Signed-off-by: Monis Khan <mok@vmware.com>
Monis Khan 2022-07-15 11:55:30 -04:00
parent 2e36cea786
commit 983c6116ef
No known key found for this signature in database
GPG Key ID: 52C90ADA01B269B8
2 changed files with 17 additions and 9 deletions


@ -69,7 +69,7 @@ func (s *OIDCClientSecretStorage) Set(ctx context.Context, oidcClientName string
if errors.IsNotFound(err) {
ownerReferences := []metav1.OwnerReference{
{
APIVersion: configv1alpha1.SchemeGroupVersion.String(), // TODO uh API group suffix?
APIVersion: configv1alpha1.SchemeGroupVersion.String(),
Kind: "OIDCClient",
Name: oidcClientName,
UID: oidcClientUID,
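Review bot: The owner reference is built only inside the errors.IsNotFound branch, so a secret that already exists keeps whatever owner references it currently carries; if an older secret was stored without one, it will never be garbage-collected together with its OIDCClient, and its hashes outlive the client they belong to. If the intent is that the secret's lifetime is always tied to the client, the update path should write the same ownerReferences as the create path. The removed TODO about the API group suffix is dropped without recording why it was resolved; a short comment such as `// SchemeGroupVersion carries the full API group, so no suffix handling is needed here` would make that explicit, assuming that is indeed the reason. Set's body continues outside the hunk, so the update path is not visible here.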


@ -26,7 +26,13 @@ import (
"go.pinniped.dev/internal/oidcclientsecretstorage"
)
const cost = 15 // a good bcrypt cost for 2022, should take about a second to validate
// cost is a good bcrypt cost for 2022, should take about a second to validate
// this is meant to scale up automatically if bcrypt.DefaultCost increases
// it must be kept private because validation of client secrets cannot rely
// on a cost that changes without some form client secret storage migration
// TODO write a unit test that fails when this changes so that we know if/when it happens
// also write a unit test that fails in 2023 to ask this to be updated to latest recommendation
const cost = bcrypt.DefaultCost + 5
func NewREST(resource schema.GroupResource, client *kubeclient.Client, namespace string) *REST {
return &REST{
@ -122,18 +128,20 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
}
hashes = append([]string{string(hash)}, hashes...)
err = r.secretStorage.Set(ctx, oidcClient.Name, oidcClient.UID, hashes)
if err != nil {
return nil, err // TODO obfuscate
}
}
if req.Spec.RevokeOldSecrets && len(hashes) > 0 {
needsRevoke := req.Spec.RevokeOldSecrets && len(hashes) > 0
if needsRevoke {
hashes = []string{hashes[0]}
}
// do not let them have more than 100? secrets
// TODO do not let them have more than 100? secrets
if req.Spec.GenerateNewSecret || needsRevoke {
if err := r.secretStorage.Set(ctx, oidcClient.Name, oidcClient.UID, hashes); err != nil {
return nil, err // TODO obfuscate
}
}
return &clientsecretapi.OIDCClientSecretRequest{
Status: clientsecretapi.OIDCClientSecretRequestStatus{