Merge pull request #21922 from stlaz/o_auth_validate

Add validation for Authentication and OAuth CRs

Author: openshift-merge-robot

hack/import-restrictions.json

@@ -151,6 +151,8 @@
       "github.com/openshift/origin/pkg/apiserver/authentication/oauth",
       "github.com/openshift/origin/pkg/oauth/apis/oauth/validation",
 
+      "github.com/openshift/origin/pkg/admission/customresourcevalidation/oauth",
+
       "github.com/openshift/origin/pkg/cmd/openshift-integrated-oauth-server",
       "github.com/openshift/origin/pkg/cmd/openshift-kube-apiserver/openshiftkubeapiserver",
       "github.com/openshift/origin/pkg/cmd/server/origin",

pkg/admission/customresourcevalidation/oauth/helpers.go

@@ -0,0 +1,33 @@
+package oauth
+
+import (
+	"net"
+
+	kvalidation "k8s.io/apimachinery/pkg/util/validation"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+
+	configv1 "github.com/openshift/api/config/v1"
+	crvalidation "github.com/openshift/origin/pkg/admission/customresourcevalidation"
+	"github.com/openshift/origin/pkg/cmd/server/apis/config/validation/common"
+)
+
+func isValidHostname(hostname string) bool {
+	return len(kvalidation.IsDNS1123Subdomain(hostname)) == 0 || net.ParseIP(hostname) != nil
+}
+
+func ValidateRemoteConnectionInfo(remoteConnectionInfo configv1.OAuthRemoteConnectionInfo, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	if len(remoteConnectionInfo.URL) == 0 {
+		allErrs = append(allErrs, field.Required(fldPath.Child("url"), ""))
+	} else {
+		_, urlErrs := common.ValidateSecureURL(remoteConnectionInfo.URL, fldPath.Child("url"))
+		allErrs = append(allErrs, urlErrs...)
+	}
+
+	allErrs = append(allErrs, crvalidation.ValidateConfigMapReference(fldPath.Child("ca"), remoteConnectionInfo.CA, false)...)
+	allErrs = append(allErrs, crvalidation.ValidateSecretReference(fldPath.Child("tlsClientCert"), remoteConnectionInfo.TLSClientCert, false)...)
+	allErrs = append(allErrs, crvalidation.ValidateSecretReference(fldPath.Child("tlsClientKey"), remoteConnectionInfo.TLSClientKey, false)...)
+
+	return allErrs
+}

