diff --git a/pkg/ingress/model_build_actions.go b/pkg/ingress/model_build_actions.go index e2e883dbc..156229074 100644 --- a/pkg/ingress/model_build_actions.go +++ b/pkg/ingress/model_build_actions.go @@ -187,7 +187,7 @@ func (t *defaultModelBuildTask) buildAuthenticateOIDCAction(ctx context.Context, t.secretKeys = append(t.secretKeys, secretKey) clientID := strings.TrimRightFunc(string(rawClientID), unicode.IsSpace) - clientSecret := string(rawClientSecret) + clientSecret := strings.TrimRightFunc(string(rawClientSecret), unicode.IsControl) return elbv2model.Action{ Type: elbv2model.ActionTypeAuthenticateOIDC, AuthenticateOIDCConfig: &elbv2model.AuthenticateOIDCActionConfig{ diff --git a/pkg/ingress/model_build_actions_test.go b/pkg/ingress/model_build_actions_test.go index 91a3e5173..db24c7fe5 100644 --- a/pkg/ingress/model_build_actions_test.go +++ b/pkg/ingress/model_build_actions_test.go @@ -85,6 +85,61 @@ func Test_defaultModelBuildTask_buildAuthenticateOIDCAction(t *testing.T) { }, }, }, + { + name: "clientSecret has control characters at end", + env: env{ + secrets: []*corev1.Secret{ + { + ObjectMeta: metav1.ObjectMeta{ + Namespace: "my-ns", + Name: "my-k8s-secret", + }, + Data: map[string][]byte{ + "clientID": []byte("my-client-id"), + "clientSecret": []byte("my-client-secret\n"), + }, + }, + }, + }, + args: args{ + authCfg: AuthConfig{ + Type: AuthTypeCognito, + IDPConfigOIDC: &AuthIDPConfigOIDC{ + Issuer: "https://example.com", + AuthorizationEndpoint: "https://authorization.example.com", + TokenEndpoint: "https://token.example.com", + UserInfoEndpoint: "https://userinfo.example.co", + SecretName: "my-k8s-secret", + AuthenticationRequestExtraParams: map[string]string{ + "key1": "value1", + }, + }, + OnUnauthenticatedRequest: "authenticate", + Scope: "email", + SessionCookieName: "my-session-cookie", + SessionTimeout: 65536, + }, + namespace: "my-ns", + }, + want: elbv2model.Action{ + Type: elbv2model.ActionTypeAuthenticateOIDC, + AuthenticateOIDCConfig: &elbv2model.AuthenticateOIDCActionConfig{ + Issuer: "https://example.com", + AuthorizationEndpoint: "https://authorization.example.com", + TokenEndpoint: "https://token.example.com", + UserInfoEndpoint: "https://userinfo.example.co", + ClientID: "my-client-id", + ClientSecret: "my-client-secret", + AuthenticationRequestExtraParams: map[string]string{ + "key1": "value1", + }, + OnUnauthenticatedRequest: authBehaviorAuthenticate, + Scope: awssdk.String("email"), + SessionCookieName: awssdk.String("my-session-cookie"), + SessionTimeout: awssdk.Int64(65536), + }, + }, + }, { name: "clientID & clientSecret configured - legacy clientId", env: env{