use hash as suffix

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
envoyproxy · Feb 21, 2024 · b295fb2 · b295fb2
1 parent eeea5c7
commit b295fb2
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 15 deletions.
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -9,6 +9,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"hash/fnv"
 	"net/http"
 	"net/netip"
 	"net/url"
@@ -494,6 +495,17 @@ func (t *Translator) buildOIDC(
 		logoutPath = *oidc.LogoutPath
 	}
 
+	nsName := types.NamespacedName{
+		Namespace: policy.GetNamespace(),
+		Name:      policy.GetName(),
+	}
+	h := fnv.New32a()
+	_, err = h.Write([]byte(nsName.String()))
+	if err != nil {
+		return nil, fmt.Errorf("error generating oauth cookie suffix: %w", err)
+	}
+	suffix := strconv.Itoa(int(h.Sum32()))
+
 	return &ir.OIDC{
 		Provider:     *provider,
 		ClientID:     oidc.ClientID,
@@ -502,7 +514,7 @@ func (t *Translator) buildOIDC(
 		RedirectURL:  redirectURL,
 		RedirectPath: redirectPath,
 		LogoutPath:   logoutPath,
-		CookieSuffix: fmt.Sprintf("%s-%s", policy.Namespace, policy.Name),
+		CookieSuffix: suffix,
 	}, nil
 }
 

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
@@ -230,7 +230,7 @@ xdsIR:
         oidc:
           clientID: client2.oauth.foo.com
           clientSecret: Y2xpZW50MTpzZWNyZXQK
-          cookieSuffix: default-policy-for-http-route
+          cookieSuffix: 1667669650
           logoutPath: /foo/logout
           provider:
             authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth
@@ -262,7 +262,7 @@ xdsIR:
         oidc:
           clientID: client1.apps.googleusercontent.com
           clientSecret: Y2xpZW50MTpzZWNyZXQK
-          cookieSuffix: envoy-gateway-policy-for-gateway-discover-endpoints
+          cookieSuffix: 2003913538
           logoutPath: /bar/logout
           provider:
             authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth

diff --git a/internal/xds/translator/testdata/in/xds-ir/oidc.yaml b/internal/xds/translator/testdata/in/xds-ir/oidc.yaml
@@ -31,7 +31,7 @@ http:
       redirectURL: "https://www.example.com/foo/oauth2/callback"
       redirectPath: "/foo/oauth2/callback"
       logoutPath: "/foo/logout"
-      cookieSuffix: "default-security-policy-foo"
+      cookieSuffix: "1667669650"
   - name: "second-route"
     hostname: "*"
     pathMatch:
@@ -55,4 +55,4 @@ http:
       redirectURL: "https://www.example.com/bar/oauth2/callback"
       redirectPath: "/bar/oauth2/callback"
       logoutPath: "/bar/logout"
-      cookieSuffix: "default-security-policy-bar"
+      cookieSuffix: "2003913538"
diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml
@@ -27,11 +27,11 @@
               credentials:
                 clientId: client.oauth.foo.com
                 cookieNames:
-                  bearerToken: BearerToken-default-security-policy-foo
-                  idToken: IdToken-default-security-policy-foo
-                  oauthExpires: OauthExpires-default-security-policy-foo
-                  oauthHmac: OauthHMAC-default-security-policy-foo
-                  refreshToken: RefreshToken-default-security-policy-foo
+                  bearerToken: BearerToken-1667669650
+                  idToken: IdToken-1667669650
+                  oauthExpires: OauthExpires-1667669650
+                  oauthHmac: OauthHMAC-1667669650
+                  refreshToken: RefreshToken-1667669650
                 hmacSecret:
                   name: first-route/oauth2/hmac_secret
                   sdsConfig:
@@ -67,11 +67,11 @@
               credentials:
                 clientId: client.oauth.bar.com
                 cookieNames:
-                  bearerToken: BearerToken-default-security-policy-bar
-                  idToken: IdToken-default-security-policy-bar
-                  oauthExpires: OauthExpires-default-security-policy-bar
-                  oauthHmac: OauthHMAC-default-security-policy-bar
-                  refreshToken: RefreshToken-default-security-policy-bar
+                  bearerToken: BearerToken-2003913538
+                  idToken: IdToken-2003913538
+                  oauthExpires: OauthExpires-2003913538
+                  oauthHmac: OauthHMAC-2003913538
+                  refreshToken: RefreshToken-2003913538
                 hmacSecret:
                   name: second-route/oauth2/hmac_secret
                   sdsConfig: