systemview: adds method for plugins to generate identity tokens (#24929)
* systemview: adds method for plugins to generate identity tokens * change test name and godoc * adds changelog * make proto to include comment
1 parent
ee1e7e1
commit d90c7e8
Showing
9 changed files
with
563 additions
and
236 deletions.
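--- /dev/null
+++ b/<changelog path not shown on page>
@@ -0,0 +1,3 @@
+```release-note:improvement
+sdk: adds new method to system view to allow plugins to request identity tokens
+```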
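--- /dev/null
+++ b/<pluginutil identity token source path not shown on page>
@@ -0,0 +1,40 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package pluginutil
+
+import (
+"time"
+)
+
+const redactedTokenString = "ey***"
+
+type IdentityTokenRequest struct {
+// Audience identifies the recipient of the token. The requested
+// value will be in the "aud" claim. Required.
+Audience string
+// TTL is the requested duration that the token will be valid for.
+// Optional with a default of 1hr.
+TTL time.Duration
+}
+
+type IdentityTokenResponse struct {
+// Token is the plugin identity token.
+Token IdentityToken
+// TTL is the duration that the token is valid for after truncation is applied.
+// The TTL may be truncated depending on the lifecycle of its signing key.
+TTL time.Duration
+}
+
+type IdentityToken string
+
+// String returns a redacted token string. Use the Token() method
+// to obtain the non-redacted token contents.
+func (t IdentityToken) String() string {
+return redactedTokenString
+}
+
+// Token returns the non-redacted token contents.
+func (t IdentityToken) Token() string {
+return string(t)
+}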
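Review bot: The redaction in `IdentityToken.String()` only covers formatting paths that consult `fmt.Stringer`; `%#v` goes through `GoStringer` instead, and `encoding/json` or reflection-based structured loggers serialize the underlying string, so a token that reaches one of those paths is emitted in full. Adding `func (t IdentityToken) GoString() string { return redactedTokenString }` closes the `%#v` case, and the `IdentityToken` type comment should state that only `Token()` yields the secret and that encoders (JSON, proto) do not redact it. The test in the next file exercises `%v` and `%s` only, so an assertion on `fmt.Sprintf("%#v", tk)` would pin this. The exported types `IdentityTokenRequest`, `IdentityTokenResponse` and `IdentityToken` also have no doc comments, and the "default of 1hr" on `TTL` is applied somewhere outside this diff, so the comment could say by whom.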
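--- /dev/null
+++ b/<pluginutil identity token test path not shown on page>
@@ -0,0 +1,29 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package pluginutil
+
+import (
+"fmt"
+"testing"
+
+"github.com/stretchr/testify/assert"
+)
+
+// TestIdentityToken_Stringer ensures that plugin identity tokens that
+// are printed in formatted strings or errors are redacted and getters
+// return expected values.
+func TestIdentityToken_Stringer(t *testing.T) {
+contents := "header.payload.signature"
+tk := IdentityToken(contents)
+
+// token getters
+assert.Equal(t, contents, tk.Token())
+assert.Equal(t, redactedTokenString, tk.String())
+
+// formatted strings and errors
+assert.NotContains(t, fmt.Sprintf("%v", tk), tk.Token())
+assert.NotContains(t, fmt.Sprintf("%s", tk), tk.Token())
+assert.NotContains(t, fmt.Errorf("%v", tk).Error(), tk.Token())
+assert.NotContains(t, fmt.Errorf("%s", tk).Error(), tk.Token())
+}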