OCM-18900 | fix: Improve error message for proxy passwords with special characters

Author: olucasfreitas

cmd/create/cluster/cmd.go

@@ -3053,15 +3053,15 @@ func run(cmd *cobra.Command, _ []string) {
 			Help:     cmd.Flags().Lookup("https-proxy").Usage,
 			Default:  httpsProxy,
 			Validators: []interactive.Validator{
-				interactive.IsURL,
+				ocm.ValidateHTTPSProxy,
 			},
 		})
 		if err != nil {
 			r.Reporter.Errorf("Expected a valid https proxy: %s", err)
 			os.Exit(1)
 		}
 	}
-	err = interactive.IsURL(httpsProxy)
+	err = ocm.ValidateHTTPSProxy(httpsProxy)
 	if err != nil {
 		r.Reporter.Errorf("%s", err)
 		os.Exit(1)

cmd/edit/cluster/cmd.go

@@ -513,7 +513,7 @@ func run(cmd *cobra.Command, _ []string) {
 		}
 	}
 	if httpsProxy != nil && *httpsProxy != input.DoubleQuotesToRemove {
-		err = interactive.IsURL(*httpsProxy)
+		err = ocm.ValidateHTTPSProxy(*httpsProxy)
 		if err != nil {
 			r.Reporter.Errorf("%s", err)
 			os.Exit(1)
@@ -562,10 +562,7 @@ func run(cmd *cobra.Command, _ []string) {
 	}
 
 	/*******  AdditionalTrustBundle *******/
-	updateAdditionalTrustBundle := false
-	if additionalTrustBundleFile != nil {
-		updateAdditionalTrustBundle = true
-	}
+	updateAdditionalTrustBundle := additionalTrustBundleFile != nil
 	if useExistingVPC && !updateAdditionalTrustBundle && additionalTrustBundleFile == nil &&
 		interactive.Enabled() {
 		updateAdditionalTrustBundleValue, err := interactive.GetBool(interactive.Input{
@@ -620,10 +617,7 @@ func run(cmd *cobra.Command, _ []string) {
 	}
 
 	/*******  AdditionalAllowedPrincipals *******/
-	updateAdditionalAllowedPrincipals := false
-	if additionalAllowedPrincipals != nil {
-		updateAdditionalAllowedPrincipals = true
-	}
+	updateAdditionalAllowedPrincipals := additionalAllowedPrincipals != nil
 	if !updateAdditionalAllowedPrincipals && additionalAllowedPrincipals == nil &&
 		interactive.Enabled() {
 		updateAdditionalAllowedPrincipalsValue, err := interactive.GetBool(interactive.Input{
@@ -1013,15 +1007,15 @@ func warnUserForOAuthHCPVisibility(r *rosa.Runtime, clusterKey string, cluster *
 func validateExpiration() (expiration time.Time, err error) {
 	// Validate options
 	if len(args.expirationTime) > 0 && args.expirationDuration != 0 {
-		err = errors.New("At most one of 'expiration-time' or 'expiration' may be specified")
+		err = errors.New("at most one of 'expiration-time' or 'expiration' may be specified")
 		return
 	}
 
 	// Parse the expiration options
 	if len(args.expirationTime) > 0 {
 		t, err := parseRFC3339(args.expirationTime)
 		if err != nil {
-			err = fmt.Errorf("Failed to parse expiration-time: %s", err)
+			err = fmt.Errorf("failed to parse expiration-time: %s", err)
 			return expiration, err
 		}
 
@@ -1039,7 +1033,7 @@ func validateExpiration() (expiration time.Time, err error) {
 func validateOvnInternalSubnetConfiguration() (ovnInternalSubnets map[string]string, err error) {
 	if len(args.ovnInternalSubnets) > 0 {
 		if args.networkType == "" {
-			err = fmt.Errorf("Expected a value for %s when supplying the flag %s", ocm.NetworkTypeFlagName,
+			err = fmt.Errorf("expected a value for %s when supplying the flag %s", ocm.NetworkTypeFlagName,
 				ocm.OvnInternalSubnetsFlagName)
 			return
 		}
@@ -1052,7 +1046,7 @@ func validateOvnInternalSubnetConfiguration() (ovnInternalSubnets map[string]str
 func validateNetworkType() (networkConfig string, err error) {
 	if len(args.networkType) > 0 {
 		if args.networkType != ocm.NetworkTypeOvn && args.networkType != ocm.NetworkTypeOvnAlias {
-			err = fmt.Errorf("Incorrect network type '%s', please use '%s' or remove the flag",
+			err = fmt.Errorf("incorrect network type '%s', please use '%s' or remove the flag",
 				args.networkType, ocm.NetworkTypeOvn)
 		} else {
 			networkConfig = ocm.NetworkTypeOvn // allows use of alias (OVN-Kubernetes)- but sets it to correct value for API
@@ -1088,11 +1082,11 @@ func setAuditLogForwarding(r *rosa.Runtime, cmd *cobra.Command, cluster *cmv1.Cl
 	argValuePtr *string, err error) {
 	if cmd.Flags().Changed("audit-log-arn") {
 		if !aws.IsHostedCP(cluster) {
-			return nil, fmt.Errorf("Audit log forwarding to AWS CloudWatch is only supported for Hosted Control Plane clusters")
+			return nil, fmt.Errorf("audit log forwarding to AWS CloudWatch is only supported for Hosted Control Plane clusters")
 
