Skip to content

Commit

Permalink
refactor: allow secret configuration to return errors (#726)
Browse files Browse the repository at this point in the history
BREAKING CHANGE: `GetGlobalSecret` and `GetRotatedGlobalSecrets` signatures changed and it is now possible to add an error.
  • Loading branch information
aeneasr authored Dec 7, 2022
1 parent f52879d commit e570564
Show file tree
Hide file tree
Showing 3 changed files with 27 additions and 12 deletions.
4 changes: 2 additions & 2 deletions config.go
Original file line number Diff line number Diff line change
Expand Up @@ -177,13 +177,13 @@ type TokenEntropyProvider interface {
// GlobalSecretProvider returns the provider for configuring the global secret.
type GlobalSecretProvider interface {
// GetGlobalSecret returns the global secret.
GetGlobalSecret(ctx context.Context) []byte
GetGlobalSecret(ctx context.Context) ([]byte, error)
}

// RotatedGlobalSecretsProvider returns the provider for configuring the rotated global secrets.
type RotatedGlobalSecretsProvider interface {
// GetRotatedGlobalSecrets returns the rotated global secrets.
GetRotatedGlobalSecrets(ctx context.Context) [][]byte
GetRotatedGlobalSecrets(ctx context.Context) ([][]byte, error)
}

// HMACHashingProvider returns the provider for configuring the hash function.
Expand Down
8 changes: 4 additions & 4 deletions config_default.go
Original file line number Diff line number Diff line change
Expand Up @@ -214,16 +214,16 @@ type Config struct {
IsPushedAuthorizeEnforced bool
}

func (c *Config) GetGlobalSecret(ctx context.Context) []byte {
return c.GlobalSecret
func (c *Config) GetGlobalSecret(ctx context.Context) ([]byte, error) {
return c.GlobalSecret, nil
}

func (c *Config) GetUseLegacyErrorFormat(ctx context.Context) bool {
return c.UseLegacyErrorFormat
}

func (c *Config) GetRotatedGlobalSecrets(ctx context.Context) [][]byte {
return c.RotatedGlobalSecrets
func (c *Config) GetRotatedGlobalSecrets(ctx context.Context) ([][]byte, error) {
return c.RotatedGlobalSecrets, nil
}

func (c *Config) GetHMACHasher(ctx context.Context) func() hash.Hash {
Expand Down
27 changes: 21 additions & 6 deletions token/hmac/hmacsha.go
Original file line number Diff line number Diff line change
Expand Up @@ -51,12 +51,17 @@ func (c *HMACStrategy) Generate(ctx context.Context) (string, string, error) {
c.Lock()
defer c.Unlock()

if len(c.Config.GetGlobalSecret(ctx)) < minimumSecretLength {
return "", "", errors.Errorf("secret for signing HMAC-SHA512/256 is expected to be 32 byte long, got %d byte", len(c.Config.GetGlobalSecret(ctx)))
secrets, err := c.Config.GetGlobalSecret(ctx)
if err != nil {
return "", "", err
}

if len(secrets) < minimumSecretLength {
return "", "", errors.Errorf("secret for signing HMAC-SHA512/256 is expected to be 32 byte long, got %d byte", len(secrets))
}

var signingKey [32]byte
copy(signingKey[:], c.Config.GetGlobalSecret(ctx))
copy(signingKey[:], secrets)

entropy := c.Config.GetTokenEntropy(ctx)
if entropy < minimumEntropy {
Expand Down Expand Up @@ -86,11 +91,21 @@ func (c *HMACStrategy) Generate(ctx context.Context) (string, string, error) {
func (c *HMACStrategy) Validate(ctx context.Context, token string) (err error) {
var keys [][]byte

if len(c.Config.GetGlobalSecret(ctx)) > 0 {
keys = append(keys, c.Config.GetGlobalSecret(ctx))
secrets, err := c.Config.GetGlobalSecret(ctx)
if err != nil {
return err
}

rotatedSecrets, err := c.Config.GetRotatedGlobalSecrets(ctx)
if err != nil {
return err
}

if len(secrets) > 0 {
keys = append(keys, secrets)
}

keys = append(keys, c.Config.GetRotatedGlobalSecrets(ctx)...)
keys = append(keys, rotatedSecrets...)
for _, key := range keys {
if err = c.validate(ctx, key, token); err == nil {
return nil
Expand Down

0 comments on commit e570564

Please sign in to comment.