generate hash with policy UID

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
envoyproxy · Feb 22, 2024 · 822d5dd · 822d5dd
1 parent b84c92e
commit 822d5dd
Show file tree

Hide file tree

Showing 9 changed files with 26 additions and 21 deletions.
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -495,16 +495,11 @@ func (t *Translator) buildOIDC(
 		logoutPath = *oidc.LogoutPath
 	}
 
-	nsName := types.NamespacedName{
-		Namespace: policy.GetNamespace(),
-		Name:      policy.GetName(),
-	}
 	h := fnv.New32a()
-	_, err = h.Write([]byte(nsName.String()))
-	if err != nil {
+	if _, err = h.Write([]byte(policy.UID)); err != nil {
 		return nil, fmt.Errorf("error generating oauth cookie suffix: %w", err)
 	}
-	suffix := strconv.Itoa(int(h.Sum32()))
+	suffix := fmt.Sprintf("%X", h.Sum32())
 
 	return &ir.OIDC{
 		Provider:     *provider,

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.in.yaml
@@ -27,6 +27,7 @@ securityPolicies:
   metadata:
     namespace: default
     name: policy-non-exist-secretRef
+    uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
   spec:
     targetRef:
       group: gateway.networking.k8s.io

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml
@@ -62,6 +62,7 @@ securityPolicies:
     creationTimestamp: null
     name: policy-non-exist-secretRef
     namespace: default
+    uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
   spec:
     oidc:
       clientID: client1.apps.foo.bar.com

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.in.yaml
@@ -63,6 +63,7 @@ securityPolicies:
   metadata:
     namespace: default
     name: policy-non-exist-secretRef
+    uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
   spec:
     targetRef:
       group: gateway.networking.k8s.io
@@ -81,6 +82,7 @@ securityPolicies:
   metadata:
     namespace: default
     name: policy-no-referenceGrant
+    uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
   spec:
     targetRef:
       group: gateway.networking.k8s.io

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml
@@ -172,6 +172,7 @@ securityPolicies:
     creationTimestamp: null
     name: policy-non-exist-secretRef
     namespace: default
+    uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
   spec:
     oidc:
       clientID: client1.apps.googleusercontent.com
@@ -200,6 +201,7 @@ securityPolicies:
     creationTimestamp: null
     name: policy-no-referenceGrant
     namespace: default
+    uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
   spec:
     oidc:
       clientID: client1.apps.googleusercontent.com

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml
@@ -80,6 +80,7 @@ securityPolicies:
   metadata:
     namespace: envoy-gateway
     name: policy-for-gateway-discover-endpoints  # This policy should attach httproute-2
+    uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
   spec:
     targetRef:
       group: gateway.networking.k8s.io
@@ -99,6 +100,7 @@ securityPolicies:
   metadata:
     namespace: default
     name: policy-for-http-route   # This policy should attach httproute-1
+    uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
   spec:
     targetRef:
       group: gateway.networking.k8s.io

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
@@ -139,6 +139,7 @@ securityPolicies:
     creationTimestamp: null
     name: policy-for-http-route
     namespace: default
+    uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
   spec:
     oidc:
       clientID: client2.oauth.foo.com
@@ -174,6 +175,7 @@ securityPolicies:
     creationTimestamp: null
     name: policy-for-gateway-discover-endpoints
     namespace: envoy-gateway
+    uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
   spec:
     oidc:
       clientID: client1.apps.googleusercontent.com
@@ -230,7 +232,7 @@ xdsIR:
         oidc:
           clientID: client2.oauth.foo.com
           clientSecret: Y2xpZW50MTpzZWNyZXQK
-          cookieSuffix: "1667669650"
+          cookieSuffix: 5F93C2E4
           logoutPath: /foo/logout
           provider:
             authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth
@@ -262,7 +264,7 @@ xdsIR:
         oidc:
           clientID: client1.apps.googleusercontent.com
           clientSecret: Y2xpZW50MTpzZWNyZXQK
-          cookieSuffix: "2003913538"
+          cookieSuffix: B0A1B740
           logoutPath: /bar/logout
           provider:
             authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth

diff --git a/internal/xds/translator/testdata/in/xds-ir/oidc.yaml b/internal/xds/translator/testdata/in/xds-ir/oidc.yaml
@@ -31,7 +31,7 @@ http:
       redirectURL: "https://www.example.com/foo/oauth2/callback"
       redirectPath: "/foo/oauth2/callback"
       logoutPath: "/foo/logout"
-      cookieSuffix: "1667669650"
+      cookieSuffix: 5F93C2E4
   - name: "second-route"
     hostname: "*"
     pathMatch:
@@ -55,4 +55,4 @@ http:
       redirectURL: "https://www.example.com/bar/oauth2/callback"
       redirectPath: "/bar/oauth2/callback"
       logoutPath: "/bar/logout"
-      cookieSuffix: "2003913538"
+      cookieSuffix: B0A1B740
diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml
@@ -28,11 +28,11 @@
               credentials:
                 clientId: client.oauth.foo.com
                 cookieNames:
-                  bearerToken: BearerToken-1667669650
-                  idToken: IdToken-1667669650
-                  oauthExpires: OauthExpires-1667669650
-                  oauthHmac: OauthHMAC-1667669650
-                  refreshToken: RefreshToken-1667669650
+                  bearerToken: BearerToken-5F93C2E4
+                  idToken: IdToken-5F93C2E4
+                  oauthExpires: OauthExpires-5F93C2E4
+                  oauthHmac: OauthHMAC-5F93C2E4
+                  refreshToken: RefreshToken-5F93C2E4
                 hmacSecret:
                   name: first-route/oauth2/hmac_secret
                   sdsConfig:
@@ -69,11 +69,11 @@
               credentials:
                 clientId: client.oauth.bar.com
                 cookieNames:
-                  bearerToken: BearerToken-2003913538
-                  idToken: IdToken-2003913538
-                  oauthExpires: OauthExpires-2003913538
-                  oauthHmac: OauthHMAC-2003913538
-                  refreshToken: RefreshToken-2003913538
+                  bearerToken: BearerToken-B0A1B740
+                  idToken: IdToken-B0A1B740
+                  oauthExpires: OauthExpires-B0A1B740
+                  oauthHmac: OauthHMAC-B0A1B740
+                  refreshToken: RefreshToken-B0A1B740
                 hmacSecret:
                   name: second-route/oauth2/hmac_secret
                   sdsConfig: