Merge pull request kubernetes-sigs#1216 from kishorj/newline_dev

Strip trailing newlines from OIDC clientId

Author: k8s-ci-robot

internal/ingress/auth/auth.go

@@ -3,6 +3,8 @@ package auth
 import (
 	"context"
 	"fmt"
+	"strings"
+	"unicode"
 
 	"github.com/aws/aws-sdk-go/service/elbv2"
 	"github.com/kubernetes-sigs/aws-alb-ingress-controller/internal/ingress/annotations"
@@ -118,7 +120,6 @@ func (m *defaultModule) NewConfig(ctx context.Context, ingress *extensions.Ingre
 	if _, err := annotations.LoadInt64Annotation(AnnotationAuthSessionTimeout, &cfg.SessionTimeout, serviceAnnos, ingressAnnos); err != nil {
 		return Config{}, err
 	}
-
 	switch cfg.Type {
 	case TypeCognito:
 		{
@@ -163,7 +164,7 @@ func (m *defaultModule) loadIDPOIDC(ctx context.Context, idpOIDC *IDPOIDC, names
 	if err := m.cache.Get(ctx, secretKey, &k8sSecret); err != nil {
 		return true, errors.Wrapf(err, "failed to load k8s secret: %v", secretKey)
 	}
-	clientId := string(k8sSecret.Data["clientId"])
+	clientId := strings.TrimRightFunc(string(k8sSecret.Data["clientId"]), unicode.IsSpace)
 	clientSecret := string(k8sSecret.Data["clientSecret"])
 	*idpOIDC = IDPOIDC{
 		AuthenticationRequestExtraParams: annoIDPOIDC.AuthenticationRequestExtraParams,

internal/ingress/auth/auth_test.go

@@ -211,6 +211,59 @@ func TestDefaultModule_NewConfig(t *testing.T) {
 				OnUnauthenticatedRequest: DefaultAuthOnUnauthenticatedRequest,
 			},
 		},
+		{
+			name: "service use oidc auth clientId with trailing whitespaces",
+			ingress: &extensions.Ingress{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "namespace",
+					Name:      "ingress",
+				},
+			},
+			backend: extensions.IngressBackend{
+				ServiceName: "service",
+				ServicePort: intstr.FromInt(80),
+			},
+			service: &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "namespace",
+					Name:      "service",
+					Annotations: map[string]string{
+						parser.GetAnnotationWithPrefix(AnnotationAuthType):    "oidc",
+						parser.GetAnnotationWithPrefix(AnnotationAuthIDPOIDC): "{\"Issuer\": \"Issuer\",\"AuthorizationEndpoint\": \"AuthorizationEndpoint\",\"TokenEndpoint\": \"TokenEndpoint\",\"UserInfoEndpoint\": \"UserInfoEndpoint\",\"SecretName\": \"oidc-secret\",\"AuthenticationRequestExtraParams\": { \"param1\": \"value1\",\"param2\": \"value2\"}}",
+					},
+				},
+			},
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "namespace",
+					Name:      "oidc-secret",
+				},
+				Data: map[string][]byte{
+					"clientId":     []byte("clientId\t \n"),
+					"clientSecret": []byte("clientSecret"),
+				},
+			},
+			protocol: "HTTPS",
+			expectedAuthCfg: Config{
+				Type: TypeOIDC,
+				IDPOIDC: IDPOIDC{
+					Issuer:                "Issuer",
+					AuthorizationEndpoint: "AuthorizationEndpoint",
+					AuthenticationRequestExtraParams: AuthenticationRequestExtraParams{
+						"param1": "value1",
+						"param2": "value2",
+					},
+					TokenEndpoint:    "TokenEndpoint",
+					UserInfoEndpoint: "UserInfoEndpoint",
+					ClientId:         "clientId",
+					ClientSecret:     "clientSecret",
+				},
+				Scope:                    DefaultAuthScope,
+				SessionCookie:            DefaultAuthSessionCookie,
+				SessionTimeout:           DefaultAuthSessionTimeout,
+				OnUnauthenticatedRequest: DefaultAuthOnUnauthenticatedRequest,
+			},
+		},
 		{
 			name: "service use oidc auth",
 			ingress: &extensions.Ingress{