fix(container.provider): generate valid temporary identity names with retries

Author: MMaiero

kura/org.eclipse.kura.container.provider/src/main/java/org/eclipse/kura/container/provider/ContainerInstance.java

@@ -39,6 +39,7 @@
 import java.util.stream.Collectors;
 
 import org.eclipse.kura.KuraException;
+import org.eclipse.kura.KuraErrorCode;
 import org.eclipse.kura.configuration.ComponentConfiguration;
 import org.eclipse.kura.configuration.ConfigurableComponent;
 import org.eclipse.kura.configuration.ConfigurationService;
@@ -67,6 +68,9 @@ public class ContainerInstance implements ConfigurableComponent, ContainerOrches
     private static final Logger logger = LoggerFactory.getLogger(ContainerInstance.class);
 
     private static final ValidationResult FAILED_VALIDATION = new ValidationResult();
+    private static final String CONTAINER_IDENTITY_PREFIX = "container_";
+    private static final int MAX_IDENTITY_NAME_LENGTH = 255;
+    private static final int MAX_IDENTITY_NAME_GENERATION_ATTEMPTS = 10;
 
     private final ExecutorService executor = Executors.newSingleThreadExecutor();
 
@@ -412,23 +416,11 @@ private void createTemporaryIdentityIfEnabled(final ContainerInstanceOptions opt
                     final Set<Permission> permissions = options.getContainerPermissions().stream().map(Permission::new)
                             .collect(Collectors.toSet());
 
-                    final String identityName = "container_" + options.getContainerName().replace("-", "_");
-
                     // Generate password
                     final String password = new String(PasswordGenerator
                             .generatePassword(passwordStrengthVerificationService.getPasswordStrengthRequirements()));
 
-                    // Create identity configuration (computePasswordHash will clear this char[])
-                    final PasswordConfiguration passwordConfiguration = new PasswordConfiguration(false, true,
-                            Optional.of(password.toCharArray()), Optional.empty());
-                    final AssignedPermissions assignedPermissions = new AssignedPermissions(permissions);
-                    final IdentityConfiguration configuration = new IdentityConfiguration(identityName,
-                            Arrays.asList(passwordConfiguration, assignedPermissions));
-
-                    // Create temporary identity with very long lifetime (365 days)
-                    // The identity lifetime matches the container lifecycle - cleanup happens when container stops
-                    // The duration is a safety net for cases where cleanup fails
-                    ContainerInstance.this.identityService.createTemporaryIdentity(configuration, Duration.ofDays(365));
+                    final String identityName = createTemporaryIdentityWithValidName(options, permissions, password);
 
                     // Store identity name and password for env injection (fresh char[] from same string)
                     ContainerInstance.this.currentTemporaryIdentityName.set(identityName);
@@ -445,6 +437,76 @@ private void createTemporaryIdentityIfEnabled(final ContainerInstanceOptions opt
             }
         }
 
