From 40cece20cb046830ac070f3e50080e3457ee8a1c Mon Sep 17 00:00:00 2001
From: Martin Necas
Date: Tue, 9 Apr 2024 10:16:02 +0200
Subject: [PATCH] OCM-7188: GitHub IDP Add hostname validation

The openshfit validates the GitHub hostname and it can not match the [*.]github.com If the user would put the hostname 'github.com' the hive idp sync would fail as the admission controller would not allow to update the oauth cr

Signed-off-by: Martin Necas
---
 pkg/interactive/validation.go | 10 +++++++++-
 pkg/interactive/validation_test.go | 13 ++++++++++---
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/pkg/interactive/validation.go b/pkg/interactive/validation.go
index 6bd64f888b..fceebdba3e 100644
--- a/pkg/interactive/validation.go
+++ b/pkg/interactive/validation.go
@@ -25,6 +25,7 @@ import (
 "os"
 "regexp"
 "strconv"
+ "strings"

 "k8s.io/apimachinery/pkg/util/validation"
 netutils "k8s.io/utils/net"
@@ -63,14 +64,21 @@ func IsURL(val interface{}) error {
 }

 func IsValidHostname(val interface{}) error {
- if !_isValidHostname(val.(string)) {
+ hostname := val.(string)
+ if hostname == "github.com" || strings.HasSuffix(hostname, ".github.com") {
+ return fmt.Errorf(fmt.Sprintf("'%s' hostname cannot be equal [*.]github.com", hostname))
+ }
+ if !_isValidHostname(hostname) {
 return fmt.Errorf(fmt.Sprintf("'%s' hostname must be a valid DNS subdomain or IP address", val.(string)))
 }
 return nil
 }

 // _isValidHostname is same validation as in the Open Shift GitHub IDP CRD
+// Validates the hostname DNS1123 format
 // https://github.com/openshift/kubernetes/blob/91607f5d750ba4002f87d34a12ae1cfd45b45b81/openshift-kube-apiserver/admission/customresourcevalidation/oauth/helpers.go#L13
+// and denies the [*.]github.com hostnames
+// https://github.com/openshift/kubernetes/blob/258f1d5fb6491ba65fd8201c827e179432430627/openshift-kube-apiserver/admission/customresourcevalidation/oauth/validate_github.go#L49
 //
 //nolint:lll
 func _isValidHostname(hostname string) bool {
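Review bot: The new rejection in `IsValidHostname` builds its message with `fmt.Errorf(fmt.Sprintf(...))`, so the user-supplied hostname is parsed a second time as a format string; an input such as `%d.github.com` matches the suffix check and comes back as `%!d(MISSING)` in the error text, and recent `go vet` versions flag the non-constant format. Pass the value as an argument instead, `return fmt.Errorf("'%s' hostname cannot be equal [*.]github.com", hostname)`; the unchanged DNS-subdomain branch below has the same pattern. The added comment says `_isValidHostname` denies `[*.]github.com`, but the visible check lives in the `IsValidHostname` wrapper; the helper's body is outside the hunk, so if it has other callers they would presumably skip the denial, and either the check should move into the helper or the comment should read `// IsValidHostname additionally denies the [*.]github.com hostnames`. `val.(string)` is also an unchecked assertion that panics on a non-string value; `hostname, ok := val.(string)` with an error return on `!ok` would be safer.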
diff --git a/pkg/interactive/validation_test.go b/pkg/interactive/validation_test.go
index 035fbf8f2c..a9e913f158 100644
--- a/pkg/interactive/validation_test.go
+++ b/pkg/interactive/validation_test.go
@@ -78,11 +78,18 @@ var _ = Describe("Validation", func() {
 })
 })
 Context("GitHub Hostname", func() {
- It("Fails validation if hostname is 'https://github.com'", func() {
- err := IsValidHostname("https://github.com")
+ It("Fails validation if hostname is 'https://domain.customer.com'", func() {
+ err := IsValidHostname("https://domain.customer.com")
 Expect(err).To(HaveOccurred())
 Expect(err.Error()).To(ContainSubstring(
- "'https://github.com' hostname must be a valid DNS subdomain or IP address"),
+ "'https://domain.customer.com' hostname must be a valid DNS subdomain or IP address"),
+ )
+ })
+ It("Fails validation if hostname is 'github.com'", func() {
+ err := IsValidHostname("github.com")
+ Expect(err).To(HaveOccurred())
+ Expect(err.Error()).To(ContainSubstring(
+ "'github.com' hostname cannot be equal [*.]github.com"),
 )
 })
 It("Passes validation if hostname is 'domain.customer.com'", func() {
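Review bot: Only the exact-match branch of the new check is tested; the `strings.HasSuffix(hostname, ".github.com")` branch and look-alike inputs that must still pass are not exercised. Add a failing case such as `err := IsValidHostname("api.github.com")` expecting the `cannot be equal [*.]github.com` message, and a passing case for a constructed near-miss like `notgithub.com`, so that a later change to a looser suffix match would be caught by the suite. The final `It("Passes validation ...` block continues outside the hunk.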