 		}
 		if auditLogArn != "" && !aws.RoleArnRE.MatchString(auditLogArn) {
-			return nil, fmt.Errorf("Expected a valid value for audit-log-arn matching %s", aws.RoleArnRE.String())
+			return nil, fmt.Errorf("expected a valid value for audit-log-arn matching %s", aws.RoleArnRE.String())
 		}
 		argValuePtr := new(string)
 		*argValuePtr = auditLogArn
@@ -1129,7 +1123,7 @@ func auditLogInteractivePrompt(r *rosa.Runtime, cmd *cobra.Command, cluster *cmv
 		Required: true,
 	})
 	if err != nil {
-		return nil, fmt.Errorf("Expected a valid value: %s", err)
+		return nil, fmt.Errorf("expected a valid value: %s", err)
 	}
 	if requestAuditLogForwarding {
 
@@ -1146,7 +1140,7 @@ func auditLogInteractivePrompt(r *rosa.Runtime, cmd *cobra.Command, cluster *cmv
 			},
 		})
 		if err != nil {
-			return nil, fmt.Errorf("Expected a valid value for audit-log-arn: %s", err)
+			return nil, fmt.Errorf("expected a valid value for audit-log-arn: %s", err)
 		}
 		*auditLogRolePtr = auditLogRoleValue
 		return auditLogRolePtr, nil
@@ -1159,7 +1153,7 @@ func auditLogInteractivePrompt(r *rosa.Runtime, cmd *cobra.Command, cluster *cmv
 			Default:  false,
 		})
 		if err != nil {
-			return nil, fmt.Errorf("Expected a valid value: %s", err)
+			return nil, fmt.Errorf("expected a valid value: %s", err)
 		}
 		if disableAuditLog {
 			*auditLogRolePtr = ""
@@ -1190,7 +1184,7 @@ func BuildClusterConfigWithRegistry(clusterConfig ocm.Spec, allowedRegistries []
 		ca, err := clusterregistryconfig.BuildAdditionalTrustedCAFromInputFile(additionalTrustedCa)
 		if err != nil {
 			return clusterConfig, fmt.Errorf(
-				"Failed to build the additional trusted ca from file %s, got error: %s",
+				"failed to build the additional trusted ca from file %s, got error: %s",
 				additionalTrustedCa, err)
 		}
 		clusterConfig.AdditionalTrustedCa = ca

pkg/helper/helpers.go

@@ -268,3 +268,67 @@ func FilterEmptyStrings(strings []string) []string {
 	}
 	return filteredResult
 }
+
+type URLCredentialValidation struct {
+	Field       string
+	InvalidChar rune
+	HasInvalid  bool
+}
+
+func ValidateURLCredentials(urlString string) *URLCredentialValidation {
+	if !strings.Contains(urlString, "@") || !strings.Contains(urlString, "://") {
+		return &URLCredentialValidation{HasInvalid: false}
+	}
+
+	schemeIdx := strings.Index(urlString, "://")
+	if schemeIdx == -1 {
+		return &URLCredentialValidation{HasInvalid: false}
+	}
+
+	rest := urlString[schemeIdx+3:]
+	atIdx := strings.LastIndex(rest, "@")
+	if atIdx == -1 {
+		return &URLCredentialValidation{HasInvalid: false}
+	}
+
+	userinfo := rest[:atIdx]
+
+	// Check for multiple @ symbols first (indicates @ in credentials)
+	if strings.Count(urlString, "@") > 1 {
+		return &URLCredentialValidation{
+			Field:       "password",
+			InvalidChar: '@',
+			HasInvalid:  true,
+		}
+	}
+
+	// Check username and password separately
+	colonIdx := strings.Index(userinfo, ":")
+	if colonIdx == -1 {
+		return checkForInvalidChars(userinfo, "username")
+	}
+
+	username := userinfo[:colonIdx]
+	if result := checkForInvalidChars(username, "username"); result.HasInvalid {
+		return result
+	}
+
+	password := userinfo[colonIdx+1:]
+	return checkForInvalidChars(password, "password")
+}
+
+func checkForInvalidChars(value, field string) *URLCredentialValidation {
+	invalidChars := "/:#?[]@!$&'()*+,;="
+
+	for _, char := range value {
+		if strings.ContainsRune(invalidChars, char) {
+			return &URLCredentialValidation{
+				Field:       field,
+				InvalidChar: char,
+				HasInvalid:  true,
+			}
+		}
+	}
+
+	return &URLCredentialValidation{HasInvalid: false}
+}