pkg/admission/customresourcevalidation/oauth/validate_github.go

@@ -0,0 +1,69 @@
+package oauth
+
+import (
+	"strings"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+
+	configv1 "github.com/openshift/api/config/v1"
+	crvalidation "github.com/openshift/origin/pkg/admission/customresourcevalidation"
+)
+
+func ValidateGitHubIdentityProvider(provider *configv1.GitHubIdentityProvider, mappingMethod configv1.MappingMethodType, fieldPath *field.Path) field.ErrorList {
+	errs := field.ErrorList{}
+	if provider == nil {
+		errs = append(errs, field.Required(fieldPath, ""))
+		return errs
+	}
+
+	errs = append(errs, ValidateOAuthIdentityProvider(provider.ClientID, provider.ClientSecret, fieldPath.Child("provider"))...)
+
+	if len(provider.Teams) > 0 && len(provider.Organizations) > 0 {
+		errs = append(errs, field.Invalid(fieldPath.Child("organizations"), provider.Organizations, "specify organizations or teams, not both"))
+		errs = append(errs, field.Invalid(fieldPath.Child("teams"), provider.Teams, "specify organizations or teams, not both"))
+	}
+
+	// only check that there are some teams/orgs if not GitHub Enterprise Server
+	if len(provider.Hostname) == 0 && len(provider.Teams) == 0 && len(provider.Organizations) == 0 && mappingMethod != configv1.MappingMethodLookup {
+		errs = append(errs, field.Invalid(fieldPath, nil, "one of organizations or teams must be specified unless hostname is set or lookup is used"))
+	}
+	for i, organization := range provider.Organizations {
+		if strings.Contains(organization, "/") {
+			errs = append(errs, field.Invalid(fieldPath.Child("organizations").Index(i), organization, "cannot contain /"))
+		}
+		if len(organization) == 0 {
+			errs = append(errs, field.Required(fieldPath.Child("organizations").Index(i), "cannot be empty"))
+		}
+	}
+	for i, team := range provider.Teams {
+		if split := strings.Split(team, "/"); len(split) != 2 {
+			errs = append(errs, field.Invalid(fieldPath.Child("teams").Index(i), team, "must be in the format <org>/<team>"))
+		} else if org, t := split[0], split[1]; len(org) == 0 || len(t) == 0 {
+			errs = append(errs, field.Invalid(fieldPath.Child("teams").Index(i), team, "must be in the format <org>/<team>"))
+		}
+	}
+
+	if hostname := provider.Hostname; len(hostname) != 0 {
+		hostnamePath := fieldPath.Child("hostname")
+
+		if hostname == "github.com" || strings.HasSuffix(hostname, ".github.com") {
+			errs = append(errs, field.Invalid(hostnamePath, hostname, "cannot equal [*.]github.com"))
+		}
+
+		if !isValidHostname(hostname) {
+			errs = append(errs, field.Invalid(hostnamePath, hostname, "must be a valid DNS subdomain or IP address"))
+		}
+	}
+
+	if caFile := provider.CA; len(caFile.Name) != 0 {
+		caPath := fieldPath.Child("ca")
+
+		errs = append(errs, crvalidation.ValidateConfigMapReference(caPath, caFile, true)...)
+
+		if len(provider.Hostname) == 0 {
+			errs = append(errs, field.Invalid(caPath, caFile, "cannot be specified when hostname is empty"))
+		}
+	}
+
+	return errs
+}

