
feat(controller): make sso timeout configurable via cm (#4494)
Signed-off-by: Arghya Sadhu <arghya88@gmail.com>
arghya88 authored Nov 15, 2020
1 parent 02e1f0e commit 4bacbc1
Showing 2 changed files with 22 additions and 5 deletions.
18 changes: 13 additions & 5 deletions server/auth/sso/sso.go
Expand Up @@ -28,7 +28,6 @@ import (
const (
Prefix = "Bearer v2:"
issuer = "argo-server" // the JWT issuer
expiry = 10 * time.Hour // how long JWT are valid for
secretName = "sso" // where we store SSO secret
cookieEncryptionPrivateKeySecretKey = "cookieEncryptionPrivateKey" // the key name for the private key in the secret
)
Expand All @@ -52,6 +51,7 @@ type sso struct {
privateKey crypto.PrivateKey
encrypter jose.Encrypter
rbacConfig *rbac.Config
expiry time.Duration
}

func (s *sso) IsRBACEnabled() bool {
Expand All @@ -65,7 +65,15 @@ type Config struct {
RedirectURL string `json:"redirectUrl"`
RBAC *rbac.Config `json:"rbac,omitempty"`
// additional scopes (on top of "openid")
Scopes []string `json:"scopes,omitempty"`
Scopes []string `json:"scopes,omitempty"`
SessionExpiry metav1.Duration `json:"sessionExpiry,omitempty"`
}

func (c Config) GetSessionExpiry() time.Duration {
if c.SessionExpiry.Duration > 0 {
return c.SessionExpiry.Duration
}
return 10 * time.Hour
}

// Abstract methods of oidc.Provider that our code uses into an interface. That
Expand Down Expand Up @@ -114,7 +122,6 @@ func newSso(
if err != nil {
return nil, err
}

var clientIDObj *apiv1.Secret
if c.ClientID.Name == c.ClientSecret.Name {
clientIDObj = clientSecretObj
Expand Down Expand Up @@ -174,6 +181,7 @@ func newSso(
privateKey: privateKey,
encrypter: encrypter,
rbacConfig: c.RBAC,
expiry: c.GetSessionExpiry(),
}, nil
}

Expand Down Expand Up @@ -225,7 +233,7 @@ func (s *sso) HandleCallback(w http.ResponseWriter, r *http.Request) {
_, _ = w.Write([]byte(fmt.Sprintf("failed to get claims: %v", err)))
return
}
argoClaims := &types.Claims{Claims: jwt.Claims{Issuer: issuer, Subject: c.Subject, Expiry: jwt.NewNumericDate(time.Now().Add(expiry))}, Groups: c.Groups}
argoClaims := &types.Claims{Claims: jwt.Claims{Issuer: issuer, Subject: c.Subject, Expiry: jwt.NewNumericDate(time.Now().Add(s.expiry))}, Groups: c.Groups}
raw, err := jwt.Encrypted(s.encrypter).Claims(argoClaims).CompactSerialize()
if err != nil {
panic(err)
Expand All @@ -236,7 +244,7 @@ func (s *sso) HandleCallback(w http.ResponseWriter, r *http.Request) {
Value: value,
Name: "authorization",
Path: s.baseHRef,
Expires: time.Now().Add(expiry),
Expires: time.Now().Add(s.expiry),
SameSite: http.SameSiteStrictMode,
Secure: s.secure,
})
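Review bot: `SessionExpiry` is the only field of `Config` in this hunk without a comment, and its fallback lives in `GetSessionExpiry`, so an operator reading the struct cannot tell what unset, zero or negative means; add above it `// how long an SSO session (the issued JWT and the authorization cookie) stays valid; unset or non-positive falls back to 10h`. `GetSessionExpiry` also accepts any positive duration, and the same value feeds both the JWT `Expiry` claim and the cookie `Expires` in `HandleCallback`, so a very large value in the ConfigMap produces bearer tokens and cookies that stay valid for that whole period; a sanity cap, or at least a log line where `newSso` reads `c.GetSessionExpiry()` when the configured value exceeds the default, would make such a misconfiguration visible. Both `newSso` and `HandleCallback` start outside their hunks.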
9 changes: 9 additions & 0 deletions server/auth/sso/sso_test.go
Expand Up @@ -3,6 +3,7 @@ package sso
import (
"context"
"testing"
"time"

"github.com/coreos/go-oidc"
"github.com/stretchr/testify/assert"
Expand Down Expand Up @@ -62,6 +63,7 @@ func TestLoadSsoClientIdFromSecret(t *testing.T) {
ssoObject := ssoInterface.(*sso)
assert.Equal(t, "sso-client-id-value", ssoObject.config.ClientID)
assert.Equal(t, "sso-client-secret-value", ssoObject.config.ClientSecret)
assert.Equal(t, 10*time.Hour, ssoObject.expiry)
}

func TestLoadSsoClientIdFromDifferentSecret(t *testing.T) {
Expand Down Expand Up @@ -101,3 +103,10 @@ func TestLoadSsoClientIdFromSecretNoKeyFails(t *testing.T) {
assert.Error(t, err)
assert.Regexp(t, "key nonexistent missing in secret argo-sso-secret", err.Error())
}

func TestGetSessionExpiry(t *testing.T) {
config := Config{
SessionExpiry: metav1.Duration{Duration: 5 * time.Hour},
}
assert.Equal(t, config.GetSessionExpiry(), 5*time.Hour)
}
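Review bot: `TestGetSessionExpiry` passes the actual value as the first argument of `assert.Equal`, whereas the other assertions in this file (e.g. `assert.Equal(t, 10*time.Hour, ssoObject.expiry)` above) put the expected value first; swap it to `assert.Equal(t, 5*time.Hour, config.GetSessionExpiry())` so a failure message reads the right way round. The test also covers only the explicit-value path; the default is checked indirectly through `ssoObject.expiry` in `TestLoadSsoClientIdFromSecret`, but a direct `assert.Equal(t, 10*time.Hour, Config{}.GetSessionExpiry())` case would pin the fallback, and a negative-duration case would document that it falls back too. `metav1` is used here while the visible import hunk only adds `time`; presumably it is already imported in the lines the page collapses.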
