Merge pull request #145 from bcgov/dev

ikethecoder · web-flow · commit 716ce7b86a8a · 2025-02-11T15:01:57.000-08:00
allow exact match upstream host validation (#143)
diff --git a/.github/workflows/pr-reminder.yaml b/.github/workflows/pr-reminder.yaml
@@ -1,7 +1,7 @@
 name: 'Send review reminders'
 on:
   schedule:
-    - cron: '30 8 * * 1,2,3,4,5' # Scheduled to run at 1:30 AM, weekdays
+    - cron: '30 13 * * 1,2,3,4,5' # Scheduled to run at 5:30 AM PST, weekdays
 
 jobs:
   remind:
diff --git a/microservices/gatewayApi/tests/utils/test_validate_upstream.py b/microservices/gatewayApi/tests/utils/test_validate_upstream.py
@@ -137,6 +137,17 @@ def test_upstream_pass_validation(app):
 
     validate_upstream (y, { "perm-upstreams": ["my-namespace"]}, [], True) 
 
+def test_upstream_pass_validation_exact_match(app):
+    payload = '''
+services:
+  - name: my-service
+    tags: ["ns.mytest", "another"]
+    host: 192.168.1.1
+'''
+    y = yaml.load(payload, Loader=yaml.FullLoader)
+
+    validate_upstream (y, { "perm-upstreams": ["192.168.1.1"]}, [], True) 
+
 def test_upstream_fail_validation(app):
     payload = '''
 services:
diff --git a/microservices/gatewayApi/utils/validators.py b/microservices/gatewayApi/utils/validators.py
@@ -52,7 +52,7 @@ def validate_upstream_host(_host, errors, allow_protected_ns, protected_kube_nam
 
     if host in restricted:
         errors.append("service upstream is invalid (e1)")
-    elif host.endswith('svc'):
+    elif host.endswith('.svc'):
         partials = host.split('.')
         # get the namespace, and make sure it is not in the protected_kube_namespaces list
         if len(partials) != 3:
@@ -61,7 +61,7 @@ def validate_upstream_host(_host, errors, allow_protected_ns, protected_kube_nam
             errors.append("service upstream is invalid (e3)")
         elif do_validate_upstreams and (partials[1] in perm_upstreams) is False:
             errors.append("service upstream is invalid (e6)")
-    elif host.endswith('svc.cluster.local'):
+    elif host.endswith('.svc.cluster.local'):
         partials = host.split('.')
         # get the namespace, and make sure it is not in the protected_kube_namespaces list
         if len(partials) != 5:
@@ -70,5 +70,5 @@ def validate_upstream_host(_host, errors, allow_protected_ns, protected_kube_nam
             errors.append("service upstream is invalid (e5)")
         elif do_validate_upstreams and (partials[1] in perm_upstreams) is False:
             errors.append("service upstream is invalid (e6)")
-    elif do_validate_upstreams:
+    elif do_validate_upstreams and (host in perm_upstreams) is False:
         errors.append("service upstream is invalid (e6)")
