
Commit b0a51e0

Move to VerifySecretFields to reject invalid passwords
Service passwords are usually defined in the osp-secret and propagated to each service's config. This patch moves from verifyServiceSecret to the new lib-common VerifySecretFields, which accepts a validator that accepts or rejects the password field and sets the appropriate errorMsg on the InputReady Condition. Signed-off-by: Francesco Pantano <fpantano@redhat.com>
1 parent 150119c commit b0a51e0

7 files changed

Lines changed: 77 additions & 25 deletions


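--- a/internal/cloudkitty/common.go
+++ b/internal/cloudkitty/common.go
@@ -91,14 +91,14 @@ func EnsureTopology(
 func VerifyServiceSecret(
 ctx context.Context,
 secretName types.NamespacedName,
-expectedFields []string,
+expectedFields map[string]secret.Validator,
 reader client.Reader,
 conditionUpdater conditionUpdater,
 requeueTimeout time.Duration,
 envVars *map[string]env.Setter,
 ) (ctrl.Result, error) {
 
-hash, res, err := secret.VerifySecret(ctx, secretName, expectedFields, reader, requeueTimeout)
+hash, res, err := secret.VerifySecretFields(ctx, secretName, expectedFields, reader, requeueTimeout)
 if err != nil {
 conditionUpdater.Set(condition.FalseCondition(
 condition.InputReadyCondition,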
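Review bot: The InputReady condition message built from `err` a few lines further down (outside the hunk) now carries whatever VerifySecretFields returns for a rejected password, so it is worth confirming that text names the key and the rule that failed rather than echoing the value itself — condition messages are written to the CR status, which is usually readable more widely than the Secret. VerifyServiceSecret's body continues outside the hunk. ensureSecret in internal/controller/telemetry_common.go has the same shape and the same question applies there.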

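--- a/internal/controller/autoscaling_controller.go
+++ b/internal/controller/autoscaling_controller.go
@@ -370,7 +370,18 @@ func (r *AutoscalingReconciler) reconcileNormal(
 //
 // check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map
 //
-ctrlResult, err := r.getSecret(ctx, helper, instance, instance.Spec.Aodh.Secret, instance.Spec.Aodh.PasswordSelectors.AodhService, &configMapVars)
+// Associate to PasswordSelectors.Service field a password validator to
+// ensure pwd invalid detected patterns are rejected.
+validateFields := map[string]secret.Validator{
+instance.Spec.Aodh.PasswordSelectors.AodhService: secret.PasswordValidator{},
+}
+ctrlResult, err := r.getSecret(
+ctx,
+helper,
+instance,
+instance.Spec.Aodh.Secret,
+validateFields,
+&configMapVars)
 if err != nil {
 return ctrlResult, err
 }
@@ -474,7 +485,19 @@ func (r *AutoscalingReconciler) reconcileNormal(
 return ctrl.Result{RequeueAfter: time.Duration(10) * time.Second}, nil
 }
 
-ctrlResult, err = r.getSecret(ctx, helper, instance, *instance.Status.NotificationsURLSecret, "transport_url", &configMapVars)
+// transportURLFields are not pure password fields. We do not associate a
+// password validator and we only verify that the entry exists in the
+// secret
+transportValidateFields := map[string]secret.Validator{
+"transport_url": secret.NoOpValidator{},
+}
+ctrlResult, err = r.getSecret(
+ctx,
+helper,
+instance,
+*instance.Status.NotificationsURLSecret,
+transportValidateFields,
+&configMapVars)
 if err != nil {
 return ctrlResult, err
 }
@@ -876,13 +899,18 @@ func (r *AutoscalingReconciler) getAutoscalingHeat(
 }
 
 // getSecret - get the specified secret, and add its hash to envVars
-func (r *AutoscalingReconciler) getSecret(ctx context.Context, h *helper.Helper, instance *telemetryv1.Autoscaling, secretName string, expectedField string, envVars *map[string]env.Setter) (ctrl.Result, error) {
+func (r *AutoscalingReconciler) getSecret(
+ctx context.Context,
+h *helper.Helper,
+instance *telemetryv1.Autoscaling,
+secretName string,
+expectedFields map[string]secret.Validator,
+envVars *map[string]env.Setter,
+) (ctrl.Result, error) {
 secretHash, result, err := ensureSecret(
 ctx,
 types.NamespacedName{Namespace: instance.Namespace, Name: secretName},
-[]string{
-expectedField,
-},
+expectedFields,
 h.GetClient(),
 &instance.Status.Conditions,
 time.Duration(10)*time.Second,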
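Review bot: In the second hunk the comment refers to `transportURLFields` while the variable declared directly beneath it is `transportValidateFields`, and the wording is awkward; I would replace the three comment lines with `// transport_url is not a password field: attach a NoOpValidator so only the key's presence in the secret is checked.`. The `getSecret` doc comment in the third hunk still says only "get the specified secret, and add its hash to envVars" although the function now takes a validator map; suggest `// getSecret - verify that the secret holds every key in expectedFields, apply each key's Validator to its value, and add the secret hash to envVars`, and the same applies to getSecret in ceilometer_controller.go. The first hunk's comment "Associate to PasswordSelectors.Service field a password validator to ensure pwd invalid detected patterns are rejected." is hard to parse; `// Reject service passwords matching the patterns PasswordValidator forbids.` reads more clearly, and that comment is duplicated verbatim in ceilometer_controller.go, cloudkitty_controller.go, cloudkittyapi_controller.go and cloudkittyproc_controller.go. reconcileNormal and getSecret both continue outside their hunks.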

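--- a/internal/controller/ceilometer_controller.go
+++ b/internal/controller/ceilometer_controller.go
@@ -571,7 +571,18 @@ func (r *CeilometerReconciler) reconcileCeilometer(
 //
 // check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map
 //
-ctrlResult, err := r.getSecret(ctx, helper, instance, instance.Spec.Secret, instance.Spec.PasswordSelectors.CeilometerService, &configMapVars)
+// Associate to PasswordSelectors.Service field a password validator to
+// ensure pwd invalid detected patterns are rejected.
+validateFields := map[string]secret.Validator{
+instance.Spec.PasswordSelectors.CeilometerService: secret.PasswordValidator{},
+}
+ctrlResult, err := r.getSecret(
+ctx,
+helper,
+instance,
+instance.Spec.Secret,
+validateFields,
+&configMapVars)
 if err != nil {
 return ctrlResult, err
 }
@@ -1208,13 +1219,18 @@ func (r *CeilometerReconciler) reconcileKSM(
 }
 
 // getSecret - get the specified secret, and add its hash to envVars
-func (r *CeilometerReconciler) getSecret(ctx context.Context, h *helper.Helper, instance *telemetryv1.Ceilometer, secretName string, expectedField string, envVars *map[string]env.Setter) (ctrl.Result, error) {
+func (r *CeilometerReconciler) getSecret(
+ctx context.Context,
+h *helper.Helper,
+instance *telemetryv1.Ceilometer,
+secretName string,
+expectedFields map[string]secret.Validator,
+envVars *map[string]env.Setter,
+) (ctrl.Result, error) {
 secretHash, result, err := ensureSecret(
 ctx,
 types.NamespacedName{Namespace: instance.Namespace, Name: secretName},
-[]string{
-expectedField,
-},
+expectedFields,
 h.GetClient(),
 &instance.Status.Conditions,
 time.Duration(10)*time.Second,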

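--- a/internal/controller/cloudkitty_controller.go
+++ b/internal/controller/cloudkitty_controller.go
@@ -959,12 +959,15 @@ func (r *CloudKittyReconciler) reconcileNormal(ctx context.Context, instance *te
 // check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map
 //
 
+// Associate to PasswordSelectors.Service field a password validator to
+// ensure pwd invalid detected patterns are rejected.
+validateFields := map[string]secret.Validator{
+instance.Spec.PasswordSelectors.CloudKittyService: secret.PasswordValidator{},
+}
 result, err := cloudkitty.VerifyServiceSecret(
 ctx,
 types.NamespacedName{Namespace: instance.Namespace, Name: instance.Spec.Secret},
-[]string{
-instance.Spec.PasswordSelectors.CloudKittyService,
-},
+validateFields,
 helper.GetClient(),
 &instance.Status.Conditions,
 cloudkitty.NormalDuration,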
cloudkitty.NormalDuration,

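--- a/internal/controller/cloudkittyapi_controller.go
+++ b/internal/controller/cloudkittyapi_controller.go
@@ -767,12 +767,15 @@ func (r *CloudKittyAPIReconciler) reconcileNormal(ctx context.Context, instance
 // check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map
 //
 
+// Associate to PasswordSelectors.Service field a password validator to
+// ensure pwd invalid detected patterns are rejected.
+validateFields := map[string]secret.Validator{
+instance.Spec.PasswordSelectors.CloudKittyService: secret.PasswordValidator{},
+}
 ctrlResult, err := cloudkitty.VerifyServiceSecret(
 ctx,
 types.NamespacedName{Namespace: instance.Namespace, Name: instance.Spec.Secret},
-[]string{
-instance.Spec.PasswordSelectors.CloudKittyService,
-},
+validateFields,
 helper.GetClient(),
 &instance.Status.Conditions,
 cloudkitty.NormalDuration,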
cloudkitty.NormalDuration,

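--- a/internal/controller/cloudkittyproc_controller.go
+++ b/internal/controller/cloudkittyproc_controller.go
@@ -454,13 +454,15 @@ func (r *CloudKittyProcReconciler) reconcileNormal(ctx context.Context, instance
 //
 // check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map
 //
-
+// Associate to PasswordSelectors.Service field a password validator to
+// ensure pwd invalid detected patterns are rejected.
+validateFields := map[string]secret.Validator{
+instance.Spec.PasswordSelectors.CloudKittyService: secret.PasswordValidator{},
+}
 ctrlResult, err := cloudkitty.VerifyServiceSecret(
 ctx,
 types.NamespacedName{Namespace: instance.Namespace, Name: instance.Spec.Secret},
-[]string{
-instance.Spec.PasswordSelectors.CloudKittyService,
-},
+validateFields,
 helper.GetClient(),
 &instance.Status.Conditions,
 cloudkitty.NormalDuration,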
cloudkitty.NormalDuration,

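--- a/internal/controller/telemetry_common.go
+++ b/internal/controller/telemetry_common.go
@@ -109,13 +109,13 @@ func ensureTopology(
 func ensureSecret(
 ctx context.Context,
 secretName types.NamespacedName,
-expectedFields []string,
+expectedFields map[string]secret.Validator,
 reader client.Reader,
 conditionUpdater conditionUpdater,
 requeueTimeout time.Duration,
 ) (string, ctrl.Result, error) {
 
-hash, res, err := secret.VerifySecret(ctx, secretName, expectedFields, reader, requeueTimeout)
+hash, res, err := secret.VerifySecretFields(ctx, secretName, expectedFields, reader, requeueTimeout)
 if err != nil {
 conditionUpdater.Set(condition.FalseCondition(
 condition.InputReadyCondition,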
