From 500e291bbd7e336d1a33d88e15178a8e3758892e Mon Sep 17 00:00:00 2001
From: Edwin Buck
Date: Sat, 5 Oct 2024 11:39:51 -0500
Subject: [PATCH] Fix undesirable regex pattern compliation approach. (#5537)

closes #5515
Signed-off-by: Edwin Buck
---
 .../httpchallenge/httpchallenge.go | 6 ++-
 .../httpchallenge/httpchallenge_test.go | 37 ++++++++++++++++++-
 2 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge.go b/pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge.go
index 0946f6c7f5..838cced731 100644
--- a/pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge.go
+++ b/pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge.go
@@ -64,7 +64,11 @@ func buildConfig(coreConfig catalog.CoreConfig, hclText string, status *pluginco
 var dnsPatterns []*regexp.Regexp
 for _, r := range hclConfig.AllowedDNSPatterns {
- re := regexp.MustCompile(r)
+ re, err := regexp.Compile(r)
+ if err != nil {
+ status.ReportErrorf("cannot compile allowed_dns_pattern: %q, %s", r, err)
+ continue
+ }
 dnsPatterns = append(dnsPatterns, re)
 }
diff --git a/pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge_test.go b/pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge_test.go
index 8cf9ea6a29..c0573027ef 100644
--- a/pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge_test.go
+++ b/pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge_test.go
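Review bot: `regexp.Compile(r)` stores each `allowed_dns_patterns` entry exactly as written, so nothing at this point ensures the pattern is anchored; the test entries such as `gateway[.]example[.]com` carry no `^`/`$`, and if the matching code (outside this hunk) does an unanchored match, a longer host name that merely contains an allowed name would pass the allow-list. Consider compiling `regexp.Compile("^(?:" + r + ")$")` here, or rejecting or documenting unanchored entries, after checking how existing configurations are written. The `continue` path also relies on the reported status error causing the whole configuration to be rejected; buildConfig continues past the end of the hunk, so that is worth confirming, because a silently dropped pattern would change which hosts are accepted. The message says `allowed_dns_pattern` while the configuration key is `allowed_dns_patterns`.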
@@ -69,6 +69,40 @@ func TestConfigure(t *testing.T) {
 coreConf: &configv1.CoreConfiguration{TrustDomain: "example.org"},
 hclConf: "tofu = false\nallow_non_root_ports = true",
 },
+ {
+ name: "allowed_dns_patterns cannot compile, report an error",
+ expErr: "rpc error: code = InvalidArgument desc = cannot compile allowed_dns_pattern: ",
+ coreConf: &configv1.CoreConfiguration{TrustDomain: "example.org"},
+ hclConf: `allowed_dns_patterns = ["*"]`,
+ },
+ {
+ name: "first allowed_dns_patterns cannot compile, report an error",
+ expErr: "rpc error: code = InvalidArgument desc = cannot compile allowed_dns_pattern: ",
+ coreConf: &configv1.CoreConfiguration{TrustDomain: "example.org"},
+ hclConf: `allowed_dns_patterns = [
+ "*",
+ "gateway[.]example[.]com"
+ ]`,
+ },
+ {
+ name: "middle allowed_dns_patterns cannot compile, report an error",
+ expErr: "rpc error: code = InvalidArgument desc = cannot compile allowed_dns_pattern: ",
+ coreConf: &configv1.CoreConfiguration{TrustDomain: "example.org"},
+ hclConf: `allowed_dns_patterns = [
+ "ps1[.]example[.]org",
+ "*",
+ "gateway[.]example[.]com"
+ ]`,
+ },
+ {
+ name: "last allowed_dns_patterns cannot compile, report an error",
+ expErr: "rpc error: code = InvalidArgument desc = cannot compile allowed_dns_pattern: ",
+ coreConf: &configv1.CoreConfiguration{TrustDomain: "example.org"},
+ hclConf: `allowed_dns_patterns = [
+ "gateway[.]example[.]com",
+ "*"
+ ]`,
+ },
 }
 for _, tt := range tests {
@@ -80,7 +114,8 @@ func TestConfigure(t *testing.T) {
 CoreConfiguration: tt.coreConf,
 })
 if tt.expErr != "" {
- require.Contains(t, err.Error(), tt.expErr)
+ require.Error(t, err, "no error raised when error is expected")
+ require.ErrorContains(t, err, tt.expErr)
 require.Nil(t, resp)
 return
 }
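Review bot: All four new cases assert only the shared prefix `cannot compile allowed_dns_pattern: `, so they would still pass if the error named the wrong entry or left the pattern out. Since the message formats the pattern with `%q`, `expErr` could end in `allowed_dns_pattern: \"*\"` to pin the offending entry. A case with two invalid entries would also show whether every bad pattern is reported or only the first.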
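Review bot: `require.ErrorContains` already fails when `err` is nil, so the added `require.Error` line is redundant. The custom message can be passed to it directly: `require.ErrorContains(t, err, tt.expErr, "no error raised when error is expected")`. The enclosing test loop starts and ends outside the hunk.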