Always generate new oauth-proxy password (#2333)

* Always generate new oauth-proxy password Signed-off-by: Pavol Loffay <[email protected]> * Fix Signed-off-by: Pavol Loffay <[email protected]> --------- Signed-off-by: Pavol Loffay <[email protected]>
jaegertracing · Sep 27, 2023 · 22288a9 · 22288a9
1 parent ed877c0
commit 22288a9
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 23 deletions.
diff --git a/pkg/inject/oauth_proxy.go b/pkg/inject/oauth_proxy.go
@@ -18,9 +18,6 @@ import (
 	"github.com/jaegertracing/jaeger-operator/pkg/util"
 )
 
-// #nosec   G101 (CWE-798): Potential hardcoded credentials
-const defaultProxySecret = "ncNDoqLGrayxXzxTn5ANbOXZp3qXd0LA"
-
 // OAuthProxy injects an appropriate proxy into the given deployment
 func OAuthProxy(jaeger *v1.Jaeger, dep *appsv1.Deployment) *appsv1.Deployment {
 	if jaeger.Spec.Ingress.Security != v1.IngressSecurityOAuthProxy {
@@ -41,15 +38,8 @@ func OAuthProxy(jaeger *v1.Jaeger, dep *appsv1.Deployment) *appsv1.Deployment {
 }
 
 func proxyInitArguments(jaeger *v1.Jaeger) []string {
-	secret, err := util.GenerateProxySecret()
-	if err != nil {
-		jaeger.Logger().Error(
-			err,
-			fmt.Sprintf("Error generating secret: %s, fallback to fixed secret", secret),
-		)
-		secret = defaultProxySecret
-	}
-	args := []string{
+	secret := util.GenerateProxySecret()
+	return []string{
 		fmt.Sprintf("--cookie-secret=%s", secret),
 		"--https-address=:8443",
 		fmt.Sprintf("--openshift-service-account=%s", account.OAuthProxyAccountNameFor(jaeger)),
@@ -58,7 +48,6 @@ func proxyInitArguments(jaeger *v1.Jaeger) []string {
 		"--tls-key=/etc/tls/private/tls.key",
 		"--upstream=http://localhost:16686",
 	}
-	return args
 }
 
 func getOAuthProxyContainer(jaeger *v1.Jaeger) corev1.Container {

diff --git a/pkg/util/util.go b/pkg/util/util.go
@@ -1,12 +1,12 @@
 package util
 
 import (
-	"crypto/rand"
-	"encoding/base64"
 	"fmt"
+	"math/rand"
 	"os"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/go-logr/logr"
 	"github.com/spf13/viper"
@@ -312,17 +312,19 @@ func CreateEnvsFromSecret(secretName string) []corev1.EnvFromSource {
 	return envs
 }
 
+const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+
+// #nosec   G404: Use of weak random number generator (math/rand instead of crypto/rand) (gosec)
+var seededRand = rand.New(rand.NewSource(time.Now().UnixNano()))
+
 // GenerateProxySecret generate random secret key for oauth proxy cookie.
-func GenerateProxySecret() (string, error) {
+func GenerateProxySecret() string {
 	const secretLength = 16
-	randString := make([]byte, secretLength)
-	_, err := rand.Read(randString)
-	if err != nil {
-		// If we cannot generate random, return fixed.
-		return "", err
+	b := make([]byte, secretLength)
+	for i := range b {
+		b[i] = charset[seededRand.Intn(len(charset))]
 	}
-	base64Secret := base64.StdEncoding.EncodeToString(randString)
-	return base64Secret, nil
+	return string(b)
 }
 
 // FindEnvVar return the EnvVar with given name or nil if not found