34509e7430
- Enhance the token exchange to check that the same client is used compared to the client used during the original authorization and token requests, and also check that the client has the token-exchange grant type allowed in its configuration. - Reduce the minimum required bcrypt cost for OIDCClient secrets because 15 is too slow for real-life use, especially considering that every login and every refresh flow will require two client auths. - In unit tests, use bcrypt hashes with a cost of 4, because bcrypt slows down by 13x when run with the race detector, and we run our tests with the race detector enabled, causing the tests to be unacceptably slow. The production code uses a higher minimum cost. - Centralize all pre-computed bcrypt hashes used by unit tests to a single place. Also extract some other useful test helpers for unit tests related to OIDCClients. - Add tons of unit tests for the token endpoint related to dynamic clients for authcode exchanges, token exchanges, and refreshes.
110 lines
3.6 KiB
Go
110 lines
3.6 KiB
Go
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package oidc
|
|
|
|
import (
|
|
"context"
|
|
"time"
|
|
|
|
"github.com/ory/fosite"
|
|
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
|
|
|
|
"go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
|
|
"go.pinniped.dev/internal/constable"
|
|
"go.pinniped.dev/internal/fositestoragei"
|
|
"go.pinniped.dev/internal/oidc/clientregistry"
|
|
"go.pinniped.dev/internal/oidcclientsecretstorage"
|
|
)
|
|
|
|
const errNullStorageNotImplemented = constable.Error("NullStorage does not implement this method. It should not have been called.")
|
|
|
|
type NullStorage struct {
|
|
// The authorization endpoint uses NullStorage to avoid saving any data, but it still needs to perform client lookups.
|
|
*clientregistry.ClientManager
|
|
}
|
|
|
|
var _ fositestoragei.AllFositeStorage = &NullStorage{}
|
|
|
|
func NewNullStorage(
|
|
secrets corev1client.SecretInterface,
|
|
oidcClientsClient v1alpha1.OIDCClientInterface,
|
|
minBcryptCost int,
|
|
) *NullStorage {
|
|
return &NullStorage{
|
|
ClientManager: clientregistry.NewClientManager(oidcClientsClient, oidcclientsecretstorage.New(secrets, time.Now), minBcryptCost),
|
|
}
|
|
}
|
|
|
|
func (NullStorage) RevokeRefreshToken(_ context.Context, _ string) error {
|
|
return errNullStorageNotImplemented
|
|
}
|
|
|
|
func (NullStorage) RevokeRefreshTokenMaybeGracePeriod(_ context.Context, _ string, _ string) error {
|
|
return errNullStorageNotImplemented
|
|
}
|
|
|
|
func (NullStorage) RevokeAccessToken(_ context.Context, _ string) error {
|
|
return errNullStorageNotImplemented
|
|
}
|
|
|
|
func (NullStorage) CreateRefreshTokenSession(_ context.Context, _ string, _ fosite.Requester) (err error) {
|
|
return nil
|
|
}
|
|
|
|
func (NullStorage) GetRefreshTokenSession(_ context.Context, _ string, _ fosite.Session) (request fosite.Requester, err error) {
|
|
return nil, errNullStorageNotImplemented
|
|
}
|
|
|
|
func (NullStorage) DeleteRefreshTokenSession(_ context.Context, _ string) (err error) {
|
|
return errNullStorageNotImplemented
|
|
}
|
|
|
|
func (NullStorage) CreateAccessTokenSession(_ context.Context, _ string, _ fosite.Requester) (err error) {
|
|
return nil
|
|
}
|
|
|
|
func (NullStorage) GetAccessTokenSession(_ context.Context, _ string, _ fosite.Session) (request fosite.Requester, err error) {
|
|
return nil, errNullStorageNotImplemented
|
|
}
|
|
|
|
func (NullStorage) DeleteAccessTokenSession(_ context.Context, _ string) (err error) {
|
|
return errNullStorageNotImplemented
|
|
}
|
|
|
|
func (NullStorage) CreateOpenIDConnectSession(_ context.Context, _ string, _ fosite.Requester) error {
|
|
return nil
|
|
}
|
|
|
|
func (NullStorage) GetOpenIDConnectSession(_ context.Context, _ string, _ fosite.Requester) (fosite.Requester, error) {
|
|
return nil, errNullStorageNotImplemented
|
|
}
|
|
|
|
func (NullStorage) DeleteOpenIDConnectSession(_ context.Context, _ string) error {
|
|
return errNullStorageNotImplemented
|
|
}
|
|
|
|
func (NullStorage) GetPKCERequestSession(_ context.Context, _ string, _ fosite.Session) (fosite.Requester, error) {
|
|
return nil, errNullStorageNotImplemented
|
|
}
|
|
|
|
func (NullStorage) CreatePKCERequestSession(_ context.Context, _ string, _ fosite.Requester) error {
|
|
return nil
|
|
}
|
|
|
|
func (NullStorage) DeletePKCERequestSession(_ context.Context, _ string) error {
|
|
return errNullStorageNotImplemented
|
|
}
|
|
|
|
func (NullStorage) CreateAuthorizeCodeSession(_ context.Context, _ string, _ fosite.Requester) (err error) {
|
|
return nil
|
|
}
|
|
|
|
func (NullStorage) GetAuthorizeCodeSession(_ context.Context, _ string, _ fosite.Session) (request fosite.Requester, err error) {
|
|
return nil, errNullStorageNotImplemented
|
|
}
|
|
|
|
func (NullStorage) InvalidateAuthorizeCodeSession(_ context.Context, _ string) (err error) {
|
|
return errNullStorageNotImplemented
|
|
}
|