feat!: Support both inline and secret-ref based auth for http file rules (#270)

## Issue
Resolves
#263

## Description
- Adds an `Auth` struct which contains both a
`*BasicAuthSecretReference` and a `*BasicAuth`
- Modifies `Validate` func to take in a `map[string][]string` instead of
a `[][][]byte`. The key for the auth for each rule is the `rule.Name()`.
This addresses a TODO thats found in validatorctl:
https://github.com/validator-labs/validatorctl/blob/c7408a6254238c174deb005f4ac98c1ec2f25c99/pkg/components/validator.go#L450

Author: ahmad-ibra

.gitignore

@@ -1,4 +1,3 @@
-
 # Binaries for programs and plugins
 *.exe
 *.exe~
@@ -15,14 +14,17 @@ Dockerfile.cross
 *.out
 
 # Kubernetes Generated files - skip generated files, except for vendored files
-
 !vendor/**/zz_generated.*
 
-# editor and IDE paraphernalia
+# Editor and IDE paraphernalia
 .devspace
 .idea
 .vscode
 !.vscode/launch.json
 *.swp
 *.swo
 *~
+
+# Misc
+.DS_Store
+tmp/*

api/v1alpha1/networkvalidator_types.go

@@ -33,26 +33,32 @@ type NetworkValidatorSpec struct {
 	// +kubebuilder:validation:MaxItems=5
 	// +kubebuilder:validation:XValidation:message="DNSRules must have unique names",rule="self.all(e, size(self.filter(x, x.name == e.name)) == 1)"
 	DNSRules []DNSRule `json:"dnsRules,omitempty" yaml:"dnsRules,omitempty"`
+
 	// ICMPRules validate ICMP pings to network hosts
 	// +kubebuilder:validation:MaxItems=5
 	// +kubebuilder:validation:XValidation:message="ICMPRules must have unique names",rule="self.all(e, size(self.filter(x, x.name == e.name)) == 1)"
 	ICMPRules []ICMPRule `json:"icmpRules,omitempty" yaml:"icmpRules,omitempty"`
+
 	// IPRangeRules validate that all IPs in a given CIDR range are free (unallocated)
 	// +kubebuilder:validation:MaxItems=5
 	// +kubebuilder:validation:XValidation:message="IPRangeRules must have unique names",rule="self.all(e, size(self.filter(x, x.name == e.name)) == 1)"
 	IPRangeRules []IPRangeRule `json:"ipRangeRules,omitempty" yaml:"ipRangeRules,omitempty"`
+
 	// MTURules validate that the default NIC has an MTU of at least X, where X is the provided MTU
 	// +kubebuilder:validation:MaxItems=5
 	// +kubebuilder:validation:XValidation:message="MTURules must have unique names",rule="self.all(e, size(self.filter(x, x.name == e.name)) == 1)"
 	MTURules []MTURule `json:"mtuRules,omitempty" yaml:"mtuRules,omitempty"`
+
 	// TCPConnRules validate arbitrary TCP connections, including proxied connections
 	// +kubebuilder:validation:MaxItems=5
 	// +kubebuilder:validation:XValidation:message="TCPConnRules must have unique names",rule="self.all(e, size(self.filter(x, x.name == e.name)) == 1)"
 	TCPConnRules []TCPConnRule `json:"tcpConnRules,omitempty" yaml:"tcpConnRules,omitempty"`
+
 	// HTTPFileRules validate that files are available via HTTP HEAD requests
 	// +kubebuilder:validation:MaxItems=5
 	// +kubebuilder:validation:XValidation:message="HTTPFileRules must have unique names",rule="self.all(e, size(self.filter(x, x.name == e.name)) == 1)"
 	HTTPFileRules []HTTPFileRule `json:"httpFileRules,omitempty" yaml:"httpFileRules,omitempty"`
+
 	// CACerts allow additional CA certificates to be used for TLS. Applies to TCPConnRules and HTTPFileRules.
 	CACerts CACertificates `json:"caCerts,omitempty" yaml:"caCerts,omitempty"`
 }
@@ -76,6 +82,7 @@ type CACertificates struct {
 	// Certs is a list of certificates to use.
 	// +kubebuilder:validation:MaxItems=500
 	Certs []Certificate `json:"certs,omitempty" yaml:"certs,omitempty"`
+
 	// SecretRefs is a list of CA secret references to use.
 	// +kubebuilder:validation:MaxItems=500
 	SecretRefs []CASecretReference `json:"secretRefs,omitempty" yaml:"secretRefs,omitempty"`
@@ -100,6 +107,7 @@ type CASecretReference struct {
 	// Name is the name of the secret.
 	// +kubebuilder:validation:MinLength=1
 	Name string `json:"name" yaml:"name"`
+
 	// Key is the key in the secret data.
 	// +kubebuilder:validation:MinLength=1
 	Key string `json:"key" yaml:"key"`
@@ -187,6 +195,7 @@ type MTURule struct {
 	RuleName string `json:"name" yaml:"name"`
 	Host     string `json:"host" yaml:"host"`
 	MTU      int    `json:"mtu" yaml:"mtu"`
+
 	// Optionally specify the size in bytes of the packet headers for the MTU ping packet.
 	// This varies by medium, e.g. Ethernet, WiFi, etc.) and defaults to 28 bytes
 	// (20 bytes IP header + 8 bytes ICMP header)
@@ -214,9 +223,11 @@ type TCPConnRule struct {
 	RuleName string `json:"name" yaml:"name"`
 	Host     string `json:"host" yaml:"host"`
 	Ports    []int  `json:"ports" yaml:"ports"`
+
 	// InsecureSkipTLSVerify controls whether the HTTP client used validate the rule skips TLS certificate verification.
 	// Defaults to false.
 	InsecureSkipTLSVerify bool `json:"insecureSkipTlsVerify,omitempty" yaml:"insecureSkipTlsVerify,omitempty"`
+
 	// Timeout is the duration to wait, in seconds, for a connection to be established. Defaults to 5 seconds.
 	// +kubebuilder:default=5
 	Timeout int `json:"timeout,omitempty" yaml:"timeout,omitempty"`
@@ -241,11 +252,16 @@ type HTTPFileRule struct {
 	// RuleName is a unique identifier for the rule in the validator. Used to ensure conditions do not overwrite each other.
 	// +kubebuilder:validation:MaxLength=500
 	RuleName string `json:"name" yaml:"name"`
+
 	// Paths is a list of file paths to check. When performing HTTP requests, if any of the paths result in a non-200 OK response code, the rule fails validation.
 	// +kubebuilder:validation:MaxItems=1000
 	Paths []string `json:"paths" yaml:"paths"`
-	// AuthSecretRef is an optional basic auth secret reference.
-	AuthSecretRef *BasicAuthSecretReference `json:"authSecretRef,omitempty" yaml:"authSecretRef,omitempty"`
+
+	// Auth contains optional basic authentication details.
+	// If a SecretRef is provided, the secret is used to retrieve the credentials and the inline auth is ignored.
+	// If a SecretRef is not provided but Basic is, the inline credentials within Basic are used directly.
+	Auth Auth `json:"auth,omitempty" yaml:"auth,omitempty"`
+
 	// InsecureSkipTLSVerify controls whether the HTTP client used validate the rule skips TLS certificate verification.
 	// Defaults to false.
 	InsecureSkipTLSVerify bool `json:"insecureSkipTlsVerify,omitempty" yaml:"insecureSkipTlsVerify,omitempty"`
@@ -263,19 +279,41 @@ func (r *HTTPFileRule) SetName(name string) {
 	r.RuleName = name
 }
 
+// Auth contains optional basic authentication details.
+type Auth struct {
+	// SecretRef is an optional basic auth secret reference.
+	SecretRef *BasicAuthSecretReference `json:"secretRef,omitempty" yaml:"secretRef,omitempty"`
+
+	// Basic provides optional basic auth credentials inline.
+	Basic *BasicAuth `json:"basic,omitempty" yaml:"basic,omitempty"`
+}
+
 // BasicAuthSecretReference is a reference to a secret containing HTTP basic authentication credentials.
 type BasicAuthSecretReference struct {
 	// Name is the name of the secret.
 	// +kubebuilder:validation:MinLength=1
 	Name string `json:"name" yaml:"name"`
+
 	// UsernameKey is the username key in the secret data.
 	// +kubebuilder:validation:MinLength=1
 	UsernameKey string `json:"usernameKey" yaml:"usernameKey"`
+
 	// PasswordKey is the password key in the secret data.
 	// +kubebuilder:validation:MinLength=1
 	PasswordKey string `json:"passwordKey" yaml:"passwordKey"`
 }
 
+// BasicAuth contains basic authentication credentials.
+type BasicAuth struct {
+	// Username is the username used to authenticate to the OCI Registry.
+	// +kubebuilder:validation:MinLength=1
+	Username string `json:"username" yaml:"username"`
+
+	// Password is the password used to authenticate to the OCI Registry.
+	// +kubebuilder:validation:MinLength=1
+	Password string `json:"password" yaml:"password"`
+}
+
 // Keys returns the keys in a BasicAuthSecretReference.
 func (r BasicAuthSecretReference) Keys() []string {
 	return []string{r.UsernameKey, r.PasswordKey}
@@ -323,3 +361,20 @@ type NetworkValidatorList struct {
 func init() {
 	SchemeBuilder.Register(&NetworkValidator{}, &NetworkValidatorList{})
 }
+
+// HTTPFileAuthBytesDirect converts all of the inline basic authentication details in a NetworkValidatorSpec
+// to a map of rule names to basic auth details.
+func (s *NetworkValidatorSpec) HTTPFileAuthBytesDirect() map[string][]string {
+	auths := make(map[string][]string)
+	for _, rule := range s.HTTPFileRules {
+		if rule.Auth.Basic == nil {
+			continue
+		}
+
+		auths[rule.Name()] = []string{
+			rule.Auth.Basic.Username,
+			rule.Auth.Basic.Password,
+		}
+	}
+	return auths
+}

api/v1alpha1/networkvalidator_types_test.go

@@ -0,0 +1,91 @@
+package v1alpha1
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestHTTPFileAuthBytesDirect(t *testing.T) {
+	tests := []struct {
+		name     string
+		spec     NetworkValidatorSpec
+		expected map[string][]string
+	}{
+		{
+			name: "No HTTPFileRules",
+			spec: NetworkValidatorSpec{
+				HTTPFileRules: []HTTPFileRule{},
+			},
+			expected: map[string][]string{},
+		},
+		{
+			name: "HTTPFileRule without basic auth",
+			spec: NetworkValidatorSpec{
+				HTTPFileRules: []HTTPFileRule{
+					{
+						RuleName: "rule1",
+					},
+				},
+			},
+			expected: map[string][]string{},
+		},
+		{
+			name: "Single HTTPFileRule with basic auth",
+			spec: NetworkValidatorSpec{
+				HTTPFileRules: []HTTPFileRule{
+					{
+						RuleName: "rule1",
+						Auth: Auth{
+							Basic: &BasicAuth{
+								Username: "user1",
+								Password: "pass1",
+							},
+						},
+					},
+				},
+			},
+			expected: map[string][]string{
+				"rule1": {"user1", "pass1"},
+			},
+		},
+		{
+			name: "Multiple HTTPFileRules with and without basic auth",
+			spec: NetworkValidatorSpec{
+				HTTPFileRules: []HTTPFileRule{
+					{
+						RuleName: "rule1",
+						Auth: Auth{
+							Basic: &BasicAuth{
+								Username: "user1",
+								Password: "pass1",
+							},
+						},
+					},
+					{
+						RuleName: "rule2",
+						Auth: Auth{
+							Basic: &BasicAuth{
+								Username: "user2",
+								Password: "pass2",
+							},
+						},
+					},
+					{
+						RuleName: "rule3",
+					},
+				},
+			},
+			expected: map[string][]string{
+				"rule1": {"user1", "pass1"},
+				"rule2": {"user2", "pass2"},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			actual := tt.spec.HTTPFileAuthBytesDirect()
+			assert.Equal(t, tt.expected, actual)
+		})
+	}
+}