+        private String createTemporaryIdentityWithValidName(final ContainerInstanceOptions options,
+                final Set<Permission> permissions, final String password) throws KuraException {
+
+            final String baseIdentityName = sanitizeContainerIdentityName(options.getContainerName());
+
+            for (int attempt = 0; attempt < MAX_IDENTITY_NAME_GENERATION_ATTEMPTS; attempt++) {
+                final String candidateName = buildIdentityNameCandidate(baseIdentityName, attempt);
+
+                try {
+                    final PasswordConfiguration passwordConfiguration = new PasswordConfiguration(false, true,
+                            Optional.of(password.toCharArray()), Optional.empty());
+                    final AssignedPermissions assignedPermissions = new AssignedPermissions(permissions);
+                    final IdentityConfiguration configuration = new IdentityConfiguration(candidateName,
+                            Arrays.asList(passwordConfiguration, assignedPermissions));
+
+                    ContainerInstance.this.identityService.createTemporaryIdentity(configuration, Duration.ofDays(365));
+                    return candidateName;
+
+                } catch (final KuraException e) {
+                    if (!shouldRetryIdentityNameGeneration(e, attempt)) {
+                        throw e;
+                    }
+                }
+            }
+
+            throw new KuraException(KuraErrorCode.INTERNAL_ERROR,
+                    "Unable to generate a valid temporary identity name for container " + options.getContainerName());
+        }
+
+        private String sanitizeContainerIdentityName(final String containerName) {
+            String safeName = containerName.replaceAll("[^a-zA-Z0-9._]", "_");
+            safeName = safeName.replaceAll("[._]{2,}", "_");
+            safeName = safeName.replaceAll("^[._]+", "").replaceAll("[._]+$", "");
+
+            if (safeName.isEmpty()) {
+                safeName = "auto";
+            }
+
+            return CONTAINER_IDENTITY_PREFIX + safeName;
+        }
+
+        private String buildIdentityNameCandidate(final String baseIdentityName, final int attempt) {
+            final String candidate = attempt == 0 ? baseIdentityName : baseIdentityName + "_" + attempt;
+
+            if (candidate.length() <= MAX_IDENTITY_NAME_LENGTH) {
+                return candidate;
+            }
+
+            if (attempt == 0) {
+                return candidate.substring(0, MAX_IDENTITY_NAME_LENGTH);
+            }
+
+            final String suffix = "_" + attempt;
+            return candidate.substring(0, MAX_IDENTITY_NAME_LENGTH - suffix.length()) + suffix;
+        }
+
+        private boolean shouldRetryIdentityNameGeneration(final KuraException e, final int attempt) {
+            if (attempt == MAX_IDENTITY_NAME_GENERATION_ATTEMPTS - 1) {
+                return false;
+            }
+
+            if (!KuraErrorCode.INVALID_PARAMETER.equals(e.getCode())) {
+                return false;
+            }
+
+            final String message = e.getMessage();
+            return message != null && (message.contains("Identity name") || message.contains("identity with name")
+                    || message.contains("already exists"));
+        }
+
         @Override
         public State onConfigurationUpdated(ContainerInstanceOptions newOptions) {
             if (newOptions.equals(this.options)) {

kura/test/org.eclipse.kura.container.provider.test/src/test/java/org/eclipse/kura/container/provider/ContainerIdentityIntegrationTest.java

@@ -33,6 +33,7 @@
 import java.util.Set;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.concurrent.atomic.AtomicReference;
 
@@ -66,6 +67,7 @@ public class ContainerIdentityIntegrationTest {
     private static final String CONTAINER_ID = "container-id";
     private static final String SECOND_CONTAINER_ID = "container-id-2";
     private static final String UPDATED_CONTAINER_NAME = CONTAINER_NAME + "-v2";
+    private static final String INVALID_CONTAINER_NAME = "....@@@....";
 
     private ContainerInstance containerInstance;
     private ContainerOrchestrationService containerOrchestrationService;
@@ -213,14 +215,42 @@ public void clearsTemporaryPasswordAfterCleanupTemporaryIdentity() throws Except
         thenTemporaryPasswordIsCleared();
     }
 
+    @Test
+    public void generatesValidTemporaryIdentityNameFromInvalidContainerName() throws Exception {
+        givenIdentityIntegrationIsEnabled(INVALID_CONTAINER_NAME);
+        givenTemporaryIdentityServiceProvidesPassword();
+        givenContainerOrchestratorStartsSuccessfully();
+
+        whenContainerInstanceIsActivated();
+
+        thenTemporaryIdentityUsesName("container_auto");
+        thenStartContainerReceivesTokenEnvironment();
+    }
+
+    @Test
+    public void retriesTemporaryIdentityCreationWhenNameAlreadyExists() throws Exception {
+        givenIdentityIntegrationIsEnabled();
+        givenTemporaryIdentityServiceRetriesNameConflict();
+        givenContainerOrchestratorStartsSuccessfully();
+
+        whenContainerInstanceIsActivated();
+
+        thenTemporaryIdentityCreationIsRetriedWithSuffixedName();
+        thenStartContainerReceivesTokenEnvironment();
+    }
+
     /*
      * GIVEN
      */
 
     private void givenIdentityIntegrationIsEnabled() {
+        givenIdentityIntegrationIsEnabled(CONTAINER_NAME);
+    }
+
+    private void givenIdentityIntegrationIsEnabled(final String containerName) {
         this.properties.put("container.enabled", true);
-        this.properties.put("container.name", CONTAINER_NAME);
-        this.properties.put("kura.service.pid", CONTAINER_NAME);
+        this.properties.put("container.name", containerName);
+        this.properties.put("kura.service.pid", containerName);
         this.properties.put("container.image", CONTAINER_IMAGE);
         this.properties.put("container.image.tag", CONTAINER_TAG);
         this.properties.put("container.identity.enabled", true);
@@ -269,6 +299,35 @@ private void givenContainerOrchestratorStartsSuccessfullyWithIds(final String...
         }).when(this.containerOrchestrationService).startContainer(this.configurationCaptor.capture());
     }
 
+    private void givenTemporaryIdentityServiceRetriesNameConflict() throws Exception {
+        final AtomicBoolean conflictRaised = new AtomicBoolean(false);
+
+        doAnswer(invocation -> {
+            this.createCount.incrementAndGet();
+
+            final IdentityConfiguration config = invocation.getArgument(0);
+            this.capturedIdentityNames.add(config.getName());
+            final char[] newPassword = config.getComponent(PasswordConfiguration.class).orElseThrow()
+                    .getNewPassword().orElseThrow();
+            this.capturedPasswords.add(new String(newPassword));
+
+            final String expectedBaseName = "container_" + CONTAINER_NAME.replace("-", "_");
+            if (!conflictRaised.get() && expectedBaseName.equals(config.getName())) {
+                conflictRaised.set(true);
+                throw new KuraException(KuraErrorCode.INVALID_PARAMETER,
+                        "An identity with name '" + config.getName() + "' already exists");
+            }
+
+            return null;
+        }).when(this.identityService).createTemporaryIdentity(
+                this.identityConfigCaptor.capture(), this.durationCaptor.capture());
+
+        doAnswer(invocation -> {
+            this.deleteCount.incrementAndGet();
+            return true;
+        }).when(this.identityService).deleteIdentity(anyString());
+    }
+
     private void givenTemporaryPasswordIsSet() throws Exception {
         final Field field = ContainerInstance.class.getDeclaredField("currentTemporaryPassword");
         field.setAccessible(true);
@@ -374,16 +433,28 @@ private void thenTemporaryIdentityIsCreatedWithPermissions() throws Exception {
                 permissions.stream().anyMatch(permission -> "rest.write".equals(permission.getName())));
     }
 
+    private void thenTemporaryIdentityUsesName(final String expectedIdentityName) throws Exception {
+        awaitCounterAtLeast(this.createCount, 1);
+
+        verify(this.identityService).createTemporaryIdentity(
+                this.identityConfigCaptor.capture(), this.durationCaptor.capture());
+
+        final IdentityConfiguration config = this.identityConfigCaptor.getValue();
+        assertEquals("Identity name should be normalized", expectedIdentityName, config.getName());
+    }
+
     private void thenStartContainerReceivesTokenEnvironment() throws Exception {
         assertTrue("Container start was not invoked", this.startLatch.await(2, TimeUnit.SECONDS));
 
         final ContainerConfiguration configuration = this.configurationCaptor.getValue();
         final List<String> envVars = configuration.getContainerEnvVars();
+        final String latestIdentityName = this.capturedIdentityNames.get(this.capturedIdentityNames.size() - 1);
+        final String latestPassword = this.capturedPasswords.get(this.capturedPasswords.size() - 1);
 
         assertTrue("Identity name var missing",
-                envVars.contains("KURA_IDENTITY_NAME=" + this.capturedIdentityNames.get(0)));
+                envVars.contains("KURA_IDENTITY_NAME=" + latestIdentityName));
         assertTrue("Password var missing",
-                envVars.contains("KURA_IDENTITY_PASSWORD=" + this.capturedPasswords.get(0)));
+                envVars.contains("KURA_IDENTITY_PASSWORD=" + latestPassword));
         // Check that KURA_REST_BASE_URL is set (now dynamic, not hardcoded to localhost:8080)
         assertTrue("Base URL env var missing",
                 envVars.stream().anyMatch(envVar -> envVar.startsWith("KURA_REST_BASE_URL=")));
@@ -424,6 +495,15 @@ private void thenLatestContainerStartReceivesRefreshedPassword() {
                 envVars.contains("KURA_IDENTITY_PASSWORD=" + latestPassword));
     }
 
+    private void thenTemporaryIdentityCreationIsRetriedWithSuffixedName() throws Exception {
+        awaitCounterAtLeast(this.createCount, 2);
+
+        final String expectedBaseName = "container_" + CONTAINER_NAME.replace("-", "_");
+        assertEquals("First identity creation should use base name", expectedBaseName, this.capturedIdentityNames.get(0));
+        assertEquals("Second identity creation should use suffixed name", expectedBaseName + "_1",
+                this.capturedIdentityNames.get(1));
+    }
+
     private void thenTemporaryPasswordIsCleared() throws Exception {
         final Field field = ContainerInstance.class.getDeclaredField("currentTemporaryPassword");
         field.setAccessible(true);