search

kubernetes-sigs / vsphere-csi-driver

vSphere storage Container Storage Interface (CSI) plugin
https://docs.vmware.com/en/VMware-vSphere-Container-Storage-Plug-in/index.html
Apache License 2.0
288 stars 173 forks source link

Inconsistency handling passwords with special characters #2904

Open bertinatto opened 1 month ago

bertinatto commented 1 month ago

Is this a BUG REPORT or FEATURE REQUEST?:

/kind bug

What happened:

In OpenShift, we use a credentials minter to generate the vSphere password used by the CSI driver. The minter may generate passwords containing special characters that are not escaped. These passwords are then stored in a secret.

We observed that the CSI driver operates correctly when the password is provided via environment variables. However, it fails when the same password is supplied through an .INI file.

What you expected to happen:

The CSI driver should handle passwords consistently regardless of whether they are provided via environment variables or an .INI file. Specifically, it should successfully authenticate using the password in both scenarios.

How to reproduce it (as minimally and precisely as possible):

Try this unit test:

diff --git a/pkg/common/config/config_test.go b/pkg/common/config/config_test.go
index 23e23c77..0e7ca159 100644
--- a/pkg/common/config/config_test.go
+++ b/pkg/common/config/config_test.go
@@ -20,6 +20,7 @@ import (
    "context"
    "os"
    "reflect"
+   "strings"
    "testing"
 )

@@ -261,3 +262,41 @@ func isConfigEqual(actual *Config, expected *Config) bool {
    }
    return true
 }
+
+func TestReadCreadentialsFromConfig(t *testing.T) {
+   configStr := `
+[Global]
+user = "admin@vsphere.local"
+password = "password\"
+insecure-flag = "1"
+`
+
+   cfg, err := ReadConfig(ctx, strings.NewReader(configStr)) // <----- THIS FAILS
+   if err != nil {
+       t.Fatalf("Error reading config: %v", err)
+   }
+
+   err = validateConfig(ctx, cfg)
+   if err != nil {
+       t.Fatalf("Error validating config: %v", err)
+   }
+}
+
+func TestReadCredentialsFromEnv(t *testing.T) {
+   cfg := &Config{
+       VirtualCenter: idealVCConfig,
+   }
+
+   os.Setenv("VSPHERE_USER", `user@vsphere.local`)
+   os.Setenv("VSPHERE_PASSWORD", `password\`)
+
+   err := FromEnv(ctx, cfg)
+   if err != nil {
+       t.Fatalf("Error reading config from env: %v", err)
+   }
+
+   err = validateConfig(ctx, cfg)
+   if err != nil {
+       t.Fatalf("Error validating config: %v", err)
+   }
+}

Anything else we need to know?:

I understand that passwords passed via an .INI file must be escaped as noted in this previous issue [1]. However, the fact that passwords work when passed via environment variables but fail when passed via an .INI file creates confusion for users.

If it is not possible to achieve consistent behavior regardless of how passwords are passed to the CSI driver, could you please document which characters need to be escaped? According to this PR [2] in cluster-api-provider-vsphere, it appears that only \ and " need to be escaped. Can you confirm if escaping just these characters is sufficient?

[1] https://github.com/kubernetes-sigs/vsphere-csi-driver/issues/121 [2] https://github.com/kubernetes-sigs/cluster-api-provider-vsphere/blob/71c23168794bed7401ba96e6405ffabd4ebab3d1/packaging/flavorgen/flavors/crs/types/cloudprovider_encoding.go#L33

jsafrane commented 1 month ago

According to this PR [2] in cluster-api-provider-vsphere, it appears that only \ and " need to be escaped. Can you confirm if escaping just these characters is sufficient

It would be much better to document what are the escaping rules in the ini file. Backslash is a popular character in password or even in username.

bertinatto commented 1 month ago

/assign @divyenpatel

xing-yang commented 1 day ago

We added a note for special characters here: https://github.com/vmware-tanzu/velero-plugin-for-vsphere/blob/main/docs/vanilla.md#create-vc-credential-secret @divyenpatel Can we add a similar note in the vSphere CSI driver doc?