fix: avoid potential race conditions (#220)
* fix potential race condition during signer update * avoid potential race conditions with lazy-initializers in OpenIDProvider * avoid potential race lazy initializers in RelyingParty * review feedback -- additional potential races * add pre-calls to NewRelyingPartyOIDC too
This commit is contained in:
David Sharnoff
GitHub
parent
749c30491b
commit
c4b7ef9160
3 changed files with 20 additions and 0 deletions
|
|
@ -154,6 +154,10 @@ func NewRelyingPartyOAuth(config *oauth2.Config, options ...Option) (RelyingPart
|
|||
}
|
||||
}
|
||||
|
||||
// avoid races by calling these early
|
||||
_ = rp.IDTokenVerifier() // sets idTokenVerifier
|
||||
_ = rp.ErrorHandler() // sets errorHandler
|
||||
|
||||
return rp, nil
|
||||
}
|
||||
|
||||
|
|
@ -186,6 +190,10 @@ func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, sco
|
|||
rp.oauthConfig.Endpoint = endpoints.Endpoint
|
||||
rp.endpoints = endpoints
|
||||
|
||||
// avoid races by calling these early
|
||||
_ = rp.IDTokenVerifier() // sets idTokenVerifier
|
||||
_ = rp.ErrorHandler() // sets errorHandler
|
||||
|
||||
return rp, nil
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -167,6 +167,12 @@ func NewOpenIDProvider(ctx context.Context, config *Config, storage Storage, opO
|
|||
|
||||
o.crypto = NewAESCrypto(config.CryptoKey)
|
||||
|
||||
// Avoid potential race conditions by calling these early
|
||||
_ = o.AccessTokenVerifier() // sets accessTokenVerifier
|
||||
_ = o.IDTokenHintVerifier() // sets idTokenHintVerifier
|
||||
_ = o.JWTProfileVerifier() // sets jwtProfileVerifier
|
||||
_ = o.openIDKeySet() // sets keySet
|
||||
|
||||
return o, nil
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ package op
|
|||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"sync"
|
||||
|
||||
"github.com/zitadel/logging"
|
||||
"gopkg.in/square/go-jose.v2"
|
||||
|
|
@ -18,6 +19,7 @@ type tokenSigner struct {
|
|||
signer jose.Signer
|
||||
storage AuthStorage
|
||||
alg jose.SignatureAlgorithm
|
||||
lock sync.RWMutex
|
||||
}
|
||||
|
||||
func NewSigner(ctx context.Context, storage AuthStorage, keyCh <-chan jose.SigningKey) Signer {
|
||||
|
|
@ -47,6 +49,8 @@ func (s *tokenSigner) Health(_ context.Context) error {
|
|||
}
|
||||
|
||||
func (s *tokenSigner) Signer() jose.Signer {
|
||||
s.lock.RLock()
|
||||
defer s.lock.RUnlock()
|
||||
return s.signer
|
||||
}
|
||||
|
||||
|
|
@ -62,6 +66,8 @@ func (s *tokenSigner) refreshSigningKey(ctx context.Context, keyCh <-chan jose.S
|
|||
}
|
||||
|
||||
func (s *tokenSigner) exchangeSigningKey(key jose.SigningKey) {
|
||||
s.lock.Lock()
|
||||
defer s.lock.Unlock()
|
||||
s.alg = key.Algorithm
|
||||
if key.Algorithm == "" || key.Key == nil {
|
||||
s.signer = nil
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue