ContainerImage.Pinniped/internal/oidc/provider/manager/manager.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package manager

import (
	"net/http"
	"sync"

	"k8s.io/klog/v2"

	"go.pinniped.dev/internal/oidc"
	"go.pinniped.dev/internal/oidc/discovery"
	"go.pinniped.dev/internal/oidc/jwks"
	"go.pinniped.dev/internal/oidc/provider"
)

// Manager can manage multiple active OIDC providers. It acts as a request router for them.
//
// It is thread-safe.
type Manager struct {
	mu                  sync.RWMutex
	providers           []*provider.OIDCProvider
	providerHandlers    map[string]http.Handler  // map of all routes for all providers
	nextHandler         http.Handler             // the next handler in a chain, called when this manager didn't know how to handle a request
	dynamicJWKSProvider jwks.DynamicJWKSProvider // in-memory cache of per-issuer JWKS data
}

// NewManager returns an empty Manager.
// nextHandler will be invoked for any requests that could not be handled by this manager's providers.
// dynamicJWKSProvider will be used as an in-memory cache for per-issuer JWKS data.
func NewManager(nextHandler http.Handler, dynamicJWKSProvider jwks.DynamicJWKSProvider) *Manager {
	return &Manager{
		providerHandlers:    make(map[string]http.Handler),
		nextHandler:         nextHandler,
		dynamicJWKSProvider: dynamicJWKSProvider,
	}
}

// SetProviders adds or updates all the given providerHandlers using each provider's issuer string
// as the name of the provider to decide if it is an add or update operation.
//
// It also removes any providerHandlers that were previously added but were not passed in to
// the current invocation.
//
// This method assumes that all of the OIDCProvider arguments have already been validated
// by someone else before they are passed to this method.
func (m *Manager) SetProviders(oidcProviders ...*provider.OIDCProvider) {
	m.mu.Lock()
	defer m.mu.Unlock()

	m.providers = oidcProviders
	m.providerHandlers = make(map[string]http.Handler)

	for _, incomingProvider := range oidcProviders {
		wellKnownURL := incomingProvider.IssuerHost() + "/" + incomingProvider.IssuerPath() + oidc.WellKnownEndpointPath
		m.providerHandlers[wellKnownURL] = discovery.NewHandler(incomingProvider.Issuer())

		jwksURL := incomingProvider.IssuerHost() + "/" + incomingProvider.IssuerPath() + oidc.JWKSEndpointPath
		m.providerHandlers[jwksURL] = jwks.NewHandler(incomingProvider.Issuer(), m.dynamicJWKSProvider)

		klog.InfoS("oidc provider manager added or updated issuer", "issuer", incomingProvider.Issuer())
	}
}

// ServeHTTP implements the http.Handler interface.
func (m *Manager) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
	requestHandler := m.findHandler(req)

	klog.InfoS(
		"oidc provider manager examining request",
		"method", req.Method,
		"host", req.Host,
		"path", req.URL.Path,
		"foundMatchingIssuer", requestHandler != nil,
	)

	if requestHandler == nil {
		requestHandler = m.nextHandler // couldn't find an issuer to handle the request
	}
	requestHandler.ServeHTTP(resp, req)
}

func (m *Manager) findHandler(req *http.Request) http.Handler {
	m.mu.RLock()
	defer m.mu.RUnlock()

	return m.providerHandlers[req.Host+"/"+req.URL.Path]
}
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`package manager`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00
			`import (`
			`"net/http"`
			`"sync"`

			`"k8s.io/klog/v2"`

			`"go.pinniped.dev/internal/oidc"`
			`"go.pinniped.dev/internal/oidc/discovery"`
Implement per-issuer OIDC JWKS endpoint 2020-10-17 00:51:40 +00:00			`"go.pinniped.dev/internal/oidc/jwks"`
Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`"go.pinniped.dev/internal/oidc/provider"`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`)`

