From 5589dcd3b316af7d405d71c8f13f1232f3014300 Mon Sep 17 00:00:00 2001
From: Monis Khan
Date: Wed, 20 Jul 2022 21:58:47 -0400
Subject: [PATCH] wip008
Signed-off-by: Monis Khan
---
 internal/registry/clientsecretrequest/rest.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/internal/registry/clientsecretrequest/rest.go b/internal/registry/clientsecretrequest/rest.go
index 214edb52..b21ff854 100644
--- a/internal/registry/clientsecretrequest/rest.go
+++ b/internal/registry/clientsecretrequest/rest.go
@@ -144,9 +144,12 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
 hashes = []string{hashes[0]}
 }
 
- // TODO do not let them have more than 100? secrets
-
 if req.Spec.GenerateNewSecret || needsRevoke {
+ // each bcrypt comparison is expensive and we do not want a large list to cause wasted CPU
+ if len(hashes) > 5 {
+ return nil, apierrors.NewRequestEntityTooLargeError(fmt.Sprintf("OIDCClient %s has too many secrets, spec.revokeOldSecrets must be true", oidcClient.Name))
+ }
+
 if err := r.secretStorage.Set(ctx, rv, oidcClient.Name, oidcClient.UID, hashes); err != nil {
 return nil, err // TODO obfuscate, also return good errors for cases like when the secret now exists but previously did not
 }
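Review bot: The `len(hashes) > 5` cap is enforced only on this write path, inside the `req.Spec.GenerateNewSecret || needsRevoke` branch, so it limits what this endpoint stores rather than what is compared. A hash list that already holds more than five entries would presumably still be walked in full wherever the bcrypt comparison runs, which is not visible in this hunk. If the aim is to bound CPU per client authentication, the same limit should be checked at the comparison site as well. The bare `5` would read better as a named constant shared by both places, for example a new `const maxClientSecretHashes = 5 // bounds bcrypt comparisons per client authentication`. Separately, `NewRequestEntityTooLargeError` yields a 413 that describes the request body rather than stored state, so it is worth confirming that is the status callers should see. Create's body starts and ends outside the hunk.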