qontract-reconcile 0.10.1rc473__py3-none-any.whl → 0.10.1rc474__py3-none-any.whl

{qontract_reconcile-0.10.1rc473.dist-info → qontract_reconcile-0.10.1rc474.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc473
+Version: 0.10.1rc474
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc473.dist-info → qontract_reconcile-0.10.1rc474.dist-info}/RECORD

@@ -68,7 +68,7 @@ reconcile/openshift_namespaces.py,sha256=DboMc6t0vXD54lL9ZP9P9fQnCRo2g_0z5FWubtW
 reconcile/openshift_network_policies.py,sha256=_qqv7yj17OM1J8KJPsFmzFZ85gzESJeBocC672z4_WU,4231
 reconcile/openshift_resourcequotas.py,sha256=yUi56PiOn3inMMfq_x_FEHmaW-reGipzoorjdar372g,2415
 reconcile/openshift_resources.py,sha256=kwsY5cko7udEKNlhL2oKiKv_5wzEw9wmmwROE016ng8,1400
-reconcile/openshift_resources_base.py,sha256=H8pxBzHgp9dC5W7plFTnm6iai1oQvPj6sW1S2khct3U,44866
+reconcile/openshift_resources_base.py,sha256=aMrblZnviFMiAPS5SZsYWmGIRA-l8XlHwtxPr_klui0,45728
 reconcile/openshift_rolebindings.py,sha256=0sEKajdqVuBSzlagyPbLxtNXQdI2vyabmbIRifs0des,6629
 reconcile/openshift_routes.py,sha256=fXvuPSjcjVw1X3j2EQvUAdbOepmIFdKk-M3qP8QzPiw,1075
 reconcile/openshift_saas_deploy.py,sha256=MySDWBQN2N3rv_B8ifWzRY5t2Afq3DEVkFECHMpW_Sk,11908
@@ -402,7 +402,7 @@ reconcile/test/test_openshift_base.py,sha256=uVsnMghAQhHaJTreeOw4x2INTKJ6qeiZiit
 reconcile/test/test_openshift_namespace_labels.py,sha256=P1hqi6P88NijNrurdXG_QR2usyo3EYZSy9zpwYHvDsM,12104
 reconcile/test/test_openshift_namespaces.py,sha256=HmRnCE5EnFt3MYceVEFHmk8wWRtCrxu2AFGFkY9pdyA,9214
 reconcile/test/test_openshift_resource.py,sha256=lbTf48jX1q6rGnRiA5pPvfU0uPfY8zhNylMtryn0sLI,12995
-reconcile/test/test_openshift_resources_base.py,sha256=i4tk9knD5F1DppSsjBJ5pfrLSm1aP7lt--OSx3gmO9M,14058
+reconcile/test/test_openshift_resources_base.py,sha256=4UucdsD0nCMFT1WmgNXf4r7ZZ11cJ_MP13IcK7_Vs0g,15042
 reconcile/test/test_openshift_saas_deploy.py,sha256=YLJGkc--u5aP0UkQ-b9ZGEFGS2gw25jjcSgknQdI3Ic,5892
 reconcile/test/test_openshift_saas_deploy_change_tester.py,sha256=1yVe54Hx9YdVjn6qdnKge5Sa_s732c-8uZqCnuT1gGI,12871
 reconcile/test/test_openshift_tekton_resources.py,sha256=RtRWsdm51S13OSkENC9nY_rOH0QELSCaO5tjF0XqIDI,11222
@@ -650,8 +650,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=awwTHEc2DWlykuqGIYM0WOBoSL0KRnOraCLk3C7izis,1401
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc473.dist-info/METADATA,sha256=Rnigg-CBRz8a3ixHxvm6IblRrV35SbamdffbAThCeJM,2348
-qontract_reconcile-0.10.1rc473.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-qontract_reconcile-0.10.1rc473.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
-qontract_reconcile-0.10.1rc473.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc473.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc474.dist-info/METADATA,sha256=ny9B6p1OQXpsG5S6qvXUJ4U64v1WFkOdm6Qzti96uG4,2348
+qontract_reconcile-0.10.1rc474.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+qontract_reconcile-0.10.1rc474.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
+qontract_reconcile-0.10.1rc474.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc474.dist-info/RECORD,,

reconcile/openshift_resources_base.py

@@ -3,6 +3,7 @@ import hashlib
 import itertools
 import json
 import logging
+import re
 import sys
 from collections import defaultdict
 from collections.abc import (
@@ -224,6 +225,7 @@ QONTRACT_INTEGRATION = "openshift_resources_base"
 QONTRACT_INTEGRATION_VERSION = make_semver(1, 9, 2)
 QONTRACT_BASE64_SUFFIX = "_qb64"
 APP_INT_BASE_URL = "https://gitlab.cee.redhat.com/service/app-interface"
+KUBERNETES_SECRET_DATA_KEY_RE = "^[-._a-zA-Z0-9]+$"
 
 _log_lock = Lock()
 
@@ -262,6 +264,10 @@ class ResourceTemplateRenderError(Exception):
     pass
 
 
+class SecretKeyFormatError(Exception):
+    pass
+
+
 class UnknownProviderError(Exception):
     def __init__(self, msg):
         super().__init__("unknown provider error: " + str(msg))
@@ -585,6 +591,8 @@ def fetch_provider_vault_secret(
     if labels:
         body["metadata"]["labels"] = labels
 
+    assert_valid_secret_keys(raw_data)
+
     # populate data
     for k, v in raw_data.items():
         if k.lower().endswith(QONTRACT_BASE64_SUFFIX):
@@ -600,6 +608,19 @@ def fetch_provider_vault_secret(
         raise FetchResourceError(str(e))
 
 
+# check to ensure that all of the keys are valid by looking to see if there are
+# any white space issues. If any issues are uncovered, an exception will be
+# raised.
+# we're receiving the full key: value information, not simply a list of keys.
+def assert_valid_secret_keys(secrets_data: dict[str, str]):
+    for k in secrets_data:
+        matches = re.search(KUBERNETES_SECRET_DATA_KEY_RE, k)
+        if not matches:
+            raise SecretKeyFormatError(
+                f"'{k}' is not valid key name for a Secret. a valid Secret key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '^[-._a-zA-Z0-9]+$')"
+            )
+
+
 def fetch_provider_route(resource: dict, tls_path, tls_version, settings=None) -> OR:
     path = resource["path"]
     openshift_resource = fetch_provider_resource(resource)

reconcile/test/test_openshift_resources_base.py

@@ -482,3 +482,28 @@ def test_cluster_params():
 
     with pytest.raises(RuntimeError):
         orb.run(dry_run=False, cluster_name=["cluster-1", "cluster-2"])
+
+
+@pytest.mark.parametrize(
+    "test_parameters, exception_expected",
+    [
+        ({" leading_space": "test"}, orb.SecretKeyFormatError),
+        ({" space_padding ": "test"}, orb.SecretKeyFormatError),
+        ({"trailing_space ": "test"}, orb.SecretKeyFormatError),
+        ({"&invalidkey": "test"}, orb.SecretKeyFormatError),
+        ({"!invalidkey": "test"}, orb.SecretKeyFormatError),
+        ({"space issues": "test"}, orb.SecretKeyFormatError),
+        ({"/etc/passwd": "test"}, orb.SecretKeyFormatError),
+        ({"": "test"}, orb.SecretKeyFormatError),
+        ({".": "test"}, None),
+        ({"0validkey": "test"}, None),
+        ({"no_spacing": "test"}, None),
+        ({"-": "test"}, None),
+    ],
+)
+def test_secret_keys(test_parameters, exception_expected):
+    if exception_expected is not None:
+        with pytest.raises(exception_expected):
+            orb.assert_valid_secret_keys(test_parameters)
+    else:
+        orb.assert_valid_secret_keys(test_parameters)