CA cert bundle validation (#17632)

* add validation to ca bundle certificate field + info tooltip

* add isBase64EncodedCert helper

* fix validation update issue with removed items + comments

---------

Co-authored-by: Mo Mesgin <mmesgin@Mos-M2-MacBook-Pro.local>

Author: momesgin

shell/assets/translations/en-us.yaml

@@ -8791,6 +8791,9 @@ registryConfig:
   toolTip: 'When an image needs to be pulled from the given registry hostname, this information will be used to verify the identity of the registry and authenticate to it.'
   addLabel: Add Registry
   description: "Define the TLS and credential configuration for each registry hostname and mirror."
+  caBundle:
+    tooltip: Accepts a CA PEM certificate or a base64 encoded CA PEM.
+    validationError: Invalid CA cert bundle. Must be a CA PEM certificate or a base64 encoded CA PEM.
 
 ##############################
 ### Advanced Settings

shell/edit/provisioning.cattle.io.cluster/rke2.vue

@@ -298,6 +298,7 @@ export default {
       isEmpty,
       AGENT_CONFIGURATION_TYPES,
       basicsValid:                              true,
+      registryConfigValid:                      true,
       originalIngressController:                this.value.spec.rkeConfig.machineGlobalConfig?.[INGRESS_CONTROLLER] || INGRESS_NONE,
     };
   },
@@ -906,7 +907,8 @@ export default {
       return this.validationPassed &&
             this.fvFormIsValid &&
             this.etcdConfigValid &&
-            this.basicsValid;
+            this.basicsValid &&
+            this.registryConfigValid;
     },
     nginxSupported() {
       if (this.serverArgs?.disable?.options.includes(RKE2_INGRESS_NGINX)) {
@@ -2688,6 +2690,7 @@ export default {
           <Tab
             :name="REGISTRIES_TAB_NAME"
             label-key="cluster.tabs.registry"
+            :error="!registryConfigValid"
           >
             <Registries
               v-if="isActiveTabRegistries"
@@ -2703,6 +2706,7 @@ export default {
               @custom-registry-changed="toggleCustomRegistry"
               @registry-host-changed="handleRegistryHostChanged"
               @registry-secret-changed="handleRegistrySecretChanged"
+              @registry-validation-changed="(val) => registryConfigValid = val"
             />
           </Tab>
 

shell/edit/provisioning.cattle.io.cluster/tabs/registries/RegistryConfigs.vue

@@ -7,11 +7,11 @@ import SelectOrCreateAuthSecret from '@shell/components/form/SelectOrCreateAuthS
 import CreateEditView from '@shell/mixins/create-edit-view';
 import SecretSelector from '@shell/components/form/SecretSelector';
 import { SECRET_TYPES as TYPES } from '@shell/config/secret';
-import { isBase64 } from '@shell/utils/string';
+import { isBase64EncodedCert } from '@shell/utils/string';
 import { base64Decode, base64Encode } from '@shell/utils/crypto';
 
 export default {
-  emits: ['updateConfigs'],
+  emits: ['updateConfigs', 'validation-changed'],
 
   components: {
     ArrayListGrouped,
@@ -62,6 +62,34 @@ export default {
         return TYPES.TLS;
       },
     },
+
+    caBundleRules() {
+      return [
+        (value) => {
+          if (!value) {
+            return undefined;
+          }
+
+          const isPem = value.trimStart().startsWith('-----BEGIN ');
+          const isValidBase64 = isBase64EncodedCert(value);
+
+          return (!isPem && !isValidBase64) ? this.t('registryConfig.caBundle.validationError') : undefined;
+        }
+      ];
+    },
+
+    // Derives validation state from entries directly, so it auto-updates when entries are added or removed
+    allCaBundlesValid() {
+      return this.entries.every((entry) => {
+        return this.caBundleRules.every((rule) => !rule(entry.caBundle));
+      });
+    },
+  },
+
+  watch: {
+    allCaBundlesValid(valid) {
+      this.$emit('validation-changed', valid);
+    },
   },
 
   mounted() {
@@ -78,7 +106,8 @@ export default {
 
         const caBundle = configMap[hostname].caBundle ?? this.defaultAddValue.caBundle;
 
