wip005
Signed-off-by: Monis Khan <mok@vmware.com>
This commit is contained in:
parent
a4fb53e131
commit
8c387f977c
@ -98,10 +98,10 @@ spec:
|
|||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
cpu: "100m"
|
cpu: "2048m"
|
||||||
memory: "128Mi"
|
memory: "128Mi"
|
||||||
limits:
|
limits:
|
||||||
cpu: "100m"
|
cpu: "2048m"
|
||||||
memory: "128Mi"
|
memory: "128Mi"
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: config-volume
|
- name: config-volume
|
||||||
|
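Review bot: The cpu request and limit in this hunk change between `"100m"` and `"2048m"` (reading the right-hand cell as the new side, as the empty-left-cell additions later on this page suggest). `2048m` is a legal quantity (2.048 cores) but an odd one; if two cores were intended, `cpu: "2"` says so plainly, and a ~20x larger request can leave the pod Pending on nodes with less allocatable cpu. Request equals limit for both cpu and memory here, which is what Guaranteed QoS requires, so a one-line comment recording why this size was chosen would help, e.g. `# request == limit keeps Guaranteed QoS; sized for <reason>`. Given the commit title `wip005`, if this is a placeholder value it is worth marking inline so it is not shipped as-is.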
@ -32,7 +32,7 @@ import (
|
|||||||
// on a cost that changes without some form client secret storage migration
|
// on a cost that changes without some form client secret storage migration
|
||||||
// TODO write a unit test that fails when this changes so that we know if/when it happens
|
// TODO write a unit test that fails when this changes so that we know if/when it happens
|
||||||
// also write a unit test that fails in 2023 to ask this to be updated to latest recommendation
|
// also write a unit test that fails in 2023 to ask this to be updated to latest recommendation
|
||||||
const cost = bcrypt.DefaultCost + 5
|
const cost = 12
|
||||||
|
|
||||||
func NewREST(resource schema.GroupResource, secrets corev1client.SecretInterface, clients configv1alpha1clientset.OIDCClientInterface, namespace string) *REST {
|
func NewREST(resource schema.GroupResource, secrets corev1client.SecretInterface, clients configv1alpha1clientset.OIDCClientInterface, namespace string) *REST {
|
||||||
return &REST{
|
return &REST{
|
||||||
@ -106,16 +106,19 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
t.Step("validateRequest")
|
||||||
|
|
||||||
oidcClient, err := r.clients.Get(ctx, req.Name, metav1.GetOptions{})
|
oidcClient, err := r.clients.Get(ctx, req.Name, metav1.GetOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err // TODO obfuscate
|
return nil, err // TODO obfuscate
|
||||||
}
|
}
|
||||||
|
t.Step("clients.Get")
|
||||||
|
|
||||||
hashes, err := r.secretStorage.Get(ctx, oidcClient.UID)
|
hashes, err := r.secretStorage.Get(ctx, oidcClient.UID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err // TODO obfuscate
|
return nil, err // TODO obfuscate
|
||||||
}
|
}
|
||||||
|
t.Step("secretStorage.Get")
|
||||||
|
|
||||||
var secret string
|
var secret string
|
||||||
if req.Spec.GenerateNewSecret {
|
if req.Spec.GenerateNewSecret {
|
||||||
@ -123,11 +126,13 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err // TODO obfuscate
|
return nil, err // TODO obfuscate
|
||||||
}
|
}
|
||||||
|
t.Step("generateSecret")
|
||||||
|
|
||||||
hash, err := bcrypt.GenerateFromPassword([]byte(secret), cost)
|
hash, err := bcrypt.GenerateFromPassword([]byte(secret), cost)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err // TODO obfuscate
|
return nil, err // TODO obfuscate
|
||||||
}
|
}
|
||||||
|
t.Step("bcrypt.GenerateFromPassword")
|
||||||
|
|
||||||
hashes = append([]string{string(hash)}, hashes...)
|
hashes = append([]string{string(hash)}, hashes...)
|
||||||
}
|
}
|
||||||
@ -143,6 +148,7 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
|
|||||||
if err := r.secretStorage.Set(ctx, oidcClient.Name, oidcClient.UID, hashes); err != nil {
|
if err := r.secretStorage.Set(ctx, oidcClient.Name, oidcClient.UID, hashes); err != nil {
|
||||||
return nil, err // TODO obfuscate
|
return nil, err // TODO obfuscate
|
||||||
}
|
}
|
||||||
|
t.Step("secretStorage.Set")
|
||||||
}
|
}
|
||||||
|
|
||||||
return &clientsecretapi.OIDCClientSecretRequest{
|
return &clientsecretapi.OIDCClientSecretRequest{
|
||||||
|
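Review bot: In the first hunk of this file the bcrypt work factor appears to move from `const cost = bcrypt.DefaultCost + 5` to a bare `const cost = 12` (reading the right-hand cell as the new side); since x/crypto's DefaultCost is 10, that lowers the cost from 15 to 12, i.e. about 8x less work per hash, and the TODO two lines above asking for a unit test that fails when this value changes is still unaddressed, so nothing pins the value either way. If the goal is to stop the cost from drifting with the library default (which the migration comment above warns about), the literal is the right form, but the change should carry a test that fails when `cost != 12` and a why-comment such as `// pinned to a literal so a library default change cannot silently alter the cost of newly issued secrets; changing it needs the migration noted above`. The enclosing declaration block and the function the later hunks belong to start outside the hunks. In those later hunks each `t.Step("...")` is placed after the `if err != nil` return, so a call that fails leaves no step in the trace; if `t` is a k8s.io/utils/trace Trace, recording the step before the error check keeps failure latency visible.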