From 659dc86f1d85ada26b48c58eedd9ac6605d195da Mon Sep 17 00:00:00 2001 From: Alexander Matyushentsev Date: Thu, 7 Sep 2023 10:14:57 -0400 Subject: [PATCH] Merge pull request from GHSA-fwr2-64vr-xv9m * fix: prevent seeing/editing 'kubectl.kubernetes.io/last-applied-configuration' cluster annotation Signed-off-by: Alexander Matyushentsev * fix: failing unit test Signed-off-by: iam-veeramalla --------- Signed-off-by: Alexander Matyushentsev Signed-off-by: iam-veeramalla Co-authored-by: iam-veeramalla --- util/db/cluster.go | 5 +++++ util/db/cluster_test.go | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+) diff --git a/util/db/cluster.go b/util/db/cluster.go index 9b405a9cacd609..69da0a3bd8fd2f 100644 --- a/util/db/cluster.go +++ b/util/db/cluster.go @@ -345,6 +345,9 @@ func clusterToSecret(c *appv1.Cluster, secret *apiv1.Secret) error { secret.Data = data secret.Labels = c.Labels + if c.Annotations != nil && c.Annotations[apiv1.LastAppliedConfigAnnotation] != "" { + return status.Errorf(codes.InvalidArgument, "annotation %s cannot be set", apiv1.LastAppliedConfigAnnotation) + } secret.Annotations = c.Annotations if secret.Annotations == nil { @@ -403,6 +406,8 @@ func SecretToCluster(s *apiv1.Secret) (*appv1.Cluster, error) { annotations := map[string]string{} if s.Annotations != nil { annotations = collections.CopyStringMap(s.Annotations) + // delete system annotations + delete(annotations, apiv1.LastAppliedConfigAnnotation) delete(annotations, common.AnnotationKeyManagedBy) } diff --git a/util/db/cluster_test.go b/util/db/cluster_test.go index 9d60a3073c3c2d..5d99edf83d05bb 100644 --- a/util/db/cluster_test.go +++ b/util/db/cluster_test.go @@ -7,6 +7,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes/fake" @@ -56,6 +58,24 @@ func Test_secretToCluster(t *testing.T) { }) } +func Test_secretToCluster_LastAppliedConfigurationDropped(t *testing.T) { + secret := &v1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "mycluster", + Namespace: fakeNamespace, + Annotations: map[string]string{v1.LastAppliedConfigAnnotation: "val2"}, + }, + Data: map[string][]byte{ + "name": []byte("test"), + "server": []byte("http://mycluster"), + "config": []byte("{\"username\":\"foo\"}"), + }, + } + cluster, err := SecretToCluster(secret) + require.NoError(t, err) + assert.Len(t, cluster.Annotations, 0) +} + func TestClusterToSecret(t *testing.T) { cluster := &appv1.Cluster{ Server: "server", @@ -78,6 +98,21 @@ func TestClusterToSecret(t *testing.T) { assert.Equal(t, cluster.Labels, s.Labels) } +func TestClusterToSecret_LastAppliedConfigurationRejected(t *testing.T) { + cluster := &appv1.Cluster{ + Server: "server", + Annotations: map[string]string{v1.LastAppliedConfigAnnotation: "val2"}, + Name: "test", + Config: v1alpha1.ClusterConfig{}, + Project: "project", + Namespaces: []string{"default"}, + } + s := &v1.Secret{} + err := clusterToSecret(cluster, s) + require.Error(t, err) + require.Equal(t, codes.InvalidArgument, status.Code(err)) +} + func Test_secretToCluster_NoConfig(t *testing.T) { secret := &v1.Secret{ ObjectMeta: metav1.ObjectMeta{