cmd: Enable to validate by old system secret (#1249)

* enable to validate by old system secret when setting `ROTATED_SYSTEM_SECRET` * don't hash when rotated system secret is empty * add test for rotated system secret getter Signed-off-by: Shota SAWADA <xiootas@gmail.com>
ory · Jan 3, 2019 · e2b88d2 · e2b88d2
1 parent 149573a
commit e2b88d2
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 2 deletions.
diff --git a/cmd/root.go b/cmd/root.go
@@ -138,6 +138,9 @@ func initConfig() {
 	viper.BindEnv("SYSTEM_SECRET")
 	viper.SetDefault("SYSTEM_SECRET", "")
 
+	viper.BindEnv("ROTATED_SYSTEM_SECRET")
+	viper.SetDefault("ROTATED_SYSTEM_SECRET", "")
+
 	viper.BindEnv("CLIENT_SECRET")
 	viper.SetDefault("CLIENT_SECRET", "")
 

diff --git a/cmd/server/handler_oauth2_factory.go b/cmd/server/handler_oauth2_factory.go
@@ -94,7 +94,7 @@ func newOAuth2Provider(c *config.Config) fosite.OAuth2Provider {
 	}
 
 	var coreStrategy foauth2.CoreStrategy
-	hmacStrategy := compose.NewOAuth2HMACStrategy(fc, c.GetSystemSecret(), nil)
+	hmacStrategy := compose.NewOAuth2HMACStrategy(fc, c.GetSystemSecret(), c.GetRotatedSystemSecrets())
 	if c.OAuth2AccessTokenStrategy == "jwt" {
 		kid := uuid.New()
 		if _, err := createOrGetJWK(c, oauth2.OAuth2JWTKeyName, kid, "private"); err != nil {

diff --git a/config/config.go b/config/config.go
@@ -364,7 +364,8 @@ func (c *Config) Context() *Context {
 		Hasher:     hasher,
 		FositeStrategy: &foauth2.HMACSHAStrategy{
 			Enigma: &hmac.HMACStrategy{
-				GlobalSecret: c.GetSystemSecret(),
+				GlobalSecret:         c.GetSystemSecret(),
+				RotatedGlobalSecrets: c.GetRotatedSystemSecrets(),
 			},
 			AccessTokenLifespan:   c.GetAccessTokenLifespan(),
 			AuthorizeCodeLifespan: c.GetAuthCodeLifespan(),
@@ -396,6 +397,10 @@ func (c *Config) GetCookieSecret() []byte {
 }
 
 func (c *Config) GetRotatedSystemSecrets() [][]byte {
+	if len(c.RotatedSystemSecret) == 0 {
+		return nil
+	}
+
 	return [][]byte{
 		pkg.HashStringSecret(c.RotatedSystemSecret),
 	}

diff --git a/config/config_test.go b/config/config_test.go
@@ -105,6 +105,13 @@ func TestSystemSecret(t *testing.T) {
 	assert.EqualValues(t, c.GetSystemSecret(), c2.GetSystemSecret())
 }
 
+func TestRotatedSystemSecrets(t *testing.T) {
+	c := &Config{RotatedSystemSecret: "foobarbazbarasdfasdffoobarbazbarasdfasdf"}
+	assert.EqualValues(t, c.GetRotatedSystemSecrets(), c.GetRotatedSystemSecrets())
+	c2 := &Config{RotatedSystemSecret: ""}
+	assert.Nil(t, c2.GetRotatedSystemSecrets())
+}
+
 func TestResolve(t *testing.T) {
 	c := &Config{EndpointURL: "https://localhost:1234"}
 	assert.Equal(t, c.Resolve("foo", "bar").String(), "https://localhost:1234/foo/bar")