Note that this fixes a bug in the existing `toBytes` implementation
which does not correctly set the capacity on the returned slice.
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: aa80f8fb856bb2b645c90457f9b1dd75e4e57c73

It is possible to configure the token cache to cache failures. We
allow 1 MB of headers per request, meaning a malicious actor could
cause the cache to use a large amount of memory by filling it with
large invalid tokens. This change hashes the token before using it
as a key. Measures have been taken to prevent precomputation
attacks. SHA 256 is used as the hash to prevent collisions.
Signed-off-by: Monis Khan <mkhan@redhat.com>
Kubernetes-commit: 9a547bca8e6e15273bfafd3496aa6524fd7d35bd
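
The approach in the commit message above, as an added Go example that is not the Kubernetes code: cache entries are keyed by a fixed-size keyed hash of the token, so a 1 MB invalid token costs 32 bytes of key. It assumes a per-process random HMAC-SHA256 key as the precomputation defense (the message does not say which measure was used); all type and function names are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// tokenCache (hypothetical name) keys results by a keyed hash of the token, never the token itself.
type tokenCache struct {
	hmacKey []byte          // random per process, so keys cannot be precomputed offline (assumed measure)
	entries map[string]bool // true = authenticated; failures are cached as false
}

func newTokenCache() *tokenCache {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return &tokenCache{hmacKey: key, entries: map[string]bool{}}
}

// keyFor returns HMAC-SHA256(hmacKey, token): 32 bytes whatever the token length.
func (c *tokenCache) keyFor(token string) string {
	mac := hmac.New(sha256.New, c.hmacKey)
	mac.Write([]byte(token))
	return string(mac.Sum(nil))
}

func (c *tokenCache) put(token string, ok bool) { c.entries[c.keyFor(token)] = ok }
func (c *tokenCache) get(token string) (ok, found bool) {
	ok, found = c.entries[c.keyFor(token)]
	return ok, found
}
// keyBytes reports how many bytes the cache holds as map keys.
func (c *tokenCache) keyBytes() (n int) {
	for k := range c.entries {
		n += len(k)
	}
	return n
}

func main() {
	c := newTokenCache()
	c.put(strings.Repeat("A", 1<<20), false) // constructed 1 MB invalid token, cached as a failure
	fmt.Println("bytes held as cache keys:", c.keyBytes())
}
```

Because the HMAC key is drawn at start-up, the same token maps to a different cache key in every process, which is what rules out an offline table of token hashes.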

The striped cache used by the token cache is slightly more sophisticated;
however, the simple cache provides about the same exact behavior. I used
the striped cache rather than the simple cache because:
* It has been used without issue as the primary token cache.
* It performs better under load.
* It is already exposed in the public API of the token cache package.
Kubernetes-commit: 0ec4d6d396f237ccb3ae0e96922a90600befb83d