-        configMap[hostname].caBundle = isBase64(caBundle) ? base64Decode(caBundle) : caBundle;
+        // Decode base64 for display so the user sees readable PEM text
+        configMap[hostname].caBundle = isBase64EncodedCert(caBundle) ? base64Decode(caBundle) : caBundle;
 
         configMap[hostname].tlsSecretName = configMap[hostname].tlsSecretName ?? this.defaultAddValue.tlsSecretName;
       }
@@ -103,7 +132,8 @@ export default {
 
         configs[h] = {
           ...entry,
-          caBundle: entry.caBundle ? base64Encode(entry.caBundle) : null
+          // If the value is already base64, use as-is to avoid double-encoding
+          caBundle: entry.caBundle ? (isBase64EncodedCert(entry.caBundle) ? entry.caBundle : base64Encode(entry.caBundle)) : null
         };
 
         delete configs[h].hostname;
@@ -192,6 +222,9 @@ export default {
               type="multiline"
               label="CA Cert Bundle"
               :mode="mode"
+              :rules="caBundleRules"
+              :require-dirty="false"
+              :tooltip="t('registryConfig.caBundle.tooltip')"
             />
 
             <div>

shell/edit/provisioning.cattle.io.cluster/tabs/registries/__tests__/RegistryConfigs.test.ts

@@ -4,6 +4,9 @@ import { _EDIT } from '@shell/config/query-params';
 import { PROV_CLUSTER } from '@shell/edit/provisioning.cattle.io.cluster/__tests__/utils/cluster';
 import RegistryConfigs from '@shell/edit/provisioning.cattle.io.cluster/tabs/registries/RegistryConfigs.vue';
 
+const VALID_BASE64_CERT = 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t';
+const VALID_PEM_TEXT = '-----BEGIN CERTIFICATE-----\nMIIBkTCB+wIJA';
+
 describe('component: RegistryConfigs', () => {
   let wrapper: Wrapper<InstanceType<typeof RegistryConfigs> & { [key: string]: any }>;
 
@@ -18,14 +21,14 @@ describe('component: RegistryConfigs', () => {
         SelectOrCreateAuthSecret: true,
         SecretSelector:           true,
       },
-      mocks: { $store: { getters: { 'i18n/t': jest.fn() } } }
+      mocks: { $store: { getters: { 'i18n/t': jest.fn((key: string) => key) } } }
     }
   };
 
   describe('key CA Cert Bundle', () => {
     it.each([
-      ['source is plain text', 'Zm9vYmFy', 'foobar'],
-      ['source is base64', 'foobar', 'foobar'],
+      ['source is base64', VALID_BASE64_CERT, '-----BEGIN CERTIFICATE-----'],
+      ['source is plain text', 'foobar', 'foobar'],
     ])('should display key, %p', (_, sourceCaBundle, displayedCaBundle) => {
       const value = clone(PROV_CLUSTER);
 
@@ -43,10 +46,10 @@ describe('component: RegistryConfigs', () => {
       expect(registry.props().value).toBe(displayedCaBundle);
     });
 
-    it('should update key in base64 format', async() => {
+    it('should base64 encode plain PEM text on save', async() => {
       const value = clone(PROV_CLUSTER);
 
-      value.spec.rkeConfig.registries.configs = { foo: { caBundle: 'Zm9vYmFy' } };
+      value.spec.rkeConfig.registries.configs = { foo: { caBundle: VALID_BASE64_CERT } };
 
       mountOptions.propsData.value = value;
 
@@ -57,10 +60,132 @@ describe('component: RegistryConfigs', () => {
 
       const registry = wrapper.findComponent('[data-testid^="registry-caBundle"]');
 
-      registry.vm.$emit('update:value', 'ssh key');
+      registry.vm.$emit('update:value', VALID_PEM_TEXT);
       wrapper.vm.update();
 
