fix(secrets): key/cert generation check req
parent
d0148fd26f
commit
6c20c29106
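--- /dev/null
+++ b/hash.go
@@ -0,0 +1,19 @@
+package main
+
+import (
+"crypto/sha1"
+"encoding/base64"
+"encoding/json"
+)
+
+func hash(values ...interface{}) string {
+ba, err := json.Marshal(values)
+if err != nil {
+panic(err) // should not happen
+}
+
+h := sha1.Sum(ba)
+
+enc := base64.StdEncoding.WithPadding(base64.NoPadding)
+return enc.EncodeToString(h[:])
+}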
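Review bot: SHA-1 is a weak choice for the request fingerprint in `hash` (`h := sha1.Sum(ba)`), because this commit uses that value to decide whether an existing key/cert pair is kept or re-issued. SHA-1 is collision-broken, so if any part of the request can be chosen by a less trusted party (not visible on this page), a changed request could share a hash with the stored one and be treated as already satisfied. `h := sha256.Sum256(ba)` with `"crypto/sha256"` in the import block is a drop-in replacement, and switching now is cheapest, since changing the digest later invalidates every stored `ReqHash`. A doc comment such as `// hash returns the unpadded base64 digest of the JSON encoding of values; it panics if values cannot be marshalled.` would also record the panic for callers.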
@ -38,6 +38,7 @@ type CA struct {
|
||||
type KeyCert struct {
|
||||
Key []byte
|
||||
Cert []byte
|
||||
ReqHash string
|
||||
}
|
||||
|
||||
func loadSecretData(config *config.Config) (*SecretData, error) {
|
||||
@ -161,8 +162,9 @@ func (sd *SecretData) KeyCert(cluster, caName, name, profile, label string, req
|
||||
return
|
||||
}
|
||||
|
||||
rh := hash(req)
|
||||
kc, ok := ca.Signed[name]
|
||||
if ok {
|
||||
if ok && rh == kc.ReqHash {
|
||||
return
|
||||
}
|
||||
|
||||
@ -192,6 +194,7 @@ func (sd *SecretData) KeyCert(cluster, caName, name, profile, label string, req
|
||||
kc = &KeyCert{
|
||||
Key: key,
|
||||
Cert: cert,
|
||||
ReqHash: rh,
|
||||
}
|
||||
|
||||
ca.Signed[name] = kc
|
||||
|
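Review bot: Entries stored before this change have an empty `ReqHash`, so in `KeyCert` the new test `if ok && rh == kc.ReqHash` fails for every existing name and the first run after upgrade falls through to generation and overwrites `ca.Signed[name]` for all of them. The superseded certificate is dropped from the store, but nothing visible in these hunks revokes it, so it presumably stays valid until it expires; that matters most when the request was changed in order to remove a name or usage. If this is intended, say so above the check, for example `// re-issue when the request changed (or predates ReqHash); the previous cert is replaced, not revoked`. The body of `KeyCert` between the second and third hunk is not shown, so whether the key is also regenerated is inferred only from `Key: key`.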