add tests and correct regex for assume role session name

zac-nixon · zac-nixon · commit db09cb9d010d · 2025-01-17T12:28:29.000-08:00
diff --git a/pkg/aws/cloud.go b/pkg/aws/cloud.go
@@ -6,7 +6,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/cache"
 	"net"
 	"os"
-	"regexp"
 	"strings"
 	"sync"
 	"time"
@@ -40,8 +39,6 @@ const (
 	cacheTTLBufferTime = 30 * time.Second
 )
 
-var illegalValuesInSessionName = regexp.MustCompile(`[^a-zA-Z0-9=,.@-]+`)
-
 // NewCloud constructs new Cloud implementation.
 func NewCloud(cfg CloudConfig, clusterName string, metricsCollector *aws_metrics.Collector, logger logr.Logger, awsClientsProvider provider.AWSClientsProvider) (services.Cloud, error) {
 	hasIPv4 := true
@@ -261,7 +258,7 @@ func (c *defaultCloud) GetAssumedRoleELBV2(ctx context.Context, assumeRoleArn st
 	sourceAccount := sts.NewFromConfig(*existingAwsConfig)
 	response, err := sourceAccount.AssumeRole(ctx, &sts.AssumeRoleInput{
 		RoleArn:         aws.String(assumeRoleArn),
-		RoleSessionName: aws.String(c.makeClusterNameSessionNameSafe()),
+		RoleSessionName: aws.String(generateAssumeRoleSessionName(c.clusterName)),
 		ExternalId:      aws.String(externalId),
 	})
 	if err != nil {
@@ -286,11 +283,6 @@ func (c *defaultCloud) GetAssumedRoleELBV2(ctx context.Context, assumeRoleArn st
 	return elbv2WithAssumedRole, nil
 }
 
-func (c *defaultCloud) makeClusterNameSessionNameSafe() string {
-	safeClusterName := illegalValuesInSessionName.ReplaceAllString(c.clusterName, "")
-	return fmt.Sprintf("AWS-LBC-%s", safeClusterName)
-}
-
 func (c *defaultCloud) EC2() services.EC2 {
 	return c.ec2
 }
diff --git a/pkg/aws/cloud_util.go b/pkg/aws/cloud_util.go
@@ -0,0 +1,25 @@
+package aws
+
+import (
+	"fmt"
+	"regexp"
+)
+
+const (
+	sessionNamePrefix    = "AWS-LBC-"
+	maxSessionNameLength = 2047
+)
+
+var illegalValuesInSessionName = regexp.MustCompile(`[^a-zA-Z0-9=,.@\-_]+`)
+
+func generateAssumeRoleSessionName(clusterName string) string {
+	safeClusterName := illegalValuesInSessionName.ReplaceAllString(clusterName, "")
+
+	sessionName := fmt.Sprintf("%s%s", sessionNamePrefix, safeClusterName)
+
+	if len(sessionName) > maxSessionNameLength {
+		return sessionName[:maxSessionNameLength]
+	}
+
+	return sessionName
+}
diff --git a/pkg/aws/cloud_util_test.go b/pkg/aws/cloud_util_test.go
@@ -0,0 +1,42 @@
+package aws
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestUpdateTrackedTargets(t *testing.T) {
+	testCases := []struct {
+		name                string
+		clusterName         string
+		expectedSessionName string
+	}{
+		{
+			name:                "no mods",
+			clusterName:         "my-cluster-name",
+			expectedSessionName: "AWS-LBC-my-cluster-name",
+		},
+		{
+			name:                "mix lower and upper case",
+			clusterName:         "My-ClUsTeR-name",
+			expectedSessionName: "AWS-LBC-My-ClUsTeR-name",
+		},
+		{
+			name:                "with legal characters",
+			clusterName:         "my_cluster-name=foo,something@here.",
+			expectedSessionName: "AWS-LBC-my_cluster-name=foo,something@here.",
+		},
+		{
+			name:                "with illegal characters",
+			clusterName:         "my&*&*cluster()!(&name",
+			expectedSessionName: "AWS-LBC-myclustername",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := generateAssumeRoleSessionName(tc.clusterName)
+			assert.Equal(t, tc.expectedSessionName, result)
+		})
+	}
+}
