GO-2022-0981: Pinniped Supervisor Insufficient Session Expiration vulnerability in go.pinniped.dev

provider

package

v0.12.0 Latest Latest Go to latest Published: Sep 16, 2021 License: Apache-2.0 Imports: 12 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/vmware-tanzu/pinniped

Links

Open Source Insights

Documentation ¶

Index ¶

type DynamicTLSCertProvider
- func NewDynamicTLSCertProvider() DynamicTLSCertProvider
type DynamicUpstreamIDPProvider
- func NewDynamicUpstreamIDPProvider() DynamicUpstreamIDPProvider
type FederationDomainIssuer
- func NewFederationDomainIssuer(issuer string) (*FederationDomainIssuer, error)
type UpstreamLDAPIdentityProviderI
type UpstreamOIDCIdentityProviderI

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type DynamicTLSCertProvider ¶

type DynamicTLSCertProvider interface {
	SetIssuerHostToTLSCertMap(issuerToJWKSMap map[string]*tls.Certificate)
	SetDefaultTLSCert(certificate *tls.Certificate)
	GetTLSCert(lowercaseIssuerHostName string) *tls.Certificate
	GetDefaultTLSCert() *tls.Certificate
}

func NewDynamicTLSCertProvider ¶

func NewDynamicTLSCertProvider() DynamicTLSCertProvider

type DynamicUpstreamIDPProvider ¶ added in v0.3.0

type DynamicUpstreamIDPProvider interface {
	SetOIDCIdentityProviders(oidcIDPs []UpstreamOIDCIdentityProviderI)
	GetOIDCIdentityProviders() []UpstreamOIDCIdentityProviderI
	SetLDAPIdentityProviders(ldapIDPs []UpstreamLDAPIdentityProviderI)
	GetLDAPIdentityProviders() []UpstreamLDAPIdentityProviderI
	SetActiveDirectoryIdentityProviders(adIDPs []UpstreamLDAPIdentityProviderI)
	GetActiveDirectoryIdentityProviders() []UpstreamLDAPIdentityProviderI
}

func NewDynamicUpstreamIDPProvider ¶ added in v0.3.0

func NewDynamicUpstreamIDPProvider() DynamicUpstreamIDPProvider

type FederationDomainIssuer ¶ added in v0.3.0

type FederationDomainIssuer struct {
	// contains filtered or unexported fields
}

FederationDomainIssuer represents all of the settings and state for a downstream OIDC provider as defined by a FederationDomain.

func NewFederationDomainIssuer ¶ added in v0.3.0

func NewFederationDomainIssuer(issuer string) (*FederationDomainIssuer, error)

func (*FederationDomainIssuer) Issuer ¶ added in v0.3.0

func (p *FederationDomainIssuer) Issuer() string

func (*FederationDomainIssuer) IssuerHost ¶ added in v0.3.0

func (p *FederationDomainIssuer) IssuerHost() string

func (*FederationDomainIssuer) IssuerPath ¶ added in v0.3.0

func (p *FederationDomainIssuer) IssuerPath() string

type UpstreamLDAPIdentityProviderI ¶ added in v0.9.0

type UpstreamLDAPIdentityProviderI interface {
	// GetName returns a name for this upstream provider.
	GetName() string

	// GetURL returns a URL which uniquely identifies this LDAP provider, e.g. "ldaps://host.example.com:1234".
	// This URL is not used for connecting to the provider, but rather is used for creating a globally unique user
	// identifier by being combined with the user's UID, since user UIDs are only unique within one provider.
	GetURL() *url.URL

	// UserAuthenticator adds an interface method for performing user authentication against the upstream LDAP provider.
	authenticators.UserAuthenticator
}

type UpstreamOIDCIdentityProviderI ¶ added in v0.3.0

type UpstreamOIDCIdentityProviderI interface {
	// GetName returns a name for this upstream provider, which will be used as a component of the path for the
	// callback endpoint hosted by the Supervisor.
	GetName() string

	// GetClientID returns the OAuth client ID registered with the upstream provider to be used in the authorization code flow.
	GetClientID() string

	// GetAuthorizationURL returns the Authorization Endpoint fetched from discovery.
	GetAuthorizationURL() *url.URL

	// GetScopes returns the scopes to request in authorization (authcode or password grant) flow.
	GetScopes() []string

	// GetUsernameClaim returns the ID Token username claim name. May return empty string, in which case we
	// will use some reasonable defaults.
	GetUsernameClaim() string

	// GetGroupsClaim returns the ID Token groups claim name. May return empty string, in which case we won't
	// try to read groups from the upstream provider.
	GetGroupsClaim() string

	// AllowsPasswordGrant returns true if a client should be allowed to use the resource owner password credentials grant
	// flow with this upstream provider. When false, it should not be allowed.
	AllowsPasswordGrant() bool

	// PasswordCredentialsGrantAndValidateTokens performs upstream OIDC resource owner password credentials grant and
	// token validation. Returns the validated raw tokens as well as the parsed claims of the ID token.
	PasswordCredentialsGrantAndValidateTokens(ctx context.Context, username, password string) (*oidctypes.Token, error)

	// ExchangeAuthcodeAndValidateTokens performs upstream OIDC authorization code exchange and token validation.
	// Returns the validated raw tokens as well as the parsed claims of the ID token.
	ExchangeAuthcodeAndValidateTokens(
		ctx context.Context,
		authcode string,
		pkceCodeVerifier pkce.Code,
		expectedIDTokenNonce nonce.Nonce,
		redirectURI string,
	) (*oidctypes.Token, error)

	ValidateToken(ctx context.Context, tok *oauth2.Token, expectedIDTokenNonce nonce.Nonce) (*oidctypes.Token, error)
}

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
formposthtml Package formposthtml defines HTML templates used by the Supervisor.	Package formposthtml defines HTML templates used by the Supervisor.
manager

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL