diff --git a/pkg/tkn/host_access_secret_test.go b/pkg/tkn/host_access_secret_test.go
new file mode 100644
index 000000000..4580bf58e
--- /dev/null
+++ b/pkg/tkn/host_access_secret_test.go
@@ -0,0 +1,72 @@
+package tkn
+
+import (
+ "bufio"
+ "os"
+ "path/filepath"
+ "strings"
+ "testing"
+)
+
+func TestAWSHostAccessSecretEncoding(t *testing.T) {
+ root := moduleRoot(t)
+
+ for _, dir := range []string{"tkn", filepath.Join("tkn", "template")} {
+ entries, err := os.ReadDir(filepath.Join(root, dir))
+ if err != nil {
+ t.Fatal(err)
+ }
+ for _, entry := range entries {
+ name := entry.Name()
+ if !strings.HasPrefix(name, "infra-aws-") || !strings.HasSuffix(name, ".yaml") {
+ continue
+ }
+ checkFile(t, filepath.Join(root, dir, name))
+ }
+ }
+}
+
+func checkFile(t *testing.T, path string) {
+ t.Helper()
+
+ f, err := os.Open(path)
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer f.Close()
+
+ sc := bufio.NewScanner(f)
+ for sc.Scan() {
+ line := sc.Text()
+ if !strings.Contains(line, "$(cat /opt/host-info/") {
+ continue
+ }
+ if strings.Contains(line, "id_rsa:") {
+ if strings.Contains(line, "tr -d") {
+ t.Errorf("%s: id_rsa must not use tr -d: %s", path, strings.TrimSpace(line))
+ }
+ continue
+ }
+ if !strings.Contains(line, `tr -d '\n\r'`) {
+ t.Errorf("%s: host/username must use tr -d: %s", path, strings.TrimSpace(line))
+ }
+ }
+ if err := sc.Err(); err != nil {
+ t.Fatal(err)
+ }
+}
+
+func moduleRoot(t *testing.T) string {
+ t.Helper()
+ dir, _ := os.Getwd()
+ for {
+ if _, err := os.Stat(filepath.Join(dir, "go.mod")); err == nil {
+ return dir
+ }
+ parent := filepath.Dir(dir)
+ if parent == dir {
+ t.Fatal("go.mod not found")
+ }
+ dir = parent
+ }
+}
diff --git a/tkn/infra-aws-fedora.yaml b/tkn/infra-aws-fedora.yaml
index 431347b6b..79de09b66 100644
--- a/tkn/infra-aws-fedora.yaml
+++ b/tkn/infra-aws-fedora.yaml
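Review bot: TestAWSHostAccessSecretEncoding passes without checking anything when no `infra-aws-*.yaml` file matches, or when no line in a matched file contains `$(cat /opt/host-info/`, so a rename of the templates or of the mount path would silently switch this guard off. Counting what was checked and failing on zero closes that gap, e.g. `checked++` after the `checkFile` call and `if checked == 0 { t.Fatal("no infra-aws-*.yaml files checked") }` after the loops. In `moduleRoot`, `dir, _ := os.Getwd()` discards the error; `if err != nil { t.Fatal(err) }` would report the real cause instead of ending in "go.mod not found". A short comment on `checkFile` stating the rule it enforces (host and username values stripped of CR/LF, `id_rsa` values left untouched, presumably so the key file keeps its line structure) would also help the next reader.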
@@ -342,14 +342,14 @@ spec: cat <> host-info.yaml type: Opaque data: - host: $(cat /opt/host-info/host | base64 -w0) - username: $(cat /opt/host-info/username | base64 -w0) + host: $(cat /opt/host-info/host | tr -d '\n\r' | base64 -w0) + username: $(cat /opt/host-info/username | tr -d '\n\r' | base64 -w0) id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) EOF if [[ "$(params.airgap)" == "true" ]]; then cat <> host-info.yaml - bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) - bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-host: $(cat /opt/host-info/bastion_host | tr -d '\n\r' | base64 -w0) + bastion-username: $(cat /opt/host-info/bastion_username | tr -d '\n\r' | base64 -w0) bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) EOF fi diff --git a/tkn/infra-aws-mac.yaml b/tkn/infra-aws-mac.yaml index c5070af63..b378bf446 100644 --- a/tkn/infra-aws-mac.yaml +++ b/tkn/infra-aws-mac.yaml @@ -294,14 +294,14 @@ spec: cat <> host-info.yaml type: Opaque data: - host: $(cat /opt/host-info/host | base64 -w0) - username: $(cat /opt/host-info/username | base64 -w0) + host: $(cat /opt/host-info/host | tr -d '\n\r' | base64 -w0) + username: $(cat /opt/host-info/username | tr -d '\n\r' | base64 -w0) id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) EOF if [[ $(params.airgap) == "true" ]]; then cat <> host-info.yaml - bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) - bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-host: $(cat /opt/host-info/bastion_host | tr -d '\n\r' | base64 -w0) + bastion-username: $(cat /opt/host-info/bastion_username | tr -d '\n\r' | base64 -w0) bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) EOF fi diff --git a/tkn/infra-aws-rhel-ai.yaml b/tkn/infra-aws-rhel-ai.yaml index e62c3f606..dbe1bd04a 100644 --- a/tkn/infra-aws-rhel-ai.yaml +++ b/tkn/infra-aws-rhel-ai.yaml 
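Review bot: The new `tr -d '\n\r'` stage on the `host` and `username` lines (and on `bastion-host` / `bastion-username`) deletes every CR and LF, so a file that is empty or unexpectedly holds several lines is encoded as an empty or concatenated value instead of being rejected. Whether the script runs under `set -o pipefail` is not visible in this hunk; without it a missing file under /opt/host-info also goes unnoticed, because the pipeline's exit status is that of `base64`. A guard before the heredoc, such as `[[ -s /opt/host-info/host && -s /opt/host-info/username ]] || exit 1`, would stop a Secret with an empty host or username from being written. The same applies to the matching hunks in the other infra-aws-*.yaml files under tkn/ and tkn/template/. The script starts and continues outside the hunk.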
@@ -350,8 +350,8 @@ spec: cat <> host-info.yaml type: Opaque data: - host: $(cat /opt/host-info/host | base64 -w0) - username: $(cat /opt/host-info/username | base64 -w0) + host: $(cat /opt/host-info/host | tr -d '\n\r' | base64 -w0) + username: $(cat /opt/host-info/username | tr -d '\n\r' | base64 -w0) id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) EOF diff --git a/tkn/infra-aws-rhel.yaml b/tkn/infra-aws-rhel.yaml index c56e2e7e8..f6284e2ef 100644 --- a/tkn/infra-aws-rhel.yaml +++ b/tkn/infra-aws-rhel.yaml @@ -368,14 +368,14 @@ spec: cat <> host-info.yaml type: Opaque data: - host: $(cat /opt/host-info/host | base64 -w0) - username: $(cat /opt/host-info/username | base64 -w0) + host: $(cat /opt/host-info/host | tr -d '\n\r' | base64 -w0) + username: $(cat /opt/host-info/username | tr -d '\n\r' | base64 -w0) id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) EOF if [[ "$(params.airgap)" == "true" ]]; then cat <> host-info.yaml - bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) - bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-host: $(cat /opt/host-info/bastion_host | tr -d '\n\r' | base64 -w0) + bastion-username: $(cat /opt/host-info/bastion_username | tr -d '\n\r' | base64 -w0) bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) EOF fi diff --git a/tkn/infra-aws-windows-server.yaml b/tkn/infra-aws-windows-server.yaml index f6e989e3c..efdbd969b 100644 --- a/tkn/infra-aws-windows-server.yaml +++ b/tkn/infra-aws-windows-server.yaml 
@@ -301,14 +301,14 @@ spec: cat <> host-info.yaml type: Opaque data: - host: $(cat /opt/host-info/host | base64 -w0) - username: $(cat /opt/host-info/username | base64 -w0) + host: $(cat /opt/host-info/host | tr -d '\n\r' | base64 -w0) + username: $(cat /opt/host-info/username | tr -d '\n\r' | base64 -w0) id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) EOF if [[ $(params.airgap) == "true" ]]; then cat <> host-info.yaml - bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) - bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-host: $(cat /opt/host-info/bastion_host | tr -d '\n\r' | base64 -w0) + bastion-username: $(cat /opt/host-info/bastion_username | tr -d '\n\r' | base64 -w0) bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) EOF fi diff --git a/tkn/template/infra-aws-fedora.yaml b/tkn/template/infra-aws-fedora.yaml index 08627de38..87a5db782 100644 --- a/tkn/template/infra-aws-fedora.yaml +++ b/tkn/template/infra-aws-fedora.yaml @@ -342,14 +342,14 @@ spec: cat <> host-info.yaml type: Opaque data: - host: $(cat /opt/host-info/host | base64 -w0) - username: $(cat /opt/host-info/username | base64 -w0) + host: $(cat /opt/host-info/host | tr -d '\n\r' | base64 -w0) + username: $(cat /opt/host-info/username | tr -d '\n\r' | base64 -w0) id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) EOF if [[ "$(params.airgap)" == "true" ]]; then cat <> host-info.yaml - bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) - bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-host: $(cat /opt/host-info/bastion_host | tr -d '\n\r' | base64 -w0) + bastion-username: $(cat /opt/host-info/bastion_username | tr -d '\n\r' | base64 -w0) bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) EOF fi diff --git a/tkn/template/infra-aws-mac.yaml b/tkn/template/infra-aws-mac.yaml index 2ff862b3c..7d08b6404 100644 --- a/tkn/template/infra-aws-mac.yaml +++ b/tkn/template/infra-aws-mac.yaml 
@@ -294,14 +294,14 @@ spec: cat <> host-info.yaml type: Opaque data: - host: $(cat /opt/host-info/host | base64 -w0) - username: $(cat /opt/host-info/username | base64 -w0) + host: $(cat /opt/host-info/host | tr -d '\n\r' | base64 -w0) + username: $(cat /opt/host-info/username | tr -d '\n\r' | base64 -w0) id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) EOF if [[ $(params.airgap) == "true" ]]; then cat <> host-info.yaml - bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) - bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-host: $(cat /opt/host-info/bastion_host | tr -d '\n\r' | base64 -w0) + bastion-username: $(cat /opt/host-info/bastion_username | tr -d '\n\r' | base64 -w0) bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) EOF fi diff --git a/tkn/template/infra-aws-rhel-ai.yaml b/tkn/template/infra-aws-rhel-ai.yaml index 4817c5006..8c9506712 100644 --- a/tkn/template/infra-aws-rhel-ai.yaml +++ b/tkn/template/infra-aws-rhel-ai.yaml @@ -350,8 +350,8 @@ spec: cat <> host-info.yaml type: Opaque data: - host: $(cat /opt/host-info/host | base64 -w0) - username: $(cat /opt/host-info/username | base64 -w0) + host: $(cat /opt/host-info/host | tr -d '\n\r' | base64 -w0) + username: $(cat /opt/host-info/username | tr -d '\n\r' | base64 -w0) id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) EOF diff --git a/tkn/template/infra-aws-rhel.yaml b/tkn/template/infra-aws-rhel.yaml index cc33482a9..ec324fefc 100644 --- a/tkn/template/infra-aws-rhel.yaml +++ b/tkn/template/infra-aws-rhel.yaml 
@@ -368,14 +368,14 @@ spec: cat <> host-info.yaml type: Opaque data: - host: $(cat /opt/host-info/host | base64 -w0) - username: $(cat /opt/host-info/username | base64 -w0) + host: $(cat /opt/host-info/host | tr -d '\n\r' | base64 -w0) + username: $(cat /opt/host-info/username | tr -d '\n\r' | base64 -w0) id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) EOF if [[ "$(params.airgap)" == "true" ]]; then cat <> host-info.yaml - bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) - bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-host: $(cat /opt/host-info/bastion_host | tr -d '\n\r' | base64 -w0) + bastion-username: $(cat /opt/host-info/bastion_username | tr -d '\n\r' | base64 -w0) bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) EOF fi diff --git a/tkn/template/infra-aws-windows-server.yaml b/tkn/template/infra-aws-windows-server.yaml index 05ff00600..c3133efd9 100644 --- a/tkn/template/infra-aws-windows-server.yaml +++ b/tkn/template/infra-aws-windows-server.yaml @@ -301,14 +301,14 @@ spec: cat <> host-info.yaml type: Opaque data: - host: $(cat /opt/host-info/host | base64 -w0) - username: $(cat /opt/host-info/username | base64 -w0) + host: $(cat /opt/host-info/host | tr -d '\n\r' | base64 -w0) + username: $(cat /opt/host-info/username | tr -d '\n\r' | base64 -w0) id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) EOF if [[ $(params.airgap) == "true" ]]; then cat <> host-info.yaml - bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) - bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-host: $(cat /opt/host-info/bastion_host | tr -d '\n\r' | base64 -w0) + bastion-username: $(cat /opt/host-info/bastion_username | tr -d '\n\r' | base64 -w0) bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) EOF fi