Pull symmetricsecrethelper package up to generator
- rename symmetricsecrethelper.New => generator.NewSymmetricSecretHelper
parent
b1ee434ddf
commit
b799515f84
@ -36,7 +36,6 @@ import (
|
|||||||
"go.pinniped.dev/internal/config/supervisor"
|
"go.pinniped.dev/internal/config/supervisor"
|
||||||
"go.pinniped.dev/internal/controller/supervisorconfig"
|
"go.pinniped.dev/internal/controller/supervisorconfig"
|
||||||
"go.pinniped.dev/internal/controller/supervisorconfig/generator"
|
"go.pinniped.dev/internal/controller/supervisorconfig/generator"
|
||||||
"go.pinniped.dev/internal/controller/supervisorconfig/generator/symmetricsecrethelper"
|
|
||||||
"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatcher"
|
"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatcher"
|
||||||
"go.pinniped.dev/internal/controller/supervisorstorage"
|
"go.pinniped.dev/internal/controller/supervisorstorage"
|
||||||
"go.pinniped.dev/internal/controllerlib"
|
"go.pinniped.dev/internal/controllerlib"
|
||||||
@ -165,13 +164,13 @@ func startControllers(
|
|||||||
).
|
).
|
||||||
WithController(
|
WithController(
|
||||||
generator.NewOIDCProviderSecretsController(
|
generator.NewOIDCProviderSecretsController(
|
||||||
symmetricsecrethelper.New(
|
generator.NewSymmetricSecretHelper(
|
||||||
"pinniped-oidc-provider-hmac-key-",
|
"pinniped-oidc-provider-hmac-key-",
|
||||||
cfg.Labels,
|
cfg.Labels,
|
||||||
rand.Reader,
|
rand.Reader,
|
||||||
func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
||||||
plog.Debug("setting hmac secret", "issuer", parent.Spec.Issuer)
|
plog.Debug("setting hmac secret", "issuer", parent.Spec.Issuer)
|
||||||
secretCache.SetTokenHMACKey(parent.Spec.Issuer, child.Data[symmetricsecrethelper.SymmetricSecretDataKey])
|
secretCache.SetTokenHMACKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
|
||||||
},
|
},
|
||||||
),
|
),
|
||||||
kubeClient,
|
kubeClient,
|
||||||
@ -183,13 +182,13 @@ func startControllers(
|
|||||||
).
|
).
|
||||||
WithController(
|
WithController(
|
||||||
generator.NewOIDCProviderSecretsController(
|
generator.NewOIDCProviderSecretsController(
|
||||||
symmetricsecrethelper.New(
|
generator.NewSymmetricSecretHelper(
|
||||||
"pinniped-oidc-provider-upstream-state-signature-key-",
|
"pinniped-oidc-provider-upstream-state-signature-key-",
|
||||||
cfg.Labels,
|
cfg.Labels,
|
||||||
rand.Reader,
|
rand.Reader,
|
||||||
func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
||||||
plog.Debug("setting state signature key", "issuer", parent.Spec.Issuer)
|
plog.Debug("setting state signature key", "issuer", parent.Spec.Issuer)
|
||||||
secretCache.SetStateEncoderHashKey(parent.Spec.Issuer, child.Data[symmetricsecrethelper.SymmetricSecretDataKey])
|
secretCache.SetStateEncoderHashKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
|
||||||
},
|
},
|
||||||
),
|
),
|
||||||
kubeClient,
|
kubeClient,
|
||||||
@ -201,13 +200,13 @@ func startControllers(
|
|||||||
).
|
).
