Use sha256 oauth tokens in tests

2026-02-05 09:45:55 +01:00 · 2021-05-12 12:31:20 +02:00
parent 1b129a6c31
commit e708dfbe87
1 changed files with 23 additions and 10 deletions
--- a/pkg/testframework/client.go
+++ b/pkg/testframework/client.go
@@ -2,10 +2,10 @@ package testframework

 import (
 	"context"
+	"crypto/rand"
+	"crypto/sha256"
 	"encoding/base64"

-	"github.com/pborman/uuid"
-
 	kerrs "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kclientset "k8s.io/client-go/kubernetes"
@@ -17,6 +17,22 @@ import (
 	userclient "github.com/openshift/client-go/user/clientset/versioned"
 )

+func GenerateRandomBytes(n int) []byte {
+	b := make([]byte, n)
+	_, err := rand.Read(b)
+	if err != nil {
+		panic(err)
+	}
+	return b
+}
+
+func GenerateOAuthTokenPair() (privToken, pubToken string) {
+	randomBytes := GenerateRandomBytes(8)
+	randomToken := base64.URLEncoding.EncodeToString(randomBytes)
+	hashed := sha256.Sum256([]byte(randomToken))
+	return "sha256~" + randomToken, "sha256~" + base64.RawURLEncoding.EncodeToString(hashed[:])
+}
+
 func GetClientForUser(clusterAdminConfig *restclient.Config, username string) (kclientset.Interface, *restclient.Config, error) {
 	userClient, err := userclient.NewForConfig(clusterAdminConfig)
 	if err != nil {
@@ -47,14 +63,11 @@ func GetClientForUser(clusterAdminConfig *restclient.Config, username string) (k
 		return nil, nil, err
 	}

-	randomToken := uuid.NewRandom()
-	accesstoken := base64.RawURLEncoding.EncodeToString([]byte(randomToken))
-	// make sure the token is long enough to pass validation
-	for i := len(accesstoken); i < 32; i++ {
-		accesstoken += "A"
-	}
+	privToken, pubToken := GenerateOAuthTokenPair()
 	token := &oauthapi.OAuthAccessToken{
-		ObjectMeta:  metav1.ObjectMeta{Name: accesstoken},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: pubToken,
+		},
 		ClientName:  oauthClientObj.Name,
 		UserName:    username,
 		UserUID:     string(user.UID),
@@ -66,7 +79,7 @@ func GetClientForUser(clusterAdminConfig *restclient.Config, username string) (k
 	}

 	userClientConfig := restclient.AnonymousClientConfig(clusterAdminConfig)
-	userClientConfig.BearerToken = token.Name
+	userClientConfig.BearerToken = privToken

 	kubeClientset, err := kclientset.NewForConfig(userClientConfig)
 	if err != nil {