Merge pull request #851 from fmount/pwd_validation

Move to VerifySecretFields to reject invalid passwords

Author: openshift-merge-bot[bot]

internal/cloudkitty/common.go

@@ -91,14 +91,14 @@ func EnsureTopology(
 func VerifyServiceSecret(
 	ctx context.Context,
 	secretName types.NamespacedName,
-	expectedFields []string,
+	expectedFields map[string]secret.Validator,
 	reader client.Reader,
 	conditionUpdater conditionUpdater,
 	requeueTimeout time.Duration,
 	envVars *map[string]env.Setter,
 ) (ctrl.Result, error) {
 
-	hash, res, err := secret.VerifySecret(ctx, secretName, expectedFields, reader, requeueTimeout)
+	hash, res, err := secret.VerifySecretFields(ctx, secretName, expectedFields, reader, requeueTimeout)
 	if err != nil {
 		conditionUpdater.Set(condition.FalseCondition(
 			condition.InputReadyCondition,

internal/controller/autoscaling_controller.go

@@ -370,7 +370,24 @@ func (r *AutoscalingReconciler) reconcileNormal(
 	//
 	// check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map
 	//
-	ctrlResult, err := r.getSecret(ctx, helper, instance, instance.Spec.Aodh.Secret, instance.Spec.Aodh.PasswordSelectors.AodhService, &configMapVars)
+	// Associate to PasswordSelectors.Service field a password validator to
+	// ensure pwd invalid detected patterns are rejected.
+	validateFields := map[string]secret.Validator{
+		instance.Spec.Aodh.PasswordSelectors.AodhService: secret.PasswordValidator{},
+	}
+
+	_, ctrlResult, err := ensureSecret(
+		ctx,
+		types.NamespacedName{
+			Namespace: instance.Namespace,
+			Name:      instance.Spec.Aodh.Secret,
+		},
+		validateFields,
+		helper.GetClient(),
+		&instance.Status.Conditions,
+		&configMapVars,
+		time.Duration(10)*time.Second,
+	)
 	if err != nil {
 		return ctrlResult, err
 	}
@@ -474,10 +491,29 @@ func (r *AutoscalingReconciler) reconcileNormal(
 		return ctrl.Result{RequeueAfter: time.Duration(10) * time.Second}, nil
 	}
 
-	ctrlResult, err = r.getSecret(ctx, helper, instance, *instance.Status.NotificationsURLSecret, "transport_url", &configMapVars)
+	// transportURLFields are not pure password fields. We do not associate a
+	// password validator and we only verify that the entry exists in the
+	// secret
+	transportValidateFields := map[string]secret.Validator{
+		"transport_url": secret.NoOpValidator{},
+	}
+
+	_, ctrlResult, err = ensureSecret(
+		ctx,
+		types.NamespacedName{
+			Namespace: instance.Namespace,
+			Name:      *instance.Status.NotificationsURLSecret,
+		},
+		transportValidateFields,
+		helper.GetClient(),
+		&instance.Status.Conditions,
+		&configMapVars,
+		time.Duration(10)*time.Second,
+	)
 	if err != nil {
 		return ctrlResult, err
 	}
+
 	// run check TransportURL secret - end
 
 	//
@@ -875,29 +911,6 @@ func (r *AutoscalingReconciler) getAutoscalingHeat(
 	return heat, err
 }
 
-// getSecret - get the specified secret, and add its hash to envVars
-func (r *AutoscalingReconciler) getSecret(ctx context.Context, h *helper.Helper, instance *telemetryv1.Autoscaling, secretName string, expectedField string, envVars *map[string]env.Setter) (ctrl.Result, error) {
-	secretHash, result, err := ensureSecret(
-		ctx,
-		types.NamespacedName{Namespace: instance.Namespace, Name: secretName},
-		[]string{
-			expectedField,
-		},
-		h.GetClient(),
-		&instance.Status.Conditions,
-		time.Duration(10)*time.Second,
-	)
-	if err != nil {
-		return result, err
-	}
-
-	// Add a prefix to the var name to avoid accidental collision with other non-secret
-	// vars. The secret names themselves will be unique.
-	(*envVars)["secret-"+secretName] = env.SetValue(secretHash)
-
-	return ctrl.Result{}, nil
-}
-
 func (r *AutoscalingReconciler) transportURLCreateOrUpdate(
 	ctx context.Context,
 	instance *telemetryv1.Autoscaling,

internal/controller/ceilometer_controller.go

@@ -571,10 +571,28 @@ func (r *CeilometerReconciler) reconcileCeilometer(
 	//
 	// check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map
 	//
-	ctrlResult, err := r.getSecret(ctx, helper, instance, instance.Spec.Secret, instance.Spec.PasswordSelectors.CeilometerService, &configMapVars)
+	// Associate to PasswordSelectors.Service field a password validator to
+	// ensure pwd invalid detected patterns are rejected.
+	validateFields := map[string]secret.Validator{
+		instance.Spec.PasswordSelectors.CeilometerService: secret.PasswordValidator{},
+	}
+
+	_, ctrlResult, err := ensureSecret(
+		ctx,
+		types.NamespacedName{
+			Namespace: instance.Namespace,
+			Name:      instance.Spec.Secret,
+		},
+		validateFields,
+		helper.GetClient(),
+		&instance.Status.Conditions,
+		&configMapVars,
+		time.Duration(10)*time.Second,
+	)
 	if err != nil {
 		return ctrlResult, err
 	}
+
 	// run check OpenStack secret - end
 
