From 5c3dd6d20c21243c40029433606b507b1cc303be Mon Sep 17 00:00:00 2001 From: Easton Crupper <65553218+ecrupper@users.noreply.github.com> Date: Fri, 6 Sep 2024 09:53:25 -0400 Subject: [PATCH] enhance(admin): add oidc key rotation (#326) --- go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- vela/admin.go | 17 +++++++++++++++++ vela/admin_test.go | 44 ++++++++++++++++++++++++++++++++++++++++++++ vela/client.go | 1 + vela/client_test.go | 1 + 6 files changed, 78 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index 97123e0..a0941ee 100644 --- a/go.mod +++ b/go.mod @@ -8,8 +8,8 @@ require ( github.com/buildkite/yaml v0.0.0-20230306222819-0e4e032d4835 github.com/coreos/go-semver v0.3.1 github.com/gin-gonic/gin v1.10.0 - github.com/go-vela/server v0.24.1 - github.com/go-vela/types v0.24.0 + github.com/go-vela/server v0.24.3-0.20240904142119-21dfb446e793 + github.com/go-vela/types v0.24.1-0.20240826141537-76a66e72d5dc github.com/golang-jwt/jwt/v5 v5.2.1 github.com/google/go-cmp v0.6.0 github.com/google/go-querystring v1.1.0 @@ -53,9 +53,9 @@ require ( github.com/urfave/cli/v2 v2.27.2 // indirect github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect golang.org/x/arch v0.8.0 // indirect - golang.org/x/crypto v0.24.0 // indirect - golang.org/x/net v0.25.0 // indirect - golang.org/x/sys v0.21.0 // indirect + golang.org/x/crypto v0.25.0 // indirect + golang.org/x/net v0.26.0 // indirect + golang.org/x/sys v0.22.0 // indirect golang.org/x/text v0.16.0 // indirect google.golang.org/protobuf v1.34.1 // indirect gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect diff --git a/go.sum b/go.sum index 4fb9032..50705ab 100644 --- a/go.sum +++ b/go.sum @@ -36,10 +36,10 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY= github.com/go-playground/validator/v10 v10.20.0 h1:K9ISHbSaI0lyB2eWMPJo+kOS/FBExVwjEviJTixqxL8= github.com/go-playground/validator/v10 v10.20.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM= -github.com/go-vela/server v0.24.1 h1:iM5REZBh6oHD0nxEH4O6dkUWNhY3MNrWBLNWGUUwcP8= -github.com/go-vela/server v0.24.1/go.mod h1:jCnJPiyaRLcdy1u5fKIf7BqsbYAbVMjjI7dlyxZovME= -github.com/go-vela/types v0.24.0 h1:KkkiXxw3uHckh/foyadmLY1YnLw6vhZbz9XwqONCj6o= -github.com/go-vela/types v0.24.0/go.mod h1:YWj6BIapl9Kbj4yHq/fp8jltXdGiwD/gTy1ez32Rzag= +github.com/go-vela/server v0.24.3-0.20240904142119-21dfb446e793 h1:7WnJ3cg3Ev1McemTyAHo1+DPiPe1SMfJaGzoXkZgMx8= +github.com/go-vela/server v0.24.3-0.20240904142119-21dfb446e793/go.mod h1:3KmEXG+6N0jfwxPKBM8oIOM3iAcxwJvqsOs0RZvGYnI= +github.com/go-vela/types v0.24.1-0.20240826141537-76a66e72d5dc h1:VyT2tBwPVO9fMmn+22TC4rY4dp+d71To/Qo5Vk4cOSo= +github.com/go-vela/types v0.24.1-0.20240826141537-76a66e72d5dc/go.mod h1:WcSiFm8cWuErRw4aI08NrfM+SZzidnbUs2fmO5klFKo= github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA= github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M= github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= @@ -123,15 +123,15 @@ github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913/go.mod h1:4aEEwZQut golang.org/x/arch v0.0.0-20210923205945-b76863e36670/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8= golang.org/x/arch v0.8.0 h1:3wRIsP3pM4yUptoR96otTUOXI367OS0+c9eeRi9doIc= golang.org/x/arch v0.8.