Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSS-7081 Add OAuth-specific methods to secrets store #1175

Merged
merged 31 commits into from
Mar 19, 2024
Merged

CSS-7081 Add OAuth-specific methods to secrets store #1175

merged 31 commits into from
Mar 19, 2024

Conversation

babakks
Copy link
Member

@babakks babakks commented Mar 13, 2024
edited
Loading

Description

This PR adds two new methods to the CredentialStore interface; GetOAuthKey and PutOAuthKey. The key is used for symmetric encryption, so no more metadata (like alg or type, as in JWKs) is required to be stored along with the key value, and it suffices to use plain byte slices.

The initial OAuth secret key generation is handled just like JWKS rotation.

Fixes CSS-7081

Engineering checklist

Check only items that apply

  • Documentation updated
  • Covered by unit tests
  • Covered by integration tests

Notes for code reviewers

This is a copy of ale8k/jimm#1, updated with the latest feature-oidc branch.

babakks added 15 commits March 13, 2024 13:18
@babakks
Add Get/Put OAuth key methods to Vault store
e9c4283 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Add Get/Put OAuth key methods to Postgres store
18aee68 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Add Get/Put OAuth key methods to in-memory store
909992b 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Add Get/Put OAuth key methods to mock store
d9bf1d8 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Add Get/Put OAuth key methods to credential store interface
727971e 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Expose underlying CredentialStore via a JIMM interface method
bd8c6d6 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Use New* method to instantiate in-memory credential store
3ec909f 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Use credential store to retrieve OAuth session JWT secret key
853c193 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Update CredentialStore godoc
1632b93 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Add test to verify GetOAuthKey returns not found error
029187f 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Add test to verify GetOAuthKey returns not found error
efbda2d 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Add CheckOrGenerateOAuthKey method
e1377b5 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Generate OAuth key on the leader unit
eeb683b 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Update suite to generate OAuth key as well
3ff81da 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Add package godoc
4d83a15 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks babakks changed the title CSS-7081 Add caching to secret store CSS-7081 Add OAuth-specific methods to secrets store Mar 13, 2024
@babakks babakks mentioned this pull request Mar 13, 2024
Closed
3 tasks
kian99
kian99 approved these changes Mar 13, 2024
View reviewed changes
internal/jujuapi/admin.go Outdated Show resolved Hide resolved
internal/vault/vault.go Show resolved Hide resolved
service.go Outdated Show resolved Hide resolved
cmd/jimmsrv/main.go Show resolved Hide resolved
internal/jimm/jimm.go Outdated Show resolved Hide resolved
internal/jimmtest/store.go Outdated Show resolved Hide resolved
babakks added 9 commits March 13, 2024 15:47
@babakks
Reuse shared JWTTestSecret in JimmCmdSuite
2c8dde0 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Fix godoc
d26e977 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Add CleanupOAuth to Postgres store
ca263af 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Add CleanupOAuth to Vault store
efbca17 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Add CleanupOAuth to mock store
fad18b4 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Add CleanupOAuth to in-memory store
599d23c 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Add CleanupOAuth to credential store interface
18b43ae 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
Use same const secret for in-memory store
3a47319 
Signed-off-by: Babak K. Shandiz <[email protected]>
@babakks
fix tests with populating OAuth key secrets in store
86cbcbe 
Signed-off-by: Babak K. Shandiz <[email protected]>
kian99
kian99 approved these changes Mar 14, 2024
View reviewed changes
Copy link
Contributor

@kian99 kian99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

internal/db/secrets.go Outdated Show resolved Hide resolved
@kian99
Copy link
Contributor

kian99 commented Mar 15, 2024

Also, please make sure to squash-and-merge this.

ale8k
ale8k approved these changes Mar 18, 2024
View reviewed changes
Copy link
Contributor

@ale8k ale8k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, just some language around "pem" is confusing with the oauth keys, they're just strings no and nothing to do with PKI?

@babakks babakks merged commit ef3e14f into canonical:feature-oidc Mar 19, 2024
4 checks passed
@babakks babakks deleted the css-7081/use-secret-store branch March 19, 2024 09:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kian99 kian99 kian99 approved these changes

@ale8k ale8k ale8k approved these changes

@alesstimec alesstimec alesstimec approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@babakks @kian99 @alesstimec @ale8k