OCM-7188: GitHub IDP Add hostname validation

The openshfit validates the GitHub hostname and it can not match the [*.]github.com If the user would put the hostname 'github.com' the hive idp sync would fail as the admission controller would not allow to update the oauth cr Signed-off-by: Martin Necas <mnecas@redhat.com>
openshift · Apr 9, 2024 · 40cece2 · 40cece2
1 parent b3f87d7
commit 40cece2
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 4 deletions.
diff --git a/pkg/interactive/validation.go b/pkg/interactive/validation.go
@@ -25,6 +25,7 @@ import (
 	"os"
 	"regexp"
 	"strconv"
+	"strings"
 
 	"k8s.io/apimachinery/pkg/util/validation"
 	netutils "k8s.io/utils/net"
@@ -63,14 +64,21 @@ func IsURL(val interface{}) error {
 }
 
 func IsValidHostname(val interface{}) error {
-	if !_isValidHostname(val.(string)) {
+	hostname := val.(string)
+	if hostname == "github.com" || strings.HasSuffix(hostname, ".github.com") {
+		return fmt.Errorf(fmt.Sprintf("'%s' hostname cannot be equal [*.]github.com", hostname))
+	}
+	if !_isValidHostname(hostname) {
 		return fmt.Errorf(fmt.Sprintf("'%s' hostname must be a valid DNS subdomain or IP address", val.(string)))
 	}
 	return nil
 }
 
 // _isValidHostname is same validation as in the Open Shift GitHub IDP CRD
+// Validates the hostname DNS1123 format
 // https://github.com/openshift/kubernetes/blob/91607f5d750ba4002f87d34a12ae1cfd45b45b81/openshift-kube-apiserver/admission/customresourcevalidation/oauth/helpers.go#L13
+// and denies the [*.]github.com hostnames
+// https://github.com/openshift/kubernetes/blob/258f1d5fb6491ba65fd8201c827e179432430627/openshift-kube-apiserver/admission/customresourcevalidation/oauth/validate_github.go#L49
 //
 //nolint:lll
 func _isValidHostname(hostname string) bool {

diff --git a/pkg/interactive/validation_test.go b/pkg/interactive/validation_test.go
@@ -78,11 +78,18 @@ var _ = Describe("Validation", func() {
 		})
 	})
 	Context("GitHub Hostname", func() {
-		It("Fails validation if hostname is 'https://github.com'", func() {
-			err := IsValidHostname("https://github.com")
+		It("Fails validation if hostname is 'https://domain.customer.com'", func() {
+			err := IsValidHostname("https://domain.customer.com")
 			Expect(err).To(HaveOccurred())
 			Expect(err.Error()).To(ContainSubstring(
-				"'https://github.com' hostname must be a valid DNS subdomain or IP address"),
+				"'https://domain.customer.com' hostname must be a valid DNS subdomain or IP address"),
+			)
+		})
+		It("Fails validation if hostname is 'github.com'", func() {
+			err := IsValidHostname("github.com")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring(
+				"'github.com' hostname cannot be equal [*.]github.com"),
 			)
 		})
 		It("Passes validation if hostname is 'domain.customer.com'", func() {