fix: use sha256 hash as federated identity credential name (#372)

Signed-off-by: GitHub <noreply@github.com> Co-authored-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Azure · Feb 16, 2022 · 96e8756 · 96e8756
1 parent 6149969
commit 96e8756
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 4 deletions.
diff --git a/pkg/cmd/serviceaccount/phases/create/federatedidentitycredential.go b/pkg/cmd/serviceaccount/phases/create/federatedidentitycredential.go
@@ -3,7 +3,6 @@ package phases
 import (
 	"context"
 	"fmt"
-	"strings"
 
 	"github.com/Azure/azure-workload-identity/pkg/cloud"
 	"github.com/Azure/azure-workload-identity/pkg/cmd/serviceaccount/options"
@@ -67,7 +66,7 @@ func (p *federatedIdentityPhase) run(ctx context.Context, data workflow.RunData)
 
 	serviceAccountNamespace, serviceAccountName := createData.ServiceAccountNamespace(), createData.ServiceAccountName()
 	subject := util.GetFederatedCredentialSubject(serviceAccountNamespace, serviceAccountName)
-	name := strings.Join([]string{createData.ServiceAccountNamespace(), createData.ServiceAccountName(), util.GetIssuerHash(createData.ServiceAccountIssuerURL())}, "-")
+	name := util.GetFederatedCredentialName(serviceAccountNamespace, serviceAccountName, createData.ServiceAccountIssuerURL())
 	description := fmt.Sprintf("Federated Service Account for %s/%s", serviceAccountNamespace, serviceAccountName)
 	audiences := []string{webhook.DefaultAudience}
 

diff --git a/pkg/cmd/serviceaccount/phases/create/federatedidentitycredential_test.go b/pkg/cmd/serviceaccount/phases/create/federatedidentitycredential_test.go
@@ -3,7 +3,6 @@ package phases
 import (
 	"context"
 	"fmt"
-	"strings"
 	"testing"
 
 	"github.com/Azure/azure-workload-identity/pkg/cloud"
@@ -82,7 +81,7 @@ func TestFederatedIdentityRun(t *testing.T) {
 	fic.SetDescription(to.StringPtr(fmt.Sprintf("Federated Service Account for %s/%s", data.serviceAccountNamespace, data.serviceAccountName)))
 	fic.SetIssuer(to.StringPtr(data.serviceAccountIssuerURL))
 	fic.SetSubject(to.StringPtr(util.GetFederatedCredentialSubject(data.serviceAccountNamespace, data.serviceAccountName)))
-	fic.SetName(to.StringPtr(strings.Join([]string{data.ServiceAccountNamespace(), data.ServiceAccountName(), util.GetIssuerHash(data.ServiceAccountIssuerURL())}, "-")))
+	fic.SetName(to.StringPtr(util.GetFederatedCredentialName(data.serviceAccountNamespace, data.serviceAccountName, data.serviceAccountIssuerURL)))
 
 	mockAzureClient := mock_cloud.NewMockInterface(ctrl)
 	mockAzureClient.EXPECT().AddFederatedCredential(gomock.Any(), "aad-application-object-id", fic).Return(nil)

diff --git a/pkg/cmd/serviceaccount/util/util.go b/pkg/cmd/serviceaccount/util/util.go
@@ -13,6 +13,14 @@ func GetIssuerHash(issuerURL string) string {
 	return base64.URLEncoding.EncodeToString(h.Sum(nil))
 }
 
+// GetFederatedCredentialName returns a hash of
+// the service account namespace, name, and issuer URL
+func GetFederatedCredentialName(namespace, name, issuerURL string) string {
+	h := sha256.New()
+	h.Write([]byte(fmt.Sprintf("%s-%s-%s", namespace, name, issuerURL)))
+	return base64.URLEncoding.EncodeToString(h.Sum(nil))
+}
+
 // GetFederatedCredentialSubject returns the subject of the federated credential
 func GetFederatedCredentialSubject(namespace, name string) string {
 	return fmt.Sprintf("system:serviceaccount:%s:%s", namespace, name)

diff --git a/pkg/cmd/serviceaccount/util/util_test.go b/pkg/cmd/serviceaccount/util/util_test.go
@@ -30,6 +30,40 @@ func TestGetIssuerHash(t *testing.T) {
 	}
 }
 
+func TestGetFederatedCredentialName(t *testing.T) {
+	tests := []struct {
+		name                    string
+		serviceAccountNamespace string
+		serviceAccountName      string
+		issuerURL               string
+		want                    string
+	}{
+		{
+			name:                    "empty",
+			serviceAccountNamespace: "",
+			serviceAccountName:      "",
+			issuerURL:               "",
+			want:                    "2BVrrgxCQ9N0L8Tpd02KzqvgQQJJ1yDIVfmK_Ij_hGw=",
+		},
+		{
+			name:                    "valid",
+			serviceAccountNamespace: "oidc",
+			serviceAccountName:      "pod-identity-sa",
+			issuerURL:               "https://test.blob.core.windows.net/oidc-test/",
+			want:                    "5Frx_q5PpeP09cXWfkbDVwCOg5IVRmmKE3BUKT4hP4I=",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := GetFederatedCredentialName(tt.serviceAccountNamespace, tt.serviceAccountName, tt.issuerURL)
+			if got != tt.want {
+				t.Errorf("GetFederatedCredentialName() = %s, want %s", got, tt.want)
+			}
+		})
+	}
+}
+
 func TestGetFederatedCredentialSubject(t *testing.T) {
 	want := "system:serviceaccount:oidc:pod-identity-sa"
 	got := GetFederatedCredentialSubject("oidc", "pod-identity-sa")