Skip to content
This repository was archived by the owner on Dec 12, 2025. It is now read-only.

Fix Secret creation with username with rfc-1123 non-allowed-chars. #880

Merged
rodrigovalin merged 2 commits into from
Feb 7, 2022
Merged

Fix Secret creation with username with rfc-1123 non-allowed-chars. #880

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4f89ca6
Fix Secret creation with username with _.
Feb 4, 2022
3acfc4f
More rigorous conversion.
Feb 7, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 21 additions & 2 deletions pkg/authentication/scram/scram.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ package scram
import (
"encoding/base64"
"fmt"
"regexp"
"strings"

"github.com/pkg/errors"

Expand Down Expand Up @@ -337,7 +339,24 @@ func convertMongoDBUserToAutomationConfigUser(secretGetUpdateCreateDeleter secre
return acUser, nil
}

// GetConnectionStringSecretName returns the name of the secret where the operator stores the connection string for current user
// GetConnectionStringSecretName returns the name of the secret where the
// operator stores the connection string for current user.
func (u User) GetConnectionStringSecretName(mdb Configurable) string {
return fmt.Sprintf("%s-%s-%s", mdb.NamespacedName().Name, u.Database, u.Username)
return fmt.Sprintf("%s-%s-%s", mdb.NamespacedName().Name, u.Database, normalizeUsername(u.Username))
}

// normalizeUsername returns a string that conforms to RFC-1123, by replacing
// non-allowed characters with `-`.
//
// The MongoDB username can contain the chars in `acceptedChars` variable, as
// documented here: https://docs.mongodb.com/manual/reference/connection-string/.
func normalizeUsername(username string) string {
acceptedChars := `[:\/\?#\[\]@_]`
re := regexp.MustCompile(acceptedChars)
username = re.ReplaceAllString(username, "-")

// Remove duplicate `-` resulting from contiguous non-allowed chars.
re = regexp.MustCompile(`\-+`)
username = re.ReplaceAllString(username, "-")
return strings.Trim(username, "-")
}
13 changes: 11 additions & 2 deletions pkg/authentication/scram/scram_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,10 +48,21 @@ func newMockedSecretGetUpdateCreateDeleter(secrets ...corev1.Secret) secret.GetU
}
return mockSecretGetUpdateCreateDeleter
}

func notFoundError() error {
return &errors.StatusError{ErrStatus: metav1.Status{Reason: metav1.StatusReasonNotFound}}
}

func TestUsernameIsTransformedAndValid(t *testing.T) {
user := buildMongoDBUser("name_with@weird?chars")
mdb := buildConfigurable("mdb")
assert.Equal(t, "mdb-admin-name-with-weird-chars-user", user.GetConnectionStringSecretName(mdb))
}

func TestUsernameCanHaveAn(t *testing.T) {
assert.Equal(t, "normalize-username-with-no-allowed-chars-only", normalizeUsername("?_normalize/_-username/?@with/[]?no]?/:allowed:chars[only?"))
}

func TestReadExistingCredentials(t *testing.T) {
mdbObjectKey := types.NamespacedName{Name: "mdb-0", Namespace: "default"}
user := buildMongoDBUser("mdbuser-0")
Expand All @@ -74,7 +85,6 @@ func TestReadExistingCredentials(t *testing.T) {
_, _, err := readExistingCredentials(newMockedSecretGetUpdateCreateDeleter(scramCredsSecret), mdbObjectKey, "different-username")
assert.Error(t, err)
})

}

func TestComputeScramCredentials_ComputesSameStoredAndServerKey_WithSameSalt(t *testing.T) {
Expand Down Expand Up @@ -136,7 +146,6 @@ func TestEnsureScramCredentials(t *testing.T) {
assert.NotEmpty(t, scram256Creds.ServerKey)
assert.Equal(t, 15000, scram256Creds.IterationCount)
})

}

func TestConvertMongoDBUserToAutomationConfigUser(t *testing.T) {
Expand Down