Merge pull request #998 from rithujohn191/fix-key-rotation

server/rotation.go: Fix key rotation with multiple dex instances.
This commit is contained in:
rithu leena john 2017-07-19 11:07:48 -07:00 committed by GitHub
commit 0e0b4c53ef

View file

@ -5,6 +5,7 @@ import (
"crypto/rand" "crypto/rand"
"crypto/rsa" "crypto/rsa"
"encoding/hex" "encoding/hex"
"errors"
"fmt" "fmt"
"io" "io"
"time" "time"
@ -15,6 +16,8 @@ import (
"github.com/coreos/dex/storage" "github.com/coreos/dex/storage"
) )
var errAlreadyRotated = errors.New("keys already rotated by another server instance")
// rotationStrategy describes a strategy for generating cryptographic keys, how // rotationStrategy describes a strategy for generating cryptographic keys, how
// often to rotate them, and how long they can validate signatures after rotation. // often to rotate them, and how long they can validate signatures after rotation.
type rotationStrategy struct { type rotationStrategy struct {
@ -70,7 +73,11 @@ func (s *Server) startKeyRotation(ctx context.Context, strategy rotationStrategy
// Try to rotate immediately so properly configured storages will have keys. // Try to rotate immediately so properly configured storages will have keys.
if err := rotater.rotate(); err != nil { if err := rotater.rotate(); err != nil {
s.logger.Errorf("failed to rotate keys: %v", err) if err == errAlreadyRotated {
s.logger.Infof("Key rotation not needed: %v", err)
} else {
s.logger.Errorf("failed to rotate keys: %v", err)
}
} }
go func() { go func() {
@ -128,7 +135,7 @@ func (k keyRotater) rotate() error {
// if you are running multiple instances of dex, another instance // if you are running multiple instances of dex, another instance
// could have already rotated the keys. // could have already rotated the keys.
if tNow.Before(keys.NextRotation) { if tNow.Before(keys.NextRotation) {
return storage.Keys{}, nil return storage.Keys{}, errAlreadyRotated
} }
expired := func(key storage.VerificationKey) bool { expired := func(key storage.VerificationKey) bool {