diff --git a/internal/crud/crud.go b/internal/crud/crud.go index dee3f49b..e9982734 100644 --- a/internal/crud/crud.go +++ b/internal/crud/crud.go @@ -11,6 +11,7 @@ import ( "encoding/json" "fmt" "strings" + "time" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -22,7 +23,8 @@ import ( //nolint:gosec // ignore lint warnings that these are credentials const ( - SecretLabelKey = "storage.pinniped.dev/type" + SecretLabelKey = "storage.pinniped.dev/type" + SecretLifetimeAnnotationKey = "storage.pinniped.dev/garbage-collect-after" secretNameFormat = "pinniped-storage-%s-%s" secretTypeFormat = "storage.pinniped.dev/%s" @@ -45,12 +47,14 @@ type Storage interface { type JSON interface{} // document that we need valid JSON types -func New(resource string, secrets corev1client.SecretInterface) Storage { +func New(resource string, secrets corev1client.SecretInterface, clock func() time.Time, lifetime time.Duration) Storage { return &secretsStorage{ resource: resource, secretType: corev1.SecretType(fmt.Sprintf(secretTypeFormat, resource)), secretVersion: []byte(secretVersion), secrets: secrets, + clock: clock, + lifetime: lifetime, } } @@ -59,6 +63,8 @@ type secretsStorage struct { secretType corev1.SecretType secretVersion []byte secrets corev1client.SecretInterface + clock func() time.Time + lifetime time.Duration } func (s *secretsStorage) Create(ctx context.Context, signature string, data JSON, additionalLabels map[string]string) (string, error) { @@ -162,12 +168,16 @@ func (s *secretsStorage) toSecret(signature, resourceVersion string, data JSON, for labelName, labelValue := range additionalLabels { labels[labelName] = labelValue } + annotations := map[string]string{ + SecretLifetimeAnnotationKey: s.clock().Add(s.lifetime).UTC().String(), + } return &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: s.getName(signature), ResourceVersion: resourceVersion, Labels: labels, + Annotations: annotations, OwnerReferences: nil, }, Data: map[string][]byte{ diff --git a/internal/crud/crud_test.go b/internal/crud/crud_test.go index 58c5f6ed..9e4ed216 100644 --- a/internal/crud/crud_test.go +++ b/internal/crud/crud_test.go @@ -8,6 +8,7 @@ import ( "errors" "fmt" "testing" + "time" "github.com/ory/fosite/compose" "github.com/stretchr/testify/require" @@ -45,6 +46,9 @@ func TestStorage(t *testing.T) { validateSecretName := validation.NameIsDNSSubdomain // matches k/k + var fakeNow = time.Date(2030, time.January, 1, 0, 0, 0, 0, time.UTC) + var fakeDuration = time.Minute * 10 + const ( namespace = "test-ns" authorizationCode1 = "81qE408EKL-e99gcXo3UnXBz9W05yGm92_hBmvXeadM.R5h38Bmw7yOaWNy0ypB3feh9toM-3T2zlwMXQyeE9B0" @@ -119,6 +123,11 @@ func TestStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "access-tokens", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"create-and-get"}`), @@ -137,6 +146,11 @@ func TestStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "access-tokens", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"create-and-get"}`), @@ -179,6 +193,11 @@ func TestStorage(t *testing.T) { "label1": "value1", "label2": "value2", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"create-and-get"}`), @@ -199,6 +218,11 @@ func TestStorage(t *testing.T) { "label1": "value1", "label2": "value2", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"create-and-get"}`), @@ -221,6 +245,11 @@ func TestStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "pandas-are-best", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"snorlax"}`), @@ -256,6 +285,11 @@ func TestStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "pandas-are-best", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"snorlax"}`), @@ -278,6 +312,11 @@ func TestStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "stores", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"pants"}`), @@ -327,6 +366,11 @@ func TestStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "stores", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"shirts"}`), @@ -345,6 +389,11 @@ func TestStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "stores", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"shirts"}`), @@ -367,6 +416,11 @@ func TestStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "seals", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"sad-seal"}`), @@ -402,6 +456,11 @@ func TestStorage(t *testing.T) { "storage.pinniped.dev/type": "seals", "additionalLabel": "matching-value", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"sad-seal"}`), @@ -418,6 +477,11 @@ func TestStorage(t *testing.T) { "storage.pinniped.dev/type": "seals", "additionalLabel": "matching-value", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"happy-seal"}`), @@ -434,6 +498,11 @@ func TestStorage(t *testing.T) { "storage.pinniped.dev/type": "seals", // same type as above "additionalLabel": "non-matching-value", // different value for the same label }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"sad-seal2"}`), @@ -450,6 +519,11 @@ func TestStorage(t *testing.T) { "storage.pinniped.dev/type": "walruses", // different type from above "additionalLabel": "matching-value", // same value for the same label as above }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"sad-seal3"}`), @@ -479,6 +553,11 @@ func TestStorage(t *testing.T) { "storage.pinniped.dev/type": "seals", // same type as above "additionalLabel": "non-matching-value", // different value for the same label }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"sad-seal2"}`), @@ -496,6 +575,11 @@ func TestStorage(t *testing.T) { "storage.pinniped.dev/type": "walruses", // different type from above "additionalLabel": "matching-value", // same value for the same label as above }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"sad-seal3"}`), @@ -519,6 +603,11 @@ func TestStorage(t *testing.T) { "storage.pinniped.dev/type": "seals", "additionalLabel": "matching-value", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"sad-seal"}`), @@ -549,6 +638,11 @@ func TestStorage(t *testing.T) { "storage.pinniped.dev/type": "seals", "additionalLabel": "matching-value", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"sad-seal"}`), @@ -602,6 +696,11 @@ func TestStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "candies", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"twizzlers"}`), @@ -637,6 +736,11 @@ func TestStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "candies", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"twizzlers"}`), @@ -659,6 +763,11 @@ func TestStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "candies-are-bad", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"twizzlers"}`), @@ -694,6 +803,11 @@ func TestStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "candies-are-bad", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"twizzlers"}`), @@ -716,6 +830,11 @@ func TestStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "candies", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"twizzlers"}`), @@ -751,6 +870,11 @@ func TestStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "candies", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"Data":"twizzlers"}`), @@ -773,6 +897,11 @@ func TestStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "candies", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`}}bad data{{`), @@ -807,6 +936,11 @@ func TestStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "candies", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`}}bad data{{`), @@ -828,7 +962,7 @@ func TestStorage(t *testing.T) { tt.mocks(t, client) } secrets := client.CoreV1().Secrets(namespace) - storage := New(tt.resource, secrets) + storage := New(tt.resource, secrets, func() time.Time { return fakeNow }, fakeDuration) err := tt.run(t, storage) diff --git a/internal/fositestorage/authorizationcode/authorizationcode.go b/internal/fositestorage/authorizationcode/authorizationcode.go index fc4cb1e7..99b2c5bd 100644 --- a/internal/fositestorage/authorizationcode/authorizationcode.go +++ b/internal/fositestorage/authorizationcode/authorizationcode.go @@ -7,6 +7,7 @@ import ( "context" stderrors "errors" "fmt" + "time" "github.com/ory/fosite" "github.com/ory/fosite/handler/oauth2" @@ -40,8 +41,8 @@ type AuthorizeCodeSession struct { Version string `json:"version"` } -func New(secrets corev1client.SecretInterface) oauth2.AuthorizeCodeStorage { - return &authorizeCodeStorage{storage: crud.New(TypeLabelValue, secrets)} +func New(secrets corev1client.SecretInterface, clock func() time.Time, sessionStorageLifetime time.Duration) oauth2.AuthorizeCodeStorage { + return &authorizeCodeStorage{storage: crud.New(TypeLabelValue, secrets, clock, sessionStorageLifetime)} } func (a *authorizeCodeStorage) CreateAuthorizeCodeSession(ctx context.Context, signature string, requester fosite.Requester) error { diff --git a/internal/fositestorage/authorizationcode/authorizationcode_test.go b/internal/fositestorage/authorizationcode/authorizationcode_test.go index 904d6074..4139feca 100644 --- a/internal/fositestorage/authorizationcode/authorizationcode_test.go +++ b/internal/fositestorage/authorizationcode/authorizationcode_test.go @@ -35,6 +35,9 @@ import ( const namespace = "test-ns" +var fakeNow = time.Date(2030, time.January, 1, 0, 0, 0, 0, time.UTC) +var