// DynamicTLSCertProvider holds the TLS certificates served per issuer host plus a
// default certificate, and lets both be replaced at runtime through the setters.
// NOTE(review): the setters and getters are presumably called from different code
// paths, so implementations are expected to be safe for concurrent use — confirm
// against the concrete implementation returned by NewDynamicTLSCertProvider.
type DynamicTLSCertProvider interface {
	// SetIssuerHostToTLSCertMap sets the issuer-host-to-certificate map. GetTLSCert
	// looks entries up by lowercased host name, so keys are presumably stored
	// lowercased — confirm. The parameter name says "JWKS", but the values are
	// *tls.Certificate, not key sets.
	SetIssuerHostToTLSCertMap(issuerToJWKSMap map[string]*tls.Certificate)
	// SetDefaultTLSCert sets the default certificate returned by GetDefaultTLSCert.
	// The name suggests it is the fallback when no per-host entry matches — confirm.
	SetDefaultTLSCert(certificate *tls.Certificate)
	// GetTLSCert returns the certificate registered for lowercaseIssuerHostName.
	// Callers must lowercase the host before the lookup, as the parameter name
	// requires; the result may be nil when no entry exists for that host.
	GetTLSCert(lowercaseIssuerHostName string) *tls.Certificate
	// GetDefaultTLSCert returns the certificate set by SetDefaultTLSCert; nil is
	// possible if none has been set.
	GetDefaultTLSCert() *tls.Certificate
}
func NewDynamicTLSCertProvider() DynamicTLSCertProvider
// DynamicUpstreamIDPProvider holds the current list of upstream OIDC identity
// providers and lets it be replaced at runtime.
// NOTE(review): Set and Get are presumably invoked from different goroutines, so
// implementations are expected to be safe for concurrent use — confirm.
type DynamicUpstreamIDPProvider interface {
	// SetIDPList replaces the current list of upstream providers with oidcIDPs.
	SetIDPList(oidcIDPs []UpstreamOIDCIdentityProviderI)
	// GetIDPList returns the list most recently passed to SetIDPList. Whether the
	// returned slice is a copy is not visible here; callers should treat it as
	// read-only.
	GetIDPList() []UpstreamOIDCIdentityProviderI
}
func NewDynamicUpstreamIDPProvider() DynamicUpstreamIDPProvider
// FederationDomainIssuer represents all of the settings and state for a
// downstream OIDC provider as defined by a FederationDomain. Construct it with
// NewFederationDomainIssuer, which can return an error for an issuer string it
// does not accept; the Issuer, IssuerHost and IssuerPath accessors expose the
// full issuer and its host and path components.
type FederationDomainIssuer struct {
	// contains filtered or unexported fields
}
FederationDomainIssuer represents all of the settings and state for a downstream OIDC provider as defined by a FederationDomain.
func NewFederationDomainIssuer(issuer string) (*FederationDomainIssuer, error)
func (p *FederationDomainIssuer) Issuer() string
func (p *FederationDomainIssuer) IssuerHost() string
func (p *FederationDomainIssuer) IssuerPath() string
// UpstreamOIDCIdentityProviderI describes an upstream OIDC identity provider that
// the Supervisor redirects users to and exchanges authorization codes with.
type UpstreamOIDCIdentityProviderI interface {
	// GetName returns a name for this upstream provider, which will be used as a
	// component of the path for the callback endpoint hosted by the Supervisor.
	GetName() string
	// GetClientID returns the OAuth client ID registered with the upstream
	// provider, to be used in the authorization code flow.
	GetClientID() string
	// GetAuthorizationURL returns the authorization endpoint fetched from discovery.
	GetAuthorizationURL() *url.URL
	// GetScopes returns the scopes to request in the authorization flow.
	GetScopes() []string
	// GetUsernameClaim returns the ID token claim name to read the username from.
	// It may return the empty string, in which case reasonable defaults are used.
	GetUsernameClaim() string
	// GetGroupsClaim returns the ID token claim name to read group memberships
	// from. It may return the empty string, in which case groups are not read
	// from the upstream provider.
	GetGroupsClaim() string
	// ExchangeAuthcodeAndValidateTokens performs the upstream OIDC authorization
	// code exchange and token validation, and returns the validated raw tokens as
	// well as the parsed claims of the ID token.
	//
	// pkceCodeVerifier and expectedIDTokenNonce are the values generated for the
	// original authorization request; the parameter names indicate that the
	// exchange presents the verifier and that the returned ID token is checked
	// against the expected nonce — confirm the exact checks in the implementation.
	// redirectURI must be the one used in the authorization request. On a non-nil
	// error the returned token must not be used.
	ExchangeAuthcodeAndValidateTokens(
		ctx context.Context,
		authcode string,
		pkceCodeVerifier pkce.Code,
		expectedIDTokenNonce nonce.Nonce,
		redirectURI string,
	) (*oidctypes.Token, error)
	// ValidateToken validates an already-obtained tok and returns the parsed
	// result. NOTE(review): the expectedIDTokenNonce parameter suggests the ID
	// token's nonce claim is compared against it — confirm. Callers must treat a
	// non-nil error as a failed validation and not use the returned token.
	ValidateToken(ctx context.Context, tok *oauth2.Token, expectedIDTokenNonce nonce.Nonce) (*oidctypes.Token, error)
}