generate hash with policy UID

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
envoyproxy · Feb 22, 2024 · 0496bbd · 0496bbd
1 parent b84c92e
commit 0496bbd
Show file tree

Hide file tree

Showing 7 changed files with 14 additions and 9 deletions.
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -495,16 +495,11 @@ func (t *Translator) buildOIDC(
 		logoutPath = *oidc.LogoutPath
 	}
 
-	nsName := types.NamespacedName{
-		Namespace: policy.GetNamespace(),
-		Name:      policy.GetName(),
-	}
 	h := fnv.New32a()
-	_, err = h.Write([]byte(nsName.String()))
-	if err != nil {
+	if _, err = h.Write([]byte(policy.UID)); err != nil {
 		return nil, fmt.Errorf("error generating oauth cookie suffix: %w", err)
 	}
-	suffix := strconv.Itoa(int(h.Sum32()))
+	suffix := fmt.Sprintf("%X", h.Sum32())
 
 	return &ir.OIDC{
 		Provider:     *provider,

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.in.yaml
@@ -27,6 +27,7 @@ securityPolicies:
   metadata:
     namespace: default
     name: policy-non-exist-secretRef
+    uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
   spec:
     targetRef:
       group: gateway.networking.k8s.io

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml
@@ -62,6 +62,7 @@ securityPolicies:
     creationTimestamp: null
     name: policy-non-exist-secretRef
     namespace: default
+    uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
   spec:
     oidc:
       clientID: client1.apps.foo.bar.com

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.in.yaml
@@ -63,6 +63,7 @@ securityPolicies:
   metadata:
     namespace: default
     name: policy-non-exist-secretRef
+    uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
   spec:
     targetRef:
       group: gateway.networking.k8s.io
@@ -81,6 +82,7 @@ securityPolicies:
   metadata:
     namespace: default
     name: policy-no-referenceGrant
+    uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
   spec:
     targetRef:
       group: gateway.networking.k8s.io

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml
@@ -172,6 +172,7 @@ securityPolicies:
     creationTimestamp: null
     name: policy-non-exist-secretRef
     namespace: default
+    uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
   spec:
     oidc:
       clientID: client1.apps.googleusercontent.com
@@ -200,6 +201,7 @@ securityPolicies:
     creationTimestamp: null
     name: policy-no-referenceGrant
     namespace: default
+    uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
   spec:
     oidc:
       clientID: client1.apps.googleusercontent.com

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml
@@ -80,6 +80,7 @@ securityPolicies:
   metadata:
     namespace: envoy-gateway
     name: policy-for-gateway-discover-endpoints  # This policy should attach httproute-2
+    uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
   spec:
     targetRef:
       group: gateway.networking.k8s.io
@@ -99,6 +100,7 @@ securityPolicies:
   metadata:
     namespace: default
     name: policy-for-http-route   # This policy should attach httproute-1
+    uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
   spec:
     targetRef:
       group: gateway.networking.k8s.io

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
@@ -139,6 +139,7 @@ securityPolicies:
     creationTimestamp: null
     name: policy-for-http-route
     namespace: default
+    uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
   spec:
     oidc:
       clientID: client2.oauth.foo.com
@@ -174,6 +175,7 @@ securityPolicies:
     creationTimestamp: null
     name: policy-for-gateway-discover-endpoints
     namespace: envoy-gateway
+    uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
   spec:
     oidc:
       clientID: client1.apps.googleusercontent.com
@@ -230,7 +232,7 @@ xdsIR:
         oidc:
           clientID: client2.oauth.foo.com
           clientSecret: Y2xpZW50MTpzZWNyZXQK
-          cookieSuffix: "1667669650"
+          cookieSuffix: 5F93C2E4
           logoutPath: /foo/logout
           provider:
             authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth
@@ -262,7 +264,7 @@ xdsIR:
         oidc:
           clientID: client1.apps.googleusercontent.com
           clientSecret: Y2xpZW50MTpzZWNyZXQK
-          cookieSuffix: "2003913538"
+          cookieSuffix: B0A1B740
           logoutPath: /bar/logout
           provider:
             authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth