Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support a browser-based login flow for LDAP and Active Directory providers #1163

Merged
merged 29 commits into from
May 24, 2022
Merged

Support a browser-based login flow for LDAP and Active Directory providers #1163

merged 29 commits into from
May 24, 2022

Conversation

cfryanr
Copy link
Member

@cfryanr cfryanr commented May 11, 2022
edited
Loading

Implements the LDAP/AD web UI proposal from #1116.

Note that this PR changes how the pinniped get kubeconfig cli deals with ambiguous flows. Previously, if there was more than one flow advertised for an IDP, the cli would require users to use the flag --upstream-identity-provider-flow. Now it chooses a default flow based on the IDP type (by choosing the first flow type in the Supervisor's discovery response).

Here's a screenshot of the new LDAP/AD login page, which is hosted by Supervisor:

Screen Shot 2022-06-02 at 10 55 15 AM

When using the Pinniped CLI, a successful login takes the user to the regular form_post success page, just like the previously supported browser authcode flow for an OIDCIdentityProvider:

Screen Shot 2022-06-02 at 10 55 34 AM

Release note:

End users can optionally use a new browser-based login flow from `kubectl` with LDAPIdentityProviders and ActiveDirectoryIdentityProviders.
The new login UI web page is hosted by the Pinniped Supervisor.

margocrawf and others added 26 commits April 25, 2022 14:54
@margocrawf
Advertise browser_authcode flow in ldap idp discovery
694e4d6 
To keep this backwards compatible, this PR changes how
the cli deals with ambiguous flows. Previously, if there
was more than one flow advertised, the cli would require users
to set the flag --upstream-identity-provider-flow. Now it
chooses the first one in the list.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
@margocrawf
WIP: Add login handler for LDAP/AD web login
8832362 
Also change state param to include IDP type
@margocrawf
Update authorization endpoint to redirect to new login page
eb1d381 
Also fix some test failures on the callback handler, register the
new login handler in manager.go and add a (half baked) integration test

Signed-off-by: Margo Crawford <margaretc@vmware.com>
@cfryanr
Implement login_handler.go to defer to other handlers
65eed7e 
The other handlers for GET and POST requests are not yet implemented in
this commit. The shared handler code in login_handler.go takes care of
things checking the method, checking the CSRF cookie, decoding the state
param, and adding security headers on behalf of both the GET and POST
handlers.

Some code has been extracted from callback_handler.go to be shared.
@margocrawf
when password header but not username is sent to password grant, error
379a803 
also add more unit tests

Signed-off-by: Margo Crawford <margaretc@vmware.com>
@margocrawf
Some refactoring of shared code between OIDC and LDAP browser flows
ae60d43 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
@margocrawf
Allow browser_authcode flow for pinniped login command
77f016f 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
@margocrawf
Add basic outline of login get handler
07b2306 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
@margocrawf
Fix some errors and pass state as form element
453c69a 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
@margocrawf
Show error message on login page
646c6ec 
Also add autocomplete attribute and title element

Signed-off-by: Margo Crawford <margaretc@vmware.com>
@cfryanr
Implement post_login_handler.go to accept form post and auth to LDAP/AD
69e5169 
Also extract some helpers from auth_handler.go so they can be shared
with the new handler.
@margocrawf
Fix bug where form was posting to the wrong path
388cdb6 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
@cfryanr
Use security headers for the form_post page in the POST /login endpoint
2e031f7 
Also use more specific test assertions where security headers are
expected. And run the unit tests for the login package in parallel.
@cfryanr
Merge branch 'main' into ldap-login-ui
656f221
@margocrawf
Add the full end to end test for ldap web ui
329d41a 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
@cfryanr
Add unit test for rendering form_post response from POST /login
6ca7c93
@cfryanr
Login page styling/structure for users, screen readers, passwd managers
cffa353 
Also:
- Add CSS to login page
- Refactor login page HTML and CSS into a new package
- New custom CSP headers for the login page, because the requirements
  are different from the form_post page
@cfryanr
Add --flow to choose login flow in prepare-supervisor-on-kind.sh
00d6884
@cfryanr
Update login page CSS selectors in e2e test
6e6e1f4
@cfryanr
Add Pinniped favicon to login UI page 🦭
ec22b57
@cfryanr
Don't add pinniped_idp_name pinniped_idp_type params into upstream state
4c44f58
@cfryanr
Extract browsertest.LoginToUpstreamLDAP() integration test helper
a4e32d8
@cfryanr
Add AD via browser login e2e test and refactor e2e tests to share code
ab302cf
@cfryanr
Add LDAP browser flow login test to supervisor_login_test.go
0b106c2
@cfryanr
Add LDAP browser flow login failure tests to supervisor_login_test.go
aa732a4 
Also do some refactoring to share more common test setup code in
supervisor_login_test.go.
@cfryanr
Update docs for new LDAP/AD browser-based login flow
4101a55 
Also fix some comments that didn't fit onto one line in the yaml
examples, be consistent about putting a blank line above `---` yaml
separators, and some other small doc improvements.
@cfryanr cfryanr mentioned this pull request May 11, 2022
Closed
@codecov
Copy link

