No double base64 on secrets, more visibility

wavesoftware · Mar 7, 2020 · 444d419 · 444d419
1 parent 9857c77
commit 444d419
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 23 deletions.
diff --git a/pkg/apis/wavesoftware/v1alpha1/passless_logic.go b/pkg/apis/wavesoftware/v1alpha1/passless_logic.go
@@ -1,10 +1,8 @@
 package v1alpha1
 
 import (
-	"encoding/base64"
-
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/wavesoftware/passless-operator/pkg/masterpassword"
 )
@@ -28,9 +26,10 @@ func (in *PassLess) CreateSecret(generator masterpassword.Generator) *corev1.Sec
 func (in *PassLess) createData(generator masterpassword.Generator) map[string][]byte {
 	data := make(map[string][]byte, len(in.Spec))
 	for name, entry := range in.Spec {
-		secret := generator.Generate(in.identity(name), entry.Scope, entry.Version, entry.Length)
-		dst := base64.StdEncoding.EncodeToString([]byte(secret))
-		data[name] = []byte(dst)
+		secret := generator.Generate(
+			in.identity(name), entry.Scope, entry.Version, entry.Length,
+		)
+		data[name] = []byte(secret)
 	}
 	return data
 }

diff --git a/pkg/controller/passless/masterkey_resolver.go b/pkg/controller/passless/masterkey_resolver.go
@@ -4,10 +4,10 @@ import (
 	"context"
 	"errors"
 	"math/rand"
-	"sort"
 
 	"github.com/wavesoftware/go-ensure"
 	"github.com/wavesoftware/passless-operator/pkg/masterpassword"
+	"github.com/wavesoftware/passless-operator/pkg/masterpassword/secrets"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -24,7 +24,7 @@ func (r *resolver) MasterKey() []byte {
 	secret, err := findDefaultToken(list)
 	ensure.NoError(err)
 	result := make([]byte, 0)
-	for _, k := range keys(secret.Data) {
+	for _, k := range secrets.Keys(secret) {
 		bytes := secret.Data[k]
 		result = append(result, bytes...)
 	}
@@ -36,23 +36,14 @@ func (r *resolver) MasterKey() []byte {
 	return result
 }
 
-func keys(m map[string][]byte) []string {
-	keys := make([]string, 0, len(m))
-	for k := range m {
-		keys = append(keys, k)
-	}
-	sort.Strings(keys)
-	return keys
-}
-
-func findDefaultToken(list *corev1.SecretList) (corev1.Secret, error) {
+func findDefaultToken(list *corev1.SecretList) (*corev1.Secret, error) {
 	for _, sec := range list.Items {
 		if sec.Type == "kubernetes.io/service-account-token" &&
 			sec.Annotations["kubernetes.io/service-account.name"] == "default" {
-			return sec, nil
+			return &sec, nil
 		}
 	}
-	return corev1.Secret{}, errors.New("can't find default token")
+	return &corev1.Secret{}, errors.New("can't find default token")
 }
 
 func newResolver(c client.Client) masterpassword.MasterKeyResolver {

diff --git a/pkg/controller/passless/passless_controller.go b/pkg/controller/passless/passless_controller.go
@@ -6,6 +6,7 @@ import (
 
 	wavesoftwarev1alpha1 "github.com/wavesoftware/passless-operator/pkg/apis/wavesoftware/v1alpha1"
 	"github.com/wavesoftware/passless-operator/pkg/masterpassword"
+	"github.com/wavesoftware/passless-operator/pkg/masterpassword/secrets"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -109,6 +110,7 @@ func (r *ReconcilePassLess) Reconcile(request reconcile.Request) (reconcile.Resu
 
 	// Define a new Secret object
 	secret := passless.CreateSecret(r.generator)
+	hashcode := secrets.Hashcode(secret)
 
 	// Set PassLess instance as the owner and controller
 	if err := controllerutil.SetControllerReference(passless, secret, r.scheme); err != nil {
@@ -122,9 +124,9 @@ func (r *ReconcilePassLess) Reconcile(request reconcile.Request) (reconcile.Resu
 		Namespace: secret.Namespace,
 	}, found)
 	if err != nil && errors.IsNotFound(err) {
-		reqLogger.Info("Creating a new Secret",
-			"Secret.Namespace", secret.Namespace,
-			"Secret.Name", secret.Name)
+		reqLogger.Info("Creating a new secret",
+			"Hash", hashcode,
+		)
 		err = r.client.Create(ctx, secret)
 		if err != nil {
 			return reconcile.Result{}, err
@@ -138,6 +140,9 @@ func (r *ReconcilePassLess) Reconcile(request reconcile.Request) (reconcile.Resu
 
 	// Secret already exists, check if need update
 	if needsUpdate(secret, found) {
+		reqLogger.Info("Updating a secret",
+			"Hash", hashcode,
+		)
 		err := r.client.Update(ctx, secret)
 		if err != nil {
 			return reconcile.Result{}, err

diff --git a/pkg/masterpassword/secrets/hashcode.go b/pkg/masterpassword/secrets/hashcode.go
@@ -0,0 +1,18 @@
+package secrets
+
+import (
+	"hash/crc32"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+// Hashcode will calculate a secret's hash code
+func Hashcode(secret *corev1.Secret) int {
+	code := 31
+	keys := Keys(secret)
+	for _, k := range keys {
+		next := crc32.ChecksumIEEE(secret.Data[k])
+		code = code*int(next) + 17
+	}
+	return code
+}
diff --git a/pkg/masterpassword/secrets/keys.go b/pkg/masterpassword/secrets/keys.go
@@ -0,0 +1,18 @@
+package secrets
+
+import (
+	"sort"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+// Keys returns a keys from secret in sorted slice
+func Keys(sec *corev1.Secret) []string {
+	m := sec.Data
+	keys := make([]string, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	return keys
+}