djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Changes for Fosite's new RevokeRefreshTokenMaybeGracePeriod() interface

Browse Source 
Fosite v0.42.0 introduced a new RevokeRefreshTokenMaybeGracePeriod()
interface function. Updated our code to support this change. We didn't
support grace periods on refresh tokens before, so implemented it by
making the new RevokeRefreshTokenMaybeGracePeriod() method just call
the old RevokeRefreshToken() method, therefore keeping our old behavior.
This commit is contained in:
Ryan Richard 2022-01-19 13:57:01 -08:00
parent b2bdf01152
commit dff53b8144
4 changed files with 72 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
internal/fositestorage/refreshtoken/refreshtoken.go
View File

@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. // Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package refreshtoken package refreshtoken
@ -35,6 +35,7 @@ const (
type RevocationStorage interface { type RevocationStorage interface {
oauth2.RefreshTokenStorage oauth2.RefreshTokenStorage
RevokeRefreshToken(ctx context.Context, requestID string) error RevokeRefreshToken(ctx context.Context, requestID string) error
RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) error
} }
var _ RevocationStorage = &refreshTokenStorage{} var _ RevocationStorage = &refreshTokenStorage{}
@ -73,6 +74,11 @@ func (a *refreshTokenStorage) RevokeRefreshToken(ctx context.Context, requestID
return a.storage.DeleteByLabel(ctx, fositestorage.StorageRequestIDLabelName, requestID) return a.storage.DeleteByLabel(ctx, fositestorage.StorageRequestIDLabelName, requestID)
} }
func (a *refreshTokenStorage) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) error {
// We don't support a grace period, so always call the regular RevokeRefreshToken().
return a.RevokeRefreshToken(ctx, requestID)
}
func (a *refreshTokenStorage) CreateRefreshTokenSession(ctx context.Context, signature string, requester fosite.Requester) error { func (a *refreshTokenStorage) CreateRefreshTokenSession(ctx context.Context, signature string, requester fosite.Requester) error {
request, err := fositestorage.ValidateAndExtractAuthorizeRequest(requester) request, err := fositestorage.ValidateAndExtractAuthorizeRequest(requester)
if err != nil { if err != nil {

56
internal/fositestorage/refreshtoken/refreshtoken_test.go
View File

@ -162,6 +162,62 @@ func TestRefreshTokenStorageRevocation(t *testing.T) {
require.Equal(t, wantActions, client.Actions()) require.Equal(t, wantActions, client.Actions())
} }
func TestRefreshTokenStorageRevokeRefreshTokenMaybeGracePeriod(t *testing.T) {
wantActions := []coretesting.Action{
coretesting.NewCreateAction(secretsGVR, namespace, &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "pinniped-storage-refresh-token-pwu5zs7lekbhnln2w4",
ResourceVersion: "",
Labels: map[string]string{
"storage.pinniped.dev/type": "refresh-token",
"storage.pinniped.dev/request-id": "abcd-1",
},
Annotations: map[string]string{
"storage.pinniped.dev/garbage-collect-after": fakeNowPlusLifetimeAsString,
},
},
Data: map[string][]byte{
"pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"2"}`),
"pinniped-storage-version": []byte("1"),
},
Type: "storage.pinniped.dev/refresh-token",
}),
coretesting.NewListAction(secretsGVR, schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Secret"}, namespace, metav1.ListOptions{
LabelSelector: "storage.pinniped.dev/type=refresh-token,storage.pinniped.dev/request-id=abcd-1",
}),
coretesting.NewDeleteAction(secretsGVR, namespace, "pinniped-storage-refresh-token-pwu5zs7lekbhnln2w4"),
}
ctx, client, _, storage := makeTestSubject()
request := &fosite.Request{
ID: "abcd-1",
RequestedAt: time.Time{},
Client: &clientregistry.Client{
DefaultOpenIDConnectClient: fosite.DefaultOpenIDConnectClient{
DefaultClient: &fosite.DefaultClient{
ID: "pinny",
Public: true,
},
JSONWebKeysURI: "where",
TokenEndpointAuthMethod: "something",
},
},
Form: url.Values{"key": []string{"val"}},
Session: testutil.NewFakePinnipedSession(),
}
err := storage.CreateRefreshTokenSession(ctx, "fancy-signature", request)
require.NoError(t, err)
// Revoke the request ID of the session that we just created. We don't support grace periods, so this
// should work exactly like the regular RevokeRefreshToken() function.
err = storage.RevokeRefreshTokenMaybeGracePeriod(ctx, "abcd-1", "fancy-signature")
require.NoError(t, err)
testutil.LogActualJSONFromCreateAction(t, client, 0) // makes it easier to update expected values when needed
require.Equal(t, wantActions, client.Actions())
}
func TestGetNotFound(t *testing.T) { func TestGetNotFound(t *testing.T) {
ctx, _, _, storage := makeTestSubject() ctx, _, _, storage := makeTestSubject()

4
internal/oidc/kube_storage.go
View File

@ -180,6 +180,10 @@ func (k KubeStorage) RevokeRefreshToken(ctx context.Context, requestID string) e
return k.refreshTokenStorage.RevokeRefreshToken(ctx, requestID) return k.refreshTokenStorage.RevokeRefreshToken(ctx, requestID)
} }
func (k KubeStorage) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) error {
return k.refreshTokenStorage.RevokeRefreshTokenMaybeGracePeriod(ctx, requestID, signature)
}
// //
// OAuth client definitions: // OAuth client definitions:
// //

6
internal/oidc/nullstorage.go
View File

@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. // Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package oidc package oidc
@ -25,6 +25,10 @@ func (NullStorage) RevokeRefreshToken(_ context.Context, _ string) error {
return errNullStorageNotImplemented return errNullStorageNotImplemented
} }
func (NullStorage) RevokeRefreshTokenMaybeGracePeriod(_ context.Context, _ string, _ string) error {
return errNullStorageNotImplemented
}
func (NullStorage) RevokeAccessToken(_ context.Context, _ string) error { func (NullStorage) RevokeAccessToken(_ context.Context, _ string) error {
return errNullStorageNotImplemented return errNullStorageNotImplemented
} }