
Commit 836c66e

fix: ssl secret ref (#164)
1 parent 2467ac5 commit 836c66e


3 files changed

+126
-18
lines changed


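--- a/apps/cli/src/linter/schema.ts
+++ b/apps/cli/src/linter/schema.ts
@@ -1,4 +1,3 @@
-import { max } from 'lodash';
 import { z } from 'zod';
 
 const nameSchema = z.string().min(1).max(100);
@@ -17,14 +16,21 @@ const timeoutSchema = z.object({
 read: z.number().gt(0),
 });
 const portSchema = z.number().int().min(1).max(65535);
-const certificateSchema = z
-.string()
-.min(128)
-.max(64 * 1024);
-const certificateKeySchema = z
-.string()
-.min(32)
-.max(64 * 1024);
+const secretRefSchema = z.string().regex(/^\$(secret|env):\/\//);
+const certificateSchema = z.union([
+z
+.string()
+.min(128)
+.max(64 * 1024),
+secretRefSchema,
+]);
+const certificateKeySchema = z.union([
+z
+.string()
+.min(32)
+.max(64 * 1024),
+secretRefSchema,
+]);
 
 const upstreamHealthCheckPassiveHealthy = z
 .object({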
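Review bot: `secretRefSchema` on new line 19 validates only the `$secret://` / `$env://` prefix, so a reference with nothing after the scheme (`$secret://`, `$env://`) passes the linter and the mistake is only discovered when the dataplane tries to resolve it; tighten it to `const secretRefSchema = z.string().regex(/^\$(secret|env):\/\/\S+$/);` so an empty path or variable name is rejected where it is cheap. The two ref branches also lose the `.max(64 * 1024)` bound that the literal branches keep, so an unbounded string is now accepted as long as it starts with the prefix; applying the length cap to the union as a whole would restore it. If `schema.json` is generated from this file, regenerate it so its `pattern` stays in step with this regex.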

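--- a/apps/cli/src/linter/specs/ssl.spec.ts
+++ b/apps/cli/src/linter/specs/ssl.spec.ts
@@ -0,0 +1,90 @@
+import * as ADCSDK from '@api7/adc-sdk';
+
+import { check } from '../';
+
+describe('SSL Linter', () => {
+const cases = [
+{
+name: 'should check for too short certificates and keys',
+input: {
+ssls: [
+{
+snis: ['test.com'],
+certificates: [
+{
+certificate: 'short',
+key: 'short',
+},
+],
+},
+],
+} as ADCSDK.Configuration,
+expect: false,
+errors: [
+{
+code: 'too_small',
+exact: false,
+inclusive: true,
+message: 'String must contain at least 128 character(s)',
+minimum: 128,
+path: ['ssls', 0, 'certificates', 0, 'certificate'],
+type: 'string',
+},
+{
+code: 'too_small',
+exact: false,
+inclusive: true,
+message: 'String must contain at least 32 character(s)',
+minimum: 32,
+path: ['ssls', 0, 'certificates', 0, 'key'],
+type: 'string',
+},
+],
+},
+{
+name: 'should check for dataplane env ref certificates and keys',
+input: {
+ssls: [
+{
+snis: ['test.com'],
+certificates: [
+{
+certificate: '$env://CERT',
+key: '$env://CERT_KEY',
+},
+],
+},
+],
+} as ADCSDK.Configuration,
+expect: true,
+},
+{
+name: 'should check for dataplane secret ref certificates and keys',
+input: {
+ssls: [
+{
+snis: ['test.com'],
+certificates: [
+{
+certificate: '$secret://vault/test.com/cert',
+key: '$secret://vault/test.com/key',
+},
+],
+},
+],
+} as ADCSDK.Configuration,
+expect: true,
+},
+];
+
+// test cases runner
+cases.forEach((item) => {
+it(item.name, () => {
+const result = check(item.input);
+expect(result.success).toEqual(item.expect);
+if (!item.expect) {
+expect(result.error.errors).toEqual(item.errors);
+}
+});
+});
+});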
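Review bot: The new cases only show that well-formed references pass; there is no negative case proving that a malformed reference is rejected, which is the property the `secretRefSchema` regex is supposed to give the linter. Add a fourth case with `certificate: '$secret://'` and `key: '$env://'` and `expect: false` — with the prefix-only regex in `schema.ts` those strings currently lint clean, so the case documents the gap and pins the fix once the pattern is tightened. A case using an unknown scheme such as `$vault://x` would also be worth having, but note it would be reported as `too_small` from the literal branch rather than as a bad reference, so its `errors` array must match that.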

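--- a/schema.json
+++ b/schema.json
@@ -380,9 +380,6 @@
 "additionalProperties": {}
 }
 },
-"required": [
-"nodes"
-],
 "additionalProperties": false
 },
 "plugins": {
@@ -576,14 +573,29 @@
 "type": "object",
 "properties": {
 "certificate": {
-"type": "string",
-"minLength": 128,
-"maxLength": 65536
+"anyOf": [
+{
+"type": "string",
+"minLength": 128,
+"maxLength": 65536
+},
+{
+"type": "string",
+"pattern": "^\\$(secret|env):\\/\\/"
+}
+]
 },
 "key": {
-"type": "string",
-"minLength": 32,
-"maxLength": 65536
+"anyOf": [
+{
+"type": "string",
+"minLength": 32,
+"maxLength": 65536
+},
+{
+"$ref": "#/properties/ssls/items/properties/certificates/items/properties/certificate/anyOf/1"
+}
+]
 }
 },
 "required": [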
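Review bot: The first hunk removes `"required": ["nodes"]` from an object whose header lies outside the hunk (it sits just before `"plugins"`, presumably the upstream definition), which is not covered by the title "fix: ssl secret ref" and means a configuration with an upstream that has no `nodes` now validates against this schema. If this is a regeneration catching up with an earlier change to the zod schema, say so in the commit message so the loosening is traceable; if it was hand-edited, it belongs in its own commit with its own justification. Either way, confirm that the TypeScript linter in `schema.ts` agrees with the published `schema.json` on whether `nodes` is required, since the two are otherwise edited in lockstep here.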
