Skip to content

Commit 0b26d1c

Browse files
committed
refactor: simplify per-connector expiry helpers
- Reuse the existing server.value() helper in idTokensValidForConn instead of a hand-rolled zero-check. - Drop the duplicate per-connector refresh-token summary log; thread the connector_id into NewRefreshTokenPolicy via logger.With so the existing per-field logs carry it. - Trim WHAT-only docstrings and tighten the rationale on ConnectorRefreshToken and buildConnectorExpiryOverrides. Signed-off-by: Helio Machado <0x2b3bfa0+git@googlemail.com>
1 parent f808275 commit 0b26d1c

5 files changed

Lines changed: 13 additions & 37 deletions

File tree

cmd/dex/config.go

Lines changed: 4 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -566,20 +566,14 @@ type Connector struct {
566566
Expiry *ConnectorExpiry `json:"expiry,omitempty"`
567567
}
568568

569-
// ConnectorExpiry holds per-connector overrides for token lifetimes.
570569
type ConnectorExpiry struct {
571-
// IDTokens overrides expiry.idTokens for tokens issued through this connector.
572-
IDTokens string `json:"idTokens"`
573-
574-
// RefreshTokens overrides expiry.refreshTokens for sessions established
575-
// through this connector. Any field left unset falls back to the global
576-
// refresh token policy.
570+
IDTokens string `json:"idTokens"`
577571
RefreshTokens *ConnectorRefreshToken `json:"refreshTokens"`
578572
}
579573

580-
// ConnectorRefreshToken holds per-connector refresh token policy overrides.
581-
// Fields mirror the top-level RefreshToken struct; a nil pointer on DisableRotation
582-
// signals "inherit the global value", while the other string fields inherit when empty.
574+
// ConnectorRefreshToken mirrors RefreshToken but uses a pointer for
575+
// DisableRotation so that "unset" can be distinguished from "false",
576+
// allowing the field to inherit the global value when nil.
583577
type ConnectorRefreshToken struct {
584578
DisableRotation *bool `json:"disableRotation"`
585579
ReuseInterval string `json:"reuseInterval"`

cmd/dex/serve.go

Lines changed: 5 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -841,11 +841,9 @@ func parseSessionConfig(s *Sessions) (*server.SessionConfig, error) {
841841
}
842842

843843
// buildConnectorExpiryOverrides parses per-connector `expiry` overrides.
844-
// Per-connector `idTokens` must not exceed the global `expiry.idTokens` value,
845-
// since the signer's key retention window is sized from it. Refresh token
846-
// fields have no such constraint: they are validated against storage, not
847-
// against signing keys. Connectors without an override are omitted from the
848-
// returned map and inherit the global policy at runtime.
844+
// Per-connector `idTokens` must not exceed the global value, since the signer's
845+
// key retention window is sized from it. Refresh-token fields have no such
846+
// constraint: they are validated against storage, not against signing keys.
849847
func buildConnectorExpiryOverrides(
850848
logger *slog.Logger,
851849
connectors []Connector,
@@ -910,18 +908,12 @@ func parseConnectorExpiry(
910908
reuseInterval = globalRefresh.ReuseInterval
911909
}
912910

913-
policy, err := server.NewRefreshTokenPolicy(logger, disableRotation, validIfNotUsedFor, absoluteLifetime, reuseInterval)
911+
connLogger := logger.With("connector_id", conn.ID)
912+
policy, err := server.NewRefreshTokenPolicy(connLogger, disableRotation, validIfNotUsedFor, absoluteLifetime, reuseInterval)
914913
if err != nil {
915914
return override, fmt.Errorf("refresh token policy: %v", err)
916915
}
917916
override.RefreshTokenPolicy = policy
918-
logger.Info("config connector refresh tokens",
919-
"connector_id", conn.ID,
920-
"valid_if_not_used_for", validIfNotUsedFor,
921-
"absolute_lifetime", absoluteLifetime,
922-
"reuse_interval", reuseInterval,
923-
"rotation_enabled", !disableRotation,
924-
)
925917
return override, nil
926918
}
927919

server/oauth2.go

Lines changed: 3 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -343,20 +343,13 @@ func genSubject(userID string, connID string) (string, error) {
343343
return internal.Marshal(sub)
344344
}
345345

346-
// idTokensValidForConn returns the ID token lifetime for the given connector,
347-
// falling back to the server-wide value when no per-connector override is set.
348346
func (s *Server) idTokensValidForConn(connID string) time.Duration {
349-
if o, ok := s.connectorExpiryOverrides[connID]; ok && o.IDTokensValidFor > 0 {
350-
return o.IDTokensValidFor
351-
}
352-
return s.idTokensValidFor
347+
return value(s.connectorExpiryOverrides[connID].IDTokensValidFor, s.idTokensValidFor)
353348
}
354349

355-
// refreshTokenPolicyForConn returns the refresh token policy for the given
356-
// connector, falling back to the server-wide policy when no override is set.
357350
func (s *Server) refreshTokenPolicyForConn(connID string) *RefreshTokenPolicy {
358-
if o, ok := s.connectorExpiryOverrides[connID]; ok && o.RefreshTokenPolicy != nil {
359-
return o.RefreshTokenPolicy
351+
if p := s.connectorExpiryOverrides[connID].RefreshTokenPolicy; p != nil {
352+
return p
360353
}
361354
return s.refreshTokenPolicy
362355
}

server/oauth2_test.go

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1311,8 +1311,6 @@ func TestRefreshTokenPolicyForConn(t *testing.T) {
13111311
"missing entry should fall back to global")
13121312
}
13131313

1314-
// TestNewIDTokenUsesConnectorOverride verifies that newIDToken applies the
1315-
// per-connector idTokensValidFor override at issuance time, not the global.
13161314
func TestNewIDTokenUsesConnectorOverride(t *testing.T) {
13171315
ctx, cancel := context.WithCancel(context.Background())
13181316
defer cancel()

server/server.go

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -213,7 +213,7 @@ func value(val, defaultValue time.Duration) time.Duration {
213213
}
214214

215215
// ConnectorExpiryOverride carries per-connector token lifetime overrides.
216-
// A zero IDTokensValidFor or nil RefreshTokenPolicy inherits the global value.
216+
// A zero or nil field inherits the global value.
217217
type ConnectorExpiryOverride struct {
218218
IDTokensValidFor time.Duration
219219
RefreshTokenPolicy *RefreshTokenPolicy
@@ -257,7 +257,6 @@ type Server struct {
257257

258258
refreshTokenPolicy *RefreshTokenPolicy
259259

260-
// connectorExpiryOverrides holds per-connector overrides for token lifetimes.
261260
connectorExpiryOverrides map[string]ConnectorExpiryOverride
262261

263262
logger *slog.Logger

0 commit comments

Comments
 (0)