fix: remove signing key creation (when not found)

Livio Amstutz 2020-10-19 15:26:34 +02:00
parent 4390119d1d
commit 06dcac4c2f
6 changed files with 14 additions and 77 deletions


@ -157,15 +157,12 @@ func (s *AuthStorage) CreateToken(_ context.Context, authReq op.TokenRequest) (s
func (s *AuthStorage) TerminateSession(_ context.Context, userID, clientID string) error { func (s *AuthStorage) TerminateSession(_ context.Context, userID, clientID string) error {
return nil return nil
} }
func (s *AuthStorage) GetSigningKey(_ context.Context, keyCh chan<- jose.SigningKey, _ chan<- error, _ <-chan time.Time) { func (s *AuthStorage) GetSigningKey(_ context.Context, keyCh chan<- jose.SigningKey) {
keyCh <- jose.SigningKey{Algorithm: jose.RS256, Key: s.key} keyCh <- jose.SigningKey{Algorithm: jose.RS256, Key: s.key}
} }
func (s *AuthStorage) GetKey(_ context.Context) (*rsa.PrivateKey, error) { func (s *AuthStorage) GetKey(_ context.Context) (*rsa.PrivateKey, error) {
return s.key, nil return s.key, nil
} }
func (s *AuthStorage) SaveNewKeyPair(ctx context.Context) error {
return nil
}
func (s *AuthStorage) GetKeySet(_ context.Context) (*jose.JSONWebKeySet, error) { func (s *AuthStorage) GetKeySet(_ context.Context) (*jose.JSONWebKeySet, error) {
pubkey := s.key.Public() pubkey := s.key.Public()
return &jose.JSONWebKeySet{ return &jose.JSONWebKeySet{
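Review bot: The new GetSigningKey discards its context and does a bare send on keyCh, so if the receiver created by NewSigner has already stopped (for example after ctx is cancelled) the goroutine that op.go starts with `go storage.GetSigningKey(ctx, keyCh)` blocks forever. Selecting on the context keeps the send cancellable: `select { case keyCh <- jose.SigningKey{Algorithm: jose.RS256, Key: s.key}: case <-ctx.Done(): }`, which also means naming the first parameter `ctx` instead of `_`. This is an example storage, but it is the pattern other implementations will copy, so it is worth showing the cancellable form here.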


@ -187,15 +187,15 @@ func (mr *MockStorageMockRecorder) GetPrivateClaimsFromScopes(arg0, arg1, arg2,
} }
// GetSigningKey mocks base method // GetSigningKey mocks base method
func (m *MockStorage) GetSigningKey(arg0 context.Context, arg1 chan<- jose.SigningKey, arg2 chan<- error, arg3 <-chan time.Time) { func (m *MockStorage) GetSigningKey(arg0 context.Context, arg1 chan<- jose.SigningKey) {
m.ctrl.T.Helper() m.ctrl.T.Helper()
m.ctrl.Call(m, "GetSigningKey", arg0, arg1, arg2, arg3) m.ctrl.Call(m, "GetSigningKey", arg0, arg1)
} }
// GetSigningKey indicates an expected call of GetSigningKey // GetSigningKey indicates an expected call of GetSigningKey
func (mr *MockStorageMockRecorder) GetSigningKey(arg0, arg1, arg2, arg3 interface{}) *gomock.Call { func (mr *MockStorageMockRecorder) GetSigningKey(arg0, arg1 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper() mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetSigningKey", reflect.TypeOf((*MockStorage)(nil).GetSigningKey), arg0, arg1, arg2, arg3) return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetSigningKey", reflect.TypeOf((*MockStorage)(nil).GetSigningKey), arg0, arg1)
} }
// GetUserinfoFromScopes mocks base method // GetUserinfoFromScopes mocks base method
@ -256,20 +256,6 @@ func (mr *MockStorageMockRecorder) SaveAuthCode(arg0, arg1, arg2 interface{}) *g
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SaveAuthCode", reflect.TypeOf((*MockStorage)(nil).SaveAuthCode), arg0, arg1, arg2) return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SaveAuthCode", reflect.TypeOf((*MockStorage)(nil).SaveAuthCode), arg0, arg1, arg2)
} }
// SaveNewKeyPair mocks base method
func (m *MockStorage) SaveNewKeyPair(arg0 context.Context) error {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "SaveNewKeyPair", arg0)
ret0, _ := ret[0].(error)
return ret0
}
// SaveNewKeyPair indicates an expected call of SaveNewKeyPair
func (mr *MockStorageMockRecorder) SaveNewKeyPair(arg0 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SaveNewKeyPair", reflect.TypeOf((*MockStorage)(nil).SaveNewKeyPair), arg0)
}
// TerminateSession mocks base method // TerminateSession mocks base method
func (m *MockStorage) TerminateSession(arg0 context.Context, arg1, arg2 string) error { func (m *MockStorage) TerminateSession(arg0 context.Context, arg1, arg2 string) error {
m.ctrl.T.Helper() m.ctrl.T.Helper()


@ -6,7 +6,6 @@ import (
"net/http" "net/http"
"time" "time"
"github.com/caos/logging"
"github.com/gorilla/handlers" "github.com/gorilla/handlers"
"github.com/gorilla/mux" "github.com/gorilla/mux"
"github.com/gorilla/schema" "github.com/gorilla/schema"
@ -132,7 +131,7 @@ func NewOpenIDProvider(ctx context.Context, config *Config, storage Storage, opO
keyCh := make(chan jose.SigningKey) keyCh := make(chan jose.SigningKey)
o.signer = NewSigner(ctx, storage, keyCh) o.signer = NewSigner(ctx, storage, keyCh)
go EnsureKey(ctx, storage, keyCh, o.timer, o.retry) go storage.GetSigningKey(ctx, keyCh)
o.httpHandler = CreateRouter(o, o.interceptors...) o.httpHandler = CreateRouter(o, o.interceptors...)
@ -282,36 +281,6 @@ func (o *openIDKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSig
return payload, err return payload, err
} }
func EnsureKey(ctx context.Context, storage Storage, keyCh chan<- jose.SigningKey, timer <-chan time.Time, retry func(int) (bool, int)) {
count := 0
timer = time.After(0)
errCh := make(chan error)
go storage.GetSigningKey(ctx, keyCh, errCh, timer)
for {
select {
case <-ctx.Done():
return
case err := <-errCh:
if err == nil {
continue
}
_, ok := err.(StorageNotFoundError)
if ok {
err := storage.SaveNewKeyPair(ctx)
if err == nil {
continue
}
}
ok, count = retry(count)
if ok {
timer = time.After(0)
continue
}
logging.Log("OP-n6ynVE").WithError(err).Panic("error in key signer")
}
}
}
type Option func(o *openidProvider) error type Option func(o *openidProvider) error
func WithCustomAuthEndpoint(endpoint Endpoint) Option { func WithCustomAuthEndpoint(endpoint Endpoint) Option {
@ -382,27 +351,6 @@ func WithHttpInterceptors(interceptors ...HttpInterceptor) Option {
} }
} }
func WithRetry(max int, sleep time.Duration) Option {
return func(o *openidProvider) error {
o.retry = func(count int) (bool, int) {
count++
if count == max {
return false, count
}
time.Sleep(sleep)
return true, count
}
return nil
}
}
func WithTimer(timer <-chan time.Time) Option {
return func(o *openidProvider) error {
o.timer = timer
return nil
}
}
func buildInterceptor(interceptors ...HttpInterceptor) func(http.HandlerFunc) http.Handler { func buildInterceptor(interceptors ...HttpInterceptor) func(http.HandlerFunc) http.Handler {
return func(handlerFunc http.HandlerFunc) http.Handler { return func(handlerFunc http.HandlerFunc) http.Handler {
handler := handlerFuncToHandler(handlerFunc) handler := handlerFuncToHandler(handlerFunc)
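Review bot: With EnsureKey removed, `go storage.GetSigningKey(ctx, keyCh)` in NewOpenIDProvider gives a storage implementation no way to report that no key could be loaded, and the provider is returned with a signer that may never receive a key; the only visible signal afterwards is the signer's Health check. The retry behaviour configured by the deleted WithRetry and WithTimer options is gone, but the `o.timer` and `o.retry` fields they assigned are outside this hunk — if they survive in openidProvider they are now dead state, please confirm. A doc comment on NewOpenIDProvider would make the new contract explicit, e.g. `// The signing key is delivered asynchronously by storage.GetSigningKey; until it arrives, token signing fails and the signer's Health reports "no signer".` NewOpenIDProvider's body starts and ends outside the hunk.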


@ -34,6 +34,9 @@ func (s *tokenSigner) Health(_ context.Context) error {
if s.signer == nil { if s.signer == nil {
return errors.New("no signer") return errors.New("no signer")
} }
if string(s.alg) == "" {
return errors.New("no signing algorithm")
}
return nil return nil
} }
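Review bot: `string(s.alg) == ""` in Health converts before comparing; if s.alg is jose.SignatureAlgorithm (a string-based type, which the jose usage elsewhere in this commit suggests) the conversion is redundant and `if s.alg == "" {` reads more directly. The wording also diverges from the parallel guard this commit adds to SignPayload ("missing signer" there, "no signer" / "no signing algorithm" here); aligning them helps when the messages surface in logs or health output. Health presumably runs while the goroutine that receives from keyCh assigns s.signer and s.alg — if those writes are unsynchronised this read is a data race under -race, though the struct and the receiver loop are outside the hunk so I cannot confirm.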


@ -20,9 +20,8 @@ type AuthStorage interface {
TerminateSession(context.Context, string, string) error TerminateSession(context.Context, string, string) error
GetSigningKey(context.Context, chan<- jose.SigningKey, chan<- error, <-chan time.Time) GetSigningKey(context.Context, chan<- jose.SigningKey)
GetKeySet(context.Context) (*jose.JSONWebKeySet, error) GetKeySet(context.Context) (*jose.JSONWebKeySet, error)
SaveNewKeyPair(context.Context) error
} }
type OPStorage interface { type OPStorage interface {
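Review bot: The narrowed GetSigningKey signature is undocumented, and now that the error channel is gone the interface is the only place to state what an implementation must do: NewOpenIDProvider starts it once with `go storage.GetSigningKey(ctx, keyCh)` on an unbuffered channel, so an implementation must deliver at least one key and should stop sending once ctx is done. Without that contract a storage that cannot find a key simply never sends, and the provider runs without a signer with nothing logged. A comment above the method such as `// GetSigningKey is started once in its own goroutine and must send the current signing key on the channel; it should return when the context is done.` would capture this. Removing SaveNewKeyPair also makes key creation entirely the implementer's responsibility, which the same comment can say.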


@ -2,6 +2,7 @@ package utils
import ( import (
"encoding/json" "encoding/json"
"errors"
"gopkg.in/square/go-jose.v2" "gopkg.in/square/go-jose.v2"
) )
@ -15,6 +16,9 @@ func Sign(object interface{}, signer jose.Signer) (string, error) {
} }
func SignPayload(payload []byte, signer jose.Signer) (string, error) { func SignPayload(payload []byte, signer jose.Signer) (string, error) {
if signer == nil {
return "", errors.New("missing signer")
}
result, err := signer.Sign(payload) result, err := signer.Sign(payload)
if err != nil { if err != nil {
return "", err return "", err
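Review bot: The nil guard in SignPayload creates a fresh error value on each call, so callers cannot tell a missing signer from a signing failure without matching the message string. Exporting a sentinel, `var ErrMissingSigner = errors.New("missing signer")` and `return "", ErrMissingSigner`, lets the provider's error handling use errors.Is. Only an untyped nil interface is caught here; a typed nil stored in the jose.Signer interface passes the check, which is the usual Go caveat rather than a defect in this change. SignPayload's body continues past the hunk.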