From 511ab82212509caf42ae74b5cd7dc333f36188d7 Mon Sep 17 00:00:00 2001
From: ajanikow <12255597+ajanikow@users.noreply.github.com>
Date: Fri, 3 Jul 2020 09:20:39 +0000
Subject: [PATCH] Ensure token in JWT exists
---
 pkg/deployment/reconcile/action_jwt_set_active.go | 12 +++++++++++-
 pkg/deployment/reconcile/action_jwt_status_update.go | 2 +-
 pkg/deployment/reconcile/plan_builder_jwt.go | 11 ++++++++---
 pkg/deployment/resources/secrets.go | 1 +
 4 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/pkg/deployment/reconcile/action_jwt_set_active.go b/pkg/deployment/reconcile/action_jwt_set_active.go
index 2737d95c4..ddfe7350f 100644
--- a/pkg/deployment/reconcile/action_jwt_set_active.go
+++ b/pkg/deployment/reconcile/action_jwt_set_active.go
@@ -26,6 +26,8 @@ import (
 "context"
 "encoding/base64"
 
+ "github.com/arangodb/kube-arangodb/pkg/util/constants"
+
 api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1"
 "github.com/arangodb/kube-arangodb/pkg/deployment/patch"
 "github.com/arangodb/kube-arangodb/pkg/deployment/pod"
@@ -85,8 +87,9 @@ func (a *jwtSetActiveAction) Start(ctx context.Context) (bool, error) {
 }
 
 activeKeyData, active := f.Data[pod.ActiveJWTKey]
+ tokenKeyData, token := f.Data[constants.SecretKeyToken]
 
- if util.SHA256(activeKeyData) == toActiveChecksum {
+ if util.SHA256(activeKeyData) == toActiveChecksum && util.SHA256(activeKeyData) == util.SHA256(tokenKeyData) {
 a.log.Info().Msgf("Desired JWT is already active")
 return true, nil
 }
@@ -99,6 +102,13 @@ func (a *jwtSetActiveAction) Start(ctx context.Context) (bool, error) {
 p.ItemReplace(path, base64.StdEncoding.EncodeToString(toActiveData))
 }
 
+ path = patch.NewPath("data", constants.SecretKeyToken)
+ if !token {
+ p.ItemAdd(path, base64.StdEncoding.EncodeToString(toActiveData))
+ } else {
+ p.ItemReplace(path, base64.StdEncoding.EncodeToString(toActiveData))
+ }
+
 patch, err := p.Marshal()
 if err != nil {
 a.log.Error().Err(err).Msgf("Unable to encrypt patch")
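Review bot: The new early-return condition establishes that the active key and the token entry are identical by hashing both slices with util.SHA256, which computes two digests just to compare bytes that are already in memory; `bytes.Equal(activeKeyData, tokenKeyData)` (with `bytes` imported) states the intent directly and needs no extra digest. The same hash-to-compare pattern is repeated in createJWTKeyUpdate in plan_builder_jwt.go (`util.SHA256(activeKey) != util.SHA256(tokenKey)`), so the two sites should be changed together if at all. The body of Start begins and ends outside this hunk.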
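Review bot: The new add-or-replace sequence for constants.SecretKeyToken repeats, line for line, the one just above it for pod.ActiveJWTKey (whose `p.ItemReplace` is the first context line of the hunk), with only the key and the presence flag differing; a small helper taking the patch builder, the key, the presence flag and the value would keep the two branches from drifting apart. If `p` builds an RFC 6902 JSON patch, an `add` on an existing object member already replaces its value, so the `token` branch may be unnecessary altogether — worth confirming against the patch package. Separately, the context line `patch, err := p.Marshal()` directly below the insertion shadows the `patch` package that the new `patch.NewPath(...)` call relies on, so any further `patch.NewPath` use placed after that line in Start would fail to compile; renaming the local (e.g. `body, err := p.Marshal()`) removes the trap. Start's body begins and ends outside the hunk.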
diff --git a/pkg/deployment/reconcile/action_jwt_status_update.go b/pkg/deployment/reconcile/action_jwt_status_update.go
index 6a45ab334..11d02918e 100644
--- a/pkg/deployment/reconcile/action_jwt_status_update.go
+++ b/pkg/deployment/reconcile/action_jwt_status_update.go
@@ -152,7 +152,7 @@ func (a *jwtStatusUpdateAction) Start(ctx context.Context) (bool, error) {
 
 var keys []string
 for key := range f.Data {
- if key == pod.ActiveJWTKey || key == activeKeyShort {
+ if key == pod.ActiveJWTKey || key == activeKeyShort || key == constants.SecretKeyToken {
 continue
 }
 
diff --git a/pkg/deployment/reconcile/plan_builder_jwt.go b/pkg/deployment/reconcile/plan_builder_jwt.go
index 82490eb6a..24258f74e 100644
--- a/pkg/deployment/reconcile/plan_builder_jwt.go
+++ b/pkg/deployment/reconcile/plan_builder_jwt.go
@@ -78,6 +78,11 @@ func createJWTKeyUpdate(ctx context.Context,
 return addJWTPropagatedPlanAction(status, api.NewAction(api.ActionTypeJWTSetActive, api.ServerGroupUnknown, "", "Set active key").AddParam(checksum, jwtSha))
 }
 
+ tokenKey, ok := folder.Data[constants.SecretKeyToken]
+ if !ok || util.SHA256(activeKey) != util.SHA256(tokenKey) {
+ return addJWTPropagatedPlanAction(status, api.NewAction(api.ActionTypeJWTSetActive, api.ServerGroupUnknown, "", "Set active key and add token field").AddParam(checksum, jwtSha))
+ }
+
 plan, failed := areJWTTokensUpToDate(ctx, log, apiObject, spec, status, cachedStatus, context, folder)
 if len(plan) > 0 {
 return plan
@@ -93,7 +98,7 @@ func createJWTKeyUpdate(ctx context.Context,
 }
 
 for key := range folder.Data {
- if key == pod.ActiveJWTKey {
+ if key == pod.ActiveJWTKey || key == constants.SecretKeyToken {
 continue
 }
 
@@ -184,7 +189,7 @@ func createJWTStatusUpdateRequired(ctx context.Context,
 
 var keys []string
 for key := range f.Data {
- if key == pod.ActiveJWTKey || key == activeKeyShort {
+ if key == pod.ActiveJWTKey || key == activeKeyShort || key == constants.SecretKeyToken {
 continue
 }
 
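Review bot: The reserved-key filter `key == pod.ActiveJWTKey || key == activeKeyShort || key == constants.SecretKeyToken` is now maintained by hand in four places — here, in the two `for key := range` loops of createJWTKeyUpdate and createJWTStatusUpdateRequired, and in compareJWTKeys in plan_builder_jwt.go — and this commit had to touch every one of them to add a single key. A helper such as `func isReservedJWTDataKey(key string) bool { return key == pod.ActiveJWTKey || key == constants.SecretKeyToken }`, with the per-call-site `activeKeyShort` comparison kept alongside where it applies, would make the next addition a one-line change and stop the skip sets from drifting apart. Only action_jwt_set_active.go gains an import of pkg/util/constants in this patch; presumably the other three files already import it, but the hunks do not show their import blocks, so that is worth confirming. The enclosing Start body begins and ends outside the hunk.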
@@ -309,7 +314,7 @@ func isMemberJWTTokenInvalid(ctx context.Context, c client.Client, data map[stri
 
 func compareJWTKeys(e client.Entries, keys map[string][]byte) bool {
 for k := range keys {
- if k == pod.ActiveJWTKey {
+ if k == pod.ActiveJWTKey || k == constants.SecretKeyToken {
 continue
 }
 
diff --git a/pkg/deployment/resources/secrets.go b/pkg/deployment/resources/secrets.go
index c4bbf4f98..150440985 100644
--- a/pkg/deployment/resources/secrets.go
+++ b/pkg/deployment/resources/secrets.go
@@ -205,6 +205,7 @@ func (r *Resources) ensureTokenSecretFolder(cachedStatus inspector.Inspector, se
 if err := r.createSecretWithMod(secrets, folderSecretName, func(s *core.Secret) {
 s.Data[util.SHA256(token)] = token
 s.Data[pod.ActiveJWTKey] = token
+ s.Data[constants.SecretKeyToken] = token
 }); err != nil {
 return err
 }
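Review bot: The closure in ensureTokenSecretFolder now stores the same token under three keys with nothing saying why, and the added write encodes an invariant the reconciler relies on: createJWTKeyUpdate in plan_builder_jwt.go schedules a JWTSetActive action whenever the constants.SecretKeyToken entry is missing or differs from the pod.ActiveJWTKey entry. A comment above the new line such as `// The token entry mirrors the active key; createJWTKeyUpdate re-syncs it if they diverge.` would tie the two sites together for the next reader. ensureTokenSecretFolder begins and ends outside the hunk.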