Merge pull request #66 from caos/signingkey
fix: remove signing key creation (when key not found)
53803642d6
7 changed files with 18 additions and 96 deletions
|
@ -157,15 +157,12 @@ func (s *AuthStorage) CreateToken(_ context.Context, authReq op.TokenRequest) (s
|
|||
func (s *AuthStorage) TerminateSession(_ context.Context, userID, clientID string) error {
|
||||
return nil
|
||||
}
|
||||
func (s *AuthStorage) GetSigningKey(_ context.Context, keyCh chan<- jose.SigningKey, _ chan<- error, _ <-chan time.Time) {
|
||||
func (s *AuthStorage) GetSigningKey(_ context.Context, keyCh chan<- jose.SigningKey) {
|
||||
keyCh <- jose.SigningKey{Algorithm: jose.RS256, Key: s.key}
|
||||
}
|
||||
func (s *AuthStorage) GetKey(_ context.Context) (*rsa.PrivateKey, error) {
|
||||
return s.key, nil
|
||||
}
|
||||
func (s *AuthStorage) SaveNewKeyPair(ctx context.Context) error {
|
||||
return nil
|
||||
}
|
||||
func (s *AuthStorage) GetKeySet(_ context.Context) (*jose.JSONWebKeySet, error) {
|
||||
pubkey := s.key.Public()
|
||||
return &jose.JSONWebKeySet{
|
||||
|
|
|
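Review bot: The new two-parameter `GetSigningKey` performs a bare `keyCh <- jose.SigningKey{Algorithm: jose.RS256, Key: s.key}` on a channel that op.go creates unbuffered with `make(chan jose.SigningKey)`, and it discards its context as `_`, so the goroutine started by `go storage.GetSigningKey(ctx, keyCh)` blocks forever if the receiving side has already stopped. Wrapping the send as `select { case keyCh <- jose.SigningKey{Algorithm: jose.RS256, Key: s.key}: case <-ctx.Done(): }` and naming the first parameter `ctx` fixes that without changing the interface. This file looks like the reference storage that implementers copy, so getting the cancellation pattern right here matters more than it would in an internal type.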
@ -187,15 +187,15 @@ func (mr *MockStorageMockRecorder) GetPrivateClaimsFromScopes(arg0, arg1, arg2,
|
|||
}
|
||||
|
||||
// GetSigningKey mocks base method
|
||||
func (m *MockStorage) GetSigningKey(arg0 context.Context, arg1 chan<- jose.SigningKey, arg2 chan<- error, arg3 <-chan time.Time) {
|
||||
func (m *MockStorage) GetSigningKey(arg0 context.Context, arg1 chan<- jose.SigningKey) {
|
||||
m.ctrl.T.Helper()
|
||||
m.ctrl.Call(m, "GetSigningKey", arg0, arg1, arg2, arg3)
|
||||
m.ctrl.Call(m, "GetSigningKey", arg0, arg1)
|
||||
}
|
||||
|
||||
// GetSigningKey indicates an expected call of GetSigningKey
|
||||
func (mr *MockStorageMockRecorder) GetSigningKey(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
|
||||
func (mr *MockStorageMockRecorder) GetSigningKey(arg0, arg1 interface{}) *gomock.Call {
|
||||
mr.mock.ctrl.T.Helper()
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetSigningKey", reflect.TypeOf((*MockStorage)(nil).GetSigningKey), arg0, arg1, arg2, arg3)
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetSigningKey", reflect.TypeOf((*MockStorage)(nil).GetSigningKey), arg0, arg1)
|
||||
}
|
||||
|
||||
// Health mocks base method
|
||||
|
@ -226,20 +226,6 @@ func (mr *MockStorageMockRecorder) SaveAuthCode(arg0, arg1, arg2 interface{}) *g
|
|||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SaveAuthCode", reflect.TypeOf((*MockStorage)(nil).SaveAuthCode), arg0, arg1, arg2)
|
||||
}
|
||||
|
||||
// SaveNewKeyPair mocks base method
|
||||
func (m *MockStorage) SaveNewKeyPair(arg0 context.Context) error {
|
||||
m.ctrl.T.Helper()
|
||||
ret := m.ctrl.Call(m, "SaveNewKeyPair", arg0)
|
||||
ret0, _ := ret[0].(error)
|
||||
return ret0
|
||||
}
|
||||
|
||||
// SaveNewKeyPair indicates an expected call of SaveNewKeyPair
|
||||
func (mr *MockStorageMockRecorder) SaveNewKeyPair(arg0 interface{}) *gomock.Call {
|
||||
mr.mock.ctrl.T.Helper()
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SaveNewKeyPair", reflect.TypeOf((*MockStorage)(nil).SaveNewKeyPair), arg0)
|
||||
}
|
||||
|
||||
// SetIntrospectionFromToken mocks base method
|
||||
func (m *MockStorage) SetIntrospectionFromToken(arg0 context.Context, arg1 oidc.IntrospectionResponse, arg2, arg3, arg4 string) error {
|
||||
m.ctrl.T.Helper()
|
||||
|
|
|
@ -38,12 +38,6 @@ func NewMockStorageAny(t *testing.T) op.Storage {
|
|||
return m
|
||||
}
|
||||
|
||||
func NewMockStorageSigningKeyError(t *testing.T) op.Storage {
|
||||
m := NewStorage(t)
|
||||
ExpectSigningKeyError(m)
|
||||
return m
|
||||
}
|
||||
|
||||
func NewMockStorageSigningKeyInvalid(t *testing.T) op.Storage {
|
||||
m := NewStorage(t)
|
||||
ExpectSigningKeyInvalid(m)
|
||||
|
@ -89,19 +83,10 @@ func ExpectValidClientID(s op.Storage) {
|
|||
})
|
||||
}
|
||||
|
||||
func ExpectSigningKeyError(s op.Storage) {
|
||||
mockS := s.(*MockStorage)
|
||||
mockS.EXPECT().GetSigningKey(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(
|
||||
func(_ context.Context, keyCh chan<- jose.SigningKey, errCh chan<- error, _ <-chan bool) {
|
||||
errCh <- errors.New("error")
|
||||
},
|
||||
)
|
||||
}
|
||||
|
||||
func ExpectSigningKeyInvalid(s op.Storage) {
|
||||
mockS := s.(*MockStorage)
|
||||
mockS.EXPECT().GetSigningKey(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(
|
||||
func(_ context.Context, keyCh chan<- jose.SigningKey, errCh chan<- error, _ <-chan bool) {
|
||||
mockS.EXPECT().GetSigningKey(gomock.Any(), gomock.Any()).DoAndReturn(
|
||||
func(_ context.Context, keyCh chan<- jose.SigningKey) {
|
||||
keyCh <- jose.SigningKey{}
|
||||
},
|
||||
)
|
||||
|
@ -109,8 +94,8 @@ func ExpectSigningKeyInvalid(s op.Storage) {
|
|||
|
||||
func ExpectSigningKey(s op.Storage) {
|
||||
mockS := s.(*MockStorage)
|
||||
mockS.EXPECT().GetSigningKey(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(
|
||||
func(_ context.Context, keyCh chan<- jose.SigningKey, errCh chan<- error, _ <-chan bool) {
|
||||
mockS.EXPECT().GetSigningKey(gomock.Any(), gomock.Any()).DoAndReturn(
|
||||
func(_ context.Context, keyCh chan<- jose.SigningKey) {
|
||||
keyCh <- jose.SigningKey{Algorithm: jose.HS256, Key: []byte("key")}
|
||||
},
|
||||
)
|
||||
|
|
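Review bot: Dropping `ExpectSigningKeyError` and `NewMockStorageSigningKeyError` leaves no test double for a storage that cannot deliver a key, which is exactly the case the PR title is about. Under the new signature that scenario is a `DoAndReturn` whose func returns without sending, e.g. `func(_ context.Context, _ chan<- jose.SigningKey) {}`; a helper built like `ExpectSigningKeyInvalid` with that body would let a test cover the path where the provider starts but `Health` reports no signer. Callers of the removed helpers presumably live in a test file not shown in this diff and should be checked as well.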
54
pkg/op/op.go
54
pkg/op/op.go
|
@ -6,7 +6,6 @@ import (
|
|||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/caos/logging"
|
||||
"github.com/gorilla/handlers"
|
||||
"github.com/gorilla/mux"
|
||||
"github.com/gorilla/schema"
|
||||
|
@ -118,7 +117,7 @@ func NewOpenIDProvider(ctx context.Context, config *Config, storage Storage, opO
|
|||
|
||||
keyCh := make(chan jose.SigningKey)
|
||||
o.signer = NewSigner(ctx, storage, keyCh)
|
||||
go EnsureKey(ctx, storage, keyCh, o.timer, o.retry)
|
||||
go storage.GetSigningKey(ctx, keyCh)
|
||||
|
||||
o.httpHandler = CreateRouter(o, o.interceptors...)
|
||||
|
||||
|
@ -284,36 +283,6 @@ func (o *openIDKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSig
|
|||
return payload, err
|
||||
}
|
||||
|
||||
func EnsureKey(ctx context.Context, storage Storage, keyCh chan<- jose.SigningKey, timer <-chan time.Time, retry func(int) (bool, int)) {
|
||||
count := 0
|
||||
timer = time.After(0)
|
||||
errCh := make(chan error)
|
||||
go storage.GetSigningKey(ctx, keyCh, errCh, timer)
|
||||
for {
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
return
|
||||
case err := <-errCh:
|
||||
if err == nil {
|
||||
continue
|
||||
}
|
||||
_, ok := err.(StorageNotFoundError)
|
||||
if ok {
|
||||
err := storage.SaveNewKeyPair(ctx)
|
||||
if err == nil {
|
||||
continue
|
||||
}
|
||||
}
|
||||
ok, count = retry(count)
|
||||
if ok {
|
||||
timer = time.After(0)
|
||||
continue
|
||||
}
|
||||
logging.Log("OP-n6ynVE").WithError(err).Panic("error in key signer")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
type Option func(o *openidProvider) error
|
||||
|
||||
func WithCustomAuthEndpoint(endpoint Endpoint) Option {
|
||||
|
@ -394,27 +363,6 @@ func WithHttpInterceptors(interceptors ...HttpInterceptor) Option {
|
|||
}
|
||||
}
|
||||
|
||||
func WithRetry(max int, sleep time.Duration) Option {
|
||||
return func(o *openidProvider) error {
|
||||
o.retry = func(count int) (bool, int) {
|
||||
count++
|
||||
if count == max {
|
||||
return false, count
|
||||
}
|
||||
time.Sleep(sleep)
|
||||
return true, count
|
||||
}
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithTimer(timer <-chan time.Time) Option {
|
||||
return func(o *openidProvider) error {
|
||||
o.timer = timer
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func buildInterceptor(interceptors ...HttpInterceptor) func(http.HandlerFunc) http.Handler {
|
||||
return func(handlerFunc http.HandlerFunc) http.Handler {
|
||||
handler := handlerFuncToHandler(handlerFunc)
|
||||
|
|
|
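Review bot: Replacing `go EnsureKey(ctx, storage, keyCh, o.timer, o.retry)` with `go storage.GetSigningKey(ctx, keyCh)` removes the only place a key-load failure was ever surfaced: the old loop retried and finally called `logging.Log("OP-n6ynVE").WithError(err).Panic(...)`, whereas an implementation that now returns without sending simply leaves the signer empty while the provider goes on to build its router and serve. The remaining signal appears to be `tokenSigner.Health`, which only helps if something polls it. A doc comment on `NewOpenIDProvider` such as `// The signing key is delivered asynchronously by storage.GetSigningKey; the provider may serve before a key arrives, so check Health before treating it as ready.` would make that contract explicit. `WithRetry` and `WithTimer` are deleted but the `o.retry` and `o.timer` fields they set may still be declared on `openidProvider` outside this diff; if so they are now dead. The body of `NewOpenIDProvider` starts and ends outside the hunk.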
@ -34,6 +34,9 @@ func (s *tokenSigner) Health(_ context.Context) error {
|
|||
if s.signer == nil {
|
||||
return errors.New("no signer")
|
||||
}
|
||||
if string(s.alg) == "" {
|
||||
return errors.New("no signing algorithm")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
|
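Review bot: The added guard `if string(s.alg) == ""` converts to `string` before comparing; if `s.alg` is a `jose.SignatureAlgorithm` (a string-kinded type, though its declaration is outside this hunk) the plain `s.alg == ""` reads cleaner and is what `staticcheck` would suggest. Since the op.go hunk now delivers the key asynchronously, these two checks are what keep the provider from reporting healthy before a key has arrived, and that intent deserves a line above the first guard, e.g. `// signer and alg are set once a key arrives on keyCh; until then the provider is not ready`. The method's signature sits outside the hunk.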
@ -20,9 +20,8 @@ type AuthStorage interface {
|
|||
|
||||
TerminateSession(context.Context, string, string) error
|
||||
|
||||
GetSigningKey(context.Context, chan<- jose.SigningKey, chan<- error, <-chan time.Time)
|
||||
GetSigningKey(context.Context, chan<- jose.SigningKey)
|
||||
GetKeySet(context.Context) (*jose.JSONWebKeySet, error)
|
||||
SaveNewKeyPair(context.Context) error
|
||||
}
|
||||
|
||||
type OPStorage interface {
|
||||
|
|
|
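Review bot: The new `GetSigningKey(context.Context, chan<- jose.SigningKey)` carries no doc comment, and its contract changed materially: the error channel and timer are gone, so an implementation has no way to report a missing or unreadable key, and op.go now calls it in its own goroutine. This interface is the only place that contract can live, so something like `// GetSigningKey sends the current signing key on the channel and returns; the send must honour ctx cancellation. If no key is sent the provider starts without a signer.` should accompany the method. The interface declaration begins outside the hunk.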
@ -2,6 +2,7 @@ package utils
|
|||
|
||||
import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
|
||||
"gopkg.in/square/go-jose.v2"
|
||||
)
|
||||
|
@ -15,6 +16,9 @@ func Sign(object interface{}, signer jose.Signer) (string, error) {
|
|||
}
|
||||
|
||||
func SignPayload(payload []byte, signer jose.Signer) (string, error) {
|
||||
if signer == nil {
|
||||
return "", errors.New("missing signer")
|
||||
}
|
||||
result, err := signer.Sign(payload)
|
||||
if err != nil {
|
||||
return "", err
|
||||
|
|
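Review bot: The `signer == nil` guard in `SignPayload` creates a fresh `errors.New("missing signer")` on every call, so callers cannot distinguish "no key yet" from a real signing failure with `errors.Is`; the same condition is reported as `"no signer"` in `tokenSigner.Health`, which is a second wording for one state. A package-level `var ErrMissingSigner = errors.New("missing signer")` returned here, `return "", ErrMissingSigner`, would let the HTTP layer map that case deliberately (the async key delivery in op.go makes it reachable at startup). `SignPayload` continues past the end of the hunk.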