Refactor to move invocation of identity transforms out of IDP interfaces

Each endpoint handler is now responsible for applying the identity
transformations and creating most of the session data, rather than each
implementation of the upstream IDP interface. This shares code better,
and reduces the responsibilities of the implementations of the IDP
interface by letting them focus more on the upstream stuff.

Also refactor the parameters and return types of the IDP interfaces to
make them more clear, and because they can be more focused on upstream
identities (pre-identity transformation). This clarifies the
responsibilities of the implementations of the IDP interface.
Ryan Richard
2024-02-16 16:37:18 -08:00
parent 1e8e7b948e
commit b341e52214
9 changed files with 533 additions and 321 deletions


@@ -1,9 +1,10 @@
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package psession
import (
"maps"
"time"
"github.com/mohae/deepcopy"
@@ -108,18 +109,37 @@ type OIDCSessionData struct {
UpstreamIssuer string `json:"upstreamIssuer"`
}
func (s *OIDCSessionData) Clone() *OIDCSessionData {
dataCopy := *s // this shortcut works because all fields in this type are currently strings (no pointers)
return &dataCopy
}
// LDAPSessionData is the additional data needed by Pinniped when the upstream IDP is an LDAP provider.
type LDAPSessionData struct {
UserDN string `json:"userDN"`
ExtraRefreshAttributes map[string]string `json:"extraRefreshAttributes,omitempty"`
}
func (s *LDAPSessionData) Clone() *LDAPSessionData {
return &LDAPSessionData{
UserDN: s.UserDN,
ExtraRefreshAttributes: maps.Clone(s.ExtraRefreshAttributes), // shallow copy works because all keys and values are strings
}
}
// ActiveDirectorySessionData is the additional data needed by Pinniped when the upstream IDP is an Active Directory provider.
type ActiveDirectorySessionData struct {
UserDN string `json:"userDN"`
ExtraRefreshAttributes map[string]string `json:"extraRefreshAttributes,omitempty"`
}
func (s *ActiveDirectorySessionData) Clone() *ActiveDirectorySessionData {
return &ActiveDirectorySessionData{
UserDN: s.UserDN,
ExtraRefreshAttributes: maps.Clone(s.ExtraRefreshAttributes), // shallow copy works because all keys and values are strings
}
}
// NewPinnipedSession returns a new empty session.
func NewPinnipedSession() *PinnipedSession {
return &PinnipedSession{
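Review bot: The three new `Clone` methods dereference their receiver unconditionally (`dataCopy := *s` in the OIDC method, `s.UserDN` in the LDAP and Active Directory ones), so `Clone` on a nil `*OIDCSessionData`, `*LDAPSessionData` or `*ActiveDirectorySessionData` panics; if a session populates only the data for its own upstream type, as seems likely, a nil receiver is a realistic input when a whole session is copied. Returning nil for a nil receiver, `if s == nil { return nil }` as the first line of each method, would let callers clone a session without first checking which upstream field is set. The comment `// this shortcut works because all fields in this type are currently strings (no pointers)` on the OIDC method states an invariant the compiler does not enforce, and the struct definition is only partly visible in this hunk, so a unit test that clones a value, mutates the copy and asserts the original is unchanged would catch a future pointer or map field that silently aliases stored session state. Each exported `Clone` also lacks a doc comment, e.g. `// Clone returns a copy of the session data that shares no mutable state with the receiver.`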