Documentation
Overview
Package secretgenerator provides a supervisorSecretsController that can ensure existence of a generated secret.
Index
- Constants
- func IsFederationDomainSecretOfType(obj metav1.Object, secretType corev1.SecretType) bool
- func NewFederationDomainSecretsController(secretHelper SecretHelper, ...) controllerlib.Controller
- func NewSupervisorSecretsController(owner *appsv1.Deployment, labels map[string]string, ...) controllerlib.Controller
- type SecretHelper
- type SecretUsage
Constants
const (
    // SupervisorCSRFSigningKeySecretType for the Secret storing the CSRF signing key.
    SupervisorCSRFSigningKeySecretType corev1.SecretType = "secrets.pinniped.dev/supervisor-csrf-signing-key"
    // FederationDomainTokenSigningKeyType for the Secret storing the FederationDomain token signing key.
    FederationDomainTokenSigningKeyType corev1.SecretType = "secrets.pinniped.dev/federation-domain-token-signing-key"
    // FederationDomainStateSigningKeyType for the Secret storing the FederationDomain state signing key.
    FederationDomainStateSigningKeyType corev1.SecretType = "secrets.pinniped.dev/federation-domain-state-signing-key"
    // FederationDomainStateEncryptionKeyType for the Secret storing the FederationDomain state encryption key.
    FederationDomainStateEncryptionKeyType corev1.SecretType = "secrets.pinniped.dev/federation-domain-state-encryption-key"
)
Variables
This section is empty.
Functions
func IsFederationDomainSecretOfType (added in v0.4.0)
func IsFederationDomainSecretOfType(obj metav1.Object, secretType corev1.SecretType) bool
func NewFederationDomainSecretsController
func NewFederationDomainSecretsController(
    secretHelper SecretHelper,
    secretRefFunc func(domain *configv1alpha1.FederationDomainStatus) *corev1.LocalObjectReference,
    kubeClient kubernetes.Interface,
    pinnipedClient pinnipedclientset.Interface,
    secretInformer corev1informers.SecretInformer,
    federationDomainInformer configinformers.FederationDomainInformer,
    withInformer pinnipedcontroller.WithInformerOptionFunc,
) controllerlib.Controller
NewFederationDomainSecretsController returns a controllerlib.Controller that ensures a child Secret always exists for a parent FederationDomain. It does this using the provided secretHelper, which provides the parent/child mapping logic.
func NewSupervisorSecretsController
func NewSupervisorSecretsController(
    owner *appsv1.Deployment,
    labels map[string]string,
    kubeClient kubernetes.Interface,
    secretInformer corev1informers.SecretInformer,
    setCacheFunc func(secret []byte),
    withInformer pinnipedcontroller.WithInformerOptionFunc,
    initialEventFunc pinnipedcontroller.WithInitialEventOptionFunc,
) controllerlib.Controller
NewSupervisorSecretsController instantiates a new controllerlib.Controller which ensures the existence of a generated secret.
Types
type SecretHelper
type SecretHelper interface {
    NamePrefix() string
    Generate(*configv1alpha1.FederationDomain) (*corev1.Secret, error)
    IsValid(*configv1alpha1.FederationDomain, *corev1.Secret) bool
    ObserveActiveSecretAndUpdateParentFederationDomain(*configv1alpha1.FederationDomain, *corev1.Secret) *configv1alpha1.FederationDomain
    Handles(metav1.Object) bool
}
SecretHelper describes an object that can Generate() a Secret and determine whether a Secret IsValid(). It can also be told which Secret is active via ObserveActiveSecretAndUpdateParentFederationDomain(), so that it can record that Secret on the parent FederationDomain.
A SecretHelper has a NamePrefix() that can be used to identify it from other SecretHelper instances.
func NewSymmetricSecretHelper
func NewSymmetricSecretHelper(
    namePrefix string,
    labels map[string]string,
    rand io.Reader,
    secretUsage SecretUsage,
    updateCacheFunc func(cacheKey string, cacheValue []byte),
) SecretHelper
NewSymmetricSecretHelper returns a SecretHelper that has been parameterized with the common symmetric secret generation knobs.
type SecretUsage
type SecretUsage int
SecretUsage describes how a cryptographic secret is going to be used. It is currently used to indicate to a SecretHelper which status field to set on the parent FederationDomain for a Secret.
const (
    SecretUsageTokenSigningKey SecretUsage = iota
    SecretUsageStateSigningKey
    SecretUsageStateEncryptionKey
)
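As an added illustration of the Generate()/IsValid() contract that a symmetric SecretHelper fulfils for a given SecretUsage (not the package's own code), the following standard-library-only sketch maps a SecretUsage to its Secret type, draws key material from an io.Reader, and validates an existing Secret before it is trusted. The Secret struct, the 32-byte key length and the "key" Data field are assumptions; the SecretUsage values and Secret type strings are the ones listed on this page.

```go
package main

import (
	"fmt"
	"io"
)

// SecretUsage values and Secret type strings are the page's own.
type SecretUsage int
const (
	SecretUsageTokenSigningKey SecretUsage = iota
	SecretUsageStateSigningKey
	SecretUsageStateEncryptionKey
)
var secretTypeFor = map[SecretUsage]string{
	SecretUsageTokenSigningKey:    "secrets.pinniped.dev/federation-domain-token-signing-key",
	SecretUsageStateSigningKey:    "secrets.pinniped.dev/federation-domain-state-signing-key",
	SecretUsageStateEncryptionKey: "secrets.pinniped.dev/federation-domain-state-encryption-key",
}

// Secret is a constructed stand-in for corev1.Secret (assumption, not the real type).
type Secret struct {
	Name, Type string
	Labels     map[string]string
	Data       map[string][]byte
}
const keyBytes, dataKey = 32, "key" // assumed key length and assumed Data field name

// Generate builds the child Secret for domainName from r (crypto/rand.Reader in production); a short read is an error, never padded.
func Generate(prefix, domainName string, labels map[string]string, r io.Reader, u SecretUsage) (*Secret, error) {
	t, ok := secretTypeFor[u]
	if !ok {
		return nil, fmt.Errorf("unknown SecretUsage %d", u)
	}
	key := make([]byte, keyBytes)
	if _, err := io.ReadFull(r, key); err != nil {
		return nil, fmt.Errorf("generating key: %w", err)
	}
	return &Secret{Name: prefix + domainName, Type: t, Labels: labels, Data: map[string][]byte{dataKey: key}}, nil
}

// IsValid is the check before an existing Secret is trusted: type matches the usage, expected labels are present, key is full length.
func IsValid(s *Secret, labels map[string]string, u SecretUsage) bool {
	if s == nil || s.Type != secretTypeFor[u] {
		return false
	}
	for k, v := range labels {
		if s.Labels[k] != v {
			return false
		}
	}
	return len(s.Data[dataKey]) == keyBytes
}
```

A controller built on this contract regenerates the Secret whenever IsValid returns false, so a Secret of the wrong type, with missing labels, or with truncated key material is replaced rather than used.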