|
||||||
WithController(
|
WithController(
|
||||||
generator.NewOIDCProviderSecretsController(
|
generator.NewOIDCProviderSecretsController(
|
||||||
symmetricsecrethelper.New(
|
generator.NewSymmetricSecretHelper(
|
||||||
"pinniped-oidc-provider-upstream-state-encryption-key-",
|
"pinniped-oidc-provider-upstream-state-encryption-key-",
|
||||||
cfg.Labels,
|
cfg.Labels,
|
||||||
rand.Reader,
|
rand.Reader,
|
||||||
func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
||||||
plog.Debug("setting state encryption key", "issuer", parent.Spec.Issuer)
|
plog.Debug("setting state encryption key", "issuer", parent.Spec.Issuer)
|
||||||
secretCache.SetStateEncoderBlockKey(parent.Spec.Issuer, child.Data[symmetricsecrethelper.SymmetricSecretDataKey])
|
secretCache.SetStateEncoderBlockKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
|
||||||
},
|
},
|
||||||
),
|
),
|
||||||
kubeClient,
|
kubeClient,
|
||||||
|
@ -15,11 +15,6 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
symmetricKeySecretType = "secrets.pinniped.dev/symmetric"
|
|
||||||
symmetricKeySecretDataKey = "key"
|
|
||||||
|
|
||||||
symmetricKeySize = 32
|
|
||||||
|
|
||||||
opKind = "OIDCProvider"
|
opKind = "OIDCProvider"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -32,11 +27,11 @@ func generateSymmetricKey() ([]byte, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func isValid(secret *corev1.Secret) bool {
|
func isValid(secret *corev1.Secret) bool {
|
||||||
if secret.Type != symmetricKeySecretType {
|
if secret.Type != SymmetricSecretType {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
data, ok := secret.Data[symmetricKeySecretDataKey]
|
data, ok := secret.Data[SymmetricSecretDataKey]
|
||||||
if !ok {
|
if !ok {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
@ -54,7 +49,7 @@ func secretDataFunc() (map[string][]byte, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
return map[string][]byte{
|
return map[string][]byte{
|
||||||
symmetricKeySecretDataKey: symmetricKey,
|
SymmetricSecretDataKey: symmetricKey,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -78,7 +73,7 @@ func generateSecret(namespace, name string, labels map[string]string, secretData
|
|||||||
},
|
},
|
||||||
Labels: labels,
|
Labels: labels,
|
||||||
},
|
},
|
||||||
Type: symmetricKeySecretType,
|
Type: SymmetricSecretType,
|
||||||
Data: secretData,
|
Data: secretData,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
@ -22,17 +22,6 @@ import (
|
|||||||
"go.pinniped.dev/internal/plog"
|
"go.pinniped.dev/internal/plog"
|
||||||
)
|
)
|
||||||
|
|
||||||
// SecretHelper describes an object that can Generate() a Secret and determine whether a Secret
|
|
||||||
// IsValid(). It can also be Notify()'d about a Secret being persisted.
|
|
||||||
//
|
|
||||||
// A SecretHelper has a Name() that can be used to identify it from other SecretHelper instances.
|
|
||||||
type SecretHelper interface {
|
|
||||||
Name() string
|
|
||||||
Generate(*configv1alpha1.OIDCProvider) (*corev1.Secret, error)
|
|
||||||
IsValid(*configv1alpha1.OIDCProvider, *corev1.Secret) bool
|
|
||||||
Notify(*configv1alpha1.OIDCProvider, *corev1.Secret)
|
|
||||||
}
|
|
||||||
|
|
||||||
type oidcProviderSecretsController struct {
|
type oidcProviderSecretsController struct {
|
||||||
secretHelper SecretHelper
|
secretHelper SecretHelper
|
||||||
kubeClient kubernetes.Interface
|
kubeClient kubernetes.Interface
|
||||||
|
@ -1,9 +1,7 @@
|
|||||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
// Package symmetricsecrethelper provides a type that can generate and validate symmetric keys as
|
package generator
|
||||||
// Secret's.
|
|
||||||
package symmetricsecrethelper
|
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
@ -14,9 +12,19 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
|
|
||||||
configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
|
configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
|
||||||
"go.pinniped.dev/internal/controller/supervisorconfig/generator"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// SecretHelper describes an object that can Generate() a Secret and determine whether a Secret
|
||||||
|
// IsValid(). It can also be Notify()'d about a Secret being persisted.
|
||||||
|
//
|
||||||
|
// A SecretHelper has a Name() that can be used to identify it from other SecretHelper instances.
