manager.Manager is initialized with secret.Cache

- a secret.Cache holding a hard-coded CSRF cookie hash key is constructed in pinniped-supervisor/main and passed in
This commit is contained in:
aram price 2020-12-10 17:27:02 -08:00
parent 72bc458c8e
commit e1173eb5eb
3 changed files with 19 additions and 8 deletions


@ -14,6 +14,8 @@ import (
"strings"
"time"
"go.pinniped.dev/internal/secret"
"k8s.io/apimachinery/pkg/util/clock"
kubeinformers "k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes"
@ -194,12 +196,16 @@ func run(serverInstallationNamespace string, cfg *supervisor.Config) error {
dynamicJWKSProvider := jwks.NewDynamicJWKSProvider()
dynamicTLSCertProvider := provider.NewDynamicTLSCertProvider()
dynamicUpstreamIDPProvider := provider.NewDynamicUpstreamIDPProvider()
cache := secret.Cache{}
cache.SetCSRFCookieEncoderHashKey([]byte("fake-csrf-hash-secret")) // TODO fetch from `Secret`
// OIDC endpoints will be served by the oidProvidersManager, and any non-OIDC paths will fallback to the healthMux.
oidProvidersManager := manager.NewManager(
healthMux,
dynamicJWKSProvider,
dynamicUpstreamIDPProvider,
cache,
kubeClient.CoreV1().Secrets(serverInstallationNamespace),
)
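Review bot: The `cache.SetCSRFCookieEncoderHashKey([]byte("fake-csrf-hash-secret"))` line puts a compile-time constant key into the supervisor's production entry point, so until the TODO is resolved every deployment shares a CSRF cookie key that is public in the repository and anyone can mint a cookie the codec will accept. A TODO comment is easy to ship past; if the Secret-backed loading cannot land in the same change, I would make the placeholder impossible to miss, e.g. have `run` return an error when no real key is configured, or at minimum name it in the comment as a must-not-ship placeholder: `// SECURITY: placeholder key, must be replaced by the Secret-backed value before release`. Note also that only the hash key is set here and no block key, so the CSRF codec presumably runs with a nil block key (authenticated but not encrypted) — worth confirming against secret.Cache's zero value. `run` begins and ends outside this hunk.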


@ -37,6 +37,7 @@ type Manager struct {
nextHandler http.Handler // the next handler in a chain, called when this manager didn't know how to handle a request
dynamicJWKSProvider jwks.DynamicJWKSProvider // in-memory cache of per-issuer JWKS data
idpListGetter oidc.IDPListGetter // in-memory cache of upstream IDPs
cache secret.Cache // in-memory cache of cryptographic material
secretsClient corev1client.SecretInterface
}
@ -48,6 +49,7 @@ func NewManager(
nextHandler http.Handler,
dynamicJWKSProvider jwks.DynamicJWKSProvider,
idpListGetter oidc.IDPListGetter,
cache secret.Cache,
secretsClient corev1client.SecretInterface,
) *Manager {
return &Manager{
@ -55,6 +57,7 @@ func NewManager(
nextHandler: nextHandler,
dynamicJWKSProvider: dynamicJWKSProvider,
idpListGetter: idpListGetter,
cache: cache,
secretsClient: secretsClient,
}
}
@ -74,20 +77,17 @@ func (m *Manager) SetProviders(oidcProviders ...*provider.OIDCProvider) {
m.providers = oidcProviders
m.providerHandlers = make(map[string]http.Handler)
cache := secret.Cache{}
cache.SetCSRFCookieEncoderHashKey([]byte("fake-csrf-hash-secret")) // TODO fetch from `Secret`
var csrfCookieEncoder = dynamiccodec.New(cache.GetCSRFCookieEncoderHashKey, cache.GetCSRFCookieEncoderBlockKey)
var csrfCookieEncoder = dynamiccodec.New(m.cache.GetCSRFCookieEncoderHashKey, m.cache.GetCSRFCookieEncoderBlockKey)
for _, incomingProvider := range oidcProviders {
providerCache := cache.GetOIDCProviderCacheFor(incomingProvider.Issuer())
providerCache := m.cache.GetOIDCProviderCacheFor(incomingProvider.Issuer())
if providerCache == nil {
if providerCache == nil { // TODO remove when populated from `Secret` values
providerCache = &secret.OIDCProviderCache{}
providerCache.SetTokenHMACKey([]byte("some secret - must have at least 32 bytes")) // TODO fetch from `Secret`
providerCache.SetStateEncoderHashKey([]byte("fake-state-hash-secret")) // TODO fetch from `Secret`
providerCache.SetStateEncoderBlockKey([]byte("16-bytes-STATE01")) // TODO fetch from `Secret`
cache.SetOIDCProviderCacheFor(incomingProvider.Issuer(), providerCache)
m.cache.SetOIDCProviderCacheFor(incomingProvider.Issuer(), providerCache)
}
issuer := incomingProvider.Issuer()
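Review bot: The `if providerCache == nil` fallback now lives inside the request-serving manager and fills every issuer that has no cache entry with the same hard-coded token HMAC key and state encoder keys, so a missing per-issuer Secret degrades silently to keys that are public in the repository instead of to a refusal to serve that provider. I would have SetProviders skip an issuer with no key material (and surface it loudly) rather than synthesize keys for it, and delete this branch together with the TODO. Separately, `cache secret.Cache` is passed and stored by value; if secret.Cache protects its maps with a mutex, the copy made in NewManager is a `go vet` copylocks finding and main's `cache` and `m.cache` become distinct objects — consider `*secret.Cache` instead. SetProviders continues past the end of the hunk.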


@ -14,6 +14,8 @@ import (
"strings"
"testing"
"go.pinniped.dev/internal/secret"
"github.com/sclevine/spec"
"github.com/stretchr/testify/require"
"gopkg.in/square/go-jose.v2"
@ -241,7 +243,10 @@ func TestManager(t *testing.T) {
kubeClient = fake.NewSimpleClientset()
secretsClient := kubeClient.CoreV1().Secrets("some-namespace")
subject = NewManager(nextHandler, dynamicJWKSProvider, idpListGetter, secretsClient)
cache := secret.Cache{}
cache.SetCSRFCookieEncoderHashKey([]byte("fake-csrf-hash-secret"))
subject = NewManager(nextHandler, dynamicJWKSProvider, idpListGetter, cache, secretsClient)
})
when("given no providers via SetProviders()", func() {
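Review bot: The fixture at `cache := secret.Cache{}` seeds only the CSRF hash key, so every per-issuer key the providers under test rely on still comes from the hard-coded fallback inside SetProviders, and the suite will quietly lose that coverage or start failing the moment the TODO fallback is removed. Consider having the fixture register an `OIDCProviderCache` for each issuer the tests use, via `cache.SetOIDCProviderCacheFor(issuer, providerCache)`, so the test owns its key material rather than borrowing the production placeholder. The enclosing setup closure and `TestManager` start outside this hunk.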