			`// Manager can manage multiple active OIDC providers. It acts as a request router for them.`
			`//`
			`// It is thread-safe.`
			`type Manager struct {`
Implement per-issuer OIDC JWKS endpoint 2020-10-17 00:51:40 +00:00			`mu sync.RWMutex`
			`providers []*provider.OIDCProvider`
			`providerHandlers map[string]http.Handler // map of all routes for all providers`
			`nextHandler http.Handler // the next handler in a chain, called when this manager didn't know how to handle a request`
			`dynamicJWKSProvider jwks.DynamicJWKSProvider // in-memory cache of per-issuer JWKS data`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`}`

Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`// NewManager returns an empty Manager.`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`// nextHandler will be invoked for any requests that could not be handled by this manager's providers.`
Implement per-issuer OIDC JWKS endpoint 2020-10-17 00:51:40 +00:00			`// dynamicJWKSProvider will be used as an in-memory cache for per-issuer JWKS data.`
			`func NewManager(nextHandler http.Handler, dynamicJWKSProvider jwks.DynamicJWKSProvider) *Manager {`
			`return &Manager{`
			`providerHandlers: make(map[string]http.Handler),`
			`nextHandler: nextHandler,`
			`dynamicJWKSProvider: dynamicJWKSProvider,`
			`}`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`}`

			`// SetProviders adds or updates all the given providerHandlers using each provider's issuer string`
			`// as the name of the provider to decide if it is an add or update operation.`
			`//`
			`// It also removes any providerHandlers that were previously added but were not passed in to`
			`// the current invocation.`
			`//`
			`// This method assumes that all of the OIDCProvider arguments have already been validated`
			`// by someone else before they are passed to this method.`
Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-08 21:40:56 +00:00			`func (m Manager) SetProviders(oidcProviders ...provider.OIDCProvider) {`
			`m.mu.Lock()`
			`defer m.mu.Unlock()`

			`m.providers = oidcProviders`
			`m.providerHandlers = make(map[string]http.Handler)`

Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`for _, incomingProvider := range oidcProviders {`
Implement per-issuer OIDC JWKS endpoint 2020-10-17 00:51:40 +00:00			`wellKnownURL := incomingProvider.IssuerHost() + "/" + incomingProvider.IssuerPath() + oidc.WellKnownEndpointPath`
			`m.providerHandlers[wellKnownURL] = discovery.NewHandler(incomingProvider.Issuer())`

			`jwksURL := incomingProvider.IssuerHost() + "/" + incomingProvider.IssuerPath() + oidc.JWKSEndpointPath`
			`m.providerHandlers[jwksURL] = jwks.NewHandler(incomingProvider.Issuer(), m.dynamicJWKSProvider)`

Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-08 21:40:56 +00:00			`klog.InfoS("oidc provider manager added or updated issuer", "issuer", incomingProvider.Issuer())`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`}`
			`}`

			`// ServeHTTP implements the http.Handler interface.`
Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-08 21:40:56 +00:00			`func (m Manager) ServeHTTP(resp http.ResponseWriter, req http.Request) {`
			`requestHandler := m.findHandler(req)`

			`klog.InfoS(`
			`"oidc provider manager examining request",`
			`"method", req.Method,`
			`"host", req.Host,`
			`"path", req.URL.Path,`
			`"foundMatchingIssuer", requestHandler != nil,`
			`)`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00
Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-08 21:40:56 +00:00			`if requestHandler == nil {`
			`requestHandler = m.nextHandler // couldn't find an issuer to handle the request`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`}`
Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-08 21:40:56 +00:00			`requestHandler.ServeHTTP(resp, req)`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`}`

Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-08 21:40:56 +00:00			`func (m Manager) findHandler(req http.Request) http.Handler {`
			`m.mu.RLock()`
			`defer m.mu.RUnlock()`

			`return m.providerHandlers[req.Host+"/"+req.URL.Path]`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`}`