 	//
@@ -1207,29 +1225,6 @@ func (r *CeilometerReconciler) reconcileKSM(
 	return ctrl.Result{}, nil
 }
 
-// getSecret - get the specified secret, and add its hash to envVars
-func (r *CeilometerReconciler) getSecret(ctx context.Context, h *helper.Helper, instance *telemetryv1.Ceilometer, secretName string, expectedField string, envVars *map[string]env.Setter) (ctrl.Result, error) {
-	secretHash, result, err := ensureSecret(
-		ctx,
-		types.NamespacedName{Namespace: instance.Namespace, Name: secretName},
-		[]string{
-			expectedField,
-		},
-		h.GetClient(),
-		&instance.Status.Conditions,
-		time.Duration(10)*time.Second,
-	)
-	if err != nil {
-		return result, err
-	}
-
-	// Add a prefix to the var name to avoid accidental collision with other non-secret
-	// vars. The secret names themselves will be unique.
-	(*envVars)["secret-"+secretName] = env.SetValue(secretHash)
-
-	return ctrl.Result{}, nil
-}
-
 func (r *CeilometerReconciler) generateServiceConfig(
 	ctx context.Context,
 	h *helper.Helper,

internal/controller/cloudkitty_controller.go

@@ -959,12 +959,15 @@ func (r *CloudKittyReconciler) reconcileNormal(ctx context.Context, instance *te
 	// check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map
 	//
 
+	// Associate to PasswordSelectors.Service field a password validator to
+	// ensure pwd invalid detected patterns are rejected.
+	validateFields := map[string]secret.Validator{
+		instance.Spec.PasswordSelectors.CloudKittyService: secret.PasswordValidator{},
+	}
 	result, err := cloudkitty.VerifyServiceSecret(
 		ctx,
 		types.NamespacedName{Namespace: instance.Namespace, Name: instance.Spec.Secret},
-		[]string{
-			instance.Spec.PasswordSelectors.CloudKittyService,
-		},
+		validateFields,
 		helper.GetClient(),
 		&instance.Status.Conditions,
 		cloudkitty.NormalDuration,

internal/controller/cloudkittyapi_controller.go

@@ -767,12 +767,15 @@ func (r *CloudKittyAPIReconciler) reconcileNormal(ctx context.Context, instance
 	// check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map
 	//
 
+	// Associate to PasswordSelectors.Service field a password validator to
+	// ensure pwd invalid detected patterns are rejected.
+	validateFields := map[string]secret.Validator{
+		instance.Spec.PasswordSelectors.CloudKittyService: secret.PasswordValidator{},
+	}
 	ctrlResult, err := cloudkitty.VerifyServiceSecret(
 		ctx,
 		types.NamespacedName{Namespace: instance.Namespace, Name: instance.Spec.Secret},
-		[]string{
-			instance.Spec.PasswordSelectors.CloudKittyService,
-		},
+		validateFields,
 		helper.GetClient(),
 		&instance.Status.Conditions,
 		cloudkitty.NormalDuration,

internal/controller/cloudkittyproc_controller.go

@@ -454,13 +454,15 @@ func (r *CloudKittyProcReconciler) reconcileNormal(ctx context.Context, instance
 	//
 	// check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map
 	//
-
+	// Associate to PasswordSelectors.Service field a password validator to
+	// ensure pwd invalid detected patterns are rejected.
+	validateFields := map[string]secret.Validator{
+		instance.Spec.PasswordSelectors.CloudKittyService: secret.PasswordValidator{},
+	}
 	ctrlResult, err := cloudkitty.VerifyServiceSecret(
 		ctx,
 		types.NamespacedName{Namespace: instance.Namespace, Name: instance.Spec.Secret},
-		[]string{
-			instance.Spec.PasswordSelectors.CloudKittyService,
-		},
+		validateFields,
 		helper.GetClient(),
 		&instance.Status.Conditions,
 		cloudkitty.NormalDuration,

internal/controller/telemetry_common.go

@@ -24,6 +24,7 @@ import (
 
 	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+	env "github.com/openstack-k8s-operators/lib-common/modules/common/env"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	secret "github.com/openstack-k8s-operators/lib-common/modules/common/secret"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -109,13 +110,14 @@ func ensureTopology(
 func ensureSecret(
 	ctx context.Context,
 	secretName types.NamespacedName,
-	expectedFields []string,
+	expectedFields map[string]secret.Validator,
 	reader client.Reader,
 	conditionUpdater conditionUpdater,
+	envVars *map[string]env.Setter,
 	requeueTimeout time.Duration,
 ) (string, ctrl.Result, error) {
 
-	hash, res, err := secret.VerifySecret(ctx, secretName, expectedFields, reader, requeueTimeout)
+	hash, res, err := secret.VerifySecretFields(ctx, secretName, expectedFields, reader, requeueTimeout)
 	if err != nil {
 		conditionUpdater.Set(condition.FalseCondition(
 			condition.InputReadyCondition,
@@ -137,5 +139,8 @@ func ensureSecret(
 		return "", res, nil
 	}
 
+	// Add a prefix to the var name to avoid accidental collision with other non-secret
+	// vars. The secret names themselves will be unique.
+	(*envVars)["secret-"+secretName.Name] = env.SetValue(hash)
 	return hash, ctrl.Result{}, nil
 }