Merge pull request #2154 from zhanggbj/secure_session

k8s-ci-robot · web-flow · commit 1013a3aa654e · 2023-08-08T14:19:57.000-07:00
✨ Improve session handling with a secure session key
diff --git a/pkg/session/session.go b/pkg/session/session.go
@@ -18,6 +18,7 @@ package session
 
 import (
 	"context"
+	"crypto/sha256"
 	"fmt"
 	"net/netip"
 	"net/url"
@@ -113,14 +114,22 @@ func (p *Params) WithFeatures(feature Feature) *Params {
 // GetOrCreate gets a cached session or creates a new one if one does not
 // already exist.
 func GetOrCreate(ctx context.Context, params *Params) (*Session, error) {
-	logger := ctrl.LoggerFrom(ctx).WithName("session")
+	logger := ctrl.LoggerFrom(ctx).WithName("session").WithValues(
+		"server", params.server,
+		"datacenter", params.datacenter,
+		"username", params.userinfo.Username())
+
 	sessionMU.Lock()
 	defer sessionMU.Unlock()
 
-	sessionKey := params.server + params.userinfo.Username() + params.datacenter
+	userPassword, _ := params.userinfo.Password()
+	h := sha256.New()
+	h.Write([]byte(userPassword))
+	hashedUserPassword := h.Sum(nil)
+	sessionKey := fmt.Sprintf("%s#%s#%s#%x", params.server, params.datacenter, params.userinfo.Username(),
+		hashedUserPassword)
 	if cachedSession, ok := sessionCache.Load(sessionKey); ok {
 		s := cachedSession.(*Session)
-		logger = logger.WithValues("server", params.server, "datacenter", params.datacenter)
 
 		vimSessionActive, err := s.SessionManager.SessionIsActive(ctx)
 		if err != nil {
@@ -220,7 +229,7 @@ func newClient(ctx context.Context, logger logr.Logger, sessionKey string, url *
 			_, err := methods.GetCurrentTime(ctx, tripper)
 			if err != nil {
 				logger.Error(err, "failed to keep alive govmomi client")
-				logger.Info("clearing the session", "key", sessionKey)
+				logger.Info("clearing the session")
 				sessionCache.Delete(sessionKey)
 			}
 			return err
@@ -247,7 +256,7 @@ func newManager(ctx context.Context, logger logr.Logger, sessionKey string, clie
 				return nil
 			}
 
-			logger.Info("rest client session expired, clearing session", "key", sessionKey)
+			logger.Info("rest client session expired, clearing session")
 			sessionCache.Delete(sessionKey)
 			return errors.New("rest client session expired")
 		})
