Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Inconsistency handling passwords with special characters #2904

Open
bertinatto opened this issue May 27, 2024 · 5 comments
Open

Inconsistency handling passwords with special characters #2904

bertinatto opened this issue May 27, 2024 · 5 comments
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@bertinatto
Copy link
Member

Is this a BUG REPORT or FEATURE REQUEST?:

/kind bug

What happened:

In OpenShift, we use a credentials minter to generate the vSphere password used by the CSI driver. The minter may generate passwords containing special characters that are not escaped. These passwords are then stored in a secret.

We observed that the CSI driver operates correctly when the password is provided via environment variables. However, it fails when the same password is supplied through an .INI file.

What you expected to happen:

The CSI driver should handle passwords consistently regardless of whether they are provided via environment variables or an .INI file. Specifically, it should successfully authenticate using the password in both scenarios.

How to reproduce it (as minimally and precisely as possible):

Try this unit test:

diff --git a/pkg/common/config/config_test.go b/pkg/common/config/config_test.go
index 23e23c77..0e7ca159 100644
--- a/pkg/common/config/config_test.go
+++ b/pkg/common/config/config_test.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"os"
 	"reflect"
+	"strings"
 	"testing"
 )
 
@@ -261,3 +262,41 @@ func isConfigEqual(actual *Config, expected *Config) bool {
 	}
 	return true
 }
+
+func TestReadCreadentialsFromConfig(t *testing.T) {
+	configStr := `
+[Global]
+user = "admin@vsphere.local"
+password = "password\"
+insecure-flag = "1"
+`
+
+	cfg, err := ReadConfig(ctx, strings.NewReader(configStr)) // <----- THIS FAILS
+	if err != nil {
+		t.Fatalf("Error reading config: %v", err)
+	}
+
+	err = validateConfig(ctx, cfg)
+	if err != nil {
+		t.Fatalf("Error validating config: %v", err)
+	}
+}
+
+func TestReadCredentialsFromEnv(t *testing.T) {
+	cfg := &Config{
+		VirtualCenter: idealVCConfig,
+	}
+
+	os.Setenv("VSPHERE_USER", `user@vsphere.local`)
+	os.Setenv("VSPHERE_PASSWORD", `password\`)
+
+	err := FromEnv(ctx, cfg)
+	if err != nil {
+		t.Fatalf("Error reading config from env: %v", err)
+	}
+
+	err = validateConfig(ctx, cfg)
+	if err != nil {
+		t.Fatalf("Error validating config: %v", err)
+	}
+}

Anything else we need to know?:

I understand that passwords passed via an .INI file must be escaped as noted in this previous issue [1]. However, the fact that passwords work when passed via environment variables but fail when passed via an .INI file creates confusion for users.

If it is not possible to achieve consistent behavior regardless of how passwords are passed to the CSI driver, could you please document which characters need to be escaped? According to this PR [2] in cluster-api-provider-vsphere, it appears that only \ and " need to be escaped. Can you confirm if escaping just these characters is sufficient?

[1] #121
[2] https://github.com/kubernetes-sigs/cluster-api-provider-vsphere/blob/71c23168794bed7401ba96e6405ffabd4ebab3d1/packaging/flavorgen/flavors/crs/types/cloudprovider_encoding.go#L33

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label May 27, 2024
@jsafrane
Copy link
Contributor

According to this PR [2] in cluster-api-provider-vsphere, it appears that only \ and " need to be escaped. Can you confirm if escaping just these characters is sufficient

It would be much better to document what are the escaping rules in the ini file. Backslash is a popular character in password or even in username.

@bertinatto
Copy link
Member Author

/assign @divyenpatel

@xing-yang
Copy link
Contributor

We added a note for special characters here: https://github.com/vmware-tanzu/velero-plugin-for-vsphere/blob/main/docs/vanilla.md#create-vc-credential-secret
@divyenpatel Can we add a similar note in the vSphere CSI driver doc?

@divyenpatel
Copy link
Member

I have filed internal ticket to get https://docs.vmware.com/en/VMware-vSphere-Container-Storage-Plug-in/3.0/vmware-vsphere-csp-getting-started/GUID-BFF39F1D-F70A-4360-ABC9-85BDAFBE8864.html page updated.

new content will be as below

New content
------------
Password for a vCenter Server user.
If password contains character which needs to be escaped then specify password with escaped character.

Examples:
    vCenter password: pwd\123
        Config file: password = "pwd\\123"
    vCenter password: pwd\nWithNewline
        Config file: password = "pwd\\nWithNewLine""
    vCenter password: Admin!23\'"
        Config file: password = "Admin!23\\\'\""
        

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.
Projects
None yet
Development

No branches or pull requests

6 participants