diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index ce25b95c464..227265713c1 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -9,6 +9,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"hash/fnv"
 	"net/http"
 	"net/netip"
 	"net/url"
@@ -494,6 +495,17 @@ func (t *Translator) buildOIDC(
 		logoutPath = *oidc.LogoutPath
 	}
 
+	nsName := types.NamespacedName{
+		Namespace: policy.GetNamespace(),
+		Name: policy.GetName(),
+	}
+	h := fnv.New32a()
+	_, err = h.Write([]byte(nsName.String()))
+	if err != nil {
+		return nil, fmt.Errorf("error generating oauth cookie suffix: %w", err)
+	}
+	suffix := strconv.Itoa(int(h.Sum32()))
+
 	return &ir.OIDC{
 		Provider: *provider,
 		ClientID: oidc.ClientID,
@@ -502,7 +514,7 @@ func (t *Translator) buildOIDC(
 		RedirectURL: redirectURL,
 		RedirectPath: redirectPath,
 		LogoutPath: logoutPath,
-		CookieSuffix: fmt.Sprintf("%s-%s", policy.Namespace, policy.Name),
+		CookieSuffix: suffix,
 	}, nil
 }
 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
index 6398376e397..bee04e75a12 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
@@ -230,7 +230,7 @@ xdsIR:
         oidc:
           clientID: client2.oauth.foo.com
           clientSecret: Y2xpZW50MTpzZWNyZXQK
-          cookieSuffix: default-policy-for-http-route
+          cookieSuffix: "1667669650"
           logoutPath: /foo/logout
           provider:
             authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth
@@ -262,7 +262,7 @@ xdsIR:
         oidc:
          clientID: client1.apps.googleusercontent.com
          clientSecret: Y2xpZW50MTpzZWNyZXQK
-          cookieSuffix: envoy-gateway-policy-for-gateway-discover-endpoints
+          cookieSuffix: "2003913538"
          logoutPath: /bar/logout
          provider:
            authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth
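Review bot: The 32-bit FNV-1a digest from `h := fnv.New32a()` is now the only thing separating the cookie names of different SecurityPolicies, and nothing in the hunk checks for a collision, so two policies on the same host whose `namespace/name` strings hash alike would share `BearerToken-<suffix>`/`OauthHMAC-<suffix>` cookies and, since the HMAC secret is per route (`first-route/oauth2/hmac_secret` in the listeners testdata), presumably invalidate each other's sessions or confuse tokens if the secrets coincide. Hashing `types.NamespacedName.String()` (a `/` join) does fix the ambiguity of the old `"%s-%s"` join (`a-b`/`c` vs `a`/`b-c`), but a wider digest costs nothing here: `h := fnv.New64a()` with `suffix := strconv.FormatUint(h.Sum64(), 10)`, or a truncated SHA-256 if adversarially chosen policy names are in scope. Separately, `strconv.Itoa(int(h.Sum32()))` yields a negative suffix on 32-bit builds for digests >= 2^31, so cookie names would differ by architecture; `strconv.FormatUint(uint64(h.Sum32()), 10)` avoids that even if the 32-bit hash stays. `hash.Hash.Write` is documented never to return an error, so the `if err != nil` branch is dead and `_, _ = h.Write(...)` with a comment noting that would be clearer. buildOIDC's signature and the earlier declaration of `err` that the `=` assignment relies on are outside the hunk.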
diff --git a/internal/xds/translator/testdata/in/xds-ir/oidc.yaml b/internal/xds/translator/testdata/in/xds-ir/oidc.yaml
index d2d4ac3c046..74b83421c1b 100644
--- a/internal/xds/translator/testdata/in/xds-ir/oidc.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/oidc.yaml
@@ -31,7 +31,7 @@ http:
       redirectURL: "https://www.example.com/foo/oauth2/callback"
       redirectPath: "/foo/oauth2/callback"
       logoutPath: "/foo/logout"
-      cookieSuffix: "default-security-policy-foo"
+      cookieSuffix: "1667669650"
   - name: "second-route"
     hostname: "*"
     pathMatch:
@@ -55,4 +55,4 @@ http:
       redirectURL: "https://www.example.com/bar/oauth2/callback"
       redirectPath: "/bar/oauth2/callback"
       logoutPath: "/bar/logout"
-      cookieSuffix: "default-security-policy-bar"
+      cookieSuffix: "2003913538"
diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml
index 00c49c83f08..29b8a73c232 100644
--- a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml
@@ -27,11 +27,11 @@
               credentials:
                 clientId: client.oauth.foo.com
                 cookieNames:
-                  bearerToken: BearerToken-default-security-policy-foo
-                  idToken: IdToken-default-security-policy-foo
-                  oauthExpires: OauthExpires-default-security-policy-foo
-                  oauthHmac: OauthHMAC-default-security-policy-foo
-                  refreshToken: RefreshToken-default-security-policy-foo
+                  bearerToken: BearerToken-1667669650
+                  idToken: IdToken-1667669650
+                  oauthExpires: OauthExpires-1667669650
+                  oauthHmac: OauthHMAC-1667669650
+                  refreshToken: RefreshToken-1667669650
                 hmacSecret:
                   name: first-route/oauth2/hmac_secret
                   sdsConfig:
@@ -67,11 +67,11 @@
               credentials:
                 clientId: client.oauth.bar.com
                 cookieNames:
-                  bearerToken: BearerToken-default-security-policy-bar
-                  idToken: IdToken-default-security-policy-bar
-                  oauthExpires: OauthExpires-default-security-policy-bar
-                  oauthHmac: OauthHMAC-default-security-policy-bar
-                  refreshToken: RefreshToken-default-security-policy-bar
+                  bearerToken: BearerToken-2003913538
+                  idToken: IdToken-2003913538
+                  oauthExpires: OauthExpires-2003913538
+                  oauthHmac: OauthHMAC-2003913538
+                  refreshToken: RefreshToken-2003913538
                 hmacSecret:
                   name: second-route/oauth2/hmac_secret
                   sdsConfig: