Merge pull request #13282 from jim-minter/secret-injector-improvements

openshift-merge-robot · web-flow · commit a4e5e5340e71 · 2017-09-16T07:38:40.000-07:00
Automatic merge from submit-queue (batch tested with PRs 16269, 13282, 16386)

Improvements to secret injector

Disallow @ character in host component of URL patterns, so that people don't mistakenly try to add URL patterns of the form user@host.

Extend admission controller to reject invalid URL patterns on secrets to provide early feedback to end users when their patterns are wrong.
diff --git a/pkg/util/urlpattern/urlpattern.go b/pkg/util/urlpattern/urlpattern.go
@@ -12,7 +12,7 @@ var InvalidPatternError = errors.New("invalid pattern")
 
 var urlPatternRegex = regexp.MustCompile(`^` +
 	`(?:(\*|git|http|https|ssh)://)` +
-	`(\*|(?:\*\.)?[^/*]+)` +
+	`(\*|(?:\*\.)?[^@/*]+)` +
 	`(/.*)` +
 	`$`)
 
diff --git a/pkg/util/urlpattern/urlpattern_test.go b/pkg/util/urlpattern/urlpattern_test.go
@@ -44,7 +44,7 @@ func TestMatchPattern(t *testing.T) {
 			expectedScheme:   `^(git|http|https|ssh)$`,
 			expectedHost:     `^.*$`,
 			expectedPath:     `^/.*$`,
-			expectedMatch:    []string{`https://github.com/`},
+			expectedMatch:    []string{`https://github.com/`, `https://user:password@github.com/`, `ssh://git@github.com/`},
 			expectedNotMatch: []string{`ftp://github.com/`},
 		},
 		{
@@ -80,15 +80,15 @@ func TestMatchPattern(t *testing.T) {
 			expectedScheme:   `^https$`,
 			expectedHost:     `^github\.com$`,
 			expectedPath:     `^/.*$`,
-			expectedMatch:    []string{`https://github.com/`},
+			expectedMatch:    []string{`https://github.com/`, `https://user:password@github.com/`},
 			expectedNotMatch: []string{`https://test.github.com/`},
 		},
 		{
 			pattern:        `https://*.github.com/*`,
 			expectedScheme: `^https$`,
 			expectedHost:   `^(?:.*\.)?github\.com$`,
 			expectedPath:   `^/.*$`,
-			expectedMatch:  []string{`https://github.com/`, `https://test.github.com/`},
+			expectedMatch:  []string{`https://github.com/`, `https://user:password@github.com/`, `https://test.github.com/`},
 		},
 		{
 			pattern:        `https://\.+?()|[]{}^$/*`,
@@ -108,6 +108,10 @@ func TestMatchPattern(t *testing.T) {
 			pattern:     `https://git*hub.com/*`,
 			expectedErr: true,
 		},
+		{
+			pattern:     `*://git@github.com/*`,
+			expectedErr: true,
+		},
 		{
 			pattern:        `https://github.com/`,
 			expectedScheme: `^https$`,
