// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package oidcclientsecretstorage
import (
"context"
"encoding/base64"
"fmt"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
"go.pinniped.dev/internal/constable"
"go.pinniped.dev/internal/crud"
)
const (
	// TypeLabelValue is the storage type value handed to crud.New and crud.FromSecret; it identifies
	// the Secrets written by this package.
	TypeLabelValue = "oidc-client-secret"

	// ErrOIDCClientSecretStorageVersion is wrapped into the error returned when stored data carries a
	// version field other than oidcClientSecretStorageVersion.
	ErrOIDCClientSecretStorageVersion = constable.Error("OIDC client secret storage data has wrong version")

	// oidcClientSecretStorageVersion is the format version written into every record by Set and
	// required by ReadFromSecret.
	oidcClientSecretStorageVersion = "1"
)
// OIDCClientSecretStorage reads and writes the stored client secret hashes of OIDCClient resources
// through a crud.Storage built on a Kubernetes Secret client (see New).
type OIDCClientSecretStorage struct {
	// storage is the underlying store; records are keyed by the encoded OIDCClient UID (see uidToName).
	storage crud.Storage
}
// storedClientSecret defines the format of the content of a client's secrets when stored in a Secret
// as a JSON string value.
type storedClientSecret struct {
	// SecretHashes is the list of bcrypt hashes of the client's secrets; Get returns it as stored.
	SecretHashes []string `json:"hashes"`

	// Version is the format version. Take care when updating. We cannot simply bump the storage version
	// and drop/ignore old data. Updating this would require some form of migration of existing stored data.
	// ReadFromSecret rejects records whose Version is not oidcClientSecretStorageVersion.
	Version string `json:"version"`
}
// New returns an OIDCClientSecretStorage whose records are kept in Secrets accessed through the given
// client, tagged with TypeLabelValue.
func New(secrets corev1client.SecretInterface) *OIDCClientSecretStorage {
	store := crud.New(TypeLabelValue, secrets, nil, 0)
	return &OIDCClientSecretStorage{storage: store}
}
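// Get returns the resource version of the Secret holding the client secret hashes of the OIDCClient
// with the given UID, together with the stored hashes. When no such Secret exists it returns
// "", nil, nil so that callers can tell "nothing stored yet" apart from a read failure.
// A record whose version field is not oidcClientSecretStorageVersion is rejected with an error that
// wraps ErrOIDCClientSecretStorageVersion, the same check ReadFromSecret applies.
func (s *OIDCClientSecretStorage) Get(ctx context.Context, oidcClientUID types.UID) (string, []string, error) {
	secret := &storedClientSecret{}
	rv, err := s.storage.Get(ctx, uidToName(oidcClientUID), secret)
	if errors.IsNotFound(err) {
		return "", nil, nil
	}
	if err != nil {
		return "", nil, fmt.Errorf("failed to get client secret for uid %s: %w", oidcClientUID, err)
	}
	// Never hand out hashes written in a format this code does not know how to interpret.
	if secret.Version != oidcClientSecretStorageVersion {
		return "", nil, fmt.Errorf("%w: OIDC client secret storage has version %s instead of %s",
			ErrOIDCClientSecretStorageVersion, secret.Version, oidcClientSecretStorageVersion)
	}
	return rv, secret.SecretHashes, nil
}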
// Set stores the given hashes as the client secret record of the OIDCClient identified by
// oidcClientName and oidcClientUID. An empty resourceVersion means no Secret exists yet, so one is
// created with an owner reference to the OIDCClient; otherwise the existing Secret is updated with
// resourceVersion passed through to the store.
func (s *OIDCClientSecretStorage) Set(ctx context.Context, resourceVersion, oidcClientName string, oidcClientUID types.UID, secretHashes []string) error {
	record := &storedClientSecret{
		SecretHashes: secretHashes,
		Version:      oidcClientSecretStorageVersion,
	}
	name := uidToName(oidcClientUID)

	if resourceVersion != "" {
		// Existing Secret: update in place.
		if _, err := s.storage.Update(ctx, name, resourceVersion, record); err != nil {
			return fmt.Errorf("failed to update client secret for uid %s: %w", oidcClientUID, err)
		}
		return nil
	}

	// No Secret yet: create it with the OIDCClient as its owner.
	owner := metav1.OwnerReference{
		APIVersion:         configv1alpha1.SchemeGroupVersion.String(),
		Kind:               "OIDCClient",
		Name:               oidcClientName,
		UID:                oidcClientUID,
		Controller:         nil, // TODO should this be true?
		BlockOwnerDeletion: nil,
	}
	if _, err := s.storage.Create(ctx, name, record, nil, []metav1.OwnerReference{owner}); err != nil {
		return fmt.Errorf("failed to create client secret for uid %s: %w", oidcClientUID, err)
	}
	return nil
}
// GetName returns the name of the Secret which would be used to store data for the given OIDCClient UID.
func (s *OIDCClientSecretStorage) GetName(oidcClientUID types.UID) string {
	key := uidToName(oidcClientUID)
	return s.storage.GetName(key)
}
// uidToName converts an OIDCClient UID into the key used with the underlying storage. The UID is
// encoded as unpadded base64url so that storage.GetName, which base64 decodes the key it is given,
// never sees a value that was not encoded first.
func uidToName(oidcClientUID types.UID) string {
	raw := []byte(oidcClientUID)
	return base64.RawURLEncoding.EncodeToString(raw)
}
// ReadFromSecret decodes the contents of a Secret as a storedClientSecret. It fails with an error
// wrapping ErrOIDCClientSecretStorageVersion when the record's version field is not the current
// oidcClientSecretStorageVersion.
func ReadFromSecret(s *corev1.Secret) (*storedClientSecret, error) {
	record := &storedClientSecret{}
	if err := crud.FromSecret(TypeLabelValue, s, record); err != nil {
		return nil, err
	}
	if v := record.Version; v != oidcClientSecretStorageVersion {
		return nil, fmt.Errorf("%w: OIDC client secret storage has version %s instead of %s",
			ErrOIDCClientSecretStorageVersion, v, oidcClientSecretStorageVersion)
	}
	return record, nil
}