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys= -golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= -golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= -golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= -golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= +golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= +golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= +golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= +golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= +golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/vela/admin.go b/vela/admin.go index 4b1a29b..c1abc1c 100644 --- a/vela/admin.go +++ b/vela/admin.go @@ -21,6 +21,7 @@ type ( Clean *AdminCleanService Deployment *AdminDeploymentService Hook *AdminHookService + OIDC *AdminOIDCService Repo *AdminRepoService Secret *AdminSecretService Service *AdminSvcService @@ -46,6 +47,9 @@ type ( // the server methods of the Vela API. AdminHookService service + // AdminOIDCService handles key rotation for OpenID Connect. + AdminOIDCService service + // AdminRepoService handles retrieving admin repos from // the server methods of the Vela API. AdminRepoService service @@ -302,3 +306,16 @@ func (svc *AdminWorkerService) RegisterToken(hostname string) (*library.Token, * return t, resp, err } + +// RotateOIDCKeys sends a request to rotate the private keys used for creating ID tokens. +func (svc *AdminOIDCService) RotateOIDCKeys() (*string, *Response, error) { + // set the API endpoint path we send the request to + url := "/api/v1/admin/rotate_oidc_keys" + + v := new(string) + + // send request using client + resp, err := svc.client.Call("POST", url, nil, v) + + return v, resp, err +} diff --git a/vela/admin_test.go b/vela/admin_test.go index 9e90a47..43e7403 100644 --- a/vela/admin_test.go +++ b/vela/admin_test.go @@ -552,3 +552,47 @@ func TestAdmin_Settings_Restore_200(t *testing.T) { t.Errorf("Settings.Restore returned %v, want %v", got, want) } } + +func TestAdmin_OIDC_RotateKeys_200(t *testing.T) { + // setup context + gin.SetMode(gin.TestMode) + + s := httptest.NewServer(server.FakeHandler()) + c, _ := NewClient(s.URL, "", nil) + + want := "keys rotated successfully" + + // run test + got, resp, err := c.Admin.OIDC.RotateOIDCKeys() + if err != nil { + t.Errorf("RotateOIDCKeys returned err: %v", err) + } + + if resp.StatusCode != http.StatusOK { + t.Errorf("RotateOIDCKeys returned %v, want %v", resp.StatusCode, http.StatusOK) + } + + if diff := cmp.Diff(&want, got); diff != "" { + t.Errorf("RotateOIDCKeys() mismatch (-want +got):\n%s", diff) + } +} + +func TestAdmin_OIDC_RotateKeys_Unauthorized(t *testing.T) { + // setup context + gin.SetMode(gin.TestMode) + + s := httptest.NewServer(server.FakeHandler()) + c, _ := NewClient(s.URL, "", nil) + + c.Authentication.SetTokenAuth("invalid") + + // run test + _, resp, err := c.Admin.OIDC.RotateOIDCKeys() + if err == nil { + t.Error("RotateOIDCKeys should have returned err") + } + + if resp.StatusCode != http.StatusUnauthorized { + t.Errorf("RotateOIDCKeys returned %v, want %v", resp.StatusCode, http.StatusUnauthorized) + } +} diff --git a/vela/client.go b/vela/client.go index 700eb41..f1a3d9a 100644 --- a/vela/client.go +++ b/vela/client.go @@ -131,6 +131,7 @@ func NewClient(baseURL, id string, httpClient *http.Client) (*Client, error) { &AdminCleanService{client: c}, &AdminDeploymentService{client: c}, &AdminHookService{client: c}, + &AdminOIDCService{client: c}, &AdminRepoService{client: c}, &AdminSecretService{client: c}, &AdminSvcService{client: c}, diff --git a/vela/client_test.go b/vela/client_test.go index f0af595..eba0c4f 100644 --- a/vela/client_test.go +++ b/vela/client_test.go @@ -39,6 +39,7 @@ func TestVela_NewClient(t *testing.T) { &AdminCleanService{client: want}, &AdminDeploymentService{client: want}, &AdminHookService{client: want}, + &AdminOIDCService{client: want}, &AdminRepoService{client: want}, &AdminSecretService{client: want}, &AdminSvcService{client: want},