Update github.com/coreos/go-oidc

2016-05-04 09:47:11 -07:00
parent a6812d18a5
commit 82bdf9051c
9 changed files with 65 additions and 14 deletions
--- a/vendor/github.com/coreos/go-oidc/oidc/key.go
+++ b/vendor/github.com/coreos/go-oidc/oidc/key.go
@@ -11,6 +11,11 @@ import (
 	"github.com/coreos/go-oidc/key"
 )

+// DefaultPublicKeySetTTL is the default TTL set on the PublicKeySet if no
+// Cache-Control header is provided by the JWK Set document endpoint.
+const DefaultPublicKeySetTTL = 24 * time.Hour
+
+// NewRemotePublicKeyRepo is responsible for fetching the JWK Set document.
 func NewRemotePublicKeyRepo(hc phttp.Client, ep string) *remotePublicKeyRepo {
 	return &remotePublicKeyRepo{hc: hc, ep: ep}
 }
@@ -20,6 +25,11 @@ type remotePublicKeyRepo struct {
 	ep string
 }

+// Get returns a PublicKeySet fetched from the JWK Set document endpoint. A TTL
+// is set on the Key Set to avoid it having to be re-retrieved for every
+// encryption event. This TTL is typically controlled by the endpoint returning
+// a Cache-Control header, but defaults to 24 hours if no Cache-Control header
+// is found.
 func (r *remotePublicKeyRepo) Get() (key.KeySet, error) {
 	req, err := http.NewRequest("GET", r.ep, nil)
 	if err != nil {
@@ -48,7 +58,7 @@ func (r *remotePublicKeyRepo) Get() (key.KeySet, error) {
 		return nil, err
 	}
 	if !ok {
-		return nil, errors.New("HTTP cache headers not set")
+		ttl = DefaultPublicKeySetTTL
 	}

 	exp := time.Now().UTC().Add(ttl)
--- a/vendor/github.com/coreos/go-oidc/oidc/provider.go
+++ b/vendor/github.com/coreos/go-oidc/oidc/provider.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"
 	"sync"
 	"time"

@@ -618,7 +619,11 @@ func NewHTTPProviderConfigGetter(hc phttp.Client, issuerURL string) *httpProvide
 }

 func (r *httpProviderConfigGetter) Get() (cfg ProviderConfig, err error) {
-	req, err := http.NewRequest("GET", r.issuerURL+discoveryConfigPath, nil)
+	// If the Issuer value contains a path component, any terminating / MUST be removed before
+	// appending /.well-known/openid-configuration.
+	// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
+	discoveryURL := strings.TrimSuffix(r.issuerURL, "/") + discoveryConfigPath
+	req, err := http.NewRequest("GET", discoveryURL, nil)
 	if err != nil {
 		return
 	}
--- a/vendor/github.com/coreos/go-oidc/oidc/transport.go
+++ b/vendor/github.com/coreos/go-oidc/oidc/transport.go
@@ -67,6 +67,15 @@ func (t *AuthenticatedTransport) verifiedJWT() (jose.JWT, error) {
 	return t.jwt, nil
 }

+// SetJWT sets the JWT held by the Transport.
+// This is useful for cases in which you want to set an initial JWT.
+func (t *AuthenticatedTransport) SetJWT(jwt jose.JWT) {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+
+	t.jwt = jwt
+}
+
 func (t *AuthenticatedTransport) RoundTrip(r *http.Request) (*http.Response, error) {
 	jwt, err := t.verifiedJWT()
 	if err != nil {