Add user dashboard validation for secrets in recipes

Add mild validation (metadata, kind) for recipes containing secrets. Note that routes are currently unvalidated since they are not permissible in Kubernetes recipes (as they are OpenShift objects) and all validation is done through the kubernetes parser / validator. Signed-off-by: Angel Misevski <amisevsk@redhat.com>
eclipse-che · Jan 24, 2019 · 81ea06f · 81ea06f
1 parent 1dce7a6
commit 81ea06f
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 3 deletions.
diff --git a/dashboard/src/components/api/environment/kubernetes-environment-recipe-parser.ts b/dashboard/src/components/api/environment/kubernetes-environment-recipe-parser.ts
@@ -10,7 +10,7 @@
  *   Red Hat, Inc. - initial API and implementation
  */
 'use strict';
-import {ISupportedListItem, KubernetesMachineRecipeParser} from './kubernetes-machine-recipe-parser';
+import {ISupportedListItem, KubernetesMachineRecipeParser, isSupportedItem} from './kubernetes-machine-recipe-parser';
 import {IParser} from './parser';
 
 export interface ISupportedItemList {
@@ -79,14 +79,20 @@ export class KubernetesEnvironmentRecipeParser implements IParser {
     if (!angular.isArray(items) || items.length === 0) {
       throw new TypeError(`Recipe kubernetes list should contain at least one 'item'.`);
     } else {
-      items.forEach((item: ISupportedListItem) => {
+      items.forEach((item: any) => {
         if (!item) {
           return;
         }
         // skip services
         if (item.kind && item.kind.toLowerCase() === 'service') {
           return;
         }
+        if (!isSupportedItem(item)) {
+          // should throw a TypeError here but this code is currently used to validate OpenShift recipes
+          // (which support Routes) as well as Kubernetes recipes, so we need to ignore some elements
+          // rather than complain. Returning here prevents warning about typos in the `kind` section.
+          return;
+        }
         this.machineRecipeParser.validate(item);
       });
     }

diff --git a/dashboard/src/components/api/environment/kubernetes-machine-recipe-parser.ts b/dashboard/src/components/api/environment/kubernetes-machine-recipe-parser.ts
@@ -13,7 +13,11 @@
 
 import {IParser} from './parser';
 
-export type ISupportedListItem = IPodItem | IDeploymentItem | IConfigMapItem;
+export type ISupportedListItem = IPodItem | IDeploymentItem | IConfigMapItem | ISecretItem;
+
+export function isSupportedItem(item: any): item is ISupportedListItem {
+  return isDeploymentItem(item) || isPodItem(item) || isConfigMapItem(item) || isSecretItem(item);
+}
 
 export function isDeploymentItem(item: ISupportedListItem): item is IDeploymentItem {
   return (item.kind && item.kind.toLowerCase() === 'deployment');
@@ -27,6 +31,10 @@ export function isConfigMapItem(item: ISupportedListItem): item is IConfigMapIte
   return (item.kind && item.kind.toLowerCase() === 'configmap');
 }
 
+export function isSecretItem(item: ISupportedListItem): item is ISecretItem {
+  return (item.kind && item.kind.toLowerCase() === 'secret');
+}
+
 export function getPodItemOrNull(item: ISupportedListItem): IPodItem {
   if (isDeploymentItem(item)) {
     return item.spec.template;
@@ -84,6 +92,14 @@ export interface IConfigMapItem {
   data: { [propName: string]: string | Object };
 }
 
+export interface ISecretItem {
+  apiVersion: string;
+  kind: string;
+  metadata: IObjectMetadata;
+  data?: { [propName: string]: string | Object };
+  stringData?: { [propName: string]: string | Object};
+}
+
 /**
  * Wrapper for jsyaml and simple validator for kubernetes machine recipe.
  *
@@ -141,6 +157,8 @@ export class KubernetesMachineRecipeParser implements IParser {
       this.validatePod(<IPodItem>recipe);
     } else if (isConfigMapItem(recipe)) {
       this.validateConfigMap(<IConfigMapItem>recipe);
+    } else if (isSecretItem(recipe)) {
+      this.validateSecret(<ISecretItem> recipe);
     }
   }
 
@@ -224,6 +242,15 @@ export class KubernetesMachineRecipeParser implements IParser {
     }
   }
 
+  validateSecret(secret: ISecretItem) {
+    this.validateMetadata(secret.metadata);
+    if (!secret.data && !secret.stringData) {
+      throw new TypeError(`Recipe secret item should contain either data or stringData section.`);
+    }
+    // secret.data values must also be base64 encoded but nodejs doesn't allow an easy way to check
+    // if the encoding is valid (ignores errors silently).
+  }
+
   validateMetadata(metadata: IObjectMetadata) {
     if (!metadata) {
       throw new TypeError(`Recipe item should contain 'metadata' section.`);