[release-1.6] Improve session handling with a secure session key

Manually cherry-pick #2154 to resovle conflicts Signed-off-by: Gong Zhang <[email protected]>
kubernetes-sigs · Aug 9, 2023 · cbf0a22 · cbf0a22
1 parent 2808927
commit cbf0a22
Showing 1 changed file with 14 additions and 5 deletions.
diff --git a/pkg/session/session.go b/pkg/session/session.go
@@ -18,6 +18,7 @@ package session
 
 import (
 	"context"
+	"crypto/sha256"
 	"fmt"
 	"net/netip"
 	"net/url"
@@ -109,14 +110,22 @@ func (p *Params) WithFeatures(feature Feature) *Params {
 // GetOrCreate gets a cached session or creates a new one if one does not
 // already exist.
 func GetOrCreate(ctx context.Context, params *Params) (*Session, error) {
-	logger := ctrl.LoggerFrom(ctx).WithName("session")
+	logger := ctrl.LoggerFrom(ctx).WithName("session").WithValues(
+		"server", params.server,
+		"datacenter", params.datacenter,
+		"username", params.userinfo.Username())
+
 	sessionMU.Lock()
 	defer sessionMU.Unlock()
 
-	sessionKey := params.server + params.userinfo.Username() + params.datacenter
+	userPassword, _ := params.userinfo.Password()
+	h := sha256.New()
+	h.Write([]byte(userPassword))
+	hashedUserPassword := h.Sum(nil)
+	sessionKey := fmt.Sprintf("%s#%s#%s#%x", params.server, params.datacenter, params.userinfo.Username(),
+		hashedUserPassword)
 	if cachedSession, ok := sessionCache.Load(sessionKey); ok {
 		s := cachedSession.(*Session)
-		logger = logger.WithValues("server", params.server, "datacenter", params.datacenter)
 
 		vimSessionActive, err := s.SessionManager.SessionIsActive(ctx)
 		if err != nil {
@@ -215,7 +224,7 @@ func newClient(ctx context.Context, logger logr.Logger, sessionKey string, url *
 		_, err := methods.GetCurrentTime(ctx, tripper)
 		if err != nil {
 			logger.Error(err, "failed to keep alive govmomi client")
-			logger.Info("clearing the session", "key", sessionKey)
+			logger.Info("clearing the session")
 			sessionCache.Delete(sessionKey)
 		}
 		return err
@@ -240,7 +249,7 @@ func newManager(ctx context.Context, logger logr.Logger, sessionKey string, clie
 			return nil
 		}
 
-		logger.Info("rest client session expired, clearing session", "key", sessionKey)
+		logger.Info("rest client session expired, clearing session")
 		sessionCache.Delete(sessionKey)
 		return errors.New("rest client session expired")
 	})