pkg/interactive/validation.go

@@ -89,6 +89,9 @@ func IsURLHttps(val interface{}) error {
 	if err != nil {
 		return err
 	}
+	if parsedUri == nil {
+		return nil
+	}
 	if parsedUri.Scheme != helper.ProtocolHttps {
 		return fmt.Errorf("expect URL '%s' to use an 'https://' scheme", val.(string))
 	}
@@ -106,8 +109,20 @@ func _isUrl(val interface{}) (*url.URL, error) {
 	if s == "" {
 		return nil, nil
 	}
-	parsedUri, err := url.ParseRequestURI(fmt.Sprintf("%v", val))
-	return parsedUri, err
+
+	if credValidation := helper.ValidateURLCredentials(s); credValidation.HasInvalid {
+		return nil, fmt.Errorf("invalid URL: %s contains invalid character '%c'",
+			credValidation.Field, credValidation.InvalidChar)
+	}
+
+	parsedUri, err := url.Parse(fmt.Sprintf("%v", val))
+	if err != nil {
+		return nil, err
+	}
+	if parsedUri.Scheme == "" || parsedUri.Host == "" {
+		return nil, fmt.Errorf("url must have a scheme and host")
+	}
+	return parsedUri, nil
 }
 
 // IsCert validates whether the given filepath is a valid cert file

pkg/interactive/validation_test.go

@@ -108,6 +108,134 @@ var _ = Describe("Validation", func() {
 		})
 	})
 
+	Context("IsURL", func() {
+		It("accepts empty string", func() {
+			err := IsURL("")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts nil", func() {
+			err := IsURL(nil)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts valid http URL", func() {
+			err := IsURL("http://example.com")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts valid https URL", func() {
+			err := IsURL("https://example.com")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts URL with authentication", func() {
+			err := IsURL("http://user:[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects URL with unencoded special characters in password", func() {
+			err := IsURL("http://proxyuser:QvoZjyy/[email protected]:8080")
+			Expect(err).To(HaveOccurred())
+		})
+
+		It("accepts URL with percent-encoded special characters in password", func() {
+			err := IsURL("http://proxyuser:QvoZjyy%[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects URL with unencoded @ in password", func() {
+			err := IsURL("http://user:pass@[email protected]:8080")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(Equal("invalid URL: password contains invalid character '@'"))
+		})
+
+		It("accepts URL with percent-encoded @ in password", func() {
+			err := IsURL("http://user:pass%[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects URL with extra colon in password", func() {
+			err := IsURL("http://user:pass:[email protected]:8080")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(Equal("invalid URL: password contains invalid character ':'"))
+		})
+
+		It("accepts URL with percent-encoded colon in password", func() {
+			err := IsURL("http://user:pass%[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects URL without scheme", func() {
+			err := IsURL("example.com")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("url must have a scheme and host"))
+		})
+
+		It("rejects URL without host", func() {
+			err := IsURL("http://")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("url must have a scheme and host"))
+		})
+
+		It("rejects non-string input", func() {
+			err := IsURL(123)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("can only validate strings"))
+		})
+	})
+
+	Context("IsURLHttps", func() {
+		It("accepts empty string", func() {
+			err := IsURLHttps("")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts nil", func() {
+			err := IsURLHttps(nil)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts valid https URL", func() {
+			err := IsURLHttps("https://example.com")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("accepts https URL with authentication", func() {
+			err := IsURLHttps("https://user:[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects https URL with unencoded special characters in password", func() {
+			err := IsURLHttps("https://proxyuser:QvoZjyy/[email protected]:8080")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(Equal("invalid URL: password contains invalid character '/'"))
+		})
+
+		It("accepts https URL with percent-encoded special characters in password", func() {
+			err := IsURLHttps("https://proxyuser:QvoZjyy%[email protected]:8080")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("rejects http URL", func() {
+			err := IsURLHttps("http://example.com")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("expect URL 'http://example.com' to use an 'https://' scheme"))
+		})
+
+		It("rejects URL without scheme", func() {
+			err := IsURLHttps("example.com")
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("url must have a scheme and host"))
+		})
+
+		It("rejects non-string input", func() {
+			err := IsURLHttps(123)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("can only validate strings"))
+		})
+	})
+
 })
 
 var _ = Describe("SubnetsValidator", func() {