codecov bot commented May 11, 2022
edited
Loading

Codecov Report

Merging #1163 (438ab0a) into main (7388097) will decrease coverage by 0.42%.
The diff coverage is 73.96%.

@@            Coverage Diff             @@
##             main    #1163      +/-   ##
==========================================
- Coverage   79.73%   79.30%   -0.43%     
==========================================
  Files         136      141       +5     
  Lines       10055    10240     +185     
==========================================
+ Hits         8017     8121     +104     
- Misses       1767     1847      +80     
- Partials      271      272       +1
Impacted Files Coverage Δ
internal/oidc/oidc.go 0.00% <0.00%> (ø)
internal/oidc/login/post_login_handler.go 90.90% <90.90%> (ø)
internal/oidc/login/login_handler.go 95.00% <95.00%> (ø)
internal/oidc/auth/auth_handler.go 99.32% <98.51%> (+1.96%) ⬆️
cmd/pinniped/cmd/kubeconfig.go 84.15% <100.00%> (-0.03%) ⬇️
cmd/pinniped/cmd/login_oidc.go 91.62% <100.00%> (ø)
internal/oidc/callback/callback_handler.go 100.00% <100.00%> (ø)
...nternal/oidc/idpdiscovery/idp_discovery_handler.go 86.04% <100.00%> (ø)
internal/oidc/login/get_login_handler.go 100.00% <100.00%> (ø)
internal/oidc/login/loginhtml/loginhtml.go 100.00% <100.00%> (ø)
... and 3 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7388097...438ab0a. Read the comment docs.

@cfryanr cfryanr mentioned this pull request May 11, 2022
Closed
enj
enj reviewed May 13, 2022
View reviewed changes
Copy link
Contributor

@enj enj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am still looking through some of the tests.

cmd/pinniped/cmd/kubeconfig.go Outdated Show resolved Hide resolved
internal/oidc/provider/manager/manager.go Outdated Show resolved Hide resolved
internal/oidc/oidc.go Outdated Show resolved Hide resolved
internal/oidc/login/get_login_handler.go Outdated Show resolved Hide resolved
internal/oidc/login/loginhtml/login_form.gohtml Show resolved Hide resolved
internal/oidc/login/loginhtml/loginhtml.go Outdated Show resolved Hide resolved
internal/oidc/login/loginhtml/loginhtml.go Show resolved Hide resolved
internal/oidc/login/post_login_handler.go Show resolved Hide resolved
internal/oidc/auth/auth_handler.go Outdated Show resolved Hide resolved
site/content/docs/howto/configure-supervisor-with-workspace_one_access.md Outdated Show resolved Hide resolved
enj
enj suggested changes May 23, 2022
View reviewed changes
Copy link
Contributor

@enj enj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change to internal/oidc/provider/manager/manager.go looks incorrect?

@cfryanr cfryanr merged commit 03ccef0 into main May 24, 2022
@cfryanr cfryanr deleted the ldap-login-ui branch May 24, 2022 14:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@margocrawf margocrawf margocrawf left review comments

@enj enj enj approved these changes

Assignees
No one assigned
Labels
cla-not-required
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cfryanr @enj @margocrawf @vmwclabot