mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2025-12-23 06:15:47 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4,547 Commits 21 Branches 49 Tags
b2b43e34404bbbe8a1e8aeb3bc645fcde0152086
Commit Graph

36 Commits

Author SHA1 Message Date
Joshua Casey
b2b43e3440 The 'ID Token Issued' audit event now includes token size 2025-01-02 12:21:13 -06:00
Ryan Richard
90c95866d1 upgrade fosite to v0.49.0 and handle its API changes 2024-12-13 10:17:42 -08:00
Ryan Richard
54b35c30da rename tokenIdentifier to tokenID in the audit logs 
Because `tokenID` is more consistent with the names of
the other correlation keys.
 2024-11-27 13:53:03 -06:00
Ryan Richard
4423d472da allow audit correlation between token being issued and being used 2024-11-27 13:53:03 -06:00
Joshua Casey
c7e9ee1c61 Backfill unit tests for paramsSafeToLog 2024-11-27 13:53:02 -06:00
Ryan Richard
a84b76e56a audit log session ID in token handler for every grant type 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-11-27 13:53:02 -06:00
Ryan Richard
c16ebe1707 add unit test for audit logging when token refresh updates groups 2024-11-27 13:53:02 -06:00
Ryan Richard
c06141c871 token handler uses common method to audit HTTP request parameters 2024-11-27 13:53:02 -06:00
Ryan Richard
e126ee5495 all callers of Audit() identify which keys may contain PII 2024-11-27 13:53:01 -06:00
Ryan Richard
ced8686d11 add config for audit logging, remove Audit() from Logger interface 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-11-27 13:53:01 -06:00
Joshua Casey
18d3ab3d15 The 'HTTP Request Parameters' audit event now logs params as a JSON object 2024-11-27 13:53:01 -06:00
Joshua Casey
dc6faa33bb Log params to token_handler endpoint even during error cases 2024-11-27 13:53:01 -06:00
Joshua Casey
362d982906 Start to backfill some audit unit tests for the token_handler 2024-11-27 13:53:01 -06:00
Ryan Richard
4f9530eec7 audit logging WIP 2024-11-27 13:53:00 -06:00
Ryan Richard
0380a9ce33 upgrade github.com/go-jose/go-jose and github.com/coreos/go-oidc 
Also standardize some related imports and fix some whitespace in a test
 2024-06-21 11:16:40 -07:00
Joshua Casey
678be9902a Lint new files from the GitHub branch 2024-06-11 10:16:18 -05:00
Joshua Casey
bafd578866 Merge branch 'main' into jtc/add-importas-linter 2024-06-11 09:39:48 -05:00
Ryan Richard
bb9cb739c6 more unit tests for github in token_handler_test.go 2024-05-29 08:55:41 -07:00
Ryan Richard
f323690049 refactor upstream refresh test helpers to be more specific to IDP type 2024-05-23 13:35:31 -07:00
Joshua Casey
02ffff01d5 fix lint 2024-05-23 12:32:18 -05:00
Joshua Casey
65682aa60d Add sample unit test for GitHub in token_handler_test.go 2024-05-22 23:04:15 -05:00
Joshua Casey
fe911a7b7a Prefer slices package and slices.Concat where possible 2024-05-21 09:31:16 -05:00
Joshua Casey
f5116cddb4 Enable 'makezero' and 'prealloc' linters, and require 'any' instead of 'interface{}' 
Enforce importas:

- go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1
- go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1
 2024-05-21 09:31:15 -05:00
Joshua Casey
7b36c8ab54 Enable 'copyloopvar' linter 2024-05-10 12:51:02 -05:00
Ryan Richard
a1efcefdce Unit tests for token endpoint for custom ID token lifetimes 2024-04-24 14:13:41 -07:00
Joshua Casey
c8bc192e0b Start working on units tests for configurable token lifetimes 2024-04-24 14:13:40 -07:00
Ryan Richard
0d31e955ae Don't skip upstream group memberships when groups scope is not granted 
Background: For dynamic clients, the groups scope is not always allowed
and/or requested by the client, so it will not always be granted by the
Supervisor for an authorization request.

Previously, when the groups scope was not granted, we would skip
searching for upstream groups in some scenarios.

This commit changes the behavior of authorization flows so that even
when the groups scope is not granted we still search for the upstream
group memberships as configured, and we pass the upstream group
memberships into any configured identity transformations. The identity
transformations could potentially reject the user's authentication based
on their upstream group membership.

When the groups scope is not granted, we don't include the groups in
the final Supervisor-issued ID token. This behavior is not changed.
 2024-02-21 13:12:18 -08:00
Ryan Richard
1e8e7b948e Refactor token endpoint to add interface for IDP upstream refresh 2024-02-20 09:26:34 -08:00
Ryan Richard
1bc13e94f7 Refactor to extract interface for upstream IDP interactions 
Create an interface to abstract the upstream IDP from the
authorize, IDP discovery, callback, choose IDP, and login
endpoints. This commit does not refactor the token endpoint,
which will be refactored in a similar way in the next commit.
 2024-02-20 09:26:34 -08:00
Ryan Richard
cf82cf996e Adjust tests and comments for upgrade to latest version of fosite 2024-02-13 10:16:41 -08:00
Ryan Richard
ca5ad85bbd Switch from gopkg.in/square/go-jose.v2 to github.com/go-jose/go-jose/v3 
Made the switch wherever possible, but since fosite still uses the old
gopkg.in/square/go-jose.v2 there was one test where we still need to use
it as a direct dependency.
 2023-12-04 11:05:12 -08:00
Ryan Richard
28210ab14d add units tests to token_handler_test.go 2023-09-11 11:15:40 -07:00
Ryan Richard
5ad7e9a8ca started add units tests for identity transforms to token_handler_test.go 2023-09-11 11:14:06 -07:00
Ryan Richard
d4611b829d use slices.Contains() instead of custom func in token_handler_test.go 2023-09-11 11:14:06 -07:00
Ryan Richard
b71e5964aa fix token_handler_test.go 2023-09-11 11:11:56 -07:00
Ryan Richard
86c791b8a6 reorganize federation domain packages to be more intuitive 
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
 2023-09-11 11:11:52 -07:00