enhance(admin): add oidc key rotation

go.mod

@@ -8,8 +8,8 @@ require (
 	github.com/buildkite/yaml v0.0.0-20230306222819-0e4e032d4835
 	github.com/coreos/go-semver v0.3.1
 	github.com/gin-gonic/gin v1.10.0
-	github.com/go-vela/server v0.24.1
-	github.com/go-vela/types v0.24.0
+	github.com/go-vela/server v0.24.3-0.20240904142119-21dfb446e793
+	github.com/go-vela/types v0.24.1-0.20240826141537-76a66e72d5dc
 	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-querystring v1.1.0
@@ -53,9 +53,9 @@ require (
 	github.com/urfave/cli/v2 v2.27.2 // indirect
 	github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect
 	golang.org/x/arch v0.8.0 // indirect
-	golang.org/x/crypto v0.24.0 // indirect
-	golang.org/x/net v0.25.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/crypto v0.25.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
 	golang.org/x/text v0.16.0 // indirect
 	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect

go.sum

@@ -36,10 +36,10 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.20.0 h1:K9ISHbSaI0lyB2eWMPJo+kOS/FBExVwjEviJTixqxL8=
 github.com/go-playground/validator/v10 v10.20.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
-github.com/go-vela/server v0.24.1 h1:iM5REZBh6oHD0nxEH4O6dkUWNhY3MNrWBLNWGUUwcP8=
-github.com/go-vela/server v0.24.1/go.mod h1:jCnJPiyaRLcdy1u5fKIf7BqsbYAbVMjjI7dlyxZovME=
-github.com/go-vela/types v0.24.0 h1:KkkiXxw3uHckh/foyadmLY1YnLw6vhZbz9XwqONCj6o=
-github.com/go-vela/types v0.24.0/go.mod h1:YWj6BIapl9Kbj4yHq/fp8jltXdGiwD/gTy1ez32Rzag=
+github.com/go-vela/server v0.24.3-0.20240904142119-21dfb446e793 h1:7WnJ3cg3Ev1McemTyAHo1+DPiPe1SMfJaGzoXkZgMx8=
+github.com/go-vela/server v0.24.3-0.20240904142119-21dfb446e793/go.mod h1:3KmEXG+6N0jfwxPKBM8oIOM3iAcxwJvqsOs0RZvGYnI=
+github.com/go-vela/types v0.24.1-0.20240826141537-76a66e72d5dc h1:VyT2tBwPVO9fMmn+22TC4rY4dp+d71To/Qo5Vk4cOSo=
+github.com/go-vela/types v0.24.1-0.20240826141537-76a66e72d5dc/go.mod h1:WcSiFm8cWuErRw4aI08NrfM+SZzidnbUs2fmO5klFKo=
 github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
 github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
@@ -123,15 +123,15 @@ github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913/go.mod h1:4aEEwZQut
 golang.org/x/arch v0.0.0-20210923205945-b76863e36670/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
 golang.org/x/arch v0.8.0 h1:3wRIsP3pM4yUptoR96otTUOXI367OS0+c9eeRi9doIc=
 golang.org/x/arch v0.8.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
-golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
-golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
-golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
-golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

vela/admin.go

@@ -21,6 +21,7 @@ type (
 		Clean      *AdminCleanService
 		Deployment *AdminDeploymentService
 		Hook       *AdminHookService
+		OIDC       *AdminOIDCService
 		Repo       *AdminRepoService
 		Secret     *AdminSecretService
 		Service    *AdminSvcService
@@ -46,6 +47,9 @@ type (
 	// the server methods of the Vela API.
 	AdminHookService service
 
+	// AdminOIDCService handles key rotation for OpenID Connect.
+	AdminOIDCService service
+
 	// AdminRepoService handles retrieving admin repos from
 	// the server methods of the Vela API.
 	AdminRepoService service
@@ -302,3 +306,16 @@ func (svc *AdminWorkerService) RegisterToken(hostname string) (*library.Token, *
 
 	return t, resp, err
 }
+
+// RotateOIDCKeys sends a request to rotate the private keys used for creating ID tokens.
+func (svc *AdminOIDCService) RotateOIDCKeys() (*string, *Response, error) {
+	// set the API endpoint path we send the request to
+	url := "/api/v1/admin/rotate_oidc_keys"
+
+	v := new(string)
+
+	// send request using client
+	resp, err := svc.client.Call("POST", url, nil, v)
+
+	return v, resp, err
+}

vela/admin_test.go

@@ -552,3 +552,47 @@ func TestAdmin_Settings_Restore_200(t *testing.T) {
 		t.Errorf("Settings.Restore returned %v, want %v", got, want)
 	}
 }
+
+func TestAdmin_OIDC_RotateKeys_200(t *testing.T) {
+	// setup context
+	gin.SetMode(gin.TestMode)
+
+	s := httptest.NewServer(server.FakeHandler())
+	c, _ := NewClient(s.URL, "", nil)
+
+	want := "keys rotated successfully"
+
+	// run test
+	got, resp, err := c.Admin.OIDC.RotateOIDCKeys()
+	if err != nil {
+		t.Errorf("RotateOIDCKeys returned err: %v", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("RotateOIDCKeys returned %v, want %v", resp.StatusCode, http.StatusOK)
+	}
+
+	if diff := cmp.Diff(&want, got); diff != "" {
+		t.Errorf("RotateOIDCKeys() mismatch (-want +got):\n%s", diff)
+	}
+}
+
+func TestAdmin_OIDC_RotateKeys_Unauthorized(t *testing.T) {
+	// setup context
+	gin.SetMode(gin.TestMode)
+
+	s := httptest.NewServer(server.FakeHandler())
+	c, _ := NewClient(s.URL, "", nil)
+
+	c.Authentication.SetTokenAuth("invalid")
+
+	// run test
+	_, resp, err := c.Admin.OIDC.RotateOIDCKeys()
+	if err == nil {
+		t.Error("RotateOIDCKeys should have returned err")
+	}
+
+	if resp.StatusCode != http.StatusUnauthorized {
+		t.Errorf("RotateOIDCKeys returned %v, want %v", resp.StatusCode, http.StatusUnauthorized)
+	}
+}

vela/client.go

@@ -131,6 +131,7 @@
 		&AdminCleanService{client: c},
 		&AdminDeploymentService{client: c},
 		&AdminHookService{client: c},
+		&AdminOIDCService{client: c},
 		&AdminRepoService{client: c},
 		&AdminSecretService{client: c},
 		&AdminSvcService{client: c},
@@ -547,5 +548,5 @@
 		return nil
 	}
 
 	return fmt.Errorf(*resp.Message)
 }

vela/client_test.go

@@ -39,6 +39,7 @@ func TestVela_NewClient(t *testing.T) {
 		&AdminCleanService{client: want},
 		&AdminDeploymentService{client: want},
 		&AdminHookService{client: want},
+		&AdminOIDCService{client: want},
 		&AdminRepoService{client: want},
 		&AdminSecretService{client: want},
 		&AdminSvcService{client: want},