fix: generate role session name should only contain valid chars

binxio · Sep 18, 2023 · 4caa1ae · 4caa1ae
1 parent 65b003e
commit 4caa1ae
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 6 deletions.
diff --git a/pkg/cmd/root.go b/pkg/cmd/root.go
@@ -4,7 +4,9 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"regexp"
 	"strconv"
+	"strings"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
@@ -81,6 +83,16 @@ func (c *RootCommand) SetDefaults() {
 	}
 }
 
+// GenerateRoleSessionName generates a valid role session name based on the role name and pipeline id.
+func GenerateRoleSessionName(roleName, pipelineId string) string {
+	invalidCharacters := regexp.MustCompile(`[^=,.@A-Za-z0-9_]+`)
+	validRoleSessionName := strings.Trim(invalidCharacters.ReplaceAllString(roleName, "-"), "-")
+	if pipelineId == "" {
+		return validRoleSessionName
+	}
+	return fmt.Sprintf("%s-%s", validRoleSessionName, pipelineId)
+}
+
 // GetSTSCredentials gets the STS credentials based upon the gitlab pipeline id token.
 func (c *RootCommand) GetSTSCredentials() error {
 	if c.RoleName == "" {
@@ -100,12 +112,7 @@ func (c *RootCommand) GetSTSCredentials() error {
 	}
 
 	if c.RoleSessionName == "" {
-		if c.PipelineId == "" {
-			c.RoleSessionName = c.RoleName
-
-		} else {
-			c.RoleSessionName = fmt.Sprintf("%s-%s", c.RoleName, c.PipelineId)
-		}
+		c.RoleSessionName = GenerateRoleSessionName(c.RoleName, c.PipelineId)
 	}
 
 	var err error

diff --git a/pkg/cmd/root_test.go b/pkg/cmd/root_test.go
@@ -102,3 +102,30 @@ func TestSetDefaultsInvalidDuration(t *testing.T) {
 		t.Errorf("expected the default of 3600 as duration seconds")
 	}
 }
+
+func TestGenerateRoleSessionName(t *testing.T) {
+	type args struct {
+		roleName   string
+		pipelineId string
+	}
+	tests := []struct {
+		name string
+		args args
+		want string
+	}{
+		{"no pipeline", args{"role", ""}, "role"},
+		{"role and pipeline", args{"role", "1234"}, "role-1234"},
+		{"no leading or trailing dash", args{"-role-", ""}, "role"},
+		{"invalid chars", args{"/gitlab/role", "1234"}, "gitlab-role-1234"},
+		{"multiple invalid chars", args{"/gitlab/role-%^$abc", "1234"}, "gitlab-role-abc-1234"},
+		{"all valid special chars", args{"[email protected]_", "1234"}, "[email protected]_-1234"},
+		{"keep dashes", args{"gitlab-role--nice", ""}, "gitlab-role-nice"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := GenerateRoleSessionName(tt.args.roleName, tt.args.pipelineId); got != tt.want {
+				t.Errorf("GenerateRoleSessionName() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}