Merge branch 'main' into adding-lint-commit-and-husky-to-root-configuration

Signed-off-by: Dibyanshu Pal Kushwaha <dibyanshupkushwaha@gmail.com>

Author: dibyanshu-pal-kushwaha

.github/workflows/backend-test.yml

@@ -76,6 +76,10 @@ jobs:
           rm ~/.config/Headlamp/kubeconfigs/config
         shell: bash
 
+      - name: Run fuzz tests
+        run: npm run backend:fuzz
+        shell: bash
+
       - name: Upload coverage report as artifact
         id: upload-artifact
         uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2

.github/workflows/draft-release.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
 
@@ -48,7 +48,7 @@ jobs:
           echo "EOF" >> $GITHUB_OUTPUT
 
       - name: Create Release Coordination Issue
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           github-token: ${{ github.token }}
           script: |

.github/workflows/helm-chart-release.yml

@@ -76,6 +76,7 @@ jobs:
         with:
           config: .github/cr.yaml
           mark_as_latest: false # only headlamp is set to latest
+          skip_existing: true # skip package upload if release already exists
 
       - name: Push Charts to GHCR
         run: |

AGENTS.md

@@ -194,6 +194,10 @@ backend-embed-linux-386:
 backend-test:
 	cd backend && go test -v -p 1 ./...
 
+.PHONY: backend-fuzz
+backend-fuzz:
+	npm run backend:fuzz
+
 .PHONY: backend-coverage
 backend-coverage:
 	cd backend && go test -v -p 1 -coverprofile=coverage.out ./...

Makefile

@@ -3,11 +3,11 @@ aliases:
     - joaquimrocha
     - illume
     - sniok
+    - yolossn
   headlamp-reviewers:
     - joaquimrocha
     - illume
     - sniok
     - ashu8912
-    - yolossn
     - vyncent-t
     - skoeva

OWNERS_ALIASES

@@ -0,0 +1,83 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth_test
+
+import (
+	"regexp"
+	"testing"
+	"unicode/utf8"
+
+	"github.com/kubernetes-sigs/headlamp/backend/pkg/auth"
+)
+
+// FuzzSanitizeClusterName tests the SanitizeClusterName function with various inputs
+// to ensure it handles edge cases, special characters, and maintains its invariants.
+func FuzzSanitizeClusterName(f *testing.F) {
+	// Seed corpus with known interesting test cases
+	f.Add("my-cluster")
+	f.Add("my_cluster")
+	f.Add("cluster123")
+	f.Add("my-cluster@#$%")
+	f.Add("")
+	f.Add("very-long-cluster-name-that-exceeds-fifty-characters-limit")
+	f.Add("special!@#$%^&*()chars")
+	f.Add("unicode-日本語-cluster")
+	f.Add("spaces in name")
+	f.Add("trailing-dash-")
+	f.Add("-leading-dash")
+	f.Add("___underscores___")
+	f.Add("UPPERCASE")
+	f.Add("MixedCase123")
+
+	validCharsRegex := regexp.MustCompile(`^[a-zA-Z0-9\-_]*$`)
+
+	f.Fuzz(func(t *testing.T, input string) {
+		result := auth.SanitizeClusterName(input)
+
+		// Invariant 1: Result should never be longer than 50 characters
+		if len(result) > 50 {
+			t.Errorf("SanitizeClusterName(%q) returned result with length %d, expected <= 50", input, len(result))
+		}
+
+		// Invariant 2: Result should only contain alphanumeric characters, hyphens, and underscores
+		if !validCharsRegex.MatchString(result) {
+			t.Errorf("SanitizeClusterName(%q) = %q contains invalid characters", input, result)
+		}
+
+		// Invariant 3: Result should be a valid UTF-8 string
+		if !utf8.ValidString(result) {
+			t.Errorf("SanitizeClusterName(%q) = %q is not valid UTF-8", input, result)
+		}
+
+		// Invariant 4: If input is empty, result should be empty
+		if input == "" && result != "" {
+			t.Errorf("SanitizeClusterName(%q) = %q, expected empty string", input, result)
+		}
+
+		// Invariant 5: Result should be idempotent - sanitizing the result again should give the same result
+		result2 := auth.SanitizeClusterName(result)
+		if result != result2 {
+			t.Errorf("SanitizeClusterName is not idempotent: first=%q, second=%q", result, result2)
+		}
+
+		// Invariant 6: Result length should never exceed input length (sanitization only removes characters)
+		if len(input) > 0 && len(result) > len(input) {
+			t.Errorf("SanitizeClusterName(%q) returned result longer than input: input_len=%d, result_len=%d",
+				input, len(input), len(result))
+		}
+	})
+}

backend/pkg/auth/cookies_fuzz_test.go

@@ -0,0 +1,2 @@
+go test fuzz v1
+string("my-cluster@#$%")

backend/pkg/auth/testdata/fuzz/FuzzSanitizeClusterName/seed1

@@ -0,0 +1,2 @@
+go test fuzz v1
+string("very-long-cluster-name-that-exceeds-fifty-characters-limit")

backend/pkg/auth/testdata/fuzz/FuzzSanitizeClusterName/seed2

@@ -0,0 +1,2 @@
+go test fuzz v1
+string("unicode-日本語-cluster")