Adding regex validation for SSM parameters in nodeadm init command

Author: vikash-s1

internal/node/hybrid/validator.go

@@ -2,12 +2,19 @@ package hybrid
 
 import (
 	"fmt"
+	"regexp"
 	"strings"
 
 	"github.com/aws/eks-hybrid/internal/api"
 	"github.com/aws/eks-hybrid/internal/util/file"
 )
 
+const (
+	// https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreateActivation.html#systemsmanager-CreateActivation-response-ActivationId
+	ssmActivationIDPattern   = `^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`
+	ssmActivationCodePattern = `^.{20,250}$`
+)
+
 func extractFlagValue(args []string, flag string) string {
 	flagPrefix := "--" + flag + "="
 	var flagValue string
@@ -51,6 +58,26 @@ func (hnp *HybridNodeProvider) withHybridValidators() {
 			if cfg.Spec.Hybrid.SSM.ActivationID == "" {
 				return fmt.Errorf("ActivationID is missing in hybrid ssm configuration")
 			}
+
+			// Compile the activation code pattern
+			reCode, err := regexp.Compile(ssmActivationCodePattern)
+			if err != nil {
+				return fmt.Errorf("internal error: invalid ActivationCode pattern: %v", err)
+			}
+			// Check if ActivationCode matches the pattern
+			if !reCode.MatchString(cfg.Spec.Hybrid.SSM.ActivationCode) {
+				return fmt.Errorf("invalid ActivationCode format: %s. Must be 20-250 characters", cfg.Spec.Hybrid.SSM.ActivationCode)
+			}
+
+			// Compile the regex patterns
+			reID, err := regexp.Compile(ssmActivationIDPattern)
+			if err != nil {
+				return fmt.Errorf("internal error: invalid ActivationID pattern: %v", err)
+			}
+			// Check if ActivationID matches the pattern
+			if !reID.MatchString(cfg.Spec.Hybrid.SSM.ActivationID) {
+				return fmt.Errorf("invalid ActivationID format: %s. Must be in format: ^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", cfg.Spec.Hybrid.SSM.ActivationID)
+			}
 		}
 		return nil
 	}

internal/node/hybrid/validator_test.go

@@ -2,6 +2,7 @@ package hybrid_test
 
 import (
 	"os"
+	"strings"
 	"testing"
 
