diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index e2121cdfcab1..abb274e6b088 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -493,7 +493,7 @@ func (t *Translator) buildOIDC(
 }
 // Generate a unique cookie suffix for oauth filters
- suffix := utils.Digest(string(policy.UID))
+ suffix := utils.Digest32(string(policy.UID))
 return &ir.OIDC{
 Provider: *provider,
diff --git a/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go b/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go
index 49f7c7983721..0cde399a2dff 100644
--- a/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go
+++ b/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go
@@ -54,7 +54,7 @@ func TestCreateOrUpdateProxyServiceAccount(t *testing.T) {
 },
 ObjectMeta: metav1.ObjectMeta{
 Namespace: "test",
- Name: "envoy-test-afd071e5",
+ Name: "envoy-test-9f86d081",
 Labels: map[string]string{
 "app.kubernetes.io/name": "envoy",
 "app.kubernetes.io/component": "proxy",
@@ -103,7 +103,7 @@ func TestCreateOrUpdateProxyServiceAccount(t *testing.T) {
 },
 ObjectMeta: metav1.ObjectMeta{
 Namespace: "test",
- Name: "envoy-test-afd071e5",
+ Name: "envoy-test-9f86d081",
 Labels: map[string]string{
 "app.kubernetes.io/name": "envoy",
 "app.kubernetes.io/component": "proxy",
diff --git a/internal/utils/misc.go b/internal/utils/misc.go
index 9f975ea7e873..6e434660de64 100644
--- a/internal/utils/misc.go
+++ b/internal/utils/misc.go
@@ -6,6 +6,7 @@ package utils
 import (
+ "crypto/sha256"
 "fmt"
 "hash/fnv"
 "strings"
@@ -25,20 +26,30 @@ func NamespacedName(obj client.Object) types.NamespacedName {
 // GetHashedName returns a partially hashed name for the string including up to the given length of the original name characters before the hash.
 // Input `nsName` should be formatted as `{Namespace}/{ResourceName}`.
 func GetHashedName(nsName string, length int) string {
- hashedName := Digest(nsName)
+ hashedName := Digest256(nsName)
 // replace `/` with `-` to create a valid K8s resource name
 resourceName := strings.ReplaceAll(nsName, "/", "-")
 if length > 0 && len(resourceName) > length {
 // resource name needs to be trimmed, as container port name must not contain consecutive hyphens
 trimmedName := strings.TrimSuffix(resourceName[0:length], "-")
- return fmt.Sprintf("%s-%s", trimmedName, hashedName)
+ return fmt.Sprintf("%s-%s", trimmedName, hashedName[0:8])
 }
- return fmt.Sprintf("%s-%s", resourceName, hashedName)
+ // Ideally we should use 32-bit hash instead of 64-bit hash and return the first 8 characters of the hash.
+ // However, we are using 64-bit hash to maintain backward compatibility.
+ return fmt.Sprintf("%s-%s", resourceName, hashedName[0:8])
 }
-// Digest returns a 32-bit hashh of the input string.
-// The hash is represented as a capitalized hexadecimal string.
-func Digest(str string) string {
+// Digest256 returns a sha256 hash of the input string.
+// The hash is represented as a hexadecimal string of length 64.
+func Digest256(str string) string {
+ h := sha256.New() // Using sha256 instead of sha1 due to Blocklisted import crypto/sha1: weak cryptographic primitive (gosec)
+ h.Write([]byte(str))
+ return strings.ToLower(fmt.Sprintf("%x", h.Sum(nil)))
+}
+
+// Digest32 returns a 32-bit hash of the input string.
+// The hash is represented as a hexadecimal string of length 8.
+func Digest32(str string) string {
 h := fnv.New32a()
 _, _ = h.Write([]byte(str))
 return fmt.Sprintf("%x", h.Sum32())
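Review bot: The comment added before the last `return` in GetHashedName contradicts the code: `hashedName` is the 64-hex-character SHA-256 digest from Digest256 and `hashedName[0:8]` keeps 32 bits of it, so no 64-bit hash is involved, and the changed expectations in misc_test.go (`http-c96448a5` → `http-e0603c49`) and proxy_serviceaccount_test.go show that names produced by the old fnv-based Digest are not preserved, which presumably means existing clusters see renamed resources on upgrade. Replace it with an accurate comment such as `// Keep only the first 8 hex characters (32 bits) of the SHA-256 digest so the suffix stays short; it disambiguates names and is not a collision-resistant identifier.` and say the same in the Digest256 doc comment, since a digest truncated to 32 bits offers no more collision resistance than the fnv hash it replaces. In Digest256, `strings.ToLower` is redundant because `%x` already emits lowercase hex, and `h.Write` drops its error without the explicit `_, _ =` that Digest32 uses; the body can be `sum := sha256.Sum256([]byte(str))` followed by `return fmt.Sprintf("%x", sum[:])`. Digest32 is the old Digest under a new name, so the buildOIDC call in securitypolicy.go keeps its previous cookie-suffix values.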
diff --git a/internal/utils/misc_test.go b/internal/utils/misc_test.go
index 439678138678..5955f28aecd7 100644
--- a/internal/utils/misc_test.go
+++ b/internal/utils/misc_test.go
@@ -18,9 +18,9 @@ func TestGetHashedName(t *testing.T) {
 length int
 expected string
 }{
- {"test default name", "http", 6, "http-c96448a5"},
- {"test removing trailing slash", "namespace/name", 10, "namespace-3c4f601e"},
- {"test removing trailing hyphen", "envoy-gateway-system/eg/http", 6, "envoy-128ffda5"},
+ {"test default name", "http", 6, "http-e0603c49"},
+ {"test removing trailing slash", "namespace/name", 10, "namespace-18a6500f"},
+ {"test removing trailing hyphen", "envoy-gateway-system/eg/http", 6, "envoy-2ecf157b"},
 }
 for _, tc := range testCases {
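Review bot: The updated table still pins GetHashedName only through its truncated 8-character suffix; nothing here covers Digest256 directly or the `length <= 0` branch, which after this change also truncates to `hashedName[0:8]`. The existing "test removing trailing slash" case already fixes the prefix `18a6500f` for `namespace/name`, so a row such as `{"test no length limit", "namespace/name", 0, "namespace-name-18a6500f"}` would catch a future change to the truncation width at no extra cost, and a check that `len(Digest256("namespace/name")) == 64` would pin the documented digest format. TestGetHashedName continues outside the hunk.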