mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-01-10 07:58:07 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,836 Commits 21 Branches 50 Tags
cd86d57763459e253ccb88b9296e2e41b2619e8f
Commit Graph

1186 Commits

Author SHA1 Message Date
Benjamin A. Petersen
cd86d57763 review cleanup, remove TODOs 2024-04-25 17:02:07 -04:00
Joshua Casey
be1915d2d7 fixed fuzzing 2024-04-25 17:02:07 -04:00
Benjamin A. Petersen
42ef46b74e expand TestUpstreamGitHubIdentityProvider 2024-04-25 17:02:07 -04:00
Benjamin A. Petersen
79d0e74056 Fix github_upstream_watcher so GitHub is listed in Supervisor idp discovery doc 2024-04-25 17:02:06 -04:00
Benjamin A. Petersen
0e3641bba2 Fix test idp lister 2024-04-25 17:02:06 -04:00
Benjamin A. Petersen
e3aa495e0b Update idp discovery handler test 2024-04-25 17:02:06 -04:00
Benjamin A. Petersen
7968ed6d69 Allow GitHubIdentityProvider IDP type by FederationDomainWatcher 2024-04-25 17:02:05 -04:00
Benjamin A. Petersen
44edba6f75 Add tests for Github in FederationDomain ListerFinder 2024-04-25 17:01:57 -04:00
Benjamin A. Petersen
0c7e95539f Add GitHub to FederationDomain IdP ListerFinder 2024-04-25 16:51:47 -04:00
Joshua Casey
14b1b7c862 Polish up the github_upstream_watcher: default and verify spec.claims correctly 2024-04-24 13:37:40 -05:00
Joshua Casey
c8b90df6f1 Inline using phttp.Default 2024-04-23 18:06:26 -05:00
Joshua Casey
fe5d037600 Merge branch 'main' into jtc/merge-main-5fe94c4e-into-github 2024-04-23 12:42:07 -05:00
Ryan Richard
1d8310ed44 clarify error message for when there is no healthy controller manager 2024-04-22 09:29:37 -07:00
Ryan Richard
0ef98f0558 Use new helpers to assert that all webhook dials use ptls settings 2024-04-19 11:15:59 -07:00
Joshua Casey
94bee9e882 Remove testutil.TLSTestServerWithCert in favor of the testutil/tlsserver package 2024-04-19 10:30:23 -05:00
Joshua Casey
da135d9958 Webhookcachefiller now uses a real tls.Dial, which means we can test IPv6 2024-04-19 09:24:17 -05:00
Ryan Richard
e048859afd Use ptls package when calling webhook during authentication 2024-04-18 16:00:57 -07:00
Ryan Richard
8c081c50d4 Use ptls package to determine TLS config when probing webhook for status 2024-04-18 12:55:49 -07:00
Joshua Casey
c9b61ef010 Populate internal GitHub IDP Config from CRD 2024-04-16 14:33:01 -05:00
Joshua Casey
8ea339139e ldap.Conn.Start() is now deprecated as of https://github.com/go-ldap/ldap/releases/tag/v3.4.7 2024-04-08 06:49:03 -05:00
Benjamin A. Petersen
e2db152c6c Stub in TestUpstreamGithubIdentityProvider for unit tests 2024-04-02 13:59:11 -04:00
Benjamin A. Petersen
5c490e999d Stub in unit tests for github_upstream_watcher 2024-04-02 12:38:06 -04:00
Benjamin A. Petersen
a11e1527f0 Add github-upstream-observer Controller 2024-04-02 10:53:26 -04:00
Benjamin A. Petersen
c6b0820438 Fix some utils, spacing, func naming, test inputs, etc. 2024-03-26 16:22:51 -04:00
Benjamin A. Petersen
f86c46e160 Update WebhookAuthenticator Status WebhookConnectionValid 
- ConnectionProbeValid -> WebhookConnectionValid
  - This is to conform with the pattern of other controllers, ex:
    LDAPConnectionValid
 2024-03-26 15:33:44 -04:00
Ben Petersen
eed0c9d5b0 Update ParseFromURL usage comment. 
- Carefully note the rfc27732 design for IPv6 in URLs, while also clarifying the handling of IPv6 in Golang.

Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-03-26 15:32:15 -04:00
Benjamin A. Petersen
e38a27d93d Add endpointaddr.ParseFromURL helper, WebhookAuthenticator handle additional IPv6 cases 2024-03-22 15:57:57 -04:00
Benjamin A. Petersen
b0904c2e99 change TestNewWebhookAuthenticator to test table style 2024-03-20 11:39:55 -04:00
Benjamin A. Petersen
bec5fe85cc change WebhookAuthenticator TLSConnectionNegotiationValid to ConnectionProbeValid 2024-03-19 18:00:40 -04:00
Joshua Casey
90e7343fb5 Add IPv6 test to WebhookAuthenticator ctrl tests 
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
 2024-03-19 16:48:08 -04:00
Benjamin A. Petersen
5c0d67dc50 refactor WebhookAuthenticator newWebhookAuthenticator func 2024-03-19 16:48:08 -04:00
Benjamin A. Petersen
b6512bcbb6 add WebhookCacheFiller updateStatus tests 2024-03-19 16:48:07 -04:00
Benjamin A. Petersen
097e6d5340 Always pass spec to CreateTestWebhookAuthenticator 2024-03-19 16:48:07 -04:00
Benjamin A. Petersen
a45a537cdb Improve JWTAuthenticator validation of Issuer,Discovery 2024-03-19 16:48:06 -04:00
Benjamin A. Petersen
0467e5c1d5 Refactor logLines to SplitByNewline, deduplicate 2024-03-19 16:48:06 -04:00
Benjamin A. Petersen
337459feb0 Update webhook status integration tests 
- total api fields test 260->261
 2024-03-19 16:48:05 -04:00
Benjamin A. Petersen
590e2d18f7 Add WebhookAuthenticator integration tests, expand unit tests 
- Add WebhookAuthenticator unit tests, update generated code
- Add validateTLSNegotiation(), update tests
- Update validateTLSNegotiation, add unit tests, factor out helpers
- Update generated code
 2024-03-19 16:48:05 -04:00
Benjamin A. Petersen
ef36b454ba Improve WebhookAuthenticator Status and Validations 
- Validate TLS Configuration
- Validate Endpoint
- Validate TLS Negotiation
  - Report status handshake negotiation with webhook
- Unit tests
- Integration tests
 2024-03-19 16:48:03 -04:00
Joshua Casey
bc8aebeffe Use go.uber.org/mock instead of github.com/golang/mock and rerun mock generation 2024-03-11 13:42:30 -05:00
Joshua Casey
ffc49d96b3 Integration tests should use a valid value for CredentialIssuer spec.impersonationProxy.service.type 2024-03-08 11:19:15 -06:00
Joshua Casey
ab0682917a whoami integration test now allows for additional extra fields in K8s 1.30+ 2024-03-07 08:09:16 -06:00
Benjamin A. Petersen
e8482ab9e9 Update jwtauthenticator unit tests to check actions 
- Add test to verify timestamps are particularly updated
- Improve diff output in tests for actions
- Make jwtauthenticator status tests parallel
- Update copyright headers in multiple files
 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
42acf8dcce Add Status & tests for jwks key fetching 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
1c7e7048a8 Update copyright year in modified files 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
73e4d3144b Add integration tests for JWTAuthenticators 
- paired with changes to e2e_test.go, adds Status.Condition assertions
  around JWTAuthenticators
 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
084c3114f4 Improve jwtcachefiller tests 
- some format updates
- add timestamp to test
- fix order of expect,actual in some assertions
- remove some commented code no longer needed
 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
47639340ec extract status comparison test helpers 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
fd14a5794e ldap upstream watcher: rename local var for clarity 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
a4447fa606 Add .Status to JWTAuthenticator with Conditions,Phase 
- "Ready" condition & supporting conditions
- Legacy "Phase" for convenience
- Refactor newCachedJWTAuthenticator() func
  to improve ability to provide additional conditions
- Update JWTAuthenticator.Status type
- Update RBAC for SA to get/watch/update JWTAuthenticator.Status
- Update logger to plog, add tests for logs & statuses
- update Sync() to reduce enqueue when error is config/user managed, perhaps remove validateJWKSResponse()
 2024-02-27 15:45:32 -08:00
Ryan Richard
0d31e955ae Don't skip upstream group memberships when groups scope is not granted 
Background: For dynamic clients, the groups scope is not always allowed
and/or requested by the client, so it will not always be granted by the
Supervisor for an authorization request.

Previously, when the groups scope was not granted, we would skip
searching for upstream groups in some scenarios.

This commit changes the behavior of authorization flows so that even
when the groups scope is not granted we still search for the upstream
group memberships as configured, and we pass the upstream group
memberships into any configured identity transformations. The identity
transformations could potentially reject the user's authentication based
on their upstream group membership.

When the groups scope is not granted, we don't include the groups in
the final Supervisor-issued ID token. This behavior is not changed.
 2024-02-21 13:12:18 -08:00