fakeDuration = time.Minute * 10 + func TestAuthorizationCodeStorage(t *testing.T) { ctx := context.Background() secretsGVR := schema.GroupVersionResource{ @@ -51,6 +54,11 @@ func TestAuthorizationCodeStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "authcode", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"active":true,"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"requestedAudience":null,"grantedAudience":null},"version":"1"}`), @@ -67,6 +75,11 @@ func TestAuthorizationCodeStorage(t *testing.T) { Labels: map[string]string{ "storage.pinniped.dev/type": "authcode", }, + Annotations: map[string]string{ + "storage.pinniped.dev/garbage-collect-after": metav1.Time{ + Time: fakeNow.Add(fakeDuration), + }.String(), + }, }, Data: map[string][]byte{ "pinniped-storage-data": []byte(`{"active":false,"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"requestedAudience":null,"grantedAudience":null},"version":"1"}`), @@ -78,7 +91,7 @@ func TestAuthorizationCodeStorage(t *testing.T) { client := fake.NewSimpleClientset() secrets := client.CoreV1().Secrets(namespace) - storage := New(secrets) + storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration) request := &fosite.Request{ ID: "abcd-1", @@ -136,7 +149,7 @@ func TestGetNotFound(t *testing.T) { ctx := context.Background() client := fake.NewSimpleClientset() secrets := client.CoreV1().Secrets(namespace) - storage := New(secrets) + storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration) _, notFoundErr := storage.GetAuthorizeCodeSession(ctx, "non-existent-signature", nil) require.EqualError(t, notFoundErr, "not_found") @@ -147,7 +160,7 @@ func TestInvalidateWhenNotFound(t *testing.T) { ctx := context.Background() client := fake.NewSimpleClientset() secrets := client.CoreV1().Secrets(namespace) - storage := New(secrets) + storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration) notFoundErr := storage.InvalidateAuthorizeCodeSession(ctx, "non-existent-signature") require.EqualError(t, notFoundErr, "not_found") @@ -158,7 +171,7 @@ func TestInvalidateWhenConflictOnUpdateHappens(t *testing.T) { ctx := context.Background() client := fake.NewSimpleClientset() secrets := client.CoreV1().Secrets(namespace) - storage := New(secrets) + storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration) client.PrependReactor("update", "secrets", func(_ kubetesting.Action) (bool, runtime.Object, error) { return true, nil, apierrors.NewConflict(schema.GroupResource{ @@ -182,7 +195,7 @@ func TestWrongVersion(t *testing.T) { ctx := context.Background() client := fake.NewSimpleClientset() secrets := client.CoreV1().Secrets(namespace) - storage := New(secrets) + storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration) secret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ @@ -210,7 +223,7 @@ func TestNilSessionRequest(t *testing.T) { ctx := context.Background() client := fake.NewSimpleClientset() secrets := client.CoreV1().Secrets(namespace) - storage := New(secrets) + storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration) secret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ @@ -238,7 +251,7 @@ func TestCreateWithNilRequester(t *testing.T) { ctx := context.Background() client := fake.NewSimpleClientset() secrets := client.CoreV1().Secrets(namespace) - storage := New(secrets) + storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration) err := storage.CreateAuthorizeCodeSession(ctx, "signature-doesnt-matter", nil) require.EqualError(t, err, "requester must be of type fosite.Request") @@ -248,7 +261,7 @@ func TestCreateWithWrongRequesterDataTypes(t *testing.T) { ctx := context.Background() client := fake.NewSimpleClientset() secrets := client.CoreV1().Secrets(namespace) - storage := New(secrets) + storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration) request := &fosite.Request{ Session: nil, @@ -365,7 +378,7 @@ func TestFuzzAndJSONNewValidEmptyAuthorizeCodeSession(t *testing.T) { const name = "fuzz" // value is irrelevant ctx := context.Background() secrets := fake.NewSimpleClientset().CoreV1().Secrets(name) - storage := New(secrets) + storage := New(secrets, func() time.Time { return fakeNow }, fakeDuration) // issue a create using the fuzzed request to confirm that marshalling works err = storage.CreateAuthorizeCodeSession(ctx, name, validSession.Request) diff --git a/internal/fositestorage/pkce/pkce.go b/internal/fositestorage/pkce/pkce.go index 24d554d2..35aec20c 100644 --- a/internal/fositestorage/pkce/pkce.go +++ b/internal/fositestorage/pkce/pkce.go @@ -39,7 +39,7 @@ type session struct { } func New(secrets corev1client.SecretInterface) pkce.PKCERequestStorage { - return &pkceStorage{storage: crud.New(TypeLabelValue, secrets)} + return &pkceStorage{storage: crud.New(TypeLabelValue, secrets, nil, 0)} } func (a *pkceStorage) CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error { diff --git a/internal/oidc/callback/callback_handler_test.go b/internal/oidc/callback/callback_handler_test.go index df0c2779..dfc153f1 100644 --- a/internal/oidc/callback/callback_handler_test.go +++ b/internal/oidc/callback/callback_handler_test.go @@ -457,11 +457,12 @@ func TestCallbackEndpoint(t *testing.T) { // Configure fosite the same way that the production code would. // Inject this into our test subject at the last second so we get a fresh storage for every test. - oauthStore := oidc.NewKubeStorage(secrets) + timeoutsConfiguration := oidc.DefaultOIDCTimeoutsConfiguration() + oauthStore := oidc.NewKubeStorage(secrets, timeoutsConfiguration) hmacSecret := []byte("some secret - must have at least 32 bytes") require.GreaterOrEqual(t, len(hmacSecret), 32, "fosite requires that hmac secrets have at least 32 bytes") jwksProviderIsUnused := jwks.NewDynamicJWKSProvider() - oauthHelper := oidc.FositeOauth2Helper(oauthStore, downstreamIssuer, hmacSecret, jwksProviderIsUnused, oidc.DefaultOIDCTimeoutsConfiguration()) + oauthHelper := oidc.FositeOauth2Helper(oauthStore, downstreamIssuer, hmacSecret, jwksProviderIsUnused, timeoutsConfiguration) idpListGetter := oidctestutil.NewIDPListGetter(&test.idp) subject := NewHandler(idpListGetter, oauthHelper, happyStateCodec, happyCookieCodec, happyUpstreamRedirectURI) diff --git a/internal/oidc/kube_storage.go b/internal/oidc/kube_storage.go index b4329722..bbc00b46 100644 --- a/internal/oidc/kube_storage.go +++ b/internal/oidc/kube_storage.go @@ -31,9 +31,9 @@ type KubeStorage struct { refreshTokenStorage refreshtoken.RevocationStorage } -func NewKubeStorage(secrets corev1client.SecretInterface) *KubeStorage { +func NewKubeStorage(secrets corev1client.SecretInterface, timeoutsConfiguration TimeoutsConfiguration) *KubeStorage { return &KubeStorage{ - authorizationCodeStorage: authorizationcode.New(secrets), + authorizationCodeStorage: authorizationcode.New(secrets, time.Now, timeoutsConfiguration.AuthorizationCodeSessionStorageLifetime), pkceStorage: pkce.New(secrets), oidcStorage: openidconnect.New(secrets), accessTokenStorage: accesstoken.New(secrets), diff --git a/internal/oidc/provider/manager/manager.go b/internal/oidc/provider/manager/manager.go index fc4ff1eb..907bbd73 100644 --- a/internal/oidc/provider/manager/manager.go +++ b/internal/oidc/provider/manager/manager.go @@ -77,12 +77,14 @@ func (m *Manager) SetProviders(oidcProviders ...*provider.OIDCProvider) { fositeHMACSecretForThisProvider := []byte("some secret - must have at least 32 bytes") // TODO replace this secret + timeoutsConfiguration := oidc.DefaultOIDCTimeoutsConfiguration() + // Use NullStorage for the authorize endpoint because we do not actually want to store anything until // the upstream callback endpoint is called later. - oauthHelperWithNullStorage := oidc.FositeOauth2Helper(oidc.NullStorage{}, issuer, fositeHMACSecretForThisProvider, nil, oidc.DefaultOIDCTimeoutsConfiguration()) + oauthHelperWithNullStorage := oidc.FositeOauth2Helper(oidc.NullStorage{}, issuer, fositeHMACSecretForThisProvider, nil, timeoutsConfiguration) // For all the other endpoints, make another oauth helper with exactly the same settings except use real storage. - oauthHelperWithKubeStorage := oidc.FositeOauth2Helper(oidc.NewKubeStorage(m.secretsClient), issuer, fositeHMACSecretForThisProvider, m.dynamicJWKSProvider, oidc.DefaultOIDCTimeoutsConfiguration()) + oauthHelperWithKubeStorage := oidc.FositeOauth2Helper(oidc.NewKubeStorage(m.secretsClient, timeoutsConfiguration), issuer, fositeHMACSecretForThisProvider, m.dynamicJWKSProvider, timeoutsConfiguration) // TODO use different codecs for the state and the cookie, because: // 1. we would like to state to have an embedded expiration date while the cookie does not need that diff --git a/internal/oidc/token/token_handler_test.go b/internal/oidc/token/token_handler_test.go index d0ae5f3a..87d3c637 100644 --- a/internal/oidc/token/token_handler_test.go +++ b/internal/oidc/token/token_handler_test.go @@ -1155,7 +1155,7 @@ func exchangeAuthcodeForTokens(t *testing.T, test authcodeExchangeInputs) ( var oauthHelper fosite.OAuth2Provider - oauthStore = oidc.NewKubeStorage(secrets) + oauthStore = oidc.NewKubeStorage(secrets, oidc.DefaultOIDCTimeoutsConfiguration()) if test.makeOathHelper != nil { oauthHelper, authCode, jwtSigningKey = test.makeOathHelper(t, authRequest, oauthStore) } else {