From 4a9b067a2c08560c3f33e54210e7f3c833838b9d Mon Sep 17 00:00:00 2001
From: Lucas Ritzdorf <42657792+LRitzdorf@users.noreply.github.com>
Date: Wed, 17 Jul 2024 10:20:23 -0600
Subject: [PATCH] Generalize OPAAL interface to any OIDC server

As long as they follow the standard output format.
---
 CHANGELOG.md | 2 +-
 Dockerfile | 4 ++--
 cmd/cloud-init-server/main.go | 6 +++---
 internal/smdclient/SMDclient.go | 12 ++++++------
 internal/smdclient/{opaal.go => oidc.go} | 12 ++++++------
 5 files changed, 18 insertions(+), 18 deletions(-)
 rename internal/smdclient/{opaal.go => oidc.go} (71%)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index aa294a2..edd8a90 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,7 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Switched from [Gin](https://github.com/gin-gonic/gin) HTTP router to [Chi](https://github.com/go-chi/chi)
 - When adding entries to the internal datastore, names are no longer "slug-ified" (via the `gosimple/slug` package). This means that when a user requests data for a node, the name they query should be a standard colon-separated MAC address, as opposed to using dashes.
-- Rather than requiring a single static JWT on launch, we now accept an OPAAL server name. New JWTs are requested from OPAAL as necessary, allowing us to run for longer than the lifetime of a single token.
+- Rather than requiring a single static JWT on launch, we now accept an OIDC token endpoint. New JWTs are requested from the endpoint as necessary, allowing us to run for longer than the lifetime of a single token.
 ## [0.0.4] - 2024-01-17
diff --git a/Dockerfile b/Dockerfile
index 3c46165..16d424c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -35,7 +35,7 @@ RUN set -ex \
 # Get the boot-script-service from the builder stage.
 COPY cloud-init-server /usr/local/bin/
-ENV OPAAL_URL="http://opaal:3333"
+ENV TOKEN_URL="http://opaal:3333/token"
 ENV SMD_URL="http://smd:27779"
 ENV LISTEN_ADDR="0.0.0.0:27777"
 ENV JWKS_URL=""
@@ -44,7 +44,7 @@ ENV JWKS_URL=""
 USER 65534:65534
 # Set up the command to start the service.
-CMD /usr/local/bin/cloud-init-server --listen ${LISTEN_ADDR} --smd-url ${SMD_URL} --opaal-url ${OPAAL_URL} --jwks-url ${JWKS_URL:-""}
+CMD /usr/local/bin/cloud-init-server --listen ${LISTEN_ADDR} --smd-url ${SMD_URL} --token-url ${TOKEN_URL} --jwks-url ${JWKS_URL:-""}
 ENTRYPOINT ["/sbin/tini", "--"]
diff --git a/cmd/cloud-init-server/main.go b/cmd/cloud-init-server/main.go
index 6ffd374..ec20954 100644
--- a/cmd/cloud-init-server/main.go
+++ b/cmd/cloud-init-server/main.go
@@ -15,14 +15,14 @@ import (
 var (
 ciEndpoint = ":27777"
- opaalEndpoint = "http://opaal:3333" // jwt for smd access obtained from here
+ tokenEndpoint = "http://opaal:3333/token" // jwt for smd access obtained from here
 smdEndpoint = "http://smd:27779"
 jwksUrl = "" // jwt keyserver URL for secure-route token validation
 )
 func main() {
 flag.StringVar(&ciEndpoint, "listen", ciEndpoint, "Server IP and port for cloud-init-server to listen on")
- flag.StringVar(&opaalEndpoint, "opaal-url", opaalEndpoint, "http IP/url and port for OPAAL (or other JWT) server")
+ flag.StringVar(&tokenEndpoint, "token-url", tokenEndpoint, "OIDC server URL (endpoint) to fetch new tokens from (for SMD access)")
 flag.StringVar(&smdEndpoint, "smd-url", smdEndpoint, "http IP/url and port for running SMD")
 flag.StringVar(&jwksUrl, "jwks-url", jwksUrl, "JWT keyserver URL, required to enable secure route")
 flag.Parse()
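Review bot: The help string on the `+flag.StringVar(&tokenEndpoint, "token-url", ...)` line reads as a server base URL ("OIDC server URL (endpoint)"), yet the new default `http://opaal:3333/token` and the dropped `+ "/token"` suffix in RefreshToken show the flag now takes the full token-endpoint URL; an operator who carries over the old `--opaal-url` value will silently request the wrong path. Suggest `"Full URL of the OIDC token endpoint (e.g. http://opaal:3333/token) from which JWTs for SMD access are fetched"`. Both this default and the `ENV TOKEN_URL` line in the Dockerfile hunk above use a plain-http scheme for a response that carries a bearer token, so the help text or CHANGELOG should state that https is expected outside a trusted network.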
@@ -53,7 +53,7 @@ func main() {
 middleware.StripSlashes,
 middleware.Timeout(60 * time.Second),
 )
- sm := smdclient.NewSMDClient(smdEndpoint, opaalEndpoint)
+ sm := smdclient.NewSMDClient(smdEndpoint, tokenEndpoint)
 // Unsecured datastore and router
 store := memstore.NewMemStore()
diff --git a/internal/smdclient/SMDclient.go b/internal/smdclient/SMDclient.go
index 7e46f5c..63174ea 100644
--- a/internal/smdclient/SMDclient.go
+++ b/internal/smdclient/SMDclient.go
@@ -24,20 +24,20 @@ var (
 // SMDClient is a client for SMD
 type SMDClient struct {
- smdClient *http.Client
- smdBaseURL string
- tokenServer string
- accessToken string
+ smdClient *http.Client
+ smdBaseURL string
+ tokenEndpoint string
+ accessToken string
 }
 // NewSMDClient creates a new SMDClient which connects to the SMD server at baseurl
 // and uses the provided JWT server for authentication
-func NewSMDClient(baseurl string, jwtServer string) *SMDClient {
+func NewSMDClient(baseurl string, jwtURL string) *SMDClient {
 c := &http.Client{Timeout: 2 * time.Second}
 return &SMDClient{
 smdClient: c,
 smdBaseURL: baseurl,
- tokenServer: jwtServer,
+ tokenEndpoint: jwtURL,
 accessToken: "",
 }
 }
diff --git a/internal/smdclient/opaal.go b/internal/smdclient/oidc.go
similarity index 71%
rename from internal/smdclient/opaal.go
rename to internal/smdclient/oidc.go
index 9f276d6..b50f98b 100644
--- a/internal/smdclient/opaal.go
+++ b/internal/smdclient/oidc.go
@@ -6,8 +6,8 @@ import (
 "net/http"
 )
-// Structure of a token reponse from OPAAL
-type opaalTokenData struct {
+// Structure of a token reponse from OIDC server
+type oidcTokenData struct {
 Access_token string `json:"access_token"`
 Expires_in int `json:"expires_in"`
 Scope string `json:"scope"`
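Review bot: The doc comment above `+func NewSMDClient(baseurl string, jwtURL string) *SMDClient {` still says the client "uses the provided JWT server for authentication", but the argument is now the complete token-endpoint URL that RefreshToken fetches with nothing appended, so the comment no longer matches the contract. Suggest `// and fetches access tokens for SMD requests from the OIDC token endpoint at jwtURL.` as the second line. Naming the parameter `tokenEndpoint`, like the struct field it initialises on the `+ tokenEndpoint: jwtURL,` line, would also stop callers from assuming a base URL is accepted.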
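Review bot: The rewritten comment `+// Structure of a token reponse from OIDC server` carries the typo "reponse" over from the old line; since the line is touched anyway, `// oidcTokenData is the JSON body returned by the OIDC token endpoint.` fixes it and follows the Go convention of starting a doc comment with the type name. The fields that follow (`Access_token`, `Expires_in`) keep underscore names, which stylecheck flags; renaming them to `AccessToken`/`ExpiresIn` is behaviour-neutral because the `json:"..."` tags already fix the wire names, but it touches lines outside this hunk and could be a follow-up.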
@@ -16,8 +16,8 @@ type opaalTokenData struct {
 // Refresh the cached access token, using the provided JWT server
 func (s *SMDClient) RefreshToken() error {
- // Request new token from OPAAL
- r, err := http.Get(s.tokenServer + "/token")
+ // Request new token from OIDC server
+ r, err := http.Get(s.tokenEndpoint)
 if err != nil {
 return err
 }
@@ -25,8 +25,8 @@ func (s *SMDClient) RefreshToken() error {
 if err != nil {
 return err
 }
- // Decode OPAAL's response to the expected structure
- var tokenResp opaalTokenData
+ // Decode server's response to the expected structure
+ var tokenResp oidcTokenData
 if err = json.Unmarshal(body, &tokenResp); err != nil {
 return err
 }
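Review bot: `+ r, err := http.Get(s.tokenEndpoint)` still issues the token request through the package-level `http.DefaultClient`, which has no timeout, while every SMD request goes through the 2-second client built in NewSMDClient; a stalled token endpoint therefore blocks RefreshToken, and whatever calls it, indefinitely. Reusing the client the struct already holds keeps the two paths consistent: `r, err := s.smdClient.Get(s.tokenEndpoint)`. The commit title promises any OIDC server, but RFC 6749 requires clients to use POST at the token endpoint (with `grant_type` and client authentication), so a bare GET only works with servers that, like OPAAL's `/token`, accept it — worth stating in the comment or CHANGELOG instead of claiming generality. RefreshToken continues past this hunk, so whether `r.Body` is closed cannot be seen here.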
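Review bot: Nothing in this hunk checks `r.StatusCode` before `json.Unmarshal(body, &tokenResp)`, so an error body from the endpoint (a 4xx/5xx response with a JSON object) decodes without error into an `oidcTokenData` whose `Access_token` is empty, and the caller proceeds with a blank credential instead of an error. Unless the lines between the two hunks already do it, add `if r.StatusCode != http.StatusOK { return fmt.Errorf("token endpoint returned %s", r.Status) }` ahead of the decode (importing `fmt` if oidc.go lacks it). Rejecting an empty `tokenResp.Access_token` after the decode closes the same gap for servers that answer 200 with an error object. RefreshToken's body continues past the end of this hunk.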