Merge pull request #183 from stefankonig/checkValidBase64Cert

Check whether provided base64 encoded data in KubeConfig is valid
renoki-co · Dec 31, 2021 · 09b15a5 · 09b15a5
2 parents 9f72121 + 9edef5f
commit 09b15a5
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 1 deletion.
diff --git a/src/Exceptions/KubeConfigBaseEncodedDataInvalid.php b/src/Exceptions/KubeConfigBaseEncodedDataInvalid.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace RenokiCo\PhpK8s\Exceptions;
+
+class KubeConfigBaseEncodedDataInvalid extends PhpK8sException
+{
+    //
+}
diff --git a/src/Traits/Cluster/LoadsFromKubeConfig.php b/src/Traits/Cluster/LoadsFromKubeConfig.php
@@ -4,6 +4,7 @@
 
 use Exception;
 use Illuminate\Support\Arr;
+use RenokiCo\PhpK8s\Exceptions\KubeConfigBaseEncodedDataInvalid;
 use RenokiCo\PhpK8s\Exceptions\KubeConfigClusterNotFound;
 use RenokiCo\PhpK8s\Exceptions\KubeConfigContextNotFound;
 use RenokiCo\PhpK8s\Exceptions\KubeConfigUserNotFound;
@@ -219,7 +220,13 @@ protected function writeTempFileForContext(string $context, string $fileName, st
             return $tempFilePath;
         }
 
-        if (file_put_contents($tempFilePath, base64_decode($contents, true)) === false) {
+        $decodedContents = base64_decode($contents, true);
+
+        if ($decodedContents === false) {
+            throw new KubeConfigBaseEncodedDataInvalid("Failed to decode base64-encoded data for: {$fileName}");
+        }
+
+        if (file_put_contents($tempFilePath, $decodedContents) === false) {
             throw new Exception("Failed to write content to temp file: {$tempFilePath}");
         }
 

diff --git a/tests/KubeConfigTest.php b/tests/KubeConfigTest.php
@@ -2,6 +2,7 @@
 
 namespace RenokiCo\PhpK8s\Test;
 
+use RenokiCo\PhpK8s\Exceptions\KubeConfigBaseEncodedDataInvalid;
 use RenokiCo\PhpK8s\Exceptions\KubeConfigClusterNotFound;
 use RenokiCo\PhpK8s\Exceptions\KubeConfigContextNotFound;
 use RenokiCo\PhpK8s\Exceptions\KubeConfigUserNotFound;
@@ -157,6 +158,13 @@ public function test_kube_config_from_yaml_cannot_load_if_wrong_context()
         KubernetesCluster::fromKubeConfigYamlFile(__DIR__.'/cluster/kubeconfig.yaml', 'inexistent-context');
     }
 
+    public function test_kube_config_from_yaml_invalid_base64_ca()
+    {
+        $this->expectException(KubeConfigBaseEncodedDataInvalid::class);
+
+        KubernetesCluster::fromKubeConfigYamlFile(__DIR__.'/cluster/kubeconfig.yaml', 'minikube-invalid-base64-ca');
+    }
+
     public function test_http_authentication()
     {
         $cluster = KubernetesCluster::fromUrl('http://127.0.0.1:8080')->httpAuthentication('some-user', 'some-password');

diff --git a/tests/cluster/kubeconfig.yaml b/tests/cluster/kubeconfig.yaml
@@ -13,6 +13,10 @@ clusters:
     server: https://minikube-2:8443
     insecure-skip-tls-verify: true
   name: minikube-skip-tls
+- cluster:
+    certificate-authority-data: c29tZS1j1YQo= # invalid base64
+    server: https://minikube:8443
+  name: minikube-invalid-base64-ca
 contexts:
 - context:
     cluster: minikube
@@ -39,6 +43,11 @@ contexts:
     user: no-user
   name: minikube-without-user
   namespace: some-namespace
+- context:
+    cluster: minikube-invalid-base64-ca
+    user: minikube
+  name: minikube-invalid-base64-ca
+  namespace: some-namespace
 current-context: minikube
 kind: Config
 preferences: {}