logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198
							/*
Copyright © The ESO Authors

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package mysterybox

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"

	"golang.org/x/net/idna"
	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"

	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
	"github.com/external-secrets/external-secrets/runtime/esutils"
)

const (
	errNilStore                                = "found nil store"
	errMissingStoreSpec                        = "store is missing spec"
	errMissingProvider                         = "storeSpec is missing provider"
	errInvalidProvider                         = "invalid provider spec. Missing nebiusmysterybox field in store %s"
	errMissingAuthOptions                      = "invalid auth configuration: none provided"
	errInvalidAuthConfig                       = "invalid auth configuration: exactly one must be specified"
	errInvalidTokenAuthConfig                  = "invalid token auth configuration: no secret key specified"
	errInvalidSACredsAuthConfig                = "invalid ServiceAccount creds auth configuration: no secret key specified"
	errFailedToRetrieveToken                   = "failed to retrieve iam token by credentials: %w"
	errMissingAPIDomain                        = "API domain must be set"
	errInvalidAPIDomain                        = "API domain is not valid"
	errInvalidAPIDomainWithError               = errInvalidAPIDomain + ": %w"
	errInvalidCertificateConfigNoNameSpecified = "invalid certificate configuration: no name specified"
	errInvalidCertificateConfigNoKeySpecified  = "invalid certificate configuration: no key specified"
)

var labelRe = regexp.MustCompile(`^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$`)
var numericRe = regexp.MustCompile(`^\d+$`)

// ValidateStore validates the given Store and its associated properties for correctness and configuration integrity.
func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
	provider, err := getNebiusMysteryboxProvider(store)
	if err != nil {
		return nil, err
	}

	err = p.validateAPIDomain(provider.APIDomain)
	if err != nil {
		return nil, err
	}

	if err := validateProviderAuth(provider); err != nil {
		return nil, err
	}

	var selectors []*esmeta.SecretKeySelector

	if provider.Auth.Token.Name != "" {
		selectors = append(selectors, &provider.Auth.Token)
	}
	if provider.Auth.ServiceAccountCreds.Name != "" {
		selectors = append(selectors, &provider.Auth.ServiceAccountCreds)
	}
	if provider.CAProvider != nil {
		err := validateCertificate(&provider.CAProvider.Certificate)
		if err != nil {
			return nil, err
		}
		selectors = append(selectors, &provider.CAProvider.Certificate)
	}

	for _, selector := range selectors {
		if err := esutils.ValidateSecretSelector(store, *selector); err != nil {
			return nil, err
		}
		if err := esutils.ValidateReferentSecretSelector(store, *selector); err != nil {
			return nil, err
		}
	}

	return nil, nil
}

func getNebiusMysteryboxProvider(store esv1.GenericStore) (*esv1.NebiusMysteryboxProvider, error) {
	if store == nil {
		return nil, errors.New(errNilStore)
	}
	spc := store.GetSpec()
	if spc == nil {
		return nil, errors.New(errMissingStoreSpec)
	}
	if spc.Provider == nil {
		return nil, errors.New(errMissingProvider)
	}
	provider := spc.Provider.NebiusMysterybox
	if provider == nil {
		return nil, fmt.Errorf(errInvalidProvider, store.GetNamespacedName())
	}
	return provider, nil
}

func validateProviderAuth(provider *esv1.NebiusMysteryboxProvider) error {
	if provider.Auth.Token.Name == "" && provider.Auth.ServiceAccountCreds.Name == "" {
		return errors.New(errMissingAuthOptions)
	}
	if provider.Auth.Token.Name != "" && provider.Auth.ServiceAccountCreds.Name != "" {
		return errors.New(errInvalidAuthConfig)
	}
	if provider.Auth.Token.Name != "" && provider.Auth.Token.Key == "" {
		return errors.New(errInvalidTokenAuthConfig)
	}
	if provider.Auth.ServiceAccountCreds.Name != "" && provider.Auth.ServiceAccountCreds.Key == "" {
		return errors.New(errInvalidSACredsAuthConfig)
	}
	return nil
}

func (p *Provider) validateAPIDomain(apiDomain string) error {
	if strings.TrimSpace(apiDomain) == "" {
		return errors.New(errMissingAPIDomain)
	}
	if strings.Contains(apiDomain, "://") {
		return fmt.Errorf(errInvalidAPIDomainWithError, errors.New("scheme is not allowed"))
	}

	var err error
	host := apiDomain
	// API Domain is allowed without port, it will be added in sdk in case it's missed
	if strings.Contains(apiDomain, ":") {
		host, _, err = net.SplitHostPort(apiDomain)
		if err != nil {
			p.Logger.Info("Error parsing apiDomain", "err", err)
			return fmt.Errorf(errInvalidAPIDomainWithError, err)
		}
	}

	err = validateDomainByRFC(host)
	if err != nil {
		p.Logger.Info("Error validating apiDomain", "err", err)
		return fmt.Errorf(errInvalidAPIDomainWithError, err)
	}

	return nil
}

func validateDomainByRFC(domain string) error {
	if strings.HasSuffix(domain, ".") {
		return errors.New("domain must not end with a dot")
	}
	ascii, err := idna.Lookup.ToASCII(domain)
	if err != nil {
		return err
	}
	if ascii == "" || len(ascii) > 253 {
		return errors.New("domain length out of range")
	}
	labels := strings.Split(ascii, ".")
	if len(labels) < 2 {
		return errors.New("domain must contain at least one dot")
	}
	for _, l := range labels {
		if len(l) < 1 || len(l) > 63 {
			return errors.New("label length out of range")
		}
		if !labelRe.MatchString(l) {
			return errors.New("invalid label: " + l)
		}
	}
	tld := labels[len(labels)-1]
	if numericRe.MatchString(tld) {
		return errors.New("numeric TLD is not allowed")
	}
	return nil
}

func validateCertificate(certificate *esmeta.SecretKeySelector) error {
	if certificate.Name == "" {
		return errors.New(errInvalidCertificateConfigNoNameSpecified)
	}
	if certificate.Key == "" {
		return errors.New(errInvalidCertificateConfigNoKeySpecified)
	}
	return nil
}