2021-05-11 18:09:37 +00:00
|
|
|
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
2020-12-11 01:34:05 +00:00
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
package supervisorstorage
|
|
|
|
|
|
|
|
import (
|
2021-10-22 21:32:26 +00:00
|
|
|
"errors"
|
2020-12-11 01:34:05 +00:00
|
|
|
"time"
|
|
|
|
|
2020-12-11 23:21:34 +00:00
|
|
|
v1 "k8s.io/api/core/v1"
|
2020-12-11 01:34:05 +00:00
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
"k8s.io/apimachinery/pkg/labels"
|
2020-12-11 23:21:34 +00:00
|
|
|
"k8s.io/apimachinery/pkg/util/clock"
|
2020-12-11 01:34:05 +00:00
|
|
|
corev1informers "k8s.io/client-go/informers/core/v1"
|
|
|
|
"k8s.io/client-go/kubernetes"
|
|
|
|
|
|
|
|
pinnipedcontroller "go.pinniped.dev/internal/controller"
|
|
|
|
"go.pinniped.dev/internal/controllerlib"
|
|
|
|
"go.pinniped.dev/internal/crud"
|
2021-10-22 21:32:26 +00:00
|
|
|
"go.pinniped.dev/internal/fositestorage/accesstoken"
|
|
|
|
"go.pinniped.dev/internal/fositestorage/authorizationcode"
|
|
|
|
"go.pinniped.dev/internal/fositestorage/openidconnect"
|
|
|
|
"go.pinniped.dev/internal/fositestorage/pkce"
|
|
|
|
"go.pinniped.dev/internal/fositestorage/refreshtoken"
|
|
|
|
"go.pinniped.dev/internal/oidc/provider"
|
2020-12-11 01:34:05 +00:00
|
|
|
"go.pinniped.dev/internal/plog"
|
|
|
|
)
|
|
|
|
|
2020-12-11 23:21:34 +00:00
|
|
|
const minimumRepeatInterval = 30 * time.Second
|
|
|
|
|
2020-12-11 01:34:05 +00:00
|
|
|
type garbageCollectorController struct {
|
2021-10-22 21:32:26 +00:00
|
|
|
idpCache UpstreamOIDCIdentityProviderICache
|
2020-12-11 23:21:34 +00:00
|
|
|
secretInformer corev1informers.SecretInformer
|
|
|
|
kubeClient kubernetes.Interface
|
|
|
|
clock clock.Clock
|
|
|
|
timeOfMostRecentSweep time.Time
|
2020-12-11 01:34:05 +00:00
|
|
|
}
|
|
|
|
|
2021-10-22 21:32:26 +00:00
|
|
|
// UpstreamOIDCIdentityProviderICache is a thread safe cache that holds a list of validated upstream OIDC IDP configurations.
