From b799515f849469965a8caeadb641ed949c775473 Mon Sep 17 00:00:00 2001 From: aram price Date: Mon, 14 Dec 2020 17:38:01 -0800 Subject: [PATCH] Pull symmetricsecrethelper package up to generator - rename symmetricsecrethelper.New => generator.NewSymmetricSecretHelper --- cmd/pinniped-supervisor/main.go | 13 +++--- .../supervisorconfig/generator/generator.go | 13 ++---- .../generator/oidc_provider_secrets.go | 11 ----- ...tric_secret_helper.go => secret_helper.go} | 46 +++++++++++-------- ...t_helper_test.go => secret_helper_test.go} | 10 ++-- .../generator/supervisor_secrets.go | 4 +- 6 files changed, 43 insertions(+), 54 deletions(-) rename internal/controller/supervisorconfig/generator/{symmetricsecrethelper/symmetric_secret_helper.go => secret_helper.go} (71%) rename internal/controller/supervisorconfig/generator/{symmetricsecrethelper/symmetric_secret_helper_test.go => secret_helper_test.go} (91%)
diff --git a/cmd/pinniped-supervisor/main.go b/cmd/pinniped-supervisor/main.go
index 53eec937..bc142a65 100644
--- a/cmd/pinniped-supervisor/main.go
+++ b/cmd/pinniped-supervisor/main.go
@@ -36,7 +36,6 @@ import (
 "go.pinniped.dev/internal/config/supervisor"
 "go.pinniped.dev/internal/controller/supervisorconfig"
 "go.pinniped.dev/internal/controller/supervisorconfig/generator"
- "go.pinniped.dev/internal/controller/supervisorconfig/generator/symmetricsecrethelper"
 "go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatcher"
 "go.pinniped.dev/internal/controller/supervisorstorage"
 "go.pinniped.dev/internal/controllerlib"
@@ -165,13 +164,13 @@ func startControllers(
 ).
 WithController(
 generator.NewOIDCProviderSecretsController(
- symmetricsecrethelper.New(
+ generator.NewSymmetricSecretHelper(
 "pinniped-oidc-provider-hmac-key-",
 cfg.Labels,
 rand.Reader,
 func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
 plog.Debug("setting hmac secret", "issuer", parent.Spec.Issuer)
- secretCache.SetTokenHMACKey(parent.Spec.Issuer, child.Data[symmetricsecrethelper.SymmetricSecretDataKey])
+ secretCache.SetTokenHMACKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
 },
 ),
 kubeClient,
@@ -183,13 +182,13 @@ func startControllers(
 ).
 WithController(
 generator.NewOIDCProviderSecretsController(
- symmetricsecrethelper.New(
+ generator.NewSymmetricSecretHelper(
 "pinniped-oidc-provider-upstream-state-signature-key-",
 cfg.Labels,
 rand.Reader,
 func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
 plog.Debug("setting state signature key", "issuer", parent.Spec.Issuer)
- secretCache.SetStateEncoderHashKey(parent.Spec.Issuer, child.Data[symmetricsecrethelper.SymmetricSecretDataKey])
+ secretCache.SetStateEncoderHashKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
 },
 ),
 kubeClient,
@@ -201,13 +200,13 @@ func startControllers(
 ).
 WithController(
 generator.NewOIDCProviderSecretsController(
- symmetricsecrethelper.New(
+ generator.NewSymmetricSecretHelper(
 "pinniped-oidc-provider-upstream-state-encryption-key-",
 cfg.Labels,
 rand.Reader,
 func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
 plog.Debug("setting state encryption key", "issuer", parent.Spec.Issuer)
- secretCache.SetStateEncoderBlockKey(parent.Spec.Issuer, child.Data[symmetricsecrethelper.SymmetricSecretDataKey])
+ secretCache.SetStateEncoderBlockKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
 },
 ),
 kubeClient,
diff --git a/internal/controller/supervisorconfig/generator/generator.go b/internal/controller/supervisorconfig/generator/generator.go
index bed18e36..3aeed955 100644
--- a/internal/controller/supervisorconfig/generator/generator.go
+++ b/internal/controller/supervisorconfig/generator/generator.go
@@ -15,11 +15,6 @@ import (
 )

 const (
- symmetricKeySecretType = "secrets.pinniped.dev/symmetric"
- symmetricKeySecretDataKey = "key"
-
- symmetricKeySize = 32
-
 opKind = "OIDCProvider"
 )

@@ -32,11 +27,11 @@ func generateSymmetricKey() ([]byte, error) {
 }

 func isValid(secret *corev1.Secret) bool {
- if secret.Type != symmetricKeySecretType {
+ if secret.Type != SymmetricSecretType {
 return false
 }

- data, ok := secret.Data[symmetricKeySecretDataKey]
+ data, ok := secret.Data[SymmetricSecretDataKey]
 if !ok {
 return false
 }
@@ -54,7 +49,7 @@ func secretDataFunc() (map[string][]byte, error) {
 }

 return map[string][]byte{
- symmetricKeySecretDataKey: symmetricKey,
+ SymmetricSecretDataKey: symmetricKey,
 }, nil
 }

@@ -78,7 +73,7 @@ func generateSecret(namespace, name string, labels map[string]string, secretData
 },
 Labels: labels,
 },
- Type: symmetricKeySecretType,
+ Type: SymmetricSecretType,
 Data: secretData,
 }, nil
 }
diff --git a/internal/controller/supervisorconfig/generator/oidc_provider_secrets.go b/internal/controller/supervisorconfig/generator/oidc_provider_secrets.go
index 4069e200..4baf0471 100644
--- a/internal/controller/supervisorconfig/generator/oidc_provider_secrets.go
+++ b/internal/controller/supervisorconfig/generator/oidc_provider_secrets.go
@@ -22,17 +22,6 @@ import (
 "go.pinniped.dev/internal/plog"
 )

-// SecretHelper describes an object that can Generate() a Secret and determine whether a Secret
-// IsValid(). It can also be Notify()'d about a Secret being persisted.
-//
-// A SecretHelper has a Name() that can be used to identify it from other SecretHelper instances.
-type SecretHelper interface {
- Name() string
- Generate(*configv1alpha1.OIDCProvider) (*corev1.Secret, error)
- IsValid(*configv1alpha1.OIDCProvider, *corev1.Secret) bool
- Notify(*configv1alpha1.OIDCProvider, *corev1.Secret)
-}
-
 type oidcProviderSecretsController struct {
 secretHelper SecretHelper
 kubeClient kubernetes.Interface
diff --git a/internal/controller/supervisorconfig/generator/symmetricsecrethelper/symmetric_secret_helper.go b/internal/controller/supervisorconfig/generator/secret_helper.go
similarity index 71%
rename from internal/controller/supervisorconfig/generator/symmetricsecrethelper/symmetric_secret_helper.go
rename to internal/controller/supervisorconfig/generator/secret_helper.go
index 1d5c790c..76e136f1 100644
--- a/internal/controller/supervisorconfig/generator/symmetricsecrethelper/symmetric_secret_helper.go
+++ b/internal/controller/supervisorconfig/generator/secret_helper.go
@@ -1,9 +1,7 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// Package symmetricsecrethelper provides a type that can generate and validate symmetric keys as
-// Secret's.
-package symmetricsecrethelper
+package generator

 import (
 "fmt"
@@ -14,9 +12,19 @@ import (
 "k8s.io/apimachinery/pkg/runtime/schema"

 configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
- "go.pinniped.dev/internal/controller/supervisorconfig/generator"
 )

+// SecretHelper describes an object that can Generate() a Secret and determine whether a Secret
+// IsValid(). It can also be Notify()'d about a Secret being persisted.
+//
+// A SecretHelper has a Name() that can be used to identify it from other SecretHelper instances.
+type SecretHelper interface {
+ Name() string
+ Generate(*configv1alpha1.OIDCProvider) (*corev1.Secret, error)
+ IsValid(*configv1alpha1.OIDCProvider, *corev1.Secret) bool
+ Notify(*configv1alpha1.OIDCProvider, *corev1.Secret)
+}
+
 const (
 // SymmetricSecretType is corev1.Secret.Type of all corev1.Secret's generated by this helper.
 SymmetricSecretType = "secrets.pinniped.dev/symmetric"
@@ -29,24 +37,15 @@ const (
 symmetricKeySize = 32
 )

-type secretHelper struct {
- namePrefix string
- labels map[string]string
- rand io.Reader
- notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret)
-}
-
-var _ generator.SecretHelper = &secretHelper{}
-
 // New returns a SecretHelper that has been parameterized with common symmetric secret generation
 // knobs.
-func New(
+func NewSymmetricSecretHelper(
 namePrefix string,
 labels map[string]string,
 rand io.Reader,
 notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret),
-) generator.SecretHelper {
- return &secretHelper{
+) SecretHelper {
+ return &symmetricSecretHelper{
 namePrefix: namePrefix,
 labels: labels,
 rand: rand,
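Review bot: In the second hunk (`@@ -29,24 +37,15 @@`) the doc comment above the renamed constructor still begins `// New returns a SecretHelper ...`, so it no longer starts with the identifier it documents and godoc/golint will flag the mismatch with `NewSymmetricSecretHelper`; change it to `// NewSymmetricSecretHelper returns a SecretHelper that has been parameterized with common symmetric secret generation` followed by the existing `// knobs.` line. The same hunk drops `var _ generator.SecretHelper = &secretHelper{}` without a replacement; the constructor's `SecretHelper` return type still forces the interface check today, but a `var _ SecretHelper = (*symmetricSecretHelper)(nil)` beside the new struct keeps that guarantee if the return type is ever narrowed to the concrete type. The constructor body continues past the end of the hunk.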
@@ -54,10 +53,17 @@ func New(
 }
 }

-func (s *secretHelper) Name() string { return s.namePrefix }
+type symmetricSecretHelper struct {
+ namePrefix string
+ labels map[string]string
+ rand io.Reader
+ notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret)
+}
+
+func (s *symmetricSecretHelper) Name() string { return s.namePrefix }

 // Generate implements SecretHelper.Generate().
-func (s *secretHelper) Generate(parent *configv1alpha1.OIDCProvider) (*corev1.Secret, error) {
+func (s *symmetricSecretHelper) Generate(parent *configv1alpha1.OIDCProvider) (*corev1.Secret, error) {
 key := make([]byte, symmetricKeySize)
 if _, err := s.rand.Read(key); err != nil {
 return nil, err
@@ -84,7 +90,7 @@ func (s *secretHelper) Generate(parent *configv1alpha1.OIDCProvider) (*corev1.Se
 }

 // IsValid implements SecretHelper.IsValid().
-func (s *secretHelper) IsValid(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) bool {
+func (s *symmetricSecretHelper) IsValid(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) bool {
 if !metav1.IsControlledBy(child, parent) {
 return false
 }
@@ -105,6 +111,6 @@ func (s *secretHelper) IsValid(parent *configv1alpha1.OIDCProvider, child *corev
 }

 // Notify implements SecretHelper.Notify().
-func (s *secretHelper) Notify(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
+func (s *symmetricSecretHelper) Notify(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
 s.notifyFunc(parent, child)
 }
diff --git a/internal/controller/supervisorconfig/generator/symmetricsecrethelper/symmetric_secret_helper_test.go b/internal/controller/supervisorconfig/generator/secret_helper_test.go
similarity index 91%
rename from internal/controller/supervisorconfig/generator/symmetricsecrethelper/symmetric_secret_helper_test.go
rename to internal/controller/supervisorconfig/generator/secret_helper_test.go
index b0787a0d..b0330626 100644
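Review bot: In the first hunk, Generate still fills the 32-byte key with a single `s.rand.Read(key)` and checks only the error; the `io.Reader` contract allows a short read with a nil error, and this helper accepts any reader (the test injects a `strings.NewReader`), so a short read would silently hand back a key whose tail is all zeros and that value then becomes an HMAC or encryption key. Replace the read with `if _, err := io.ReadFull(s.rand, key); err != nil {` so a truncated source fails with `io.ErrUnexpectedEOF` instead; `io` is already imported for the `rand io.Reader` field. With `crypto/rand.Reader` this is unlikely to bite in practice, but the full-length guarantee belongs here rather than at each call site. Generate's body continues past the end of the hunk.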
--- a/internal/controller/supervisorconfig/generator/symmetricsecrethelper/symmetric_secret_helper_test.go
+++ b/internal/controller/supervisorconfig/generator/secret_helper_test.go
@@ -1,7 +1,7 @@
 // Copyright 2020 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-package symmetricsecrethelper
+package generator

 import (
 "strings"
@@ -17,7 +17,7 @@ import (

 const keyWith32Bytes = "0123456789abcdef0123456789abcdef"

-func TestHelper(t *testing.T) {
+func TestSymmetricSecretHHelper(t *testing.T) {
 labels := map[string]string{
 "some-label-key-1": "some-label-value-1",
 "some-label-key-2": "some-label-value-2",
@@ -25,7 +25,7 @@ func TestHelper(t *testing.T) {
 randSource := strings.NewReader(keyWith32Bytes)
 var notifyParent *configv1alpha1.OIDCProvider
 var notifyChild *corev1.Secret
- h := New("some-name-prefix-", labels, randSource, func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
+ h := NewSymmetricSecretHelper("some-name-prefix-", labels, randSource, func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
 require.True(t, notifyParent == nil && notifyChild == nil, "expected notify func not to have been called yet")
 notifyParent = parent
 notifyChild = child
@@ -65,7 +65,7 @@ func TestHelper(t *testing.T) {
 require.Equal(t, child, notifyChild)
 }

-func TestHelperIsValid(t *testing.T) {
+func TestSymmetricSecretHHelperIsValid(t *testing.T) {
 tests := []struct {
 name string
 child func(*corev1.Secret)
@@ -115,7 +115,7 @@ func TestHelperIsValid(t *testing.T) {
 for _, test := range tests {
 test := test
 t.Run(test.name, func(t *testing.T) {
- h := New("none of these args matter", nil, nil, nil)
+ h := NewSymmetricSecretHelper("none of these args matter", nil, nil, nil)
 parent := &configv1alpha1.OIDCProvider{
 ObjectMeta: metav1.ObjectMeta{
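Review bot: In the `@@ -17,7 +17,7 @@` and `@@ -65,7 +65,7 @@` hunks the new test names `TestSymmetricSecretHHelper` and `TestSymmetricSecretHHelperIsValid` carry a doubled `H`, which reads as a typo against the `symmetricSecretHelper` type they exercise and means `go test -run SymmetricSecretHelper` will not select them. Rename them to `TestSymmetricSecretHelper` and `TestSymmetricSecretHelperIsValid`; the stale `func TestHelper(t *testing.T) {` in the later hunk headers is only diff context and needs no change.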
diff --git a/internal/controller/supervisorconfig/generator/supervisor_secrets.go b/internal/controller/supervisorconfig/generator/supervisor_secrets.go
index e27166ae..58d5583d 100644
--- a/internal/controller/supervisorconfig/generator/supervisor_secrets.go
+++ b/internal/controller/supervisorconfig/generator/supervisor_secrets.go
@@ -78,7 +78,7 @@ func (c *supervisorSecretsController) Sync(ctx controllerlib.Context) error {
 secretNeedsUpdate := isNotFound || !isValid(secret)
 if !secretNeedsUpdate {
 plog.Debug("secret is up to date", "secret", klog.KObj(secret))
- c.setCacheFunc(secret.Data[symmetricKeySecretDataKey])
+ c.setCacheFunc(secret.Data[SymmetricSecretDataKey])
 return nil
 }

@@ -96,7 +96,7 @@ func (c *supervisorSecretsController) Sync(ctx controllerlib.Context) error {
 return fmt.Errorf("failed to create/update secret %s/%s: %w", newSecret.Namespace, newSecret.Name, err)
 }

- c.setCacheFunc(newSecret.Data[symmetricKeySecretDataKey])
+ c.setCacheFunc(newSecret.Data[SymmetricSecretDataKey])

 return nil
 }