Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue and refresh downstream ID tokens derived from a GitHub IDP #1963

Merged
merged 25 commits into from
May 30, 2024
Merged

Issue and refresh downstream ID tokens derived from a GitHub IDP #1963

merged 25 commits into from
May 30, 2024

Conversation

joshuatcasey
Copy link
Member

@joshuatcasey joshuatcasey commented May 20, 2024
edited
Loading

The Supervisor will now issue downstream tokens when logging in with GitHub as an identity provider. Will check the user's organization and team membership and ensure that the user meets the login policy specified on the GitHub IDP CR.

Refreshing a GitHub-derived identity is virtually identical to logging in, so that was implemented as well.

@codecov Codecov
Copy link

codecov bot commented May 20, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 82.74510% with 88 lines in your changes are missing coverage. Please review.

Project coverage is 30.57%. Comparing base (80c7022) to head (02ffff0).
Report is 3 commits behind head on github_identity_provider.

Files Patch % Lines
test/testlib/browsertest/browsertest.go 0.00% 55 Missing ⚠️
test/testlib/env.go 0.00% 11 Missing ⚠️
...ternal/testutil/oidctestutil/testgithubprovider.go 86.88% 6 Missing and 2 partials ⚠️
internal/githubclient/githubclient.go 95.80% 4 Missing and 2 partials ⚠️
test/testlib/skip.go 0.00% 6 Missing ⚠️
internal/testutil/testidplister/testidplister.go 95.55% 1 Missing and 1 partial ⚠️
Additional details and impacted files 
@@                     Coverage Diff                      @@
##           github_identity_provider    #1963      +/-   ##
============================================================
+ Coverage                     30.14%   30.57%   +0.43%     
============================================================
  Files                           358      362       +4     
  Lines                         59869    60335     +466     
============================================================
+ Hits                          18046    18448     +402     
- Misses                        41293    41353      +60     
- Partials                        530      534       +4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@joshuatcasey joshuatcasey force-pushed the github-issues-downstream-tokens branch 3 times, most recently from cd5591d to 1289fa8 Compare May 22, 2024 14:47
joshuatcasey and others added 15 commits May 22, 2024 21:21
@joshuatcasey @cfryanr
Add github-specific tests in callback_handler_github_test.go
b7f79f0 
Co-authored-by: Ryan Richard <richardry@vmware.com>
@cfryanr @joshuatcasey
Add GetUser() interface and implement LoginFromCallback() for GitHub
49c468f 
ALso fixed some of the GitHub test helpers
@joshuatcasey
Add client wrapper for github.com/google/go-github/v62
c087e33
@joshuatcasey @cfryanr
Empty allowedOrganizations will return all teams
a12a5f3 
Co-authored-by: Ryan Richard <richardry@vmware.com>
@joshuatcasey @cfryanr
Use passed-in context
555b1c8 
Co-authored-by: Ryan Richard <richardry@vmware.com>
@cfryanr @joshuatcasey
Handle empty or invalid github API responses
16fa12f 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
@joshuatcasey @cfryanr
Standardize error messages and url handling within NewGitHubClient
8719c7a 
Co-authored-by: Ryan Richard <richardry@vmware.com>
@joshuatcasey
upstreamgitub.go now uses githubclient to determine username and groups
938bea9
@joshuatcasey
fix lint
ba2d122
@cfryanr @joshuatcasey
Finish initial github login flow
8923704 
Also:
- fix github teams query: fix bug and sort/unique the results
- add IDP display name to github downstream subject
- fix error types returned by LoginFromCallback
- add trace logs to github API results
- update e2e test
- implement placeholder version of refresh for github
@cfryanr @joshuatcasey
Make github org comparison case-insensitive, but return original case
8f8db3f 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
@cfryanr @joshuatcasey
Add github integration tests to supervisor_login_test.go
e69eb46 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
@cfryanr @joshuatcasey
Merge callback_handler_github_test.go into callback_handler_test.go
0a15d48 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
@cfryanr @joshuatcasey
implement upstream refresh for github
fef4949
@cfryanr @joshuatcasey
slow down github integration tests to avoid OTP reuse errors from github
bb1737d
@joshuatcasey joshuatcasey force-pushed the github-issues-downstream-tokens branch from ac6d56f to bb1737d Compare May 23, 2024 02:21
@joshuatcasey joshuatcasey marked this pull request as ready for review May 23, 2024 02:48
@joshuatcasey joshuatcasey changed the title [DRAFT] GitHub issues downstream tokens GitHub issues downstream tokens May 23, 2024
@codecov-commenter
Copy link

codecov-commenter commented May 23, 2024
edited by codecov bot
Loading

Codecov Report

Attention: Patch coverage is 82.72425% with 104 lines in your changes are missing coverage. Please review.

Project coverage is 30.60%. Comparing base (80c7022) to head (6327f51).
Report is 3 commits behind head on github_identity_provider.

Files Patch % Lines
test/testlib/browsertest/browsertest.go 0.00% 55 Missing ⚠️
test/testlib/skip.go 0.00% 15 Missing ⚠️
test/testlib/env.go 0.00% 14 Missing ⚠️
...ternal/testutil/oidctestutil/testgithubprovider.go 87.50% 6 Missing and 2 partials ⚠️
internal/githubclient/githubclient.go 95.80% 4 Missing and 2 partials ⚠️
...util/oidctestutil/expected_upstream_state_param.go 60.00% 2 Missing ⚠️
internal/testutil/testidplister/testidplister.go 98.01% 1 Missing and 1 partial ⚠️
internal/testutil/oidctestutil/testldapprovider.go 87.50% 1 Missing ⚠️
internal/testutil/oidctestutil/testoidcprovider.go 75.00% 1 Missing ⚠️
Additional details and impacted files 
@@                     Coverage Diff                      @@
##           github_identity_provider    #1963      +/-   ##
============================================================
+ Coverage                     30.14%   30.60%   +0.46%     
============================================================
  Files                           358      362       +4     
  Lines                         59869    60383     +514     
============================================================
+ Hits                          18046    18481     +435     
- Misses                        41293    41368      +75     
- Partials                        530      534       +4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@joshuatcasey joshuatcasey changed the title GitHub issues downstream tokens Issue and refresh downstream ID tokens derived from a GitHub IDP May 28, 2024
@joshuatcasey joshuatcasey merged commit 037fa65 into github_identity_provider May 30, 2024
38 checks passed
@joshuatcasey joshuatcasey deleted the github-issues-downstream-tokens branch May 30, 2024 21:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cfryanr cfryanr cfryanr approved these changes

Assignees
No one assigned
Labels
cla-not-required
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@joshuatcasey @codecov-commenter @cfryanr @vmwclabot