Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

validate secrets only with text #2574

Merged
merged 1 commit into from
Oct 25, 2023
Merged

validate secrets only with text #2574

merged 1 commit into from
Oct 25, 2023

Conversation

strehle
Copy link
Member

@strehle strehle commented Oct 25, 2023

This fixes client creation rest call with empty secret.
Empty client secret is allowed via YAML setting already, but
in a REST call there is an error:
Client Secret must be at least 1 characters in length.

Why this occurs: There is a policy validator for user and client
policy validation.

For users, a minimum of 1 char for a password might be ok,
for a client not. A secret can be empty.

Before 76.22.0 a missing secret in a client creation call was defaulted
to an empty secret, but with #2455
this was fixed. The fix prevented the creation with an empty secret.

Therefore, this here is a fix for a regression introduced with 76.22.0.
It simply prevents the policy validation if the secret is without text
(null or empty).

Fix for issue #2570

@cf-gitbot
Copy link

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/186329816

The labels on this github issue will be updated when the story is started.

@peterhaochen47
Copy link
Member

peterhaochen47 commented Oct 25, 2023

@strehle In #2570, you mentioned that the empty string client secret is not allowed in API because of this code. So I'm a little confused on why this PR would solve your problem without touching that code?

@strehle
Copy link
Member Author

strehle commented Oct 25, 2023

@strehle In #2570, you mentioned that the empty string client secret is not allowed in API because of this code. So I'm a little confused on why this PR would solve your problem without touching that code?

With this PR we do not reach this code

Copy link
Member

@peterhaochen47 peterhaochen47 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The general approach is fine.

Please rewrite the commit to include all the context/motivations behind the change such that future developers would understand why the change was made.

This fixes client creation rest call with empty secret.
Empty client secret is allowed via YAML setting already, but
in a REST call there is an error:
Client Secret must be at least 1 characters in length.

Why this occurs: There is a policy validator for user and client
policy validation.

For users, a minimum of 1 char for a password might be ok,
for a client not. A secret can be empty.

Before 76.22.0 a missing secret in a client creation call was defaulted
to an empty secret, but with #2455
this was fixed. The fix prevented the creation with an empty secret.

Therefore, this here is a fix for a regression introduced with 76.22.0.
It simply prevents the policy validation if the secret is without text
(null or empty).
@strehle strehle force-pushed the fix/issue/2570-allowempty branch from 8edebb4 to 1b1bff7 Compare October 25, 2023 18:28
@strehle strehle merged commit 276a98e into develop Oct 25, 2023
18 checks passed
@strehle strehle deleted the fix/issue/2570-allowempty branch October 25, 2023 20:10
@cf-gitbot cf-gitbot added delivered accepted Accepted the issue and removed delivered labels Nov 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
accepted Accepted the issue
Projects
Development

Successfully merging this pull request may close these issues.

Create client with empty secret is not possible
3 participants