djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Manager uses dynamiccodec.Codec for cookie encoding 

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
aram price 2020-12-10 11:35:32 -08:00
parent 1291380611
commit 2f87be3f94
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
internal/oidc/provider/manager/manager.go
View File

@ -8,7 +8,8 @@ import (
"strings" "strings"
"sync" "sync"
"github.com/gorilla/securecookie" "go.pinniped.dev/internal/oidc/dynamiccodec"
corev1client "k8s.io/client-go/kubernetes/typed/core/v1" corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
"go.pinniped.dev/internal/oidc" "go.pinniped.dev/internal/oidc"
@ -88,14 +89,13 @@ func (m *Manager) SetProviders(oidcProviders ...*provider.OIDCProvider) {
// 1. we would like to state to have an embedded expiration date while the cookie does not need that // 1. we would like to state to have an embedded expiration date while the cookie does not need that
// 2. we would like each downstream provider to use different secrets for signing/encrypting the upstream state, not share secrets // 2. we would like each downstream provider to use different secrets for signing/encrypting the upstream state, not share secrets
// 3. we would like *all* downstream providers to use the *same* signing key for the CSRF cookie (which doesn't need to be encrypted) because cookies are sent per-domain and our issuers can share a domain name (but have different paths) // 3. we would like *all* downstream providers to use the *same* signing key for the CSRF cookie (which doesn't need to be encrypted) because cookies are sent per-domain and our issuers can share a domain name (but have different paths)
var upstreamStateEncoderHashKey = []byte("fake-state-hash-secret") // TODO replace this secret var upstreamStateEncoderHashKeyFunc = func() []byte { return []byte("fake-state-hash-secret") } // TODO replace this secret
var upstreamStateEncoderBlockKey = []byte("16-bytes-STATE01") // TODO replace this secret var upstreamStateEncoderBlockKeyFunc = func() []byte { return []byte("16-bytes-STATE01") } // TODO replace this secret
var upstreamStateEncoder = securecookie.New(upstreamStateEncoderHashKey, upstreamStateEncoderBlockKey) var upstreamStateEncoder = dynamiccodec.New(upstreamStateEncoderHashKeyFunc, upstreamStateEncoderBlockKeyFunc)
upstreamStateEncoder.SetSerializer(securecookie.JSONEncoder{})
var csrfCookieEncoderHashKey = []byte("fake-csrf-hash-secret") // TODO replace this secret var csrfCookieEncoderHashKeyFunc = func() []byte { return []byte("fake-csrf-hash-secret") } // TODO replace this secret
var csrfCookieEncoder = securecookie.New(csrfCookieEncoderHashKey, nil) var csrEncoderBlockKeyFunc = func() []byte { return nil } // TODO replace this secret
csrfCookieEncoder.SetSerializer(securecookie.JSONEncoder{}) var csrfCookieEncoder = dynamiccodec.New(csrfCookieEncoderHashKeyFunc, csrEncoderBlockKeyFunc)
m.providerHandlers[(issuerHostWithPath + oidc.WellKnownEndpointPath)] = discovery.NewHandler(issuer) m.providerHandlers[(issuerHostWithPath + oidc.WellKnownEndpointPath)] = discovery.NewHandler(issuer)