Pull symmetricsecrethelper package up to generator

- rename symmetricsecrethelper.New => generator.NewSymmetricSecretHelper
This commit is contained in:
aram price 2020-12-14 17:38:01 -08:00
parent b1ee434ddf
commit b799515f84
6 changed files with 43 additions and 54 deletions


@ -36,7 +36,6 @@ import (
"go.pinniped.dev/internal/config/supervisor" "go.pinniped.dev/internal/config/supervisor"
"go.pinniped.dev/internal/controller/supervisorconfig" "go.pinniped.dev/internal/controller/supervisorconfig"
"go.pinniped.dev/internal/controller/supervisorconfig/generator" "go.pinniped.dev/internal/controller/supervisorconfig/generator"
"go.pinniped.dev/internal/controller/supervisorconfig/generator/symmetricsecrethelper"
"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatcher" "go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatcher"
"go.pinniped.dev/internal/controller/supervisorstorage" "go.pinniped.dev/internal/controller/supervisorstorage"
"go.pinniped.dev/internal/controllerlib" "go.pinniped.dev/internal/controllerlib"
@ -165,13 +164,13 @@ func startControllers(
). ).
WithController( WithController(
generator.NewOIDCProviderSecretsController( generator.NewOIDCProviderSecretsController(
symmetricsecrethelper.New( generator.NewSymmetricSecretHelper(
"pinniped-oidc-provider-hmac-key-", "pinniped-oidc-provider-hmac-key-",
cfg.Labels, cfg.Labels,
rand.Reader, rand.Reader,
func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) { func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
plog.Debug("setting hmac secret", "issuer", parent.Spec.Issuer) plog.Debug("setting hmac secret", "issuer", parent.Spec.Issuer)
secretCache.SetTokenHMACKey(parent.Spec.Issuer, child.Data[symmetricsecrethelper.SymmetricSecretDataKey]) secretCache.SetTokenHMACKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
}, },
), ),
kubeClient, kubeClient,
@ -183,13 +182,13 @@ func startControllers(
). ).
WithController( WithController(
generator.NewOIDCProviderSecretsController( generator.NewOIDCProviderSecretsController(
symmetricsecrethelper.New( generator.NewSymmetricSecretHelper(
"pinniped-oidc-provider-upstream-state-signature-key-", "pinniped-oidc-provider-upstream-state-signature-key-",
cfg.Labels, cfg.Labels,
rand.Reader, rand.Reader,
func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) { func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
plog.Debug("setting state signature key", "issuer", parent.Spec.Issuer) plog.Debug("setting state signature key", "issuer", parent.Spec.Issuer)
secretCache.SetStateEncoderHashKey(parent.Spec.Issuer, child.Data[symmetricsecrethelper.SymmetricSecretDataKey]) secretCache.SetStateEncoderHashKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
}, },
), ),
kubeClient, kubeClient,
@ -201,13 +200,13 @@ func startControllers(
). ).
WithController( WithController(
generator.NewOIDCProviderSecretsController( generator.NewOIDCProviderSecretsController(
symmetricsecrethelper.New( generator.NewSymmetricSecretHelper(
"pinniped-oidc-provider-upstream-state-encryption-key-", "pinniped-oidc-provider-upstream-state-encryption-key-",
cfg.Labels, cfg.Labels,
rand.Reader, rand.Reader,
func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) { func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
plog.Debug("setting state encryption key", "issuer", parent.Spec.Issuer) plog.Debug("setting state encryption key", "issuer", parent.Spec.Issuer)
secretCache.SetStateEncoderBlockKey(parent.Spec.Issuer, child.Data[symmetricsecrethelper.SymmetricSecretDataKey]) secretCache.SetStateEncoderBlockKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
}, },
), ),
kubeClient, kubeClient,


@ -15,11 +15,6 @@ import (
) )
const ( const (
symmetricKeySecretType = "secrets.pinniped.dev/symmetric"
symmetricKeySecretDataKey = "key"
symmetricKeySize = 32
opKind = "OIDCProvider" opKind = "OIDCProvider"
) )
@ -32,11 +27,11 @@ func generateSymmetricKey() ([]byte, error) {
} }
func isValid(secret *corev1.Secret) bool { func isValid(secret *corev1.Secret) bool {
if secret.Type != symmetricKeySecretType { if secret.Type != SymmetricSecretType {
return false return false
} }
data, ok := secret.Data[symmetricKeySecretDataKey] data, ok := secret.Data[SymmetricSecretDataKey]
if !ok { if !ok {
return false return false
} }
@ -54,7 +49,7 @@ func secretDataFunc() (map[string][]byte, error) {
} }
return map[string][]byte{ return map[string][]byte{
symmetricKeySecretDataKey: symmetricKey, SymmetricSecretDataKey: symmetricKey,
}, nil }, nil
} }
@ -78,7 +73,7 @@ func generateSecret(namespace, name string, labels map[string]string, secretData
}, },
Labels: labels, Labels: labels,
}, },
Type: symmetricKeySecretType, Type: SymmetricSecretType,
Data: secretData, Data: secretData,
}, nil }, nil
} }
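Review bot: Now that this file and the symmetric helper share a package, `isValid` here and `symmetricSecretHelper.IsValid` both test a Secret against `SymmetricSecretType` and `SymmetricSecretDataKey`, and `generateSymmetricKey` presumably sizes its key by the same `symmetricKeySize` the helper's `Generate` uses (the constant was dropped from this file, so it must now come from the helper's file); the commit renames the constants but leaves the two generation/validation paths side by side with no shared helper. If they are intentionally separate, a comment on `isValid` such as `// isValid checks the supervisor-wide symmetric Secret; per-OIDCProvider Secrets are validated by symmetricSecretHelper.IsValid.` would keep the next reader from merging or diverging them by accident. The bodies of `isValid` and `generateSymmetricKey` continue outside these hunks, so the exact overlap is inferred rather than visible.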


@ -22,17 +22,6 @@ import (
"go.pinniped.dev/internal/plog" "go.pinniped.dev/internal/plog"
) )
// SecretHelper describes an object that can Generate() a Secret and determine whether a Secret
// IsValid(). It can also be Notify()'d about a Secret being persisted.
//
// A SecretHelper has a Name() that can be used to identify it from other SecretHelper instances.
type SecretHelper interface {
Name() string
Generate(*configv1alpha1.OIDCProvider) (*corev1.Secret, error)
IsValid(*configv1alpha1.OIDCProvider, *corev1.Secret) bool
Notify(*configv1alpha1.OIDCProvider, *corev1.Secret)
}
type oidcProviderSecretsController struct { type oidcProviderSecretsController struct {
secretHelper SecretHelper secretHelper SecretHelper
kubeClient kubernetes.Interface kubeClient kubernetes.Interface


@ -1,9 +1,7 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved. // Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
// Package symmetricsecrethelper provides a type that can generate and validate symmetric keys as package generator
// Secret's.
package symmetricsecrethelper
import ( import (
"fmt" "fmt"
@ -14,9 +12,19 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
"go.pinniped.dev/internal/controller/supervisorconfig/generator"
) )
// SecretHelper describes an object that can Generate() a Secret and determine whether a Secret
// IsValid(). It can also be Notify()'d about a Secret being persisted.
//
// A SecretHelper has a Name() that can be used to identify it from other SecretHelper instances.
type SecretHelper interface {
Name() string
Generate(*configv1alpha1.OIDCProvider) (*corev1.Secret, error)
IsValid(*configv1alpha1.OIDCProvider, *corev1.Secret) bool
Notify(*configv1alpha1.OIDCProvider, *corev1.Secret)
}
const ( const (
// SymmetricSecretType is corev1.Secret.Type of all corev1.Secret's generated by this helper. // SymmetricSecretType is corev1.Secret.Type of all corev1.Secret's generated by this helper.
SymmetricSecretType = "secrets.pinniped.dev/symmetric" SymmetricSecretType = "secrets.pinniped.dev/symmetric"
@ -29,24 +37,15 @@ const (
symmetricKeySize = 32 symmetricKeySize = 32
) )
type secretHelper struct {
namePrefix string
labels map[string]string
rand io.Reader
notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret)
}
var _ generator.SecretHelper = &secretHelper{}
// New returns a SecretHelper that has been parameterized with common symmetric secret generation // New returns a SecretHelper that has been parameterized with common symmetric secret generation
// knobs. // knobs.
func New( func NewSymmetricSecretHelper(
namePrefix string, namePrefix string,
labels map[string]string, labels map[string]string,
rand io.Reader, rand io.Reader,
notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret), notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret),
) generator.SecretHelper { ) SecretHelper {
return &secretHelper{ return &symmetricSecretHelper{
namePrefix: namePrefix, namePrefix: namePrefix,
labels: labels, labels: labels,
rand: rand, rand: rand,
@ -54,10 +53,17 @@ func New(
} }
} }
func (s *secretHelper) Name() string { return s.namePrefix } type symmetricSecretHelper struct {
namePrefix string
labels map[string]string
rand io.Reader
notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret)
}
func (s *symmetricSecretHelper) Name() string { return s.namePrefix }
// Generate implements SecretHelper.Generate(). // Generate implements SecretHelper.Generate().
func (s *secretHelper) Generate(parent *configv1alpha1.OIDCProvider) (*corev1.Secret, error) { func (s *symmetricSecretHelper) Generate(parent *configv1alpha1.OIDCProvider) (*corev1.Secret, error) {
key := make([]byte, symmetricKeySize) key := make([]byte, symmetricKeySize)
if _, err := s.rand.Read(key); err != nil { if _, err := s.rand.Read(key); err != nil {
return nil, err return nil, err
@ -84,7 +90,7 @@ func (s *secretHelper) Generate(parent *configv1alpha1.OIDCProvider) (*corev1.Se
} }
// IsValid implements SecretHelper.IsValid(). // IsValid implements SecretHelper.IsValid().
func (s *secretHelper) IsValid(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) bool { func (s *symmetricSecretHelper) IsValid(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) bool {
if !metav1.IsControlledBy(child, parent) { if !metav1.IsControlledBy(child, parent) {
return false return false
} }
@ -105,6 +111,6 @@ func (s *secretHelper) IsValid(parent *configv1alpha1.OIDCProvider, child *corev
} }
// Notify implements SecretHelper.Notify(). // Notify implements SecretHelper.Notify().
func (s *secretHelper) Notify(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) { func (s *symmetricSecretHelper) Notify(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
s.notifyFunc(parent, child) s.notifyFunc(parent, child)
} }
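Review bot: `Generate` still treats a short read from `s.rand` as success — `s.rand.Read(key)` discards the byte count, and an `io.Reader` may return fewer than `symmetricKeySize` bytes without an error, which would leave the tail of the HMAC/encryption key as zeros; `if _, err := io.ReadFull(s.rand, key); err != nil {` makes the key either fully filled or an error (`io` is already imported for the `rand io.Reader` field). `Generate`'s body continues past the end of this hunk. The doc comment above the renamed constructor still opens with `// New returns ...` and should read `// NewSymmetricSecretHelper returns a SecretHelper that has been parameterized with common symmetric secret generation knobs.`. The removed `var _ generator.SecretHelper = &secretHelper{}` has no replacement, so adding `var _ SecretHelper = &symmetricSecretHelper{}` would keep the compile-time interface check that the old package had.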


@ -1,7 +1,7 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved. // Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package symmetricsecrethelper package generator
import ( import (
"strings" "strings"
@ -17,7 +17,7 @@ import (
const keyWith32Bytes = "0123456789abcdef0123456789abcdef" const keyWith32Bytes = "0123456789abcdef0123456789abcdef"
func TestHelper(t *testing.T) { func TestSymmetricSecretHHelper(t *testing.T) {
labels := map[string]string{ labels := map[string]string{
"some-label-key-1": "some-label-value-1", "some-label-key-1": "some-label-value-1",
"some-label-key-2": "some-label-value-2", "some-label-key-2": "some-label-value-2",
@ -25,7 +25,7 @@ func TestHelper(t *testing.T) {
randSource := strings.NewReader(keyWith32Bytes) randSource := strings.NewReader(keyWith32Bytes)
var notifyParent *configv1alpha1.OIDCProvider var notifyParent *configv1alpha1.OIDCProvider
var notifyChild *corev1.Secret var notifyChild *corev1.Secret
h := New("some-name-prefix-", labels, randSource, func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) { h := NewSymmetricSecretHelper("some-name-prefix-", labels, randSource, func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
require.True(t, notifyParent == nil && notifyChild == nil, "expected notify func not to have been called yet") require.True(t, notifyParent == nil && notifyChild == nil, "expected notify func not to have been called yet")
notifyParent = parent notifyParent = parent
notifyChild = child notifyChild = child
@ -65,7 +65,7 @@ func TestHelper(t *testing.T) {
require.Equal(t, child, notifyChild) require.Equal(t, child, notifyChild)
} }
func TestHelperIsValid(t *testing.T) { func TestSymmetricSecretHHelperIsValid(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
child func(*corev1.Secret) child func(*corev1.Secret)
@ -115,7 +115,7 @@ func TestHelperIsValid(t *testing.T) {
for _, test := range tests { for _, test := range tests {
test := test test := test
t.Run(test.name, func(t *testing.T) { t.Run(test.name, func(t *testing.T) {
h := New("none of these args matter", nil, nil, nil) h := NewSymmetricSecretHelper("none of these args matter", nil, nil, nil)
parent := &configv1alpha1.OIDCProvider{ parent := &configv1alpha1.OIDCProvider{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
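Review bot: The renamed test functions carry a doubled letter — `TestSymmetricSecretHHelper` and `TestSymmetricSecretHHelperIsValid` — which will show up in `go test -run` filters and failure output; they should be `func TestSymmetricSecretHelper(t *testing.T) {` and `func TestSymmetricSecretHelperIsValid(t *testing.T) {`. The rest of the section is a straight `New` → `NewSymmetricSecretHelper` rename and needs no change.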


@ -78,7 +78,7 @@ func (c *supervisorSecretsController) Sync(ctx controllerlib.Context) error {
secretNeedsUpdate := isNotFound || !isValid(secret) secretNeedsUpdate := isNotFound || !isValid(secret)
if !secretNeedsUpdate { if !secretNeedsUpdate {
plog.Debug("secret is up to date", "secret", klog.KObj(secret)) plog.Debug("secret is up to date", "secret", klog.KObj(secret))
c.setCacheFunc(secret.Data[symmetricKeySecretDataKey]) c.setCacheFunc(secret.Data[SymmetricSecretDataKey])
return nil return nil
} }
@ -96,7 +96,7 @@ func (c *supervisorSecretsController) Sync(ctx controllerlib.Context) error {
return fmt.Errorf("failed to create/update secret %s/%s: %w", newSecret.Namespace, newSecret.Name, err) return fmt.Errorf("failed to create/update secret %s/%s: %w", newSecret.Namespace, newSecret.Name, err)
} }
c.setCacheFunc(newSecret.Data[symmetricKeySecretDataKey]) c.setCacheFunc(newSecret.Data[SymmetricSecretDataKey])
return nil return nil
} }