|
||||||
|
type SecretHelper interface {
|
||||||
|
Name() string
|
||||||
|
Generate(*configv1alpha1.OIDCProvider) (*corev1.Secret, error)
|
||||||
|
IsValid(*configv1alpha1.OIDCProvider, *corev1.Secret) bool
|
||||||
|
Notify(*configv1alpha1.OIDCProvider, *corev1.Secret)
|
||||||
|
}
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// SymmetricSecretType is corev1.Secret.Type of all corev1.Secret's generated by this helper.
|
// SymmetricSecretType is corev1.Secret.Type of all corev1.Secret's generated by this helper.
|
||||||
SymmetricSecretType = "secrets.pinniped.dev/symmetric"
|
SymmetricSecretType = "secrets.pinniped.dev/symmetric"
|
||||||
@ -29,24 +37,15 @@ const (
|
|||||||
symmetricKeySize = 32
|
symmetricKeySize = 32
|
||||||
)
|
)
|
||||||
|
|
||||||
type secretHelper struct {
|
|
||||||
namePrefix string
|
|
||||||
labels map[string]string
|
|
||||||
rand io.Reader
|
|
||||||
notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret)
|
|
||||||
}
|
|
||||||
|
|
||||||
var _ generator.SecretHelper = &secretHelper{}
|
|
||||||
|
|
||||||
// New returns a SecretHelper that has been parameterized with common symmetric secret generation
|
// New returns a SecretHelper that has been parameterized with common symmetric secret generation
|
||||||
// knobs.
|
// knobs.
|
||||||
func New(
|
func NewSymmetricSecretHelper(
|
||||||
namePrefix string,
|
namePrefix string,
|
||||||
labels map[string]string,
|
labels map[string]string,
|
||||||
rand io.Reader,
|
rand io.Reader,
|
||||||
notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret),
|
notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret),
|
||||||
) generator.SecretHelper {
|
) SecretHelper {
|
||||||
return &secretHelper{
|
return &symmetricSecretHelper{
|
||||||
namePrefix: namePrefix,
|
namePrefix: namePrefix,
|
||||||
labels: labels,
|
labels: labels,
|
||||||
rand: rand,
|
rand: rand,
|
||||||
@ -54,10 +53,17 @@ func New(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *secretHelper) Name() string { return s.namePrefix }
|
type symmetricSecretHelper struct {
|
||||||
|
namePrefix string
|
||||||
|
labels map[string]string
|
||||||
|
rand io.Reader
|
||||||
|
notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *symmetricSecretHelper) Name() string { return s.namePrefix }
|
||||||
|
|
||||||
// Generate implements SecretHelper.Generate().
|
// Generate implements SecretHelper.Generate().
|
||||||
func (s *secretHelper) Generate(parent *configv1alpha1.OIDCProvider) (*corev1.Secret, error) {
|
func (s *symmetricSecretHelper) Generate(parent *configv1alpha1.OIDCProvider) (*corev1.Secret, error) {
|
||||||
key := make([]byte, symmetricKeySize)
|
key := make([]byte, symmetricKeySize)
|
||||||
if _, err := s.rand.Read(key); err != nil {
|
if _, err := s.rand.Read(key); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -84,7 +90,7 @@ func (s *secretHelper) Generate(parent *configv1alpha1.OIDCProvider) (*corev1.Se
|
|||||||
}
|
}
|
||||||
|
|
||||||
// IsValid implements SecretHelper.IsValid().
|
// IsValid implements SecretHelper.IsValid().
|
||||||
func (s *secretHelper) IsValid(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) bool {
|
func (s *symmetricSecretHelper) IsValid(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) bool {
|
||||||
if !metav1.IsControlledBy(child, parent) {
|
if !metav1.IsControlledBy(child, parent) {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
@ -105,6 +111,6 @@ func (s *secretHelper) IsValid(parent *configv1alpha1.OIDCProvider, child *corev
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Notify implements SecretHelper.Notify().
|
// Notify implements SecretHelper.Notify().
