Validate leading and trailing spaces in tokens (#190)

CHANGELOG.md

@@ -9,7 +9,7 @@
 * Operator log entries now use ISO-8601 timestamps (e.g., `"2019-10-30T12:59:43.717+0100"`) ([#159](https://github.com/Dynatrace/dynatrace-oneagent-operator/pull/159))
 * The service account for pods can now be customized ([#182](https://github.com/Dynatrace/dynatrace-oneagent-operator/pull/182), [#187](https://github.com/Dynatrace/dynatrace-oneagent-operator/pull/187))
 * Custom labels can be added to pods ([#183](https://github.com/Dynatrace/dynatrace-oneagent-operator/pull/183))
-* Validate tokens for OneAgent and show results as conditions on OneAgent status section ([#188](https://github.com/Dynatrace/dynatrace-oneagent-operator/pull/188))
+* Validate tokens for OneAgent and show results as conditions on OneAgent status section ([#188](https://github.com/Dynatrace/dynatrace-oneagent-operator/pull/188), [#190](https://github.com/Dynatrace/dynatrace-oneagent-operator/pull/190))
 
 ### Bug fixes
 

pkg/controller/oneagent/oneagent_controller.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/http"
 	"reflect"
+	"strings"
 	"time"
 
 	dynatracev1alpha1 "github.com/Dynatrace/dynatrace-oneagent-operator/pkg/apis/dynatrace/v1alpha1"
@@ -556,6 +557,12 @@ func reconcileDynatraceClient(oa *dynatracev1alpha1.OneAgent, c client.Client, d
 	}
 
 	for _, t := range tokens {
+		if strings.TrimSpace(t.Value) != t.Value {
+			updateCR = oa.SetFailureCondition(t.Type, dynatracev1alpha1.ReasonTokenUnauthorized,
+				fmt.Sprintf("Token on secret %s has leading and/or trailing spaces", secretKey)) || updateCR
+			continue
+		}
+
 		// At this point, we can query the Dynatrace API to verify whether our tokens are correct. To avoid excessive requests,
 		// we wait at least 5 mins between proves.
 		if *t.Timestamp != nil && now.Time.Before((*t.Timestamp).Add(5*time.Minute)) {

pkg/controller/oneagent/oneagent_controller_test.go

@@ -144,13 +144,12 @@ func TestReconcileDynatraceClient_TokenValidation(t *testing.T) {
 		mock.AssertExpectationsForObjects(t, dtcMock)
 	})
 
-	t.Run("PaaS token has wrong scope, API token is ready", func(t *testing.T) {
+	t.Run("PaaS token has wrong scope, API token has leading and trailing space characters", func(t *testing.T) {
 		oa := base.DeepCopy()
-		c := fake.NewFakeClient(NewSecret(oaName, namespace, map[string]string{utils.DynatracePaasToken: "42", utils.DynatraceApiToken: "84"}))
+		c := fake.NewFakeClient(NewSecret(oaName, namespace, map[string]string{utils.DynatracePaasToken: "42", utils.DynatraceApiToken: " \t84\n  "}))
 
 		dtcMock := &dtclient.MockDynatraceClient{}
 		dtcMock.On("GetTokenScopes", "42").Return(dtclient.TokenScopes{dtclient.TokenScopeDataExport}, nil)
-		dtcMock.On("GetTokenScopes", "84").Return(dtclient.TokenScopes{dtclient.TokenScopeDataExport}, nil)
 
 		dtc, ucr, err := reconcileDynatraceClient(oa, c, utils.StaticDynatraceClient(dtcMock), metav1.Now())
 		assert.Equal(t, dtcMock, dtc)
@@ -159,6 +158,26 @@ func TestReconcileDynatraceClient_TokenValidation(t *testing.T) {
 
 		AssertCondition(t, oa, dynatracev1alpha1.PaaSTokenConditionType, false, dynatracev1alpha1.ReasonTokenScopeMissing,
 			"Token on secret dynatrace:oneagent missing scope InstallerDownload")
+		AssertCondition(t, oa, dynatracev1alpha1.APITokenConditionType, false, dynatracev1alpha1.ReasonTokenUnauthorized,
+			"Token on secret dynatrace:oneagent has leading and/or trailing spaces")
+
+		mock.AssertExpectationsForObjects(t, dtcMock)
+	})
+
+	t.Run("PaaS and API token are ready", func(t *testing.T) {
+		oa := base.DeepCopy()
+		c := fake.NewFakeClient(NewSecret(oaName, namespace, map[string]string{utils.DynatracePaasToken: "42", utils.DynatraceApiToken: "84"}))
+
+		dtcMock := &dtclient.MockDynatraceClient{}
+		dtcMock.On("GetTokenScopes", "42").Return(dtclient.TokenScopes{dtclient.TokenScopeInstallerDownload}, nil)
+		dtcMock.On("GetTokenScopes", "84").Return(dtclient.TokenScopes{dtclient.TokenScopeDataExport}, nil)
+
+		dtc, ucr, err := reconcileDynatraceClient(oa, c, utils.StaticDynatraceClient(dtcMock), metav1.Now())
+		assert.Equal(t, dtcMock, dtc)
+		assert.True(t, ucr)
+		assert.NoError(t, err)
+
+		AssertCondition(t, oa, dynatracev1alpha1.PaaSTokenConditionType, true, dynatracev1alpha1.ReasonTokenReady, "Ready")
 		AssertCondition(t, oa, dynatracev1alpha1.APITokenConditionType, true, dynatracev1alpha1.ReasonTokenReady, "Ready")
 
 		mock.AssertExpectationsForObjects(t, dtcMock)