b8
Cleanup code via TODOs accumulated during token endpoint work
...
We opened https://github.com/vmware-tanzu/pinniped/issues/254 for the TODO in
dynamicOpenIDConnectECDSAStrategy.GenerateToken().
This commit also ensures that linting and unit tests are passing again.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-04 10:09:42 -05:00
Andrew Keesler
83e0934864
Add logging in dynamic OIDC ECDSA strategy
...
I'm worried that these errors are going to be really buried from the user, so
add some log statements to try to make them a tiny bit more observable.
Also follow some of our error message conventions by using lowercase error
messages.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-04 09:05:39 -05:00
Andrew Keesler
2dc3ab1840
Merge remote-tracking branch 'upstream/main' into token-endpoint
2020-12-04 08:58:18 -05:00
Matt Moyer
7b088d611d
Merge pull request #252 from mattmoyer/fix-csrf-cookie-same-site
...
Switch CSRF cookie from `Same-Site=Strict` to `Same-Site=Lax`.
2020-12-03 21:53:24 -06:00
Matt Moyer
f0ebd808d7
Switch CSRF cookie from Same-Site=Strict to Same-Site=Lax.
...
This CSRF cookie needs to be included on the request to the callback endpoint triggered by the redirect from the OIDC upstream provider. This is not allowed by `Same-Site=Strict` but is allowed by `Same-Site=Lax` because it is a "cross-site top-level navigation" [1].
We didn't catch this earlier with our Dex-based tests because the upstream and downstream issuers were on the same parent domain `*.svc.cluster.local` so the cookie was allowed even with `Strict` mode.
[1]: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-3.2
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 21:30:00 -06:00
Margo Crawford
0bb2b10b3b
Passing signing key through to the token endpoint
2020-12-03 17:16:08 -08:00
Matt Moyer
fa94ebfbd1
Merge pull request #229 from vmware-tanzu/callback-endpoint
...
Implement supervisor OIDC upstream callback endpoint used during authorize flow
2020-12-03 16:28:02 -06:00
Matt Moyer
c18c670765
Merge remote-tracking branch 'origin/main' into callback-endpoint
2020-12-03 14:53:26 -06:00
Matt Moyer
f410da0ed2
Merge pull request #242 from rajat404/refactor-docs
...
Remove duplicate docs from the repo and change all links to point to …
2020-12-03 14:52:51 -06:00
Andrew Keesler
58237d0e7d
WIP: start to wire signing key into token handler
...
This commit includes a failing test (amongst other compiler failures) for the
dynamic signing key fetcher that we will inject into fosite. We are checking it
in so that we can pass the WIP off.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-03 15:37:25 -05:00
Matt Moyer
c8abc79d9b
Fix this comment (and retrigger CI).
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 14:24:26 -06:00
Matt Moyer
9455a66be8
This trailing dash is now taken care of by the library method.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 13:56:24 -06:00
aram price
05085d8e23
Use anonymous interface in test for Storage
2020-12-03 11:26:36 -08:00
Matt Moyer
8563c05baf
Tweak these timeouts to be a bit faster (and retrigger CI).
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 13:22:27 -06:00
Ryan Richard
67bf54a9f9
Use an interface for storage in token_handler_test.go
...
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-03 11:05:47 -08:00
Matt Moyer
408fbe4f76
Parameterize the supervisor_redirect_uri in the test env Dex.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 12:45:56 -06:00
Matt Moyer
cb5e494815
Dump out proxy access logs in TestSupervisorLogin.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 11:28:48 -06:00
Matt Moyer
954591d2db
Add some debugging logs to our proxy client code.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 10:25:26 -06:00
Andrew Keesler
2f1a67ef0d
Merge remote-tracking branch 'upstream/callback-endpoint' into token-endpoint
2020-12-03 11:14:37 -05:00
Matt Moyer
d7b1ab8e43
Try to capture more logs from the TestSupervisorLogin test.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 09:39:33 -06:00
Matt Moyer
1d44a0cdfa
Add a small integration test library to dump pod logs on test failures.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 09:39:33 -06:00
Matt Moyer
1fa41c4d0a
Merge remote-tracking branch 'origin/main' into callback-endpoint
2020-12-03 08:50:31 -06:00
Matt Moyer
0deb7cc09a
Merge pull request #250 from mattmoyer/fix-ipv6-test-regression
...
Fix a test regression with IPv6 localhost interfaces.
2020-12-03 08:48:57 -06:00
Andrew Keesler
fe2e2bdff1
Our ID token signing algorithm is ES256, not RS256
...
We are currently using EC keys to sign ID tokens, so we should reflect that in
our OIDC discovery metadata.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-03 07:46:07 -05:00
Ryan Richard
95093ab0af
Use kube storage for the supervisor callback endpoint's fosite sessions
2020-12-02 17:40:01 -08:00
Margo Crawford
1dd7c82af6
Added id token verification
2020-12-02 16:55:48 -08:00
Matt Moyer
64ef53402d
In TestSupervisorLogin, wrap the discovery request in an Eventually().
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 18:07:52 -06:00