Add various cleanliness changes #114

Open

wants to merge 29 commits into base: main
Conversation

@punmechanic (Member) commented Nov 13, 2024

  • Replace custom hand-rolled HTTP calls with the oidc/oauth2 packages
  • Move oauth2 handling code to oauth2/ package.
  • Use newer Go functions like slices.Contains instead of our hand-rolled functions
  • Simplify folder structure by moving commands outside of main package, and move main package to root folder so go run . works.
  • Migrate to Lambda function extension for Vault secret handling, so we don't need to handle it in the application.
  • Remove usage of the custom Riot Vault SDK, using the Hashicorp one instead.
  • Upgrade to v2 of the AWS SDK.
  • Pass HTTP client through context and remove go-rootcerts as it's no longer needed in newer Go versions.
  • Put binaries in bin/ instead of a custom directory.
  • Disable CGO.
  • Hide OIDC flags that no one actually uses.
  • Remove partial Tencent Cloud support. We will add this back, but we don't want regular usage of the application to panic.
  • Refactor environment variable writing so we rely less on string interpolation.

Resolves #111; using the OAuth2 library provides an OAuth2-related error when exchanging an access and id token for a web sso token, whereas previously this was silently ignored and would lead to a cryptic error when retrieving a SAML assertion.

This should also fix a bug where non-HTTP 200 responses are not caught
and result in a cryptic error later in the exchange process.

* Pass client through context. This would normally be frowned upon but
  we know we will only be using OAuth2's APIs to interact with Okta
  anyway.
* Implement oauth2.TokenSource on TokenSet, which removes the need to
  manually construct *oauth2.Token.

The config shouldn't "know" anything about the minutiae of the token it
is receiving.

Makes the HandlePendingSession function much simpler.

This was necessary due to a bug in Go
(golang/go#14514) that was resolved in Go 1.8.

This will be reimplemented at some point in the future, but this has not
been working since 85f224a and attempting to use it results in a
run-time panic.

The UserInfo endpoint for Okta is standards-compliant, so we should use
a standards-compliant library to access it.

Instead of using AWS authentication for Vault, users should be
instructed to use the Hashicorp Vault extension for AWS Lambda;
KeyConjurer's Lambda functions are not made aware of any authentication
details.

https://developer.hashicorp.com/vault/docs/platform/aws/lambda-extension

VAULT_SECRET_PATH conflicts with the Lambda extension.
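As an added example (not KeyConjurer's code and not the oauth2 library's), the failure mode behind #111 in standard-library Go: a token-exchange call that treats any non-2xx response as an error carrying the RFC 6749 error body, rather than decoding it as a token and failing cryptically later, with the HTTP client read from the context the way the PR passes it. `ClientKey`, `TokenError` and `Exchange` are hypothetical names, and the endpoint and token values are constructed.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ClientKey is a hypothetical stand-in for oauth2.HTTPClient, the context key the PR uses to pass the client.
type ClientKey struct{}
// TokenError is an RFC 6749 section 5.2 error body plus the HTTP status, surfaced instead of a cryptic failure later.
type TokenError struct {
	Status      int    `json:"-"`
	Code        string `json:"error"`
	Description string `json:"error_description"`
}

func (e *TokenError) Error() string {
	return fmt.Sprintf("token endpoint returned HTTP %d: %s: %s", e.Status, e.Code, e.Description)
}
// Exchange posts a simplified token-exchange request and treats any non-2xx status as an error;
// the hand-rolled code this pattern replaces skipped that check and decoded the body regardless.
func Exchange(ctx context.Context, tokenURL, subjectToken string) (string, error) {
	client, _ := ctx.Value(ClientKey{}).(*http.Client)
	if client == nil { client = http.DefaultClient } // nothing in the context: use the default client
	form := url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:token-exchange"}, "subject_token": {subjectToken}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil { return "", err }
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil { return "", err }
	defer resp.Body.Close()
	var body struct {
		AccessToken string `json:"access_token"`
		TokenError         // promoted "error" / "error_description" fields
	}
	decodeErr := json.NewDecoder(resp.Body).Decode(&body)
	if resp.StatusCode/100 != 2 {
		body.Status = resp.StatusCode // a non-JSON error body still fails, via Status
		return "", &body.TokenError
	}
	if decodeErr != nil || body.AccessToken == "" {
		return "", fmt.Errorf("malformed token response: %v", decodeErr)
	}
	return body.AccessToken, nil
}
```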
Successfully merging this pull request may close these issues.

Users with unauthorized sessions receive cryptic error when retrieving keys