e0ecdc004b
This is only a first commit towards making this feature work. - Hook dynamic clients into fosite by returning them from the storage interface (after finding and validating them) - In the auth endpoint, prevent the use of the username and password headers for dynamic clients to force them to use the browser-based login flows for all the upstream types - Add happy path integration tests in supervisor_login_test.go - Add lots of comments (and some small refactors) in supervisor_login_test.go to make it much easier to understand - Add lots of unit tests for the auth endpoint regarding dynamic clients (more unit tests to be added for other endpoints in follow-up commits) - Enhance crud.go to make lifetime=0 mean never garbage collect, since we want client secret storage Secrets to last forever - Move the OIDCClient validation code to a package where it can be shared between the controller and the fosite storage interface - Make shared test helpers for tests that need to create OIDC client secret storage Secrets - Create a public const for "pinniped-cli" now that we are using that string in several places in the production code
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package oidc
import (
"context"
"time"
"github.com/ory/fosite"
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
"go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
"go.pinniped.dev/internal/constable"
"go.pinniped.dev/internal/fositestoragei"
"go.pinniped.dev/internal/oidc/clientregistry"
"go.pinniped.dev/internal/oidcclientsecretstorage"
)
// errNullStorageNotImplemented is returned by every NullStorage method that would
// have to read back, delete or revoke persisted state. NullStorage never persists
// anything, so reaching one of those methods indicates a caller that should not be
// using NullStorage at all.
const errNullStorageNotImplemented constable.Error = "NullStorage does not implement this method. It should not have been called."
// NullStorage is a fosite storage implementation that persists nothing.
// It exists for the authorization endpoint, which must not save any data but
// still has to find and validate the OAuth client named in each request; that
// lookup is the only real storage behaviour here and comes from the embedded
// ClientManager. Every session/token method either reports success without
// storing anything or fails with errNullStorageNotImplemented.
type NullStorage struct {
	// The authorization endpoint uses NullStorage to avoid saving any data, but it still needs to perform client lookups.
	*clientregistry.ClientManager
}
// Compile-time check that NullStorage (via pointer) satisfies the full fosite storage contract.
var _ fositestoragei.AllFositeStorage = (*NullStorage)(nil)
// NewNullStorage builds a NullStorage whose embedded ClientManager resolves OAuth
// clients through oidcClientsClient and reads their client secret storage via the
// given Kubernetes Secrets client. time.Now is handed to the secret storage as its
// clock source.
func NewNullStorage(secrets corev1client.SecretInterface, oidcClientsClient v1alpha1.OIDCClientInterface) *NullStorage {
	secretStorage := oidcclientsecretstorage.New(secrets, time.Now)
	clients := clientregistry.NewClientManager(oidcClientsClient, secretStorage)
	return &NullStorage{ClientManager: clients}
}
// RevokeRefreshToken always fails: NullStorage holds no refresh tokens to revoke,
// so a call here means the wrong storage is wired into a revocation path.
func (NullStorage) RevokeRefreshToken(context.Context, string) error {
	return errNullStorageNotImplemented
}
// RevokeRefreshTokenMaybeGracePeriod always fails with errNullStorageNotImplemented;
// NullStorage never stores refresh tokens, with or without a grace period.
func (NullStorage) RevokeRefreshTokenMaybeGracePeriod(context.Context, string, string) error {
	return errNullStorageNotImplemented
}
// RevokeAccessToken always fails: there are no stored access tokens to revoke.
func (NullStorage) RevokeAccessToken(context.Context, string) error {
	return errNullStorageNotImplemented
}
// CreateRefreshTokenSession reports success without persisting anything, so
// fosite handlers that try to save a session on this storage keep working.
// Nothing written here can ever be read back.
func (NullStorage) CreateRefreshTokenSession(context.Context, string, fosite.Requester) error {
	return nil
}
// GetRefreshTokenSession always fails with errNullStorageNotImplemented; no
// refresh token session is ever stored, so there is nothing to return.
func (NullStorage) GetRefreshTokenSession(context.Context, string, fosite.Session) (fosite.Requester, error) {
	return nil, errNullStorageNotImplemented
}
// DeleteRefreshTokenSession always fails: NullStorage never stored the session
// it is being asked to delete.
func (NullStorage) DeleteRefreshTokenSession(context.Context, string) error {
	return errNullStorageNotImplemented
}
// CreateAccessTokenSession reports success without persisting anything.
// The session is discarded; a later Get or Delete for it will fail.
func (NullStorage) CreateAccessTokenSession(context.Context, string, fosite.Requester) error {
	return nil
}
// GetAccessTokenSession always fails with errNullStorageNotImplemented because
// access token sessions are never persisted by this storage.
func (NullStorage) GetAccessTokenSession(context.Context, string, fosite.Session) (fosite.Requester, error) {
	return nil, errNullStorageNotImplemented
}
// DeleteAccessTokenSession always fails: there is no stored access token session to delete.
func (NullStorage) DeleteAccessTokenSession(context.Context, string) error {
	return errNullStorageNotImplemented
}
// CreateOpenIDConnectSession reports success without persisting anything;
// the OIDC session handed in is dropped on the floor.
func (NullStorage) CreateOpenIDConnectSession(context.Context, string, fosite.Requester) error {
	return nil
}
// GetOpenIDConnectSession always fails with errNullStorageNotImplemented; no
// OIDC session is ever stored here, so none can be looked up.
func (NullStorage) GetOpenIDConnectSession(context.Context, string, fosite.Requester) (fosite.Requester, error) {
	return nil, errNullStorageNotImplemented
}
// DeleteOpenIDConnectSession always fails: NullStorage has no OIDC sessions to delete.
func (NullStorage) DeleteOpenIDConnectSession(context.Context, string) error {
	return errNullStorageNotImplemented
}
// GetPKCERequestSession always fails with errNullStorageNotImplemented because
// PKCE request sessions are never persisted by this storage.
func (NullStorage) GetPKCERequestSession(context.Context, string, fosite.Session) (fosite.Requester, error) {
	return nil, errNullStorageNotImplemented
}
// CreatePKCERequestSession reports success without persisting anything; the
// PKCE request session cannot be fetched back from this storage later.
func (NullStorage) CreatePKCERequestSession(context.Context, string, fosite.Requester) error {
	return nil
}
// DeletePKCERequestSession always fails: there is no stored PKCE request session to delete.
func (NullStorage) DeletePKCERequestSession(context.Context, string) error {
	return errNullStorageNotImplemented
}
// CreateAuthorizeCodeSession reports success without persisting anything, so
// the authorize endpoint can complete fosite's flow on this storage while the
// authorization code session itself is never recorded here.
func (NullStorage) CreateAuthorizeCodeSession(context.Context, string, fosite.Requester) error {
	return nil
}
// GetAuthorizeCodeSession always fails with errNullStorageNotImplemented; this
// storage never keeps authorization code sessions, so none can be redeemed from it.
func (NullStorage) GetAuthorizeCodeSession(context.Context, string, fosite.Session) (fosite.Requester, error) {
	return nil, errNullStorageNotImplemented
}
// InvalidateAuthorizeCodeSession always fails: NullStorage holds no authorization
// code session that could be marked as used.
func (NullStorage) InvalidateAuthorizeCodeSession(context.Context, string) error {
	return errNullStorageNotImplemented
}