[management] Legacy to embedded IdP migration tool (#5586)

2026-04-18 08:16:39 +00:00 · 2026-04-01 12:53:19 +01:00
parent 4d3e2f8ad3
commit 940f530ac2
24 changed files with 4023 additions and 31 deletions
--- a/management/server/auth/manager.go
+++ b/management/server/auth/manager.go
@@ -33,15 +33,20 @@ type manager struct {
 	extractor *nbjwt.ClaimsExtractor
 }

-func NewManager(store store.Store, issuer, audience, keysLocation, userIdClaim string, allAudiences []string, idpRefreshKeys bool) Manager {
-	// @note if invalid/missing parameters are sent the validator will instantiate
-	// but it will fail when validating and parsing the token
-	jwtValidator := nbjwt.NewValidator(
-		issuer,
-		allAudiences,
-		keysLocation,
-		idpRefreshKeys,
-	)
+func NewManager(store store.Store, issuer, audience, keysLocation, userIdClaim string, allAudiences []string, idpRefreshKeys bool, keyFetcher nbjwt.KeyFetcher) Manager {
+	var jwtValidator *nbjwt.Validator
+	if keyFetcher != nil {
+		jwtValidator = nbjwt.NewValidatorWithKeyFetcher(issuer, allAudiences, keyFetcher)
+	} else {
+		// @note if invalid/missing parameters are sent the validator will instantiate
+		// but it will fail when validating and parsing the token
+		jwtValidator = nbjwt.NewValidator(
+			issuer,
+			allAudiences,
+			keysLocation,
+			idpRefreshKeys,
+		)
+	}

 	claimsExtractor := nbjwt.NewClaimsExtractor(
 		nbjwt.WithAudience(audience),
--- a/management/server/auth/manager_test.go
+++ b/management/server/auth/manager_test.go
@@ -52,7 +52,7 @@ func TestAuthManager_GetAccountInfoFromPAT(t *testing.T) {
 		t.Fatalf("Error when saving account: %s", err)
 	}

-	manager := auth.NewManager(store, "", "", "", "", []string{}, false)
+	manager := auth.NewManager(store, "", "", "", "", []string{}, false, nil)

 	user, pat, _, _, err := manager.GetPATInfo(context.Background(), token)
 	if err != nil {
@@ -92,7 +92,7 @@ func TestAuthManager_MarkPATUsed(t *testing.T) {
 		t.Fatalf("Error when saving account: %s", err)
 	}

-	manager := auth.NewManager(store, "", "", "", "", []string{}, false)
+	manager := auth.NewManager(store, "", "", "", "", []string{}, false, nil)

 	err = manager.MarkPATUsed(context.Background(), "tokenId")
 	if err != nil {
@@ -142,7 +142,7 @@ func TestAuthManager_EnsureUserAccessByJWTGroups(t *testing.T) {
 	// these tests only assert groups are parsed from token as per account settings
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{"idp-groups": []interface{}{"group1", "group2"}})

-	manager := auth.NewManager(store, "", "", "", "", []string{}, false)
+	manager := auth.NewManager(store, "", "", "", "", []string{}, false, nil)

 	t.Run("JWT groups disabled", func(t *testing.T) {
 		userAuth, err := manager.EnsureUserAccessByJWTGroups(context.Background(), userAuth, token)
@@ -225,7 +225,7 @@ func TestAuthManager_ValidateAndParseToken(t *testing.T) {
 	keyId := "test-key"

 	// note, we can use a nil store because ValidateAndParseToken does not use it in it's flow
-	manager := auth.NewManager(nil, issuer, audience, server.URL, userIdClaim, []string{audience}, false)
+	manager := auth.NewManager(nil, issuer, audience, server.URL, userIdClaim, []string{audience}, false, nil)

 	customClaim := func(name string) string {
 		return fmt.Sprintf("%s/%s", audience, name)