ARO-4373 convert BoundServiceAccountSigningKey to *SecureString

Azure · Jun 10, 2024 · 6067a9d · 6067a9d
1 parent 0d6abaf
commit 6067a9d
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 5 deletions.
diff --git a/pkg/api/openshiftcluster.go b/pkg/api/openshiftcluster.go
@@ -264,7 +264,7 @@ type ClusterProfile struct {
 	ResourceGroupID               string               `json:"resourceGroupId,omitempty"`
 	FipsValidatedModules          FipsValidatedModules `json:"fipsValidatedModules,omitempty"`
 	OIDCIssuer                    OIDCIssuer           `json:"oidcIssuer,omitempty"`
-	BoundServiceAccountSigningKey SecureBytes          `json:"boundServiceAccountSigningKey,omitempty"`
+	BoundServiceAccountSigningKey *SecureString        `json:"boundServiceAccountSigningKey,omitempty"`
 }
 
 // FeatureProfile represents a feature profile.

diff --git a/pkg/cluster/deploybaseresources.go b/pkg/cluster/deploybaseresources.go
@@ -27,6 +27,7 @@ import (
 	"github.com/Azure/ARO-RP/pkg/env"
 	"github.com/Azure/ARO-RP/pkg/util/arm"
 	"github.com/Azure/ARO-RP/pkg/util/oidcbuilder"
+	"github.com/Azure/ARO-RP/pkg/util/pointerutils"
 	"github.com/Azure/ARO-RP/pkg/util/stringutils"
 )
 
@@ -72,7 +73,7 @@ func (m *manager) createOIDC(ctx context.Context) error {
 
 	m.doc, err = m.db.PatchWithLease(ctx, m.doc.Key, func(doc *api.OpenShiftClusterDocument) error {
 		doc.OpenShiftCluster.Properties.ClusterProfile.OIDCIssuer = api.OIDCIssuer(oidcBuilder.GetEndpointUrl())
-		doc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey = api.SecureBytes(oidcBuilder.GetPrivateKey())
+		doc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey = pointerutils.ToPtr(api.SecureString(oidcBuilder.GetPrivateKey()))
 		return nil
 	})
 

diff --git a/pkg/util/oidcbuilder/oidcbuilder.go b/pkg/util/oidcbuilder/oidcbuilder.go
@@ -53,8 +53,8 @@ func (b *OIDCBuilder) GetEndpointUrl() string {
 	return b.endpointURL
 }
 
-func (b *OIDCBuilder) GetPrivateKey() []byte {
-	return b.privateKey
+func (b *OIDCBuilder) GetPrivateKey() string {
+	return string(b.privateKey)
 }
 
 func (b *OIDCBuilder) GetBlobContainerURL() string {

diff --git a/pkg/util/oidcbuilder/oidcbuilder_test.go b/pkg/util/oidcbuilder/oidcbuilder_test.go
@@ -156,7 +156,7 @@ func TestEnsureOIDCDocs(t *testing.T) {
 				t.Fatalf("GetEndpointUrl doesn't match the original endpointURL - %s != %s (wanted)", tt.oidcbuilder.GetEndpointUrl(), tt.oidcbuilder.endpointURL)
 			}
 
-			if !reflect.DeepEqual(tt.oidcbuilder.privateKey, tt.oidcbuilder.GetPrivateKey()) {
+			if !reflect.DeepEqual(string(tt.oidcbuilder.privateKey), tt.oidcbuilder.GetPrivateKey()) {
 				t.Fatalf("GetPrivateKey doesn't match the original privateKey")
 			}
 

diff --git a/pkg/util/pointerutils/pointerutils.go b/pkg/util/pointerutils/pointerutils.go
@@ -0,0 +1,6 @@
+package pointerutils
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+func ToPtr[T any](t T) *T { return &t }
diff --git a/pkg/util/pointerutils/pointerutils_test.go b/pkg/util/pointerutils/pointerutils_test.go
@@ -0,0 +1,22 @@
+package pointerutils
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"bytes"
+	"testing"
+)
+
+func TestToPtr(t *testing.T) {
+	input := []byte("Test String")
+	output := ToPtr(input)
+
+	if output == &input {
+		t.Errorf("Value returned by ToPtr does not matches the expected pointer value")
+	}
+
+	if !bytes.Equal(input, *output) {
+		t.Errorf("Input bytes doesn't match with the bytes value for the pointer returned by ToPtr")
+	}
+}