Fail Credentials validation if it contains extra data

coveooss · Mar 7, 2024 · 54c55fd · 54c55fd
1 parent d0dfc75
commit 54c55fd
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 2 deletions.
diff --git a/credentials/credentials.go b/credentials/credentials.go
@@ -158,11 +158,20 @@ func ParseSingleCredentials(credentialsMap map[string]interface{}) (Credentials,
 	default:
 		return nil, fmt.Errorf("entry %s: unknown credentials type: %s", id, credentialsType)
 	}
-	err := mapstructure.Decode(credentialsMap, credentials)
+	var validationErrors error
+	delete(credentialsMap, "type")
+	decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
+		ErrorUnused: true,
+		Metadata:    nil,
+		Result:      credentials})
 	if err != nil {
+		validationErrors = multierror.Append(validationErrors, fmt.Errorf("entry %s: unable to create a decoder: %v", id, err))
+	}
+	if err := decoder.Decode(credentialsMap); err != nil {
 		return nil, fmt.Errorf("entry %s: invalid credentials data: %v", id, err)
 	}
-	var validationErrors error
+	credentialsMap["type"] = credentialsType
+
 	if err := credentials.BaseValidate(); err != nil {
 		validationErrors = multierror.Append(validationErrors, err)
 	}

diff --git a/credentials/credentials_aws_test.go b/credentials/credentials_aws_test.go
@@ -56,6 +56,11 @@ func TestAwsCredentialsValidationErrors(t *testing.T) {
 	delete(credMap, "access_key")
 	_, err = ParseSingleCredentials(credMap)
 	assert.Error(t, err)
+
+	// Extra data
+	credMap["extra"] = "data"
+	_, err = ParseSingleCredentials(credMap)
+	assert.Error(t, err)
 }
 
 func TestAwsCredentialsToString(t *testing.T) {
@@ -66,3 +71,49 @@ func TestAwsCredentialsToString(t *testing.T) {
 	assert.Equal(t, "test -> Type: Amazon Web Services - key:********", cred.ToString(false))
 	assert.Equal(t, "test -> Type: Amazon Web Services - key:secret", cred.ToString(true))
 }
+
+func TestCredentialWithTargetTags(t *testing.T) {
+	credMap := map[string]interface{}{
+		"id":          "test",
+		"type":        "aws",
+		"description": "test-desc",
+		"access_key":  "key",
+		"secret_key":  "secret_key",
+		"target_tags": map[string]interface{}{
+			"do_match": map[string]interface{}{
+				"tag1": "value1",
+			},
+		},
+	}
+
+	cred, err := ParseSingleCredentials(credMap)
+	assert.Nil(t, err)
+
+	assert.Equal(t, &AmazonWebServicesCredentials{
+		Base: Base{
+			ID:          "test",
+			CredType:    "Amazon Web Services",
+			Description: "test-desc",
+			TargetTags:  targetTagsMatcher{DoMatch: map[string]interface{}{"tag1": "value1"}},
+		},
+		AccessKey: "key",
+		SecretKey: "secret_key",
+	}, cred)
+}
+
+func TestCredentialWithTargetTagsMalformed(t *testing.T) {
+	credMap := map[string]interface{}{
+		"id":         "test",
+		"type":       "aws",
+		"access_key": "key",
+		"secret_key": "secret_key",
+		"target_tags": map[string]interface{}{
+			"match": map[string]interface{}{
+				"tag1": "value1",
+			},
+		},
+	}
+
+	_, err := ParseSingleCredentials(credMap)
+	assert.Error(t, err)
+}