|
|
|
|
type UpstreamOIDCIdentityProviderICache interface {
|
|
|
|
GetOIDCIdentityProviders() []provider.UpstreamOIDCIdentityProviderI
|
|
|
|
}
|
|
|
|
|
2020-12-11 01:34:05 +00:00
|
|
|
func GarbageCollectorController(
|
2021-10-22 21:32:26 +00:00
|
|
|
idpCache UpstreamOIDCIdentityProviderICache,
|
2020-12-11 23:21:34 +00:00
|
|
|
clock clock.Clock,
|
2020-12-11 01:34:05 +00:00
|
|
|
kubeClient kubernetes.Interface,
|
|
|
|
secretInformer corev1informers.SecretInformer,
|
|
|
|
withInformer pinnipedcontroller.WithInformerOptionFunc,
|
|
|
|
) controllerlib.Controller {
|
2020-12-18 17:36:28 +00:00
|
|
|
isSecretWithGCAnnotation := func(obj metav1.Object) bool {
|
|
|
|
secret, ok := obj.(*v1.Secret)
|
|
|
|
if !ok {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
_, ok = secret.Annotations[crud.SecretLifetimeAnnotationKey]
|
|
|
|
return ok
|
|
|
|
}
|
2020-12-11 01:34:05 +00:00
|
|
|
return controllerlib.New(
|
|
|
|
controllerlib.Config{
|
|
|
|
Name: "garbage-collector-controller",
|
|
|
|
Syncer: &garbageCollectorController{
|
2021-10-22 21:32:26 +00:00
|
|
|
idpCache: idpCache,
|
2020-12-11 01:34:05 +00:00
|
|
|
secretInformer: secretInformer,
|
|
|
|
kubeClient: kubeClient,
|
2020-12-11 23:21:34 +00:00
|
|
|
clock: clock,
|
2020-12-11 01:34:05 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
withInformer(
|
|
|
|
secretInformer,
|
2020-12-18 17:36:28 +00:00
|
|
|
controllerlib.FilterFuncs{
|
|
|
|
AddFunc: isSecretWithGCAnnotation,
|
|
|
|
UpdateFunc: func(oldObj, newObj metav1.Object) bool {
|
|
|
|
return isSecretWithGCAnnotation(oldObj) || isSecretWithGCAnnotation(newObj)
|
|
|
|
},
|
|
|
|
DeleteFunc: func(obj metav1.Object) bool { return false }, // ignore all deletes
|
2021-05-04 16:38:47 +00:00
|
|
|
ParentFunc: pinnipedcontroller.SingletonQueue(),
|
2020-12-18 17:36:28 +00:00
|
|
|
},
|
2020-12-11 01:34:05 +00:00
|
|
|
controllerlib.InformerOption{},
|
|
|
|
),
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *garbageCollectorController) Sync(ctx controllerlib.Context) error {
|
2021-05-04 16:38:47 +00:00
|
|
|
// make sure we have a consistent, static meaning for the current time during the sync loop
|
|
|
|
frozenClock := clock.NewFakeClock(c.clock.Now())
|
|
|
|
|
2020-12-11 23:21:34 +00:00
|
|
|
// The Sync method is triggered upon any change to any Secret, which would make this
|
|
|
|
// controller too chatty, so it rate limits itself to a more reasonable interval.
|
|
|
|
// Note that even during a period when no secrets are changing, it will still run
|
|
|
|
// at the informer's full-resync interval (as long as there are some secrets).
|
2021-05-04 16:38:47 +00:00
|
|
|
if since := frozenClock.Since(c.timeOfMostRecentSweep); since < minimumRepeatInterval {
|
|
|
|
ctx.Queue.AddAfter(ctx.Key, minimumRepeatInterval-since)
|
2020-12-11 23:21:34 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
plog.Info("starting storage garbage collection sweep")
|
2021-05-04 16:38:47 +00:00
|
|
|
c.timeOfMostRecentSweep = frozenClock.Now()
|
2020-12-11 23:21:34 +00:00
|
|
|
|
2020-12-11 01:34:05 +00:00
|
|
|
listOfSecrets, err := c.secretInformer.Lister().List(labels.Everything())
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2020-12-11 23:21:34 +00:00
|
|
|
|
2020-12-11 01:34:05 +00:00
|
|
|
for i := range listOfSecrets {
|
|
|
|
secret := listOfSecrets[i]
|
2020-12-11 23:21:34 +00:00
|
|
|
|
|
|
|
timeString, ok := secret.Annotations[crud.SecretLifetimeAnnotationKey]
|
2020-12-11 01:34:05 +00:00
|
|
|
if !ok {
|
|
|
|
continue
|
|
|
|
}
|
2020-12-11 23:21:34 +00:00
|
|
|
|
|
|
|
garbageCollectAfterTime, err := time.Parse(crud.SecretLifetimeAnnotationDateFormat, timeString)
|
2020-12-11 01:34:05 +00:00
|
|
|
if err != nil {
|
2020-12-11 23:21:34 +00:00
|
|
|
plog.WarningErr("could not parse resource timestamp for garbage collection", err, logKV(secret))
|
2020-12-11 01:34:05 +00:00
|
|
|
continue
|
|
|
|
}
|
2020-12-11 23:21:34 +00:00
|
|
|
|
2021-05-04 16:38:47 +00:00
|
|
|
if garbageCollectAfterTime.Before(frozenClock.Now()) {
|
2021-10-22 21:32:26 +00:00
|
|
|
storageType, isSessionStorage := secret.Labels[crud.SecretLabelKey]
|
|
|
|
if isSessionStorage {
|
|
|
|
err := c.maybeRevokeUpstreamOIDCRefreshToken(storageType, secret)
|
|
|
|
if err != nil {
|
|
|
|
// Log the error for debugging purposes, but still carry on to delete the Secret despite the error.
|
|
|
|
plog.DebugErr("garbage collector could not revoke upstream refresh token", err, logKV(secret))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-08-18 04:14:38 +00:00
|
|
|
err = c.kubeClient.CoreV1().Secrets(secret.Namespace).Delete(ctx.Context, secret.Name, metav1.DeleteOptions{
|
|
|
|
Preconditions: &metav1.Preconditions{
|
|
|
|
UID: &secret.UID,
|
|
|
|
ResourceVersion: &secret.ResourceVersion,
|
|
|
|
},
|
|
|
|
})
|
2020-12-11 01:34:05 +00:00
|
|
|
if err != nil {
|
2020-12-11 23:21:34 +00:00
|
|
|
plog.WarningErr("failed to garbage collect resource", err, logKV(secret))
|
|
|
|
continue
|
2020-12-11 01:34:05 +00:00
|
|
|
}
|
2020-12-11 23:21:34 +00:00
|
|
|
plog.Info("storage garbage collector deleted resource", logKV(secret))
|
2020-12-11 01:34:05 +00:00
|
|
|
}
|
|
|
|
}
|
2020-12-11 23:21:34 +00:00
|
|
|
|
2020-12-11 01:34:05 +00:00
|
|
|
return nil
|
|
|
|
}
|
2020-12-11 23:21:34 +00:00
|
|
|
|
2021-10-22 21:32:26 +00:00
|
|
|
//nolint:godot // do not complain about the following to-do comment
|
|
|
|
// TODO write unit tests for all of the following cases. Note that there is already a test
|
|
|
|
// double implemented for the RevokeRefreshToken() method on the objects in the idpCache
|
|
|
|
// to help with the test mocking. See RevokeRefreshTokenCallCount() and RevokeRefreshTokenArgs(int)
|
|
|
|
// in TestUpstreamOIDCIdentityProvider (in file oidctestutil.go). This will allowing following
|
|
|
|
// the pattern used in other unit tests that fill the idpCache with mock providers using the builders
|
|
|
|
// from oidctestutil.go.
|
|
|
|
func (c *garbageCollectorController) maybeRevokeUpstreamOIDCRefreshToken(storageType string, secret *v1.Secret) error {
|
|
|
|
// All session storage types hold upstream refresh tokens when the upstream IDP is an OIDC provider.
|
|
|
|
// However, some of them will be outdated because they are not updated by fosite after creation.
|
|
|
|
// Our goal below is to always revoke the latest upstream refresh token that we are holding for the
|
|
|
|
// session, and only the latest.
|
|
|
|
switch storageType {
|
|
|
|
case authorizationcode.TypeLabelValue:
|
|
|
|
// For authcode storage, check if the authcode was used. If the authcode was never used, then its
|
|
|
|
// storage must contain the latest upstream refresh token, so revoke it.