|
||||||
func (s *secretHelper) Notify(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
func (s *symmetricSecretHelper) Notify(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
||||||
s.notifyFunc(parent, child)
|
s.notifyFunc(parent, child)
|
||||||
}
|
}
|
@ -1,7 +1,7 @@
|
|||||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package symmetricsecrethelper
|
package generator
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"strings"
|
"strings"
|
||||||
@ -17,7 +17,7 @@ import (
|
|||||||
|
|
||||||
const keyWith32Bytes = "0123456789abcdef0123456789abcdef"
|
const keyWith32Bytes = "0123456789abcdef0123456789abcdef"
|
||||||
|
|
||||||
func TestHelper(t *testing.T) {
|
func TestSymmetricSecretHHelper(t *testing.T) {
|
||||||
labels := map[string]string{
|
labels := map[string]string{
|
||||||
"some-label-key-1": "some-label-value-1",
|
"some-label-key-1": "some-label-value-1",
|
||||||
"some-label-key-2": "some-label-value-2",
|
"some-label-key-2": "some-label-value-2",
|
||||||
@ -25,7 +25,7 @@ func TestHelper(t *testing.T) {
|
|||||||
randSource := strings.NewReader(keyWith32Bytes)
|
randSource := strings.NewReader(keyWith32Bytes)
|
||||||
var notifyParent *configv1alpha1.OIDCProvider
|
var notifyParent *configv1alpha1.OIDCProvider
|
||||||
var notifyChild *corev1.Secret
|
var notifyChild *corev1.Secret
|
||||||
h := New("some-name-prefix-", labels, randSource, func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
h := NewSymmetricSecretHelper("some-name-prefix-", labels, randSource, func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
||||||
require.True(t, notifyParent == nil && notifyChild == nil, "expected notify func not to have been called yet")
|
require.True(t, notifyParent == nil && notifyChild == nil, "expected notify func not to have been called yet")
|
||||||
notifyParent = parent
|
notifyParent = parent
|
||||||
notifyChild = child
|
notifyChild = child
|
||||||
@ -65,7 +65,7 @@ func TestHelper(t *testing.T) {
|
|||||||
require.Equal(t, child, notifyChild)
|
require.Equal(t, child, notifyChild)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestHelperIsValid(t *testing.T) {
|
func TestSymmetricSecretHHelperIsValid(t *testing.T) {
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
child func(*corev1.Secret)
|
child func(*corev1.Secret)
|
||||||
@ -115,7 +115,7 @@ func TestHelperIsValid(t *testing.T) {
|
|||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
test := test
|
test := test
|
||||||
t.Run(test.name, func(t *testing.T) {
|
t.Run(test.name, func(t *testing.T) {
|
||||||
h := New("none of these args matter", nil, nil, nil)
|
h := NewSymmetricSecretHelper("none of these args matter", nil, nil, nil)
|
||||||
|
|
||||||
parent := &configv1alpha1.OIDCProvider{
|
parent := &configv1alpha1.OIDCProvider{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
@ -78,7 +78,7 @@ func (c *supervisorSecretsController) Sync(ctx controllerlib.Context) error {
|
|||||||
secretNeedsUpdate := isNotFound || !isValid(secret)
|
secretNeedsUpdate := isNotFound || !isValid(secret)
|
||||||
if !secretNeedsUpdate {
|
if !secretNeedsUpdate {
|
||||||
plog.Debug("secret is up to date", "secret", klog.KObj(secret))
|
plog.Debug("secret is up to date", "secret", klog.KObj(secret))
|
||||||
c.setCacheFunc(secret.Data[symmetricKeySecretDataKey])
|
c.setCacheFunc(secret.Data[SymmetricSecretDataKey])
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -96,7 +96,7 @@ func (c *supervisorSecretsController) Sync(ctx controllerlib.Context) error {
|
|||||||
return fmt.Errorf("failed to create/update secret %s/%s: %w", newSecret.Namespace, newSecret.Name, err)
|
return fmt.Errorf("failed to create/update secret %s/%s: %w", newSecret.Namespace, newSecret.Name, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
c.setCacheFunc(newSecret.Data[symmetricKeySecretDataKey])
|
c.setCacheFunc(newSecret.Data[SymmetricSecretDataKey])
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|