Generalize OPAAL interface to any OIDC server

As long as they follow the standard output format.
OpenCHAMI · Jul 17, 2024 · 4a9b067 · 4a9b067
1 parent f2edfe2
commit 4a9b067
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 18 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,7 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Switched from [Gin](https://github.com/gin-gonic/gin) HTTP router to [Chi](https://github.com/go-chi/chi)
 - When adding entries to the internal datastore, names are no longer "slug-ified" (via the `gosimple/slug` package).
   This means that when a user requests data for a node, the name they query should be a standard colon-separated MAC address, as opposed to using dashes.
-- Rather than requiring a single static JWT on launch, we now accept an OPAAL server name. New JWTs are requested from OPAAL as necessary, allowing us to run for longer than the lifetime of a single token.
+- Rather than requiring a single static JWT on launch, we now accept an OIDC token endpoint. New JWTs are requested from the endpoint as necessary, allowing us to run for longer than the lifetime of a single token.
 
 ## [0.0.4] - 2024-01-17
 

diff --git a/Dockerfile b/Dockerfile
@@ -35,7 +35,7 @@ RUN set -ex \
 # Get the boot-script-service from the builder stage.
 COPY cloud-init-server /usr/local/bin/
 
-ENV OPAAL_URL="http://opaal:3333"
+ENV TOKEN_URL="http://opaal:3333/token"
 ENV SMD_URL="http://smd:27779"
 ENV LISTEN_ADDR="0.0.0.0:27777"
 ENV JWKS_URL=""
@@ -44,7 +44,7 @@ ENV JWKS_URL=""
 USER 65534:65534
 
 # Set up the command to start the service.
-CMD /usr/local/bin/cloud-init-server --listen ${LISTEN_ADDR} --smd-url ${SMD_URL} --opaal-url ${OPAAL_URL} --jwks-url ${JWKS_URL:-""}
+CMD /usr/local/bin/cloud-init-server --listen ${LISTEN_ADDR} --smd-url ${SMD_URL} --token-url ${TOKEN_URL} --jwks-url ${JWKS_URL:-""}
 
 
 ENTRYPOINT ["/sbin/tini", "--"]
diff --git a/cmd/cloud-init-server/main.go b/cmd/cloud-init-server/main.go
@@ -15,14 +15,14 @@ import (
 
 var (
 	ciEndpoint    = ":27777"
-	opaalEndpoint = "http://opaal:3333" // jwt for smd access obtained from here
+	tokenEndpoint = "http://opaal:3333/token" // jwt for smd access obtained from here
 	smdEndpoint   = "http://smd:27779"
 	jwksUrl       = "" // jwt keyserver URL for secure-route token validation
 )
 
 func main() {
 	flag.StringVar(&ciEndpoint, "listen", ciEndpoint, "Server IP and port for cloud-init-server to listen on")
-	flag.StringVar(&opaalEndpoint, "opaal-url", opaalEndpoint, "http IP/url and port for OPAAL (or other JWT) server")
+	flag.StringVar(&tokenEndpoint, "token-url", tokenEndpoint, "OIDC server URL (endpoint) to fetch new tokens from (for SMD access)")
 	flag.StringVar(&smdEndpoint, "smd-url", smdEndpoint, "http IP/url and port for running SMD")
 	flag.StringVar(&jwksUrl, "jwks-url", jwksUrl, "JWT keyserver URL, required to enable secure route")
 	flag.Parse()
@@ -53,7 +53,7 @@ func main() {
 		middleware.StripSlashes,
 		middleware.Timeout(60 * time.Second),
 	)
-	sm := smdclient.NewSMDClient(smdEndpoint, opaalEndpoint)
+	sm := smdclient.NewSMDClient(smdEndpoint, tokenEndpoint)
 
 	// Unsecured datastore and router
 	store := memstore.NewMemStore()

diff --git a/internal/smdclient/SMDclient.go b/internal/smdclient/SMDclient.go
@@ -24,20 +24,20 @@ var (
 
 // SMDClient is a client for SMD
 type SMDClient struct {
-	smdClient   *http.Client
-	smdBaseURL  string
-	tokenServer string
-	accessToken string
+	smdClient     *http.Client
+	smdBaseURL    string
+	tokenEndpoint string
+	accessToken   string
 }
 
 // NewSMDClient creates a new SMDClient which connects to the SMD server at baseurl
 // and uses the provided JWT server for authentication
-func NewSMDClient(baseurl string, jwtServer string) *SMDClient {
+func NewSMDClient(baseurl string, jwtURL string) *SMDClient {
 	c := &http.Client{Timeout: 2 * time.Second}
 	return &SMDClient{
 		smdClient:   c,
 		smdBaseURL:  baseurl,
-		tokenServer: jwtServer,
+		tokenEndpoint: jwtURL,
 		accessToken: "",
 	}
 }

diff --git a/internal/smdclient/opaal.go → internal/smdclient/oidc.go b/internal/smdclient/opaal.go → internal/smdclient/oidc.go
@@ -6,8 +6,8 @@ import (
 	"net/http"
 )
 
-// Structure of a token reponse from OPAAL
-type opaalTokenData struct {
+// Structure of a token reponse from OIDC server
+type oidcTokenData struct {
 	Access_token string `json:"access_token"`
 	Expires_in   int    `json:"expires_in"`
 	Scope        string `json:"scope"`
@@ -16,17 +16,17 @@ type opaalTokenData struct {
 
 // Refresh the cached access token, using the provided JWT server
 func (s *SMDClient) RefreshToken() error {
-	// Request new token from OPAAL
-	r, err := http.Get(s.tokenServer + "/token")
+	// Request new token from OIDC server
+	r, err := http.Get(s.tokenEndpoint)
 	if err != nil {
 		return err
 	}
 	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		return err
 	}
-	// Decode OPAAL's response to the expected structure
-	var tokenResp opaalTokenData
+	// Decode server's response to the expected structure
+	var tokenResp oidcTokenData
 	if err = json.Unmarshal(body, &tokenResp); err != nil {
 		return err
 	}