|
|
|
|
// TODO Use ReadFromSecret from the authorizationcode package under fositestorage to validate/parse the Secret, return any errors
|
|
|
|
// TODO return nil if the upstream type is not OIDC
|
|
|
|
// TODO return nil if the authcode is *NOT* active (meaning that it was already used)
|
|
|
|
// TODO lookup the idp by name in c.idpCache to get the cached provider interface, return error if not found
|
|
|
|
// TODO use the cached interface to revoke the refresh token, return any error
|
|
|
|
plog.Trace("garbage collector successfully revoked upstream refresh token", logKV(secret))
|
|
|
|
return nil
|
|
|
|
case accesstoken.TypeLabelValue:
|
|
|
|
// For access token storage, check if the "offline_access" scope was granted on the downstream
|
|
|
|
// session. If it was not, then the user could not possibly have performed a downstream refresh.
|
|
|
|
// In this case, the access token storage has the latest version of the upstream refresh token,
|
|
|
|
// so call the upstream issuer to revoke it.
|
|
|
|
// TODO Implement ReadFromSecret in the accesstoken package, similar to how it was done in the authorizationcode package
|
|
|
|
// TODO Use that the new ReadFromSecret func to validate/parse the Secret, return any errors
|
|
|
|
// TODO return nil if the upstream type is not OIDC
|
|
|
|
// TODO return nil if the "offline_access" scope was *NOT* granted on the downstream session
|
|
|
|
// TODO lookup the idp by name in c.idpCache to get the cached provider interface, return error if not found
|
|
|
|
// TODO use the cached interface to revoke the refresh token, return any error
|
|
|
|
plog.Trace("garbage collector successfully revoked upstream refresh token", logKV(secret))
|
|
|
|
return nil
|
|
|
|
case refreshtoken.TypeLabelValue:
|
|
|
|
// For refresh token storage, revoke its upstream refresh token. This refresh token storage could
|
|
|
|
// be the result of the authcode token exchange, or it could be the result of a downstream refresh.
|
|
|
|
// Either way, it always contains the latest upstream refresh token when it exists.
|
|
|
|
// TODO Implement ReadFromSecret in the refreshtoken package, similar to how it was done in the authorizationcode package
|
|
|
|
// TODO Use that new ReadFromSecret func to validate/parse the Secret, return any errors
|
|
|
|
// TODO return nil if the upstream type is not OIDC
|
|
|
|
// TODO lookup the idp by name in c.idpCache to get the cached provider interface, return error if not found
|
|
|
|
// TODO use the cached interface to always revoke the refresh token, return any error
|
|
|
|
plog.Trace("garbage collector successfully revoked upstream refresh token", logKV(secret))
|
|
|
|
return nil
|
|
|
|
case pkce.TypeLabelValue:
|
|
|
|
// For PKCE storage, its very existence means that the authcode was never exchanged, because these
|
|
|
|
// are deleted during authcode exchange. No need to do anything, since the upstream refresh token
|
|
|
|
// revocation is handled by authcode storage case above.
|
|
|
|
return nil
|
|
|
|
case openidconnect.TypeLabelValue:
|
|
|
|
// For OIDC storage, there is no need to do anything for reasons similar to the PKCE storage.
|
|
|
|
// These are not deleted during authcode exchange, probably due to a bug in fosite, even though it
|
|
|
|
// will never be read or updated again. However, the refresh token contained inside will be revoked
|
|
|
|
// by one of the other cases above.
|
|
|
|
return nil
|
|
|
|
default:
|
|
|
|
// There are no other storage types, so this should never happen in practice.
|
|
|
|
return errors.New("garbage collector saw invalid label on Secret when trying to determine if upstream revocation was needed")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-12-11 23:21:34 +00:00
|
|
|
func logKV(secret *v1.Secret) []interface{} {
|
|
|
|
return []interface{}{
|
|
|
|
"secretName", secret.Name,
|
|
|
|
"secretNamespace", secret.Namespace,
|
|
|
|
"secretType", string(secret.Type),
|
|
|
|
"garbageCollectAfter", secret.Annotations[crud.SecretLifetimeAnnotationKey],
|
2021-10-22 21:32:26 +00:00
|
|
|
"storageTypeLabelValue", secret.Labels[crud.SecretLabelKey],
|
2020-12-11 23:21:34 +00:00
|
|
|
}
|
|
|
|
}
|