From e1173eb5ebc43853f58556414c0b47341f925dd3 Mon Sep 17 00:00:00 2001
From: aram price
Date: Thu, 10 Dec 2020 17:27:02 -0800
Subject: [PATCH] manager.Manager is initialized with secret.Cache

- hard-coded secret.Cache is passed in from pinniped-supervisor/main
---
 cmd/pinniped-supervisor/main.go | 6 ++++++
 internal/oidc/provider/manager/manager.go | 14 +++++++-------
 internal/oidc/provider/manager/manager_test.go | 7 ++++++-
 3 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/cmd/pinniped-supervisor/main.go b/cmd/pinniped-supervisor/main.go
index 31f5dff8..8e61cc38 100644
--- a/cmd/pinniped-supervisor/main.go
+++ b/cmd/pinniped-supervisor/main.go
@@ -14,6 +14,8 @@ import (
 	"strings"
 	"time"
 
+	"go.pinniped.dev/internal/secret"
+
 	"k8s.io/apimachinery/pkg/util/clock"
 	kubeinformers "k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
@@ -194,12 +196,16 @@ func run(serverInstallationNamespace string, cfg *supervisor.Config) error {
 	dynamicJWKSProvider := jwks.NewDynamicJWKSProvider()
 	dynamicTLSCertProvider := provider.NewDynamicTLSCertProvider()
 	dynamicUpstreamIDPProvider := provider.NewDynamicUpstreamIDPProvider()
+	cache := secret.Cache{}
+
+	cache.SetCSRFCookieEncoderHashKey([]byte("fake-csrf-hash-secret")) // TODO fetch from `Secret`
 
 	// OIDC endpoints will be served by the oidProvidersManager, and any non-OIDC paths will fallback to the healthMux.
 	oidProvidersManager := manager.NewManager(
 		healthMux,
 		dynamicJWKSProvider,
 		dynamicUpstreamIDPProvider,
+		cache,
 		kubeClient.CoreV1().Secrets(serverInstallationNamespace),
 	)
 
diff --git a/internal/oidc/provider/manager/manager.go b/internal/oidc/provider/manager/manager.go
index 973870b3..5846449a 100644
--- a/internal/oidc/provider/manager/manager.go
+++ b/internal/oidc/provider/manager/manager.go
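Review bot: `cache` is a `secret.Cache` value, so `manager.NewManager(..., cache, ...)` in the run hunk hands the manager a copy rather than the instance main holds; the `// TODO fetch from `Secret`` on the line above implies this cache is meant to be populated later, and unless `secret.Cache` stores its keys in reference-typed fields, material loaded into main's copy after this point would never reach the manager (and `go vet` will flag the copy if the type embeds a mutex). Taking `*secret.Cache` here, and likewise for the `cache secret.Cache` field and `NewManager` parameter in the manager.go struct/constructor hunks, removes that ambiguity. Until the TODO is done, `"fake-csrf-hash-secret"` is a fixed CSRF hash key compiled into every supervisor binary, which is worth tracking as an issue rather than only as an inline comment. run's body continues outside the hunk.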
@@ -37,6 +37,7 @@ type Manager struct {
 	nextHandler         http.Handler             // the next handler in a chain, called when this manager didn't know how to handle a request
 	dynamicJWKSProvider jwks.DynamicJWKSProvider // in-memory cache of per-issuer JWKS data
 	idpListGetter       oidc.IDPListGetter       // in-memory cache of upstream IDPs
+	cache               secret.Cache             // in-memory cache of cryptographic material
 	secretsClient       corev1client.SecretInterface
 }
 
@@ -48,6 +49,7 @@ func NewManager(
 	nextHandler http.Handler,
 	dynamicJWKSProvider jwks.DynamicJWKSProvider,
 	idpListGetter oidc.IDPListGetter,
+	cache secret.Cache,
 	secretsClient corev1client.SecretInterface,
 ) *Manager {
 	return &Manager{
@@ -55,6 +57,7 @@ func NewManager(
 		nextHandler:         nextHandler,
 		dynamicJWKSProvider: dynamicJWKSProvider,
 		idpListGetter:       idpListGetter,
+		cache:               cache,
 		secretsClient:       secretsClient,
 	}
 }
@@ -74,20 +77,17 @@ func (m *Manager) SetProviders(oidcProviders ...*provider.OIDCProvider) {
 	m.providers = oidcProviders
 	m.providerHandlers = make(map[string]http.Handler)
 
-	cache := secret.Cache{}
-	cache.SetCSRFCookieEncoderHashKey([]byte("fake-csrf-hash-secret")) // TODO fetch from `Secret`
-
-	var csrfCookieEncoder = dynamiccodec.New(cache.GetCSRFCookieEncoderHashKey, cache.GetCSRFCookieEncoderBlockKey)
+	var csrfCookieEncoder = dynamiccodec.New(m.cache.GetCSRFCookieEncoderHashKey, m.cache.GetCSRFCookieEncoderBlockKey)
 
 	for _, incomingProvider := range oidcProviders {
-		providerCache := cache.GetOIDCProviderCacheFor(incomingProvider.Issuer())
+		providerCache := m.cache.GetOIDCProviderCacheFor(incomingProvider.Issuer())
 
-		if providerCache == nil {
+		if providerCache == nil { // TODO remove when populated from `Secret` values
 			providerCache = &secret.OIDCProviderCache{}
 			providerCache.SetTokenHMACKey([]byte("some secret - must have at least 32 bytes")) // TODO fetch from `Secret`
 			providerCache.SetStateEncoderHashKey([]byte("fake-state-hash-secret")) // TODO fetch from `Secret`
 			providerCache.SetStateEncoderBlockKey([]byte("16-bytes-STATE01")) // TODO fetch from `Secret`
-			cache.SetOIDCProviderCacheFor(incomingProvider.Issuer(), providerCache)
+			m.cache.SetOIDCProviderCacheFor(incomingProvider.Issuer(), providerCache)
 		}
 
 		issuer := incomingProvider.Issuer()
diff --git a/internal/oidc/provider/manager/manager_test.go b/internal/oidc/provider/manager/manager_test.go
index 0720b719..a3d6d3d4 100644
--- a/internal/oidc/provider/manager/manager_test.go
+++ b/internal/oidc/provider/manager/manager_test.go
@@ -14,6 +14,8 @@ import (
 	"strings"
 	"testing"
 
+	"go.pinniped.dev/internal/secret"
+
 	"github.com/sclevine/spec"
 	"github.com/stretchr/testify/require"
 	"gopkg.in/square/go-jose.v2"
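Review bot: The `if providerCache == nil` branch in SetProviders still fills in fixed, shared keys (`"some secret - must have at least 32 bytes"`, `"fake-state-hash-secret"`, `"16-bytes-STATE01"`) for any issuer absent from `m.cache`, and does so silently; now that the cache is injected rather than built in this function, a missing entry is a caller or configuration problem and deserves to be surfaced rather than defaulted. Until the Secret-backed population exists, a log line through the package's existing logger when this branch is taken would make the placeholder state visible in deployments, and the new comment could state the intended end state, e.g. `// TODO remove when populated from `Secret` values; a nil cache here must become an error, not a default`. As a style point, `var csrfCookieEncoder = dynamiccodec.New(...)` inside a function body is normally written `csrfCookieEncoder := dynamiccodec.New(...)`. SetProviders continues past the end of the hunk.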
@@ -241,7 +243,10 @@ func TestManager(t *testing.T) {
 			kubeClient = fake.NewSimpleClientset()
 			secretsClient := kubeClient.CoreV1().Secrets("some-namespace")
 
-			subject = NewManager(nextHandler, dynamicJWKSProvider, idpListGetter, secretsClient)
+			cache := secret.Cache{}
+			cache.SetCSRFCookieEncoderHashKey([]byte("fake-csrf-hash-secret"))
+
+			subject = NewManager(nextHandler, dynamicJWKSProvider, idpListGetter, cache, secretsClient)
 		})
 
 		when("given no providers via SetProviders()", func() {
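Review bot: The test's `secret.Cache` carries only the CSRF hash key, so — as far as this hunk shows; the rest of TestManager is outside it — SetProviders is only exercised through its nil-fallback path, where the manager invents per-issuer keys itself, and the commit's actual change (keys arriving via the injected cache) is not verified. Pre-populating one issuer before `NewManager`, e.g. `cache.SetOIDCProviderCacheFor(issuer, providerCache)` with a `*secret.OIDCProviderCache` whose keys differ from the fallback values, and then asserting that tokens or state for that issuer validate against those keys, would pin down that the injected material is used. TestManager continues outside the hunk.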