manager.Manager is initialized with secret.Cache
- hard-coded secret.Cache is passed in from pinniped-supervisor/main
This commit is contained in:
aram price
parent
72bc458c8e
commit
e1173eb5eb
|
|
@ -14,6 +14,8 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"go.pinniped.dev/internal/secret"
|
||||||
|
|
||||||
"k8s.io/apimachinery/pkg/util/clock"
|
"k8s.io/apimachinery/pkg/util/clock"
|
||||||
kubeinformers "k8s.io/client-go/informers"
|
kubeinformers "k8s.io/client-go/informers"
|
||||||
"k8s.io/client-go/kubernetes"
|
"k8s.io/client-go/kubernetes"
|
||||||
|
|
@ -194,12 +196,16 @@ func run(serverInstallationNamespace string, cfg *supervisor.Config) error {
|
||||||
dynamicJWKSProvider := jwks.NewDynamicJWKSProvider()
|
dynamicJWKSProvider := jwks.NewDynamicJWKSProvider()
|
||||||
dynamicTLSCertProvider := provider.NewDynamicTLSCertProvider()
|
dynamicTLSCertProvider := provider.NewDynamicTLSCertProvider()
|
||||||
dynamicUpstreamIDPProvider := provider.NewDynamicUpstreamIDPProvider()
|
dynamicUpstreamIDPProvider := provider.NewDynamicUpstreamIDPProvider()
|
||||||
|
cache := secret.Cache{}
|
||||||
|
|
||||||
|
cache.SetCSRFCookieEncoderHashKey([]byte("fake-csrf-hash-secret")) // TODO fetch from `Secret`
|
||||||
|
|
||||||
// OIDC endpoints will be served by the oidProvidersManager, and any non-OIDC paths will fallback to the healthMux.
|
// OIDC endpoints will be served by the oidProvidersManager, and any non-OIDC paths will fallback to the healthMux.
|
||||||
oidProvidersManager := manager.NewManager(
|
oidProvidersManager := manager.NewManager(
|
||||||
healthMux,
|
healthMux,
|
||||||
dynamicJWKSProvider,
|
dynamicJWKSProvider,
|
||||||
dynamicUpstreamIDPProvider,
|
dynamicUpstreamIDPProvider,
|
||||||
|
cache,
|
||||||
kubeClient.CoreV1().Secrets(serverInstallationNamespace),
|
kubeClient.CoreV1().Secrets(serverInstallationNamespace),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -37,6 +37,7 @@ type Manager struct {
|
||||||
nextHandler http.Handler // the next handler in a chain, called when this manager didn't know how to handle a request
|
nextHandler http.Handler // the next handler in a chain, called when this manager didn't know how to handle a request
|
||||||
dynamicJWKSProvider jwks.DynamicJWKSProvider // in-memory cache of per-issuer JWKS data
|
dynamicJWKSProvider jwks.DynamicJWKSProvider // in-memory cache of per-issuer JWKS data
|
||||||
idpListGetter oidc.IDPListGetter // in-memory cache of upstream IDPs
|
idpListGetter oidc.IDPListGetter // in-memory cache of upstream IDPs
|
||||||
|
cache secret.Cache // in-memory cache of cryptographic material
|
||||||
secretsClient corev1client.SecretInterface
|
secretsClient corev1client.SecretInterface
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -48,6 +49,7 @@ func NewManager(
|
||||||
nextHandler http.Handler,
|
nextHandler http.Handler,
|
||||||
dynamicJWKSProvider jwks.DynamicJWKSProvider,
|
dynamicJWKSProvider jwks.DynamicJWKSProvider,
|
||||||
idpListGetter oidc.IDPListGetter,
|
idpListGetter oidc.IDPListGetter,
|
||||||
|
cache secret.Cache,
|
||||||
secretsClient corev1client.SecretInterface,
|
secretsClient corev1client.SecretInterface,
|
||||||
) *Manager {
|
) *Manager {
|
||||||
return &Manager{
|
return &Manager{
|
||||||
|
|
@ -55,6 +57,7 @@ func NewManager(
|
||||||
nextHandler: nextHandler,
|
nextHandler: nextHandler,
|
||||||
dynamicJWKSProvider: dynamicJWKSProvider,
|
dynamicJWKSProvider: dynamicJWKSProvider,
|
||||||
idpListGetter: idpListGetter,
|
idpListGetter: idpListGetter,
|
||||||
|
cache: cache,
|
||||||
secretsClient: secretsClient,
|
secretsClient: secretsClient,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -74,20 +77,17 @@ func (m *Manager) SetProviders(oidcProviders ...*provider.OIDCProvider) {
|
||||||
m.providers = oidcProviders
|
m.providers = oidcProviders
|
||||||
m.providerHandlers = make(map[string]http.Handler)
|
m.providerHandlers = make(map[string]http.Handler)
|
||||||
|
|
||||||
cache := secret.Cache{}
|
var csrfCookieEncoder = dynamiccodec.New(m.cache.GetCSRFCookieEncoderHashKey, m.cache.GetCSRFCookieEncoderBlockKey)
|
||||||
cache.SetCSRFCookieEncoderHashKey([]byte("fake-csrf-hash-secret")) // TODO fetch from `Secret`
|
|
||||||
|
|
||||||
var csrfCookieEncoder = dynamiccodec.New(cache.GetCSRFCookieEncoderHashKey, cache.GetCSRFCookieEncoderBlockKey)
|
|
||||||
|
|
||||||
for _, incomingProvider := range oidcProviders {
|
for _, incomingProvider := range oidcProviders {
|
||||||
providerCache := cache.GetOIDCProviderCacheFor(incomingProvider.Issuer())
|
providerCache := m.cache.GetOIDCProviderCacheFor(incomingProvider.Issuer())
|
||||||
|
|
||||||
if providerCache == nil {
|
if providerCache == nil { // TODO remove when populated from `Secret` values
|
||||||
providerCache = &secret.OIDCProviderCache{}
|
providerCache = &secret.OIDCProviderCache{}
|
||||||
providerCache.SetTokenHMACKey([]byte("some secret - must have at least 32 bytes")) // TODO fetch from `Secret`
|
providerCache.SetTokenHMACKey([]byte("some secret - must have at least 32 bytes")) // TODO fetch from `Secret`
|
||||||
providerCache.SetStateEncoderHashKey([]byte("fake-state-hash-secret")) // TODO fetch from `Secret`
|
providerCache.SetStateEncoderHashKey([]byte("fake-state-hash-secret")) // TODO fetch from `Secret`
|
||||||
providerCache.SetStateEncoderBlockKey([]byte("16-bytes-STATE01")) // TODO fetch from `Secret`
|
providerCache.SetStateEncoderBlockKey([]byte("16-bytes-STATE01")) // TODO fetch from `Secret`
|
||||||
cache.SetOIDCProviderCacheFor(incomingProvider.Issuer(), providerCache)
|
m.cache.SetOIDCProviderCacheFor(incomingProvider.Issuer(), providerCache)
|
||||||
}
|
}
|
||||||
|
|
||||||
issuer := incomingProvider.Issuer()
|
issuer := incomingProvider.Issuer()
|
||||||
|
|
|
||||||
|
|
@ -14,6 +14,8 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
"go.pinniped.dev/internal/secret"
|
||||||
|
|
||||||
"github.com/sclevine/spec"
|
"github.com/sclevine/spec"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
"gopkg.in/square/go-jose.v2"
|
"gopkg.in/square/go-jose.v2"
|
||||||
|
|
@ -241,7 +243,10 @@ func TestManager(t *testing.T) {
|
||||||
kubeClient = fake.NewSimpleClientset()
|
kubeClient = fake.NewSimpleClientset()
|
||||||
secretsClient := kubeClient.CoreV1().Secrets("some-namespace")
|
secretsClient := kubeClient.CoreV1().Secrets("some-namespace")
|
||||||
|
|
||||||
subject = NewManager(nextHandler, dynamicJWKSProvider, idpListGetter, secretsClient)
|
cache := secret.Cache{}
|
||||||
|
cache.SetCSRFCookieEncoderHashKey([]byte("fake-csrf-hash-secret"))
|
||||||
|
|
||||||
|
subject = NewManager(nextHandler, dynamicJWKSProvider, idpListGetter, cache, secretsClient)
|
||||||
})
|
})
|
||||||
|
|
||||||
when("given no providers via SetProviders()", func() {
|
when("given no providers via SetProviders()", func() {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue