Fix undesirable regex pattern compliation approach. (#5537)

closes #5515 Signed-off-by: Edwin Buck <[email protected]>
spiffe · Oct 5, 2024 · 500e291 · 500e291
1 parent 3d48ac3
commit 500e291
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 2 deletions.
diff --git a/pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge.go b/pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge.go
@@ -64,7 +64,11 @@ func buildConfig(coreConfig catalog.CoreConfig, hclText string, status *pluginco
 
 	var dnsPatterns []*regexp.Regexp
 	for _, r := range hclConfig.AllowedDNSPatterns {
-		re := regexp.MustCompile(r)
+		re, err := regexp.Compile(r)
+		if err != nil {
+			status.ReportErrorf("cannot compile allowed_dns_pattern: %q, %s", r, err)
+			continue
+		}
 		dnsPatterns = append(dnsPatterns, re)
 	}
 

diff --git a/pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge_test.go b/pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge_test.go
@@ -69,6 +69,40 @@ func TestConfigure(t *testing.T) {
 			coreConf: &configv1.CoreConfiguration{TrustDomain: "example.org"},
 			hclConf:  "tofu = false\nallow_non_root_ports = true",
 		},
+		{
+			name:     "allowed_dns_patterns cannot compile, report an error",
+			expErr:   "rpc error: code = InvalidArgument desc = cannot compile allowed_dns_pattern: ",
+			coreConf: &configv1.CoreConfiguration{TrustDomain: "example.org"},
+			hclConf:  `allowed_dns_patterns = ["*"]`,
+		},
+		{
+			name:     "first allowed_dns_patterns cannot compile, report an error",
+			expErr:   "rpc error: code = InvalidArgument desc = cannot compile allowed_dns_pattern: ",
+			coreConf: &configv1.CoreConfiguration{TrustDomain: "example.org"},
+			hclConf: `allowed_dns_patterns = [
+					"*",
+					"gateway[.]example[.]com"
+			  	  ]`,
+		},
+		{
+			name:     "middle allowed_dns_patterns cannot compile, report an error",
+			expErr:   "rpc error: code = InvalidArgument desc = cannot compile allowed_dns_pattern: ",
+			coreConf: &configv1.CoreConfiguration{TrustDomain: "example.org"},
+			hclConf: `allowed_dns_patterns = [
+                                         "ps1[.]example[.]org",
+                                         "*",
+                                         "gateway[.]example[.]com"
+                                   ]`,
+		},
+		{
+			name:     "last allowed_dns_patterns cannot compile, report an error",
+			expErr:   "rpc error: code = InvalidArgument desc = cannot compile allowed_dns_pattern: ",
+			coreConf: &configv1.CoreConfiguration{TrustDomain: "example.org"},
+			hclConf: `allowed_dns_patterns = [
+                                         "gateway[.]example[.]com",
+                                         "*"
+                                   ]`,
+		},
 	}
 
 	for _, tt := range tests {
@@ -80,7 +114,8 @@ func TestConfigure(t *testing.T) {
 				CoreConfiguration: tt.coreConf,
 			})
 			if tt.expErr != "" {
-				require.Contains(t, err.Error(), tt.expErr)
+				require.Error(t, err, "no error raised when error is expected")
+				require.ErrorContains(t, err, tt.expErr)
 				require.Nil(t, resp)
 				return
 			}