
Commit 4091bef

committed
fix issue
1 parent 59b517c commit 4091bef


1 file changed

+38
-15
lines changed


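--- a/pkg/auth/verifier.go
+++ b/pkg/auth/verifier.go
@@ -56,6 +56,7 @@ type Verifier struct {
 	restConfig *rest.Config
 	eventPolicyLister v1alpha1.EventPolicyLister
 	trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister
+	featureStore *feature.Store
 	m sync.RWMutex
 	provider *oidc.Provider
 }
@@ -70,24 +71,15 @@ type IDToken struct {
 }
 
 func NewVerifier(ctx context.Context, eventPolicyLister listerseventingv1alpha1.EventPolicyLister, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, cmw configmap.Watcher) *Verifier {
+	featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) {})
+	featureStore.WatchConfigs(cmw)
+
 	tokenHandler := &Verifier{
 		logger: logging.FromContext(ctx).With("component", "oidc-token-handler"),
 		restConfig: injection.GetConfig(ctx),
 		eventPolicyLister: eventPolicyLister,
 		trustBundleConfigMapLister: trustBundleConfigMapLister,
-	}
-
-	featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) {
-		if features, ok := value.(feature.Flags); ok {
-			if err := tokenHandler.initOIDCProvider(ctx, features); err != nil {
-				tokenHandler.logger.Error(fmt.Sprintf("could not initialize provider after config update. You can ignore this message, when the %s feature is disabled", feature.OIDCAuthentication), zap.Error(err))
-			}
-		}
-	})
-	featureStore.WatchConfigs(cmw)
-
-	if err := tokenHandler.initOIDCProvider(ctx, featureStore.Load()); err != nil {
-		tokenHandler.logger.Error(fmt.Sprintf("could not initialize provider. You can ignore this message, when the %s feature is disabled", feature.OIDCAuthentication), zap.Error(err))
+		featureStore: featureStore,
 	}
 
 	return tokenHandler
@@ -100,6 +92,11 @@ func (v *Verifier) VerifyRequest(ctx context.Context, features feature.Flags, re
 		return nil
 	}
 
+	if err := v.ensureProvider(ctx, features); err != nil {
+		resp.WriteHeader(http.StatusInternalServerError)
+		return fmt.Errorf("failed to initialize OIDC provider: %w", err)
+	}
+
 	idToken, err := v.verifyAuthN(ctx, requiredOIDCAudience, req, resp)
 	if err != nil {
 		return fmt.Errorf("authentication of request could not be verified: %w", err)
@@ -123,6 +120,11 @@ func (v *Verifier) VerifyRequestFromSubject(ctx context.Context, features featur
 		return nil
 	}
 
+	if err := v.ensureProvider(ctx, features); err != nil {
+		resp.WriteHeader(http.StatusInternalServerError)
+		return fmt.Errorf("failed to initialize OIDC provider: %w", err)
+	}
+
 	idToken, err := v.verifyAuthN(ctx, requiredOIDCAudience, req, resp)
 	if err != nil {
 		return fmt.Errorf("authentication of request could not be verified: %w", err)
@@ -147,6 +149,11 @@ func (v *Verifier) VerifyRequestFromSubjectsWithFilters(ctx context.Context, fea
 		return nil
 	}
 
+	if err := v.ensureProvider(ctx, features); err != nil {
+		resp.WriteHeader(http.StatusInternalServerError)
+		return fmt.Errorf("failed to initialize OIDC provider: %w", err)
+	}
+
 	idToken, err := v.verifyAuthN(ctx, requiredOIDCAudience, req, resp)
 	if err != nil {
 		return fmt.Errorf("authentication of request could not be verified: %w", err)
@@ -236,6 +243,24 @@ func (v *Verifier) verifyAuthZBySubjectsWithFilters(ctx context.Context, feature
 	return nil
 }
 
+func (v *Verifier) ensureProvider(ctx context.Context, features feature.Flags) error {
+	v.m.RLock()
+	if v.provider != nil {
+		v.m.RUnlock()
+		return nil
+	}
+	v.m.RUnlock()
+
+	v.m.Lock()
+	defer v.m.Unlock()
+
+	if v.provider != nil {
+		return nil
+	}
+
+	return v.initOIDCProvider(ctx, features)
+}
+
 // verifyJWT verifies the given JWT for the expected audience and returns the parsed ID token.
 func (v *Verifier) verifyJWT(ctx context.Context, jwt, audience string) (*IDToken, error) {
 	v.m.RLock()
@@ -289,8 +314,6 @@ func (v *Verifier) initOIDCProvider(ctx context.Context, features feature.Flags)
 	}
 
 	// provider is valid, update it
-	v.m.Lock()
-	defer v.m.Unlock()
 	v.provider = provider
 
 	v.logger.Debug("updated OIDC provider config", zap.Any("discovery-config", discovery))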
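Review bot: initOIDCProvider now assigns v.provider without taking v.m (the Lock/Unlock pair is removed in the last hunk), so its correctness depends on every caller already holding the write lock, which only ensureProvider visibly does; that precondition should be stated on the function, e.g. `// initOIDCProvider replaces v.provider; the caller must hold v.m for writing (see ensureProvider).`, since any other caller outside this diff would now race with verifyJWT's RLock read of v.provider. The feature-store callback in NewVerifier is now a no-op, so the provider appears to be initialized once on the first verified request and never refreshed; if a later change to the OIDC configuration is meant to be picked up, that refresh path is gone, and if not, a comment on ensureProvider saying the provider is initialized lazily and exactly once would make the intent explicit. ensureProvider also performs the discovery call while holding v.m for writing, so while initialization keeps failing every incoming request retries it and blocks all concurrent token verification behind that retry, which is worth considering as an availability concern on the request path. initOIDCProvider starts outside the last hunk.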
