2020-12-01 19:01:23 +00:00
|
|
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
|
|
package oidc
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
"github.com/ory/fosite"
|
|
|
|
|
"github.com/ory/fosite/handler/oauth2"
|
2020-12-02 01:18:32 +00:00
|
|
|
"github.com/ory/fosite/handler/openid"
|
|
|
|
|
fositepkce "github.com/ory/fosite/handler/pkce"
|
2020-12-01 19:01:23 +00:00
|
|
|
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
|
|
|
|
|
|
|
|
|
|
"go.pinniped.dev/internal/constable"
|
2020-12-04 22:31:06 +00:00
|
|
|
"go.pinniped.dev/internal/fositestorage/accesstoken"
|
2020-12-01 19:01:23 +00:00
|
|
|
"go.pinniped.dev/internal/fositestorage/authorizationcode"
|
2020-12-02 01:18:32 +00:00
|
|
|
"go.pinniped.dev/internal/fositestorage/openidconnect"
|
|
|
|
|
"go.pinniped.dev/internal/fositestorage/pkce"
|
2020-12-04 22:31:06 +00:00
|
|
|
"go.pinniped.dev/internal/fositestorage/refreshtoken"
|
2020-12-01 19:01:23 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const errKubeStorageNotImplemented = constable.Error("KubeStorage does not implement this method. It should not have been called.")
|
|
|
|
|
|
|
|
|
|
type KubeStorage struct {
|
|
|
|
|
authorizationCodeStorage oauth2.AuthorizeCodeStorage
|
2020-12-01 22:53:22 +00:00
|
|
|
pkceStorage fositepkce.PKCERequestStorage
|
2020-12-02 01:18:32 +00:00
|
|
|
oidcStorage openid.OpenIDConnectRequestStorage
|
2020-12-04 22:31:06 +00:00
|
|
|
accessTokenStorage accesstoken.RevocationStorage
|
|
|
|
|
refreshTokenStorage refreshtoken.RevocationStorage
|
2020-12-01 19:01:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func NewKubeStorage(secrets corev1client.SecretInterface) *KubeStorage {
|
2020-12-01 22:53:22 +00:00
|
|
|
return &KubeStorage{
|
|
|
|
|
authorizationCodeStorage: authorizationcode.New(secrets),
|
|
|
|
|
pkceStorage: pkce.New(secrets),
|
2020-12-02 01:18:32 +00:00
|
|
|
oidcStorage: openidconnect.New(secrets),
|
2020-12-04 22:31:06 +00:00
|
|
|
accessTokenStorage: accesstoken.New(secrets),
|
|
|
|
|
refreshTokenStorage: refreshtoken.New(secrets),
|
2020-12-01 22:53:22 +00:00
|
|
|
}
|
2020-12-01 19:01:23 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-04 22:31:06 +00:00
|
|
|
func (k KubeStorage) RevokeRefreshToken(ctx context.Context, requestID string) error {
|
|
|
|
|
return k.refreshTokenStorage.RevokeRefreshToken(ctx, requestID)
|
2020-12-01 19:01:23 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-04 22:31:06 +00:00
|
|
|
func (k KubeStorage) RevokeAccessToken(ctx context.Context, requestID string) error {
|
|
|
|
|
return k.accessTokenStorage.RevokeAccessToken(ctx, requestID)
|
2020-12-01 19:01:23 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-04 22:31:06 +00:00
|
|
|
func (k KubeStorage) CreateRefreshTokenSession(ctx context.Context, signature string, request fosite.Requester) (err error) {
|
|
|
|
|
return k.refreshTokenStorage.CreateRefreshTokenSession(ctx, signature, request)
|
2020-12-01 19:01:23 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-04 22:31:06 +00:00
|
|
|
func (k KubeStorage) GetRefreshTokenSession(ctx context.Context, signature string, session fosite.Session) (request fosite.Requester, err error) {
|
|
|
|
|
return k.refreshTokenStorage.GetRefreshTokenSession(ctx, signature, session)
|
2020-12-01 19:01:23 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-04 22:31:06 +00:00
|
|
|
func (k KubeStorage) DeleteRefreshTokenSession(ctx context.Context, signature string) (err error) {
|
|
|
|
|
return k.refreshTokenStorage.DeleteRefreshTokenSession(ctx, signature)
|
2020-12-01 19:01:23 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-04 22:31:06 +00:00
|
|
|
func (k KubeStorage) CreateAccessTokenSession(ctx context.Context, signature string, requester fosite.Requester) (err error) {
|
|
|
|
|
