Merge branch 'main' into dependabot/go_modules/github.com/caos/logging-0.3.1
# Conflicts: # pkg/op/signer.go
commit
c8d9da150e
6 changed files with 60 additions and 25 deletions
2
.github/workflows/codeql-analysis.yml
vendored
2
.github/workflows/codeql-analysis.yml
vendored
|
@ -16,7 +16,7 @@ jobs:
|
|||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v3
|
||||
with:
|
||||
# We must fetch at least the immediate parents so that if this is
|
||||
# a pull request then we can checkout the head.
|
||||
|
|
4
.github/workflows/release.yml
vendored
4
.github/workflows/release.yml
vendored
|
@ -18,7 +18,7 @@ jobs:
|
|||
go: ['1.14', '1.15', '1.16', '1.17']
|
||||
name: Go ${{ matrix.go }} test
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions/checkout@v3
|
||||
- name: Setup go
|
||||
uses: actions/setup-go@v2
|
||||
with:
|
||||
|
@ -36,7 +36,7 @@ jobs:
|
|||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
steps:
|
||||
- name: Source checkout
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v3
|
||||
- name: Semantic Release
|
||||
uses: cycjimmy/semantic-release-action@v2
|
||||
with:
|
||||
|
|
|
@ -26,8 +26,13 @@ var (
|
|||
)
|
||||
|
||||
//Discover calls the discovery endpoint of the provided issuer and returns its configuration
|
||||
func Discover(issuer string, httpClient *http.Client) (*oidc.DiscoveryConfiguration, error) {
|
||||
//It accepts an optional argument "wellknownUrl" which can be used to overide the dicovery endpoint url
|
||||
func Discover(issuer string, httpClient *http.Client, wellKnownUrl ...string) (*oidc.DiscoveryConfiguration, error) {
|
||||
|
||||
wellKnown := strings.TrimSuffix(issuer, "/") + oidc.DiscoveryEndpoint
|
||||
if len(wellKnownUrl) == 1 && wellKnownUrl[0] != "" {
|
||||
wellKnown = wellKnownUrl[0]
|
||||
}
|
||||
req, err := http.NewRequest("GET", wellKnown, nil)
|
||||
if err != nil {
|
||||
return nil, err
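Review bot: The override in `Discover` is used verbatim as the request URL, so the configuration document can now come from a host unrelated to `issuer`, and nothing in this hunk checks its scheme or ties the response back to the issuer. The rest of the function is outside the hunk, so confirm that the decoded document's `issuer` is compared with the `issuer` argument before its endpoints and key-set location are trusted, and state that in the doc comment. The condition `len(wellKnownUrl) == 1` also silently ignores the override when a caller passes more than one value; `len(wellKnownUrl) > 0 && wellKnownUrl[0] != ""` or an explicit error would be less surprising. The added comment line has typos (`overide`, `dicovery`), and Go initialism style would name the parameter `wellKnownURL`.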
|
||||
|
|
|
@ -69,11 +69,12 @@ var (
|
|||
)
|
||||
|
||||
type relyingParty struct {
|
||||
issuer string
|
||||
endpoints Endpoints
|
||||
oauthConfig *oauth2.Config
|
||||
oauth2Only bool
|
||||
pkce bool
|
||||
issuer string
|
||||
DiscoveryEndpoint string
|
||||
endpoints Endpoints
|
||||
oauthConfig *oauth2.Config
|
||||
oauth2Only bool
|
||||
pkce bool
|
||||
|
||||
httpClient *http.Client
|
||||
cookieHandler *httphelper.CookieHandler
|
||||
|
@ -170,7 +171,7 @@ func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, sco
|
|||
return nil, err
|
||||
}
|
||||
}
|
||||
discoveryConfiguration, err := client.Discover(rp.issuer, rp.httpClient)
|
||||
discoveryConfiguration, err := client.Discover(rp.issuer, rp.httpClient, rp.DiscoveryEndpoint)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -184,6 +185,13 @@ func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, sco
|
|||
//Option is the type for providing dynamic options to the relyingParty
|
||||
type Option func(*relyingParty) error
|
||||
|
||||
func WithCustomDiscoveryUrl(url string) Option {
|
||||
return func(rp *relyingParty) error {
|
||||
rp.DiscoveryEndpoint = url
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
//WithCookieHandler set a `CookieHandler` for securing the various redirects
|
||||
func WithCookieHandler(cookieHandler *httphelper.CookieHandler) Option {
|
||||
return func(rp *relyingParty) error {
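Review bot: `WithCustomDiscoveryUrl` is exported but has no doc comment, unlike `Option` and `WithCookieHandler` next to it, and it stores whatever string it is given without any check. I would add `//WithCustomDiscoveryUrl sets the URL the discovery document is fetched from instead of deriving it from the issuer` and have the option return an error for a value that does not parse as a URL, since `Option` already returns `error`. In the struct hunk, `DiscoveryEndpoint` is the only exported field of the unexported `relyingParty`; a lower-case name such as `discoveryEndpoint` would match its siblings, with the call in `NewRelyingPartyOIDC` renamed accordingly. The body of `WithCookieHandler` continues outside the last hunk.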
|
||||
|
|
16
pkg/op/op.go
16
pkg/op/op.go
|
@ -19,6 +19,7 @@ import (
|
|||
const (
|
||||
healthEndpoint = "/healthz"
|
||||
readinessEndpoint = "/ready"
|
||||
authCallbackPathSuffix = "/callback"
|
||||
defaultAuthorizationEndpoint = "authorize"
|
||||
defaultTokenEndpoint = "oauth/token"
|
||||
defaultIntrospectEndpoint = "oauth/introspect"
|
||||
|
@ -72,7 +73,7 @@ func CreateRouter(o OpenIDProvider, interceptors ...HttpInterceptor) *mux.Router
|
|||
router.HandleFunc(readinessEndpoint, readyHandler(o.Probes()))
|
||||
router.HandleFunc(oidc.DiscoveryEndpoint, discoveryHandler(o, o.Signer()))
|
||||
router.Handle(o.AuthorizationEndpoint().Relative(), intercept(authorizeHandler(o)))
|
||||
router.NewRoute().Path(o.AuthorizationEndpoint().Relative()+"/callback").Queries("id", "{id}").Handler(intercept(authorizeCallbackHandler(o)))
|
||||
router.NewRoute().Path(authCallbackPath(o)).Queries("id", "{id}").Handler(intercept(authorizeCallbackHandler(o)))
|
||||
router.Handle(o.TokenEndpoint().Relative(), intercept(tokenHandler(o)))
|
||||
router.HandleFunc(o.IntrospectionEndpoint().Relative(), introspectionHandler(o))
|
||||
router.HandleFunc(o.UserinfoEndpoint().Relative(), userinfoHandler(o))
|
||||
|
@ -82,6 +83,17 @@ func CreateRouter(o OpenIDProvider, interceptors ...HttpInterceptor) *mux.Router
|
|||
return router
|
||||
}
|
||||
|
||||
//AuthCallbackURL builds the url for the redirect (with the requestID) after a successful login
|
||||
func AuthCallbackURL(o OpenIDProvider) func(string) string {
|
||||
return func(requestID string) string {
|
||||
return o.AuthorizationEndpoint().Absolute(o.Issuer()) + authCallbackPathSuffix + "?id=" + requestID
|
||||
}
|
||||
}
|
||||
|
||||
func authCallbackPath(o OpenIDProvider) string {
|
||||
return o.AuthorizationEndpoint().Relative() + authCallbackPathSuffix
|
||||
}
|
||||
|
||||
type Config struct {
|
||||
Issuer string
|
||||
CryptoKey [32]byte
|
||||
|
@ -125,8 +137,8 @@ func NewOpenIDProvider(ctx context.Context, config *Config, storage Storage, opO
|
|||
}
|
||||
|
||||
keyCh := make(chan jose.SigningKey)
|
||||
o.signer = NewSigner(ctx, storage, keyCh)
|
||||
go storage.GetSigningKey(ctx, keyCh)
|
||||
o.signer = NewSigner(ctx, storage, keyCh)
|
||||
|
||||
o.httpHandler = CreateRouter(o, o.interceptors...)
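Review bot: In `AuthCallbackURL`, `requestID` is appended to the query string unescaped (`+ "?id=" + requestID`), so an ID containing `&`, `#` or `%` produces a redirect whose `id` parameter differs from the value passed in. If request IDs are produced by storage implementations outside this package, escape at this boundary with `... + authCallbackPathSuffix + "?id=" + url.QueryEscape(requestID)`; whether `net/url` is already imported is not visible in these hunks. In the `NewOpenIDProvider` hunk, `go storage.GetSigningKey(ctx, keyCh)` now precedes `NewSigner`, which fits a constructor that waits on `keyCh`, and a short comment there saying the order is required would keep it from being swapped back.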
|
||||
|
||||
|
|
|
@ -25,6 +25,12 @@ func NewSigner(ctx context.Context, storage AuthStorage, keyCh <-chan jose.Signi
|
|||
storage: storage,
|
||||
}
|
||||
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
return nil
|
||||
case key := <-keyCh:
|
||||
s.exchangeSigningKey(key)
|
||||
}
|
||||
go s.refreshSigningKey(ctx, keyCh)
|
||||
|
||||
return s
|
||||
|
@ -50,23 +56,27 @@ func (s *tokenSigner) refreshSigningKey(ctx context.Context, keyCh <-chan jose.S
|
|||
case <-ctx.Done():
|
||||
return
|
||||
case key := <-keyCh:
|
||||
s.alg = key.Algorithm
|
||||
if key.Algorithm == "" || key.Key == nil {
|
||||
s.signer = nil
|
||||
logging.Warn("signer has no key")
|
||||
continue
|
||||
}
|
||||
var err error
|
||||
s.signer, err = jose.NewSigner(key, &jose.SignerOptions{})
|
||||
if err != nil {
|
||||
logging.New().WithError(err).Error("error creating signer")
|
||||
continue
|
||||
}
|
||||
logging.Info("signer exchanged signing key")
|
||||
s.exchangeSigningKey(key)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (s *tokenSigner) exchangeSigningKey(key jose.SigningKey) {
|
||||
s.alg = key.Algorithm
|
||||
if key.Algorithm == "" || key.Key == nil {
|
||||
s.signer = nil
|
||||
logging.Warn("signer has no key")
|
||||
return
|
||||
}
|
||||
var err error
|
||||
s.signer, err = jose.NewSigner(key, &jose.SignerOptions{})
|
||||
if err != nil {
|
||||
logging.New().WithError(err).Error("error creating signer")
|
||||
return
|
||||
}
|
||||
logging.Info("signer exchanged signing key")
|
||||
}
|
||||
|
||||
func (s *tokenSigner) SignatureAlgorithm() jose.SignatureAlgorithm {
|
||||
return s.alg
|
||||
}
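Review bot: `NewSigner` now blocks until a first key arrives on `keyCh` and returns `nil` when `ctx` is cancelled first, yet the call site in `NewOpenIDProvider` (pkg/op/op.go in this commit) assigns the result to `o.signer` and goes on to `CreateRouter` with no nil check in view. The return type is cut off in the hunk header, so this is hedged, but a provider built under a cancelled context would appear to hold a nil signer and fail at first use rather than at construction; returning an error, or checking `o.signer == nil` at the call site, would surface it earlier. The blocking behaviour deserves a doc comment on the function, e.g. `//NewSigner waits for the first signing key on keyCh and returns nil if ctx is done before one arrives`. In `exchangeSigningKey`, `s.alg` is overwritten before `jose.NewSigner` is attempted, so on error `SignatureAlgorithm()` reports an algorithm for which no signer was created; assigning both fields only after success would keep them consistent.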
|
||||
|
|