Add GCP validation

Signed-off-by: Keegan Witt <keeganwitt@gmail.com>

pkg/server/plugin/keymanager/gcpkms/gcpkms.go

@@ -11,9 +11,12 @@ import (
 	"fmt"
 	"hash/crc32"
 	"os"
+	"regexp"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
+	"unicode"
 
 	"cloud.google.com/go/iam"
 	"cloud.google.com/go/iam/apiv1/iampb"
@@ -1126,10 +1129,32 @@ func parseAndValidateConfig(c string) (*Config, error) {
 	if config.KeyMetadataFile != "" && config.KeyIdentifierFile != "" {
 		return nil, status.Error(codes.InvalidArgument, "configuration must not contain both 'key_identifier_file' and deprecated 'key_metadata_file'")
 	}
+	if config.KeyIdentifierValue != "" {
+		if !validateCharacters(config.KeyIdentifierValue) {
+			return nil, status.Error(codes.InvalidArgument, "Key identifier must contain only alphanumeric characters, underscores (_), and dashes (-)")
+		}
+		if !unicode.IsLetter(rune(config.KeyIdentifierValue[0])) {
+			return nil, status.Error(codes.InvalidArgument, "Key identifier must start with a letter character")
+		}
+		if len(config.KeyIdentifierValue) > 63 {
+			return nil, status.Error(codes.InvalidArgument, "Key identifier must not be longer than 63 characters")
+		}
+	}
 
 	return config, nil
 }
 
+func validateCharacters(str string) bool {
+	re := regexp.MustCompile("[0-9_-]")
+	for _, r := range str {
+		s := strconv.QuoteRune(r)
+		if !unicode.IsLetter(r) && !re.MatchString(s) {
+			return false
+		}
+	}
+	return true
+}
+
 // parsePolicyFile parses a file containing iam.Policy3 data in JSON format.
 func parsePolicyFile(policyFile string) (*iam.Policy3, error) {
 	policyBytes, err := os.ReadFile(policyFile)

pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go

@@ -265,6 +265,24 @@ func TestConfigure(t *testing.T) {
 			expectMsg:        "configuration must not contain both 'key_identifier_file' and deprecated 'key_metadata_file'",
 			expectCode:       codes.InvalidArgument,
 		},
+		{
+			name:             "key metadata value invalid character",
+			configureRequest: configureRequestWithString(fmt.Sprintf(`{"access_key_id":"access_key_id","secret_access_key":"secret_access_key","region":"region","key_identifier_value":"key_identifier_value@","key_policy_file":"","key_ring":"%s"}`, validKeyRing)),
+			expectMsg:        "Key identifier must contain only alphanumeric characters, underscores (_), and dashes (-)",
+			expectCode:       codes.InvalidArgument,
+		},
+		{
+			name:             "key metadata value too long",
+			configureRequest: configureRequestWithString(fmt.Sprintf(`{"access_key_id":"access_key_id","secret_access_key":"secret_access_key","region":"region","key_identifier_value":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","key_policy_file":"","key_ring":"%s"}`, validKeyRing)),
+			expectMsg:        "Key identifier must not be longer than 63 characters",
+			expectCode:       codes.InvalidArgument,
+		},
+		{
+			name:             "key metadata value starts with non alphabetic character",
+			configureRequest: configureRequestWithString(fmt.Sprintf(`{"access_key_id":"access_key_id","secret_access_key":"secret_access_key","region":"region","key_identifier_value":"0_key_identifier_value","key_policy_file":"","key_ring":"%s"}`, validKeyRing)),
+			expectMsg:        "Key identifier must start with a letter character",
+			expectCode:       codes.InvalidArgument,
+		},
 		{
 			name: "custom policy file does not exist",
 			config: &Config{
@@ -1737,7 +1755,8 @@ func configureRequestWithDefaults(t *testing.T) *configv1.ConfigureRequest {
 
 func configureRequestWithString(config string) *configv1.ConfigureRequest {
 	return &configv1.ConfigureRequest{
-		HclConfiguration: config,
+		HclConfiguration:  config,
+		CoreConfiguration: &configv1.CoreConfiguration{TrustDomain: "test.example.org"},
 	}
 }