pkg/admission/customresourcevalidation/oauth/validate_github_test.go

@@ -0,0 +1,249 @@
+package oauth
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+
+	configv1 "github.com/openshift/api/config/v1"
+)
+
+func TestValidateGitHubIdentityProvider(t *testing.T) {
+	type args struct {
+		provider      *configv1.GitHubIdentityProvider
+		mappingMethod configv1.MappingMethodType
+		fieldPath     *field.Path
+	}
+	tests := []struct {
+		name   string
+		args   args
+		errors field.ErrorList
+	}{
+		{
+			name: "cannot use GH as hostname",
+			args: args{
+				provider: &configv1.GitHubIdentityProvider{
+					ClientID:      "client",
+					ClientSecret:  configv1.SecretNameReference{Name: "secret"},
+					Organizations: []string{"org1"},
+					Teams:         nil,
+					Hostname:      "github.com",
+					CA:            configv1.ConfigMapNameReference{Name: "caconfigmap"},
+				},
+				mappingMethod: "",
+			},
+			errors: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "hostname", BadValue: "github.com", Detail: "cannot equal [*.]github.com"},
+			},
+		},
+		{
+			name: "cannot use GH subdomain as hostname",
+			args: args{
+				provider: &configv1.GitHubIdentityProvider{
+					ClientID:      "client",
+					ClientSecret:  configv1.SecretNameReference{Name: "secret"},
+					Organizations: []string{"org1"},
+					Teams:         nil,
+					Hostname:      "foo.github.com",
+					CA:            configv1.ConfigMapNameReference{Name: "caconfigmap"},
+				},
+				mappingMethod: "",
+			},
+			errors: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "hostname", BadValue: "foo.github.com", Detail: "cannot equal [*.]github.com"},
+			},
+		},
+		{
+			name: "valid domain hostname",
+			args: args{
+				provider: &configv1.GitHubIdentityProvider{
+					ClientID:      "client",
+					ClientSecret:  configv1.SecretNameReference{Name: "secret"},
+					Organizations: []string{"org1"},
+					Teams:         nil,
+					Hostname:      "company.com",
+					CA:            configv1.ConfigMapNameReference{Name: "caconfigmap"},
+				},
+				mappingMethod: "",
+			},
+		},
+		{
+			name: "valid ip hostname",
+			args: args{
+				provider: &configv1.GitHubIdentityProvider{
+					ClientID:      "client",
+					ClientSecret:  configv1.SecretNameReference{Name: "secret"},
+					Organizations: []string{"org1"},
+					Teams:         nil,
+					Hostname:      "192.168.8.1",
+					CA:            configv1.ConfigMapNameReference{Name: "caconfigmap"},
+				},
+				mappingMethod: "",
+			},
+		},
+		{
+			name: "invalid ip hostname with port",
+			args: args{
+				provider: &configv1.GitHubIdentityProvider{
+					ClientID:      "client",
+					ClientSecret:  configv1.SecretNameReference{Name: "secret"},
+					Organizations: []string{"org1"},
+					Teams:         nil,
+					Hostname:      "192.168.8.1:8080",
+					CA:            configv1.ConfigMapNameReference{Name: "caconfigmap"},
+				},
+				mappingMethod: "",
+			},
+			errors: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "hostname", BadValue: "192.168.8.1:8080", Detail: "must be a valid DNS subdomain or IP address"},
+			},
+		},
+		{
+			name: "invalid domain hostname",
+			args: args{
+				provider: &configv1.GitHubIdentityProvider{
+					ClientID:      "client",
+					ClientSecret:  configv1.SecretNameReference{Name: "secret"},
+					Organizations: []string{"org1"},
+					Teams:         nil,
+					Hostname:      "google-.com",
+					CA:            configv1.ConfigMapNameReference{Name: "caconfigmap"},
+				},
+				mappingMethod: "",
+			},
+			errors: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "hostname", BadValue: "google-.com", Detail: "must be a valid DNS subdomain or IP address"},
+			},
+		},
+		{
+			name: "invalid name in ca ref and no hostname",
+			args: args{
+				provider: &configv1.GitHubIdentityProvider{
+					ClientID:      "client",
+					ClientSecret:  configv1.SecretNameReference{Name: "secret"},
+					Organizations: []string{"org1"},
+					Teams:         nil,
+					Hostname:      "",
+					CA:            configv1.ConfigMapNameReference{Name: "ca&config-map"},
+				},
+				mappingMethod: "",
+			},
+			errors: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "ca.name", BadValue: "ca&config-map", Detail: "a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')"},
+				{Type: field.ErrorTypeInvalid, Field: "ca", BadValue: configv1.ConfigMapNameReference{Name: "ca&config-map"}, Detail: "cannot be specified when hostname is empty"},
+			},
+		},
+		{
+			name: "valid ca and hostname",
+			args: args{
+				provider: &configv1.GitHubIdentityProvider{
+					ClientID:      "client",
+					ClientSecret:  configv1.SecretNameReference{Name: "secret"},
+					Organizations: []string{"org1"},
+					Teams:         nil,
+					Hostname:      "mo.co",
+					CA:            configv1.ConfigMapNameReference{Name: "ca-config-map"},
+				},
+				mappingMethod: "",
+			},
+		},
+		{
+			name: "GitHub requires client ID and secret",
+			args: args{
+				provider: &configv1.GitHubIdentityProvider{
+					ClientID:      "",
+					ClientSecret:  configv1.SecretNameReference{},
+					Organizations: []string{"org1"},
+					Teams:         nil,
+					Hostname:      "",
+					CA:            configv1.ConfigMapNameReference{},
+				},
+				mappingMethod: "",
+			},
+			errors: field.ErrorList{
+				{Type: field.ErrorTypeRequired, Field: "provider.clientID", BadValue: "", Detail: ""},
+				{Type: field.ErrorTypeRequired, Field: "provider.clientSecret.name", BadValue: "", Detail: ""},
+			},
+		},
+		{
+			name: "GitHub warns when not constrained to organizations or teams without lookup",
+			args: args{
+				provider: &configv1.GitHubIdentityProvider{
+					ClientID:      "client",
+					ClientSecret:  configv1.SecretNameReference{Name: "secret"},
+					Organizations: nil,
+					Teams:         nil,
+					Hostname:      "",
+					CA:            configv1.ConfigMapNameReference{},
+				},
+				mappingMethod: "",
+			},
+			errors: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "", BadValue: nil, Detail: "one of organizations or teams must be specified unless hostname is set or lookup is used"},
+			},
+		},
+		{
+			name: "GitHub does not warn when not constrained to organizations or teams with lookup",
+			args: args{
+				provider: &configv1.GitHubIdentityProvider{
+					ClientID:      "client",
+					ClientSecret:  configv1.SecretNameReference{Name: "secret"},
+					Organizations: nil,
+					Teams:         nil,
+					Hostname:      "",
+					CA:            configv1.ConfigMapNameReference{},
+				},
+				mappingMethod: "lookup",
+			},
+		},
+		{
+			name: "invalid cannot specific both organizations and teams",
+			args: args{
+				provider: &configv1.GitHubIdentityProvider{
+					ClientID:      "client",
+					ClientSecret:  configv1.SecretNameReference{Name: "secret"},
+					Organizations: []string{"org1"},
+					Teams:         []string{"org1/team1"},
+					Hostname:      "",
+					CA:            configv1.ConfigMapNameReference{},
+				},
+				mappingMethod: "",
+			},
+			errors: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "organizations", BadValue: []string{"org1"}, Detail: "specify organizations or teams, not both"},
+				{Type: field.ErrorTypeInvalid, Field: "teams", BadValue: []string{"org1/team1"}, Detail: "specify organizations or teams, not both"},
+			},
+		},
+		{
+			name: "invalid team format",
+			args: args{
+				provider: &configv1.GitHubIdentityProvider{
+					ClientID:      "client",
+					ClientSecret:  configv1.SecretNameReference{Name: "secret"},
+					Organizations: nil,
+					Teams:         []string{"org1/team1", "org2/not/team2", "org3//team3", "", "org4/team4"},
+					Hostname:      "",
+					CA:            configv1.ConfigMapNameReference{},
+				},
+				mappingMethod: "",
+			},
+			errors: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "teams[1]", BadValue: "org2/not/team2", Detail: "must be in the format <org>/<team>"},
+				{Type: field.ErrorTypeInvalid, Field: "teams[2]", BadValue: "org3//team3", Detail: "must be in the format <org>/<team>"},
+				{Type: field.ErrorTypeInvalid, Field: "teams[3]", BadValue: "", Detail: "must be in the format <org>/<team>"},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := ValidateGitHubIdentityProvider(tt.args.provider, tt.args.mappingMethod, tt.args.fieldPath)
+			if tt.errors == nil && len(got) == 0 {
+				return
+			}
+			if !reflect.DeepEqual(got, tt.errors) {
+				t.Errorf("ValidateGitHubIdentityProvider() = %v, want %v", got, tt.errors)
+			}
+		})
+	}
+}

pkg/admission/customresourcevalidation/oauth/validate_gitlab.go

@@ -0,0 +1,26 @@
+package oauth
+
+import (
+	"k8s.io/apimachinery/pkg/util/validation/field"
+
+	configv1 "github.com/openshift/api/config/v1"
+	crvalidation "github.com/openshift/origin/pkg/admission/customresourcevalidation"
+	"github.com/openshift/origin/pkg/cmd/server/apis/config/validation/common"
+)
+
+func ValidateGitLabIdentityProvider(provider *configv1.GitLabIdentityProvider, fieldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	if provider == nil {
+		allErrs = append(allErrs, field.Required(fieldPath, ""))
+		return allErrs
+	}
+
+	allErrs = append(allErrs, ValidateOAuthIdentityProvider(provider.ClientID, provider.ClientSecret, fieldPath)...)
+
+	_, urlErrs := common.ValidateSecureURL(provider.URL, fieldPath.Child("url"))
+	allErrs = append(allErrs, urlErrs...)
+
+	allErrs = append(allErrs, crvalidation.ValidateConfigMapReference(fieldPath.Child("ca"), provider.CA, false)...)
+
+	return allErrs
+}