fix: avoid potential race conditions (#220)
* fix potential race condition during signer update * avoid potential race conditions with lazy-initializers in OpenIDProvider * avoid potential race lazy initializers in RelyingParty * review feedback -- additional potential races * add pre-calls to NewRelyingPartyOIDC too
This commit is contained in:
parent
749c30491b
commit
c4b7ef9160
3 changed files with 20 additions and 0 deletions
@ -154,6 +154,10 @@ func NewRelyingPartyOAuth(config *oauth2.Config, options ...Option) (RelyingPart
}
}
}
}
// avoid races by calling these early
_ = rp.IDTokenVerifier() // sets idTokenVerifier
_ = rp.ErrorHandler() // sets errorHandler
return rp, nil
return rp, nil
}
}
@ -186,6 +190,10 @@ func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, sco
rp.oauthConfig.Endpoint = endpoints.Endpoint
rp.oauthConfig.Endpoint = endpoints.Endpoint
rp.endpoints = endpoints
rp.endpoints = endpoints
// avoid races by calling these early
_ = rp.IDTokenVerifier() // sets idTokenVerifier
_ = rp.ErrorHandler() // sets errorHandler
return rp, nil
return rp, nil
}
}
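Review bot: The eager `_ = rp.IDTokenVerifier()` and `_ = rp.ErrorHandler()` calls only close the race for values built through these two constructors; as far as this hunk shows, the lazy-init fallback inside the getters themselves stays unsynchronized, so a RelyingParty constructed elsewhere (tests, a future Option that resets either field to nil) would reintroduce it. Guarding the lazy path itself with a `sync.Once` per field, or with the same RWMutex pattern this commit adds to tokenSigner, would make the getters safe regardless of how the value was built and turn these pre-calls into an optimization rather than a correctness requirement. At minimum the invariant should be recorded next to the calls, e.g. `// The getters lazily initialize without locking; keep these calls before rp is shared with other goroutines.` The same applies to the four pre-calls added in NewOpenIDProvider. Both NewRelyingPartyOAuth and NewRelyingPartyOIDC begin outside the hunks.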
@ -167,6 +167,12 @@ func NewOpenIDProvider(ctx context.Context, config *Config, storage Storage, opO
o.crypto = NewAESCrypto(config.CryptoKey)
o.crypto = NewAESCrypto(config.CryptoKey)
// Avoid potential race conditions by calling these early
_ = o.AccessTokenVerifier() // sets accessTokenVerifier
_ = o.IDTokenHintVerifier() // sets idTokenHintVerifier
_ = o.JWTProfileVerifier() // sets jwtProfileVerifier
_ = o.openIDKeySet() // sets keySet
return o, nil
return o, nil
}
}
@ -3,6 +3,7 @@ package op
import (
import (
"context"
"context"
"errors"
"errors"
"sync"
"github.com/zitadel/logging"
"github.com/zitadel/logging"
"gopkg.in/square/go-jose.v2"
"gopkg.in/square/go-jose.v2"
@ -18,6 +19,7 @@ type tokenSigner struct {
signer jose.Signer
signer jose.Signer
storage AuthStorage
storage AuthStorage
alg jose.SignatureAlgorithm
alg jose.SignatureAlgorithm
lock sync.RWMutex
}
}
func NewSigner(ctx context.Context, storage AuthStorage, keyCh <-chan jose.SigningKey) Signer {
func NewSigner(ctx context.Context, storage AuthStorage, keyCh <-chan jose.SigningKey) Signer {
@ -47,6 +49,8 @@ func (s *tokenSigner) Health(_ context.Context) error {
}
}
func (s *tokenSigner) Signer() jose.Signer {
func (s *tokenSigner) Signer() jose.Signer {
s.lock.RLock()
defer s.lock.RUnlock()
return s.signer
return s.signer
}
}
@ -62,6 +66,8 @@ func (s *tokenSigner) refreshSigningKey(ctx context.Context, keyCh <-chan jose.S
}
}
func (s *tokenSigner) exchangeSigningKey(key jose.SigningKey) {
func (s *tokenSigner) exchangeSigningKey(key jose.SigningKey) {
s.lock.Lock()
defer s.lock.Unlock()
s.alg = key.Algorithm
s.alg = key.Algorithm
if key.Algorithm == "" || key.Key == nil {
if key.Algorithm == "" || key.Key == nil {
s.signer = nil
s.signer = nil