 	. "github.com/onsi/gomega"
@@ -195,6 +196,157 @@ func Test_HybridNodeProviderValidateConfig(t *testing.T) {
 			},
 			wantError: "hostname-override kubelet flag is not supported for hybrid nodes but found override: bad-config",
 		},
+		{
+			name: "invalid when both iamRoleAnywhere and ssm provided",
+			node: &api.NodeConfig{
+				Spec: api.NodeConfigSpec{
+					Cluster: api.ClusterDetails{
+						Region: "us-west-2",
+						Name:   "my-cluster",
+					},
+					Hybrid: &api.HybridOptions{
+						IAMRolesAnywhere: &api.IAMRolesAnywhere{
+							NodeName:        "my-node",
+							TrustAnchorARN:  "trust-anchor-arn",
+							ProfileARN:      "profile-arn",
+							RoleARN:         "role-arn",
+							CertificatePath: certPath,
+							PrivateKeyPath:  keyPath,
+						},
+						SSM: &api.SSM{
+							ActivationID:   "activation-id",
+							ActivationCode: "activation-code",
+						},
+					},
+				},
+			},
+			wantError: "Only one of IAMRolesAnywhere or SSM must be provided for hybrid node configuration",
+		},
+		{
+			name: "valid ssm activation code and activation id",
+			node: &api.NodeConfig{
+				Spec: api.NodeConfigSpec{
+					Cluster: api.ClusterDetails{
+						Region: "us-west-2",
+						Name:   "my-cluster",
+					},
+					Hybrid: &api.HybridOptions{
+						SSM: &api.SSM{
+							ActivationCode: "Fjz3/sZfSvv78EXAMPLE",
+							ActivationID:   "e488f2f6-e686-4afb-8a04-ef6dfabcdeff",
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "missing ssm activation code",
+			node: &api.NodeConfig{
+				Spec: api.NodeConfigSpec{
+					Cluster: api.ClusterDetails{
+						Region: "us-west-2",
+						Name:   "my-cluster",
+					},
+					Hybrid: &api.HybridOptions{
+						SSM: &api.SSM{
+							ActivationCode: "",
+							ActivationID:   "e488f2f6-e686-4afb-8a04-ef6dfabcdeff",
+						},
+					},
+				},
+			},
+			wantError: "ActivationCode is missing in hybrid ssm configuration",
+		},
+		{
+			name: "missing ssm activation id",
+			node: &api.NodeConfig{
+				Spec: api.NodeConfigSpec{
+					Cluster: api.ClusterDetails{
+						Region: "us-west-2",
+						Name:   "my-cluster",
+					},
+					Hybrid: &api.HybridOptions{
+						SSM: &api.SSM{
+							ActivationCode: "Fjz3/sZfSvv78EXAMPLE",
+							ActivationID:   "",
+						},
+					},
+				},
+			},
+			wantError: "ActivationID is missing in hybrid ssm configuration",
+		},
+		{
+			name: "invalid ssm activation code (too short)",
+			node: &api.NodeConfig{
+				Spec: api.NodeConfigSpec{
+					Cluster: api.ClusterDetails{
+						Region: "us-west-2",
+						Name:   "my-cluster",
+					},
+					Hybrid: &api.HybridOptions{
+						SSM: &api.SSM{
+							ActivationCode: "activation-code",
+							ActivationID:   "e488f2f6-e686-4afb-8a04-ef6dfabcdeff",
+						},
+					},
+				},
+			},
+			wantError: "invalid ActivationCode format: activation-code. Must be 20-250 characters",
+		},
+		{
+			name: "invalid ssm activation code (too long - 251 chars)",
+			node: &api.NodeConfig{
+				Spec: api.NodeConfigSpec{
+					Cluster: api.ClusterDetails{
+						Region: "us-west-2",
+						Name:   "my-cluster",
+					},
+					Hybrid: &api.HybridOptions{
+						SSM: &api.SSM{
+							ActivationCode: strings.Repeat("a", 251),
+							ActivationID:   "e488f2f6-e686-4afb-8a04-ef6dfabcdeff",
+						},
+					},
+				},
+			},
+			wantError: "invalid ActivationCode format: " + strings.Repeat("a", 251) + ". Must be 20-250 characters",
+		},
+		{
+			name: "invalid ssm activation id by length",
+			node: &api.NodeConfig{
+				Spec: api.NodeConfigSpec{
+					Cluster: api.ClusterDetails{
+						Region: "us-west-2",
+						Name:   "my-cluster",
+					},
+					Hybrid: &api.HybridOptions{
+						SSM: &api.SSM{
+							ActivationCode: "Fjz3/sZfSvv78EXAMPLE",
+							ActivationID:   "e488f2f6-e686-4afb-8a04-ef6dfabcdefff",
+						},
+					},
+				},
+			},
+			wantError: "invalid ActivationID format: e488f2f6-e686-4afb-8a04-ef6dfabcdefff. Must be in format: ^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
+		},
+		{
+			name: "invalid ssm activation id by characters",
+			node: &api.NodeConfig{
+				Spec: api.NodeConfigSpec{
+					Cluster: api.ClusterDetails{
+						Region: "us-west-2",
+						Name:   "my-cluster",
+					},
+					Hybrid: &api.HybridOptions{
+						SSM: &api.SSM{
+							ActivationCode: "Fjz3/sZfSvv78EXAMPLE",
+							ActivationID:   "e488f2f6-e686-4afb-8A04-ef6dfabcdefff",
+						},
+					},
+				},
+			},
+			wantError: "invalid ActivationID format: e488f2f6-e686-4afb-8A04-ef6dfabcdefff. Must be in format: ^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {