From 3b6d13cea803f880b40a9dd4a394a8bcf8c83a4c Mon Sep 17 00:00:00 2001
From: Pavel Tankov <4014969+ptankov@users.noreply.github.com>
Date: Fri, 4 Aug 2023 00:04:00 +0300
Subject: [PATCH 1/3] adding password leak check in demand-backup, init-deploy, monitoring-2-0

---
 e2e-tests/demand-backup/run  |  3 +++
 e2e-tests/functions          | 42 ++++++++++++++++++++++++++++++++++++
 e2e-tests/init-deploy/run    |  3 +++
 e2e-tests/monitoring-2-0/run |  3 +++
 4 files changed, 51 insertions(+)

diff --git a/e2e-tests/demand-backup/run b/e2e-tests/demand-backup/run
index 4579fc149e..330ea6780d 100755
--- a/e2e-tests/demand-backup/run
+++ b/e2e-tests/demand-backup/run
@@ -180,6 +180,9 @@ if [ -z "$SKIP_BACKUPS_TO_AWS_GCP_AZURE" ]; then
 	check_backup_deletion "https://engk8soperators.blob.core.windows.net/operator-testing/${backup_dest_azure}" "azure-blob"
 fi
 
+desc 'check for passwords leak'
+check_passwords_leak
+
 destroy $namespace
 
 desc 'test passed'
diff --git a/e2e-tests/functions b/e2e-tests/functions
index 309477a714..be7a0cdc5d 100755
--- a/e2e-tests/functions
+++ b/e2e-tests/functions
@@ -1217,3 +1217,45 @@ function get_mongod_ver_from_image() {
 	fi
 	echo ${version_info}
 }
+
+check_passwords_leak() {
+	secrets=$(kubectl_bin get secrets -o json | jq -r '.items[].data | to_entries | .[] | select(.key | (contains("_PASSWORD"))) | .value')
+	echo secrets=$secrets
+
+	passwords="$(for i in $secrets; do base64 -d <<< $i; echo; done) $secrets"
+	echo passwords=$passwords
+
+	pods=$(kubectl_bin get pods -o name | awk -F "/" '{print $2}')
+	echo pods=$pods
+
+	TEMP_DIR=$(mktemp -d)
+
+	collect_logs() {
+		NS=$1
+		for p in $pods; do
+			containers=$(kubectl_bin -n "$NS" get pod $p -o jsonpath='{.spec.containers[*].name}')
+			for c in $containers; do
+				# temporary, because of: https://jira.percona.com/browse/PMM-8357
+				if [[ ${c,,} =~ "pmm" ]]; then
+					continue
+				fi
+				kubectl_bin -n "$NS" logs $p -c $c > ${TEMP_DIR}/logs_output-$p-$c.txt
+				echo logs saved in: ${TEMP_DIR}/logs_output-$p-$c.txt
+				for pass in $passwords; do
+					count=$(grep -c --fixed-strings -- "$pass" ${TEMP_DIR}/logs_output-$p-$c.txt || :)
+					if [[ $count != 0 ]]; then
+						echo leaked passwords are found in log ${TEMP_DIR}/logs_output-$p-$c.txt
+						false
+					fi
+				done
+			done
+			echo
+		done
+	}
+
+	collect_logs $namespace
+	if [ -n "$OPERATOR_NS" ]; then
+		pods=$(kubectl_bin -n "${OPERATOR_NS}" get pods -o name | awk -F "/" '{print $2}')
+		collect_logs $OPERATOR_NS
+	fi
+}
\ No newline at end of file
diff --git a/e2e-tests/init-deploy/run b/e2e-tests/init-deploy/run
index 42eb32c30f..9e1f954e90 100755
--- a/e2e-tests/init-deploy/run
+++ b/e2e-tests/init-deploy/run
@@ -97,6 +97,9 @@ compare_mongo_cmd "find" "myApp:myPass@$cluster2-0.$cluster2.$namespace" "-3rd"
 compare_mongo_cmd "find" "myApp:myPass@$cluster2-1.$cluster2.$namespace" "-3rd"
 compare_mongo_cmd "find" "myApp:myPass@$cluster2-2.$cluster2.$namespace" "-3rd"
 
+desc 'check for passwords leak'
+check_passwords_leak
+
 desc 'delete custom RuntimeClass'
 kubectl_bin delete -f "$conf_dir/container-rc.yaml"
 destroy $namespace
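Review bot: `echo secrets=$secrets` and `echo passwords=$passwords` near the top of check_passwords_leak print every collected credential, base64 and decoded, to the test's own stdout, so the leak check itself writes the passwords into the CI log; drop both lines or print only a count, e.g. `echo "collected $(wc -w <<< "$secrets") password secret(s)"`. `for pass in $passwords` also word-splits and glob-expands the decoded values, so a password containing a space or a shell metacharacter is searched for only in fragments; collecting the values into an array line by line keeps each one intact, but then an empty decoded value must be skipped because `grep -c -- ""` matches every line. The container list is built from `.spec.containers` only, so init containers are never scanned; `jsonpath='{.spec.initContainers[*].name} {.spec.containers[*].name}'` covers both, since `kubectl logs -c` accepts init container names. `false` on a hit only fails the test when the caller runs with errexit, which is not visible here; `return 1` would make the failure explicit. The `TEMP_DIR` log dumps are never removed, which is presumably intentional for debugging but leaves full container logs on the runner after the test.
```shell
	# … unchanged: secrets= (jq over the _PASSWORD keys) …
	mapfile -t passwords < <(
		for i in $secrets; do base64 -d <<< "$i"; echo; done
		printf '%s\n' $secrets
	)
	# … unchanged: pods=, TEMP_DIR=, collect_logs() up to the per-container log dump …
				for pass in "${passwords[@]}"; do
					[[ -n "$pass" ]] || continue
					count=$(grep -c --fixed-strings -- "$pass" ${TEMP_DIR}/logs_output-$p-$c.txt || :)
	# … unchanged: rest of collect_logs and the namespace loop …
```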
diff --git a/e2e-tests/monitoring-2-0/run b/e2e-tests/monitoring-2-0/run
index 40ade03dbb..548716d361 100755
--- a/e2e-tests/monitoring-2-0/run
+++ b/e2e-tests/monitoring-2-0/run
@@ -91,6 +91,9 @@ if [[ -n ${OPENSHIFT} ]]; then
 	oc adm policy remove-scc-from-user privileged -z percona-server-mongodb-operator
 fi
 
+desc 'check for passwords leak'
+check_passwords_leak
+
 helm uninstall monitoring
 destroy $namespace
 

From 7ce90dd38fd0dde8cd65d4124b682093cb12880f Mon Sep 17 00:00:00 2001
From: Tomislav Plavcic
Date: Sat, 5 Aug 2023 15:16:35 +0200
Subject: [PATCH 2/3] CLOUD-789 - Add password leak check into demand-backup-sharded test

---
 e2e-tests/demand-backup-sharded/run | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/e2e-tests/demand-backup-sharded/run b/e2e-tests/demand-backup-sharded/run
index 49c7ad4cd0..058df83c1a 100755
--- a/e2e-tests/demand-backup-sharded/run
+++ b/e2e-tests/demand-backup-sharded/run
@@ -176,5 +176,8 @@ if [ -z "$SKIP_BACKUPS_TO_AWS_GCP_AZURE" ]; then
 	check_backup_deletion "https://engk8soperators.blob.core.windows.net/operator-testing/${backup_dest_azure}" "azure-blob"
 fi
 
+desc 'check for passwords leak'
+check_passwords_leak
+
 kubectl_bin delete -f "$conf_dir/container-rc.yaml"
 destroy "$namespace"

From d247c49883bcd9d0bc5fad76bc10861679ee3ae7 Mon Sep 17 00:00:00 2001
From: Tomislav Plavcic
Date: Sat, 5 Aug 2023 17:06:57 +0200
Subject: [PATCH 3/3] Remove bash to lowercase conversion so it works on older bash

---
 e2e-tests/functions | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/e2e-tests/functions b/e2e-tests/functions
index be7a0cdc5d..3384eb2573 100755
--- a/e2e-tests/functions
+++ b/e2e-tests/functions
@@ -1236,7 +1236,7 @@ check_passwords_leak() {
 			containers=$(kubectl_bin -n "$NS" get pod $p -o jsonpath='{.spec.containers[*].name}')
 			for c in $containers; do
 				# temporary, because of: https://jira.percona.com/browse/PMM-8357
-				if [[ ${c,,} =~ "pmm" ]]; then
+				if [[ ${c} =~ "pmm" ]]; then
 					continue
 				fi
 				kubectl_bin -n "$NS" logs $p -c $c > ${TEMP_DIR}/logs_output-$p-$c.txt
@@ -1258,4 +1258,4 @@ check_passwords_leak() {
 		pods=$(kubectl_bin -n "${OPERATOR_NS}" get pods -o name | awk -F "/" '{print $2}')
 		collect_logs $OPERATOR_NS
 	fi
-}
\ No newline at end of file
+}
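Review bot: Dropping `${c,,}` makes the pmm skip on the changed line case-sensitive; that is safe because Kubernetes requires container names to be lowercase DNS labels, but the comment above only cites PMM-8357, so a short note such as `# container names are lowercase by the k8s spec, so no case folding is needed` would keep the next reader from reinstating the bash-4 form. A quoted right-hand side of `=~` is a literal substring test rather than a regex, so `if [[ ${c} == *pmm* ]]; then` states the intent more directly and is equally portable to older bash. collect_logs and check_passwords_leak both start and end outside this hunk.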