From 2a62beeb5fb0bd680638950075058fba4b6f31d6 Mon Sep 17 00:00:00 2001
From: Ashish Amarnath
Date: Thu, 25 Jul 2024 13:06:52 -0700
Subject: [PATCH] store ca bundle hash in validated settings cache

Signed-off-by: Ashish Amarnath
---
 .../active_directory_upstream_watcher_test.go | 28 +++++++++++++++++++
 .../ldap_upstream_watcher_test.go | 18 ++++++++++++
 .../upstreamwatchers/upstream_watchers.go | 13 ++++++---
 3 files changed, 55 insertions(+), 4 deletions(-)

diff --git a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
index c956a9635..1b2d5b242 100644
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
@@ -5,6 +5,7 @@ package activedirectoryupstreamwatcher
 import (
 "context"
+ "crypto/sha256"
 "encoding/base64"
 "errors"
 "fmt"
@@ -469,6 +470,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -669,6 +671,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(nil),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -739,6 +742,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(nil),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -815,6 +819,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
 IDPSpecGeneration: 1234,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 ConnectionValidCondition: &metav1.Condition{
 Type: "LDAPConnectionValid",
 Status: "True",
@@ -949,6 +954,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(nil),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
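Review bot: The new `CABundlePEMSHA256` entry is placed inconsistently across the expected-value literals: in the `@@ -815` hunk here it follows `IDPSpecGeneration`, in `@@ -1253` it sits between `UserSearchBase` and `GroupSearchBase`, in `@@ -1346` (and `@@ -954` of ldap_upstream_watcher_test.go) it follows `IDPSpecGeneration` and precedes `UserSearchBase`, while every other hunk puts it directly after `GroupSearchBase`. Since these are keyed literals the order has no effect on the assertions, but picking one position in every case — for example right after `BindSecretResourceVersion`, mirroring the field order of `ValidatedSettings` — makes the cases easier to diff against each other and against the `validatedSettingsCache.Set` literal in upstream_watchers.go. The enclosing table-driven test function starts before and continues past each of these hunks.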
@@ -1001,6 +1007,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1162,6 +1169,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1182,6 +1190,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1253,6 +1262,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 BindSecretResourceVersion: "4242",
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: exampleDefaultNamingContext,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 GroupSearchBase: testGroupSearchBase,
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
@@ -1275,6 +1285,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: exampleDefaultNamingContext,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1327,6 +1338,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: exampleDefaultNamingContext,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1346,6 +1358,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 BindSecretResourceVersion: "4242",
 LDAPConnectionProtocol: upstreamldap.StartTLS,
 IDPSpecGeneration: 1234,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithStartTLS.CABundle),
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
@@ -1367,6 +1380,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.StartTLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithStartTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1386,6 +1400,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1233,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1408,6 +1423,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1428,6 +1444,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 IDPSpecGeneration: 1234,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")), // already previously validated with version 4242
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
 }},
@@ -1448,6 +1465,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1487,6 +1505,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1506,6 +1525,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4241")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1528,6 +1548,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1589,6 +1610,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1654,6 +1676,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: exampleDefaultNamingContext,
 GroupSearchBase: exampleDefaultNamingContext,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1718,6 +1741,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: exampleDefaultNamingContext,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1782,6 +1806,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: exampleDefaultNamingContext,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1938,6 +1963,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4241")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1994,6 +2020,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 GroupSearchBase: exampleDefaultNamingContext,
 UserSearchBase: testUserSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -2064,6 +2091,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
diff --git a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go
index 77269be21..30a7d48f0 100644
--- a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go
+++ b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go
@@ -5,6 +5,7 @@ package ldapupstreamwatcher
 import (
 "context"
+ "crypto/sha256"
 "encoding/base64"
 "errors"
 "fmt"
@@ -399,6 +400,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -591,6 +593,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(nil),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -658,6 +661,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.StartTLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: &metav1.Condition{
 Type: "LDAPConnectionValid",
@@ -778,6 +782,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(nil),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -829,6 +834,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -881,6 +887,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -900,6 +907,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -918,6 +926,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.StartTLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithStartTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -937,6 +946,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.StartTLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithStartTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -954,6 +964,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 BindSecretResourceVersion: "4242",
 LDAPConnectionProtocol: upstreamldap.TLS,
 IDPSpecGeneration: 1233,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
 }},
@@ -975,6 +986,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -994,6 +1006,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 IDPSpecGeneration: 1234,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")), // already previously validated with version 4242
 }},
 setupMocks: func(conn *mockldapconn.MockConn) {
@@ -1013,6 +1026,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -1051,6 +1065,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -1094,6 +1109,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -1132,6 +1148,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }}},
@@ -1193,6 +1210,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
diff --git a/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go b/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
index 81d791d80..7bb9abff6 100644
--- a/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
+++ b/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
@@ -5,6 +5,7 @@ package upstreamwatchers
 import (
 "context"
+ "crypto/sha256"
 "fmt"
 "time"
@@ -40,8 +41,9 @@ const (
 // ValidatedSettings is the struct which is cached by the ValidatedSettingsCacheI interface.
 type ValidatedSettings struct {
- IDPSpecGeneration int64 // which IDP spec was used during the validation
- BindSecretResourceVersion string // which bind secret was used during the validation
+ IDPSpecGeneration int64 // which IDP spec was used during the validation
+ BindSecretResourceVersion string // which bind secret was used during the validation
+ CABundlePEMSHA256 [32]byte // hash of the CA bundle used during the validation
 // Cache the setting for TLS vs StartTLS. This is always auto-discovered by probing the server.
 LDAPConnectionProtocol upstreamldap.LDAPConnectionProtocol
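Review bot: The comment on the new `CABundlePEMSHA256` field in the `@@ -40,8` hunk of upstream_watchers.go, `// hash of the CA bundle used during the validation`, names neither the hash function nor what it is taken over, and a reader of the struct alone can't see that this field is what makes a cache entry stale when the bundle changes. I'd make it `// SHA-256 of the PEM CA bundle bytes that were in effect during the validation; a cache entry is only reused when the current spec's bundle hashes to the same value`, which describes the comparison this patch adds in `validateAndSetLDAPServerConnectivityAndSearchBase`. The `ValidatedSettings` struct continues past the end of the hunk.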
@@ -277,11 +279,13 @@ func validateAndSetLDAPServerConnectivityAndSearchBase(
 config *upstreamldap.ProviderConfig,
 currentSecretVersion string,
 ) (*metav1.Condition, *metav1.Condition) {
- // TODO: if the CA bundle has changed, then we should redo the below connection probes. So maybe this cache should also include the CA bundle (or the hash of the bundle) as part of the lookup?
 validatedSettings, hasPreviousValidatedSettings := validatedSettingsCache.Get(upstream.Name(), currentSecretVersion, upstream.Generation())
 var ldapConnectionValidCondition, searchBaseFoundCondition *metav1.Condition
- if hasPreviousValidatedSettings && validatedSettings.UserSearchBase != "" && validatedSettings.GroupSearchBase != "" {
+ if hasPreviousValidatedSettings &&
+ validatedSettings.UserSearchBase != "" &&
+ validatedSettings.GroupSearchBase != "" &&
+ validatedSettings.CABundlePEMSHA256 == sha256.Sum256(config.CABundle) {
 // Found previously validated settings in the cache (which is also not missing search base fields), so use them.
 config.ConnectionProtocol = validatedSettings.LDAPConnectionProtocol
 config.UserSearch.Base = validatedSettings.UserSearchBase
@@ -309,6 +313,7 @@ func validateAndSetLDAPServerConnectivityAndSearchBase(
 validatedSettingsCache.Set(upstream.Name(), ValidatedSettings{
 IDPSpecGeneration: upstream.Generation(),
 BindSecretResourceVersion: currentSecretVersion,
+ CABundlePEMSHA256: sha256.Sum256(config.CABundle),
 LDAPConnectionProtocol: config.ConnectionProtocol,
 UserSearchBase: config.UserSearch.Base,
 GroupSearchBase: config.GroupSearch.Base,
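Review bot: `sha256.Sum256(config.CABundle)` is computed twice on the same sync — once in the cache-hit condition of the `@@ -277` hunk and again in the `validatedSettingsCache.Set` literal of the `@@ -309` hunk; hashing once before the lookup, `caBundleHash := sha256.Sum256(config.CABundle)`, and using `caBundleHash` in both places guarantees the value stored is byte-for-byte the value later compared and removes the duplicated call. The comparison itself is sound: `[32]byte` equality is value equality, and a mismatch falls through to the re-probe path the removed TODO asked for, so a replaced CA bundle can no longer be served stale connection settings for the same name, secret version and generation. What I don't see in this patch's test hunks is a case that seeds the cache with an otherwise-matching entry whose `CABundlePEMSHA256` differs from the spec's bundle and asserts that the probes run again and the entry is overwritten; the test changes only extend the expected cache contents, so the new invalidation path may be untested unless such a case exists in the parts of the test files not shown here. `validateAndSetLDAPServerConnectivityAndSearchBase` begins before this hunk and continues past it.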