Merge pull request #96 from jumpstarter-dev/token-followup

Check token for validity

Author: mangelajo

internal/controller/client_controller.go

@@ -78,6 +78,8 @@ func (r *ClientReconciler) clientSecretExists(
 	ctx context.Context,
 	client *jumpstarterdevv1alpha1.Client,
 ) (bool, error) {
+	logger := log.FromContext(ctx)
+
 	if client.Status.Credential == nil {
 		return false, nil
 	}
@@ -87,8 +89,17 @@ func (r *ClientReconciler) clientSecretExists(
 		Namespace: client.Namespace,
 		Name:      client.Status.Credential.Name,
 	}, secret)
+	if err != nil {
+		return false, kclient.IgnoreNotFound(err)
+	}
+
+	token, ok := secret.Data["token"]
+	if !ok || r.Signer.Verify(string(token)) != nil {
+		logger.Info("reconcileStatusCredential: the client secret is invalid", "client", client.Name)
+		return false, r.Delete(ctx, secret)
+	}
 
-	return err == nil, kclient.IgnoreNotFound(err)
+	return true, nil
 }
 
 func (r *ClientReconciler) reconcileStatusCredential(
@@ -158,7 +169,7 @@ func (r *ClientReconciler) secretForClient(client *jumpstarterdevv1alpha1.Client
 		},
 	}
 	// enable garbage collection on the created resource
-	if err := controllerutil.SetOwnerReference(client, secret, r.Scheme); err != nil {
+	if err := controllerutil.SetControllerReference(client, secret, r.Scheme); err != nil {
 		return nil, fmt.Errorf("secretForClient, error setting owner reference: %w", err)
 	}
 	return secret, nil
@@ -168,5 +179,6 @@ func (r *ClientReconciler) secretForClient(client *jumpstarterdevv1alpha1.Client
 func (r *ClientReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&jumpstarterdevv1alpha1.Client{}).
+		Owns(&corev1.Secret{}).
 		Complete(r)
 }

internal/controller/exporter_controller.go

@@ -90,6 +90,8 @@ func (r *ExporterReconciler) exporterSecretExists(
 	ctx context.Context,
 	exporter *jumpstarterdevv1alpha1.Exporter,
 ) (bool, error) {
+	logger := log.FromContext(ctx)
+
 	if exporter.Status.Credential == nil {
 		return false, nil
 	}
@@ -99,8 +101,18 @@ func (r *ExporterReconciler) exporterSecretExists(
 		Namespace: exporter.Namespace,
 		Name:      exporter.Status.Credential.Name,
 	}, secret)
+	if err != nil {
+		return false, client.IgnoreNotFound(err)
+	}
+
+	token, ok := secret.Data["token"]
+
+	if !ok || r.Signer.Verify(string(token)) != nil {
+		logger.Info("reconcileStatusCredential: the exporter secret is invalid", "exporter", exporter.Name)
+		return false, r.Delete(ctx, secret)
+	}
 
-	return err == nil, client.IgnoreNotFound(err)
+	return true, nil
 }
 
 func (r *ExporterReconciler) reconcileStatusCredential(
@@ -118,7 +130,7 @@ func (r *ExporterReconciler) reconcileStatusCredential(
 	if !exists {
 		if exporter.Status.Credential != nil {
 			// TODO: Send an alert notification to cluster
-			logger.Info("the exporter secret has ceased to exist, will be recreated", "exporter", exporter.Name)
+			logger.Info("reconcileStatusCredential: the exporter secret has ceased to exist, will be recreated", "exporter", exporter.Name)
 		} else {
 			logger.Info("reconcileStatusCredential: creating credential for exporter")
 		}
@@ -197,7 +209,7 @@ func (r *ExporterReconciler) secretForExporter(exporter *jumpstarterdevv1alpha1.
 		},
 	}
 	// enable garbage collection on the created resource
-	if err := controllerutil.SetOwnerReference(exporter, secret, r.Scheme); err != nil {
+	if err := controllerutil.SetControllerReference(exporter, secret, r.Scheme); err != nil {
 		return nil, fmt.Errorf("secretForExporter, error setting owner reference: %w", err)
 	}
 	return secret, nil
@@ -208,5 +220,6 @@ func (r *ExporterReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&jumpstarterdevv1alpha1.Exporter{}).
 		Owns(&jumpstarterdevv1alpha1.Lease{}).
+		Owns(&corev1.Secret{}).
 		Complete(r)
 }

internal/oidc/op.go

@@ -90,6 +90,19 @@ func (k *Signer) Register(group gin.IRoutes) {
 	})
 }
 
+func (k *Signer) Verify(token string) error {
+	_, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) {
+		return &k.privatekey.PublicKey, nil
+	},
+		jwt.WithValidMethods([]string{
+			jwt.SigningMethodES256.Alg(),
+		}),
+		jwt.WithIssuer(k.issuer),
+		jwt.WithAudience(k.audience),
+	)
+	return err
+}
+
 func (k *Signer) Token(
 	subject string,
 ) (string, error) {