return k.accessTokenStorage.CreateAccessTokenSession(ctx, signature, requester)
|
2020-12-01 19:01:23 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-04 22:31:06 +00:00
|
|
|
func (k KubeStorage) GetAccessTokenSession(ctx context.Context, signature string, session fosite.Session) (request fosite.Requester, err error) {
|
|
|
|
|
return k.accessTokenStorage.GetAccessTokenSession(ctx, signature, session)
|
2020-12-01 19:01:23 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-04 22:31:06 +00:00
|
|
|
func (k KubeStorage) DeleteAccessTokenSession(ctx context.Context, signature string) (err error) {
|
|
|
|
|
return k.accessTokenStorage.DeleteAccessTokenSession(ctx, signature)
|
2020-12-01 19:01:23 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-02 01:18:32 +00:00
|
|
|
func (k KubeStorage) CreateOpenIDConnectSession(ctx context.Context, authcode string, requester fosite.Requester) error {
|
|
|
|
|
return k.oidcStorage.CreateOpenIDConnectSession(ctx, authcode, requester)
|
2020-12-01 19:01:23 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-02 01:18:32 +00:00
|
|
|
func (k KubeStorage) GetOpenIDConnectSession(ctx context.Context, authcode string, requester fosite.Requester) (fosite.Requester, error) {
|
|
|
|
|
return k.oidcStorage.GetOpenIDConnectSession(ctx, authcode, requester)
|
2020-12-01 19:01:23 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-02 01:18:32 +00:00
|
|
|
func (k KubeStorage) DeleteOpenIDConnectSession(ctx context.Context, authcode string) error {
|
|
|
|
|
return k.oidcStorage.DeleteOpenIDConnectSession(ctx, authcode)
|
2020-12-01 19:01:23 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-01 22:53:22 +00:00
|
|
|
func (k KubeStorage) GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error) {
|
|
|
|
|
return k.pkceStorage.GetPKCERequestSession(ctx, signature, session)
|
2020-12-01 19:01:23 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-01 22:53:22 +00:00
|
|
|
func (k KubeStorage) CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error {
|
|
|
|
|
return k.pkceStorage.CreatePKCERequestSession(ctx, signature, requester)
|
2020-12-01 19:01:23 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-01 22:53:22 +00:00
|
|
|
func (k KubeStorage) DeletePKCERequestSession(ctx context.Context, signature string) error {
|
|
|
|
|
return k.pkceStorage.DeletePKCERequestSession(ctx, signature)
|
2020-12-01 19:01:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (k KubeStorage) CreateAuthorizeCodeSession(ctx context.Context, signature string, r fosite.Requester) (err error) {
|
|
|
|
|
return k.authorizationCodeStorage.CreateAuthorizeCodeSession(ctx, signature, r)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (k KubeStorage) GetAuthorizeCodeSession(ctx context.Context, signature string, s fosite.Session) (request fosite.Requester, err error) {
|
|
|
|
|
return k.authorizationCodeStorage.GetAuthorizeCodeSession(ctx, signature, s)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (k KubeStorage) InvalidateAuthorizeCodeSession(ctx context.Context, signature string) (err error) {
|
|
|
|
|
return k.authorizationCodeStorage.InvalidateAuthorizeCodeSession(ctx, signature)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (KubeStorage) GetClient(_ context.Context, id string) (fosite.Client, error) {
|
|
|
|
|
client := PinnipedCLIOIDCClient()
|
|
|
|
|
if client.ID == id {
|
|
|
|
|
return client, nil
|
|
|
|
|
}
|
|
|
|
|
return nil, fosite.ErrNotFound
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (KubeStorage) ClientAssertionJWTValid(_ context.Context, _ string) error {
|
|
|
|
|
return errKubeStorageNotImplemented
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (KubeStorage) SetClientAssertionJWT(_ context.Context, _ string, _ time.Time) error {
|
|
|
|
|
return errKubeStorageNotImplemented
|
|
|
|
|
}
|