-      expect(wrapper.emitted('updateConfigs')[0][0]['foo']['caBundle']).toBe('c3NoIGtleQ==');
+      expect(wrapper.emitted('updateConfigs')[0][0]['foo']['caBundle']).toBe('LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJrVENCK3dJSkE=');
+    });
+
+    it('should keep base64 value as-is on save', async() => {
+      const value = clone(PROV_CLUSTER);
+
+      value.spec.rkeConfig.registries.configs = { foo: { caBundle: VALID_BASE64_CERT } };
+
+      mountOptions.propsData.value = value;
+
+      wrapper = mount(
+        RegistryConfigs,
+        mountOptions
+      );
+
+      const registry = wrapper.findComponent('[data-testid^="registry-caBundle"]');
+
+      registry.vm.$emit('update:value', VALID_BASE64_CERT);
+      wrapper.vm.update();
+
+      expect(wrapper.emitted('updateConfigs')[0][0]['foo']['caBundle']).toBe(VALID_BASE64_CERT);
+    });
+  });
+
+  describe('cA Cert Bundle validation', () => {
+    it('should pass validation for valid base64 value', () => {
+      const value = clone(PROV_CLUSTER);
+
+      value.spec.rkeConfig.registries.configs = {};
+      mountOptions.propsData.value = value;
+
+      wrapper = mount(RegistryConfigs, mountOptions);
+
+      const rule = wrapper.vm.caBundleRules[0];
+
+      expect(rule(VALID_BASE64_CERT)).toBeUndefined();
+    });
+
+    it('should pass validation for PEM text', () => {
+      const value = clone(PROV_CLUSTER);
+
+      value.spec.rkeConfig.registries.configs = {};
+      mountOptions.propsData.value = value;
+
+      wrapper = mount(RegistryConfigs, mountOptions);
+
+      const rule = wrapper.vm.caBundleRules[0];
+
+      expect(rule(VALID_PEM_TEXT)).toBeUndefined();
+    });
+
+    it('should pass validation for empty value', () => {
+      const value = clone(PROV_CLUSTER);
+
+      value.spec.rkeConfig.registries.configs = {};
+      mountOptions.propsData.value = value;
+
+      wrapper = mount(RegistryConfigs, mountOptions);
+
+      const rule = wrapper.vm.caBundleRules[0];
+
+      expect(rule('')).toBeUndefined();
+      expect(rule(null)).toBeUndefined();
+      expect(rule(undefined)).toBeUndefined();
+    });
+
+    it('should fail validation for invalid value', () => {
+      const value = clone(PROV_CLUSTER);
+
+      value.spec.rkeConfig.registries.configs = {};
+      mountOptions.propsData.value = value;
+
+      wrapper = mount(RegistryConfigs, mountOptions);
+
+      const rule = wrapper.vm.caBundleRules[0];
+
+      expect(rule('not-valid-base64!')).toContain('registryConfig.caBundle.validationError');
+    });
+
+    it('should report allCaBundlesValid as true when all entries have valid caBundles', () => {
+      const value = clone(PROV_CLUSTER);
+
+      value.spec.rkeConfig.registries.configs = {
+        'reg1.example.com': { caBundle: VALID_BASE64_CERT },
+        'reg2.example.com': { caBundle: VALID_BASE64_CERT },
+      };
+      mountOptions.propsData.value = value;
+
+      wrapper = mount(RegistryConfigs, mountOptions);
+
+      expect(wrapper.vm.allCaBundlesValid).toBe(true);
+    });
+
+    it('should report allCaBundlesValid as false when any entry has an invalid caBundle', () => {
+      const value = clone(PROV_CLUSTER);
+
+      value.spec.rkeConfig.registries.configs = {
+        'reg1.example.com': { caBundle: VALID_BASE64_CERT },
+        'reg2.example.com': { caBundle: 'not-valid!' },
+      };
+      mountOptions.propsData.value = value;
+
+      wrapper = mount(RegistryConfigs, mountOptions);
+
+      expect(wrapper.vm.allCaBundlesValid).toBe(false);
+    });
+
+    it('should update validation when an invalid entry is removed', () => {
+      const value = clone(PROV_CLUSTER);
+
+      value.spec.rkeConfig.registries.configs = {
+        'reg1.example.com': { caBundle: VALID_BASE64_CERT },
+        'reg2.example.com': { caBundle: 'not-valid!' },
+      };
+      mountOptions.propsData.value = value;
+
+      wrapper = mount(RegistryConfigs, mountOptions);
+
+      expect(wrapper.vm.allCaBundlesValid).toBe(false);
+
+      wrapper.vm.entries.splice(1, 1);
+
+      expect(wrapper.vm.allCaBundlesValid).toBe(true);
     });
   });
 });

shell/edit/provisioning.cattle.io.cluster/tabs/registries/index.vue

@@ -8,7 +8,7 @@ import RegistryConfigs from '@shell/edit/provisioning.cattle.io.cluster/tabs/reg
 import RegistryMirrors from '@shell/edit/provisioning.cattle.io.cluster/tabs/registries/RegistryMirrors';
 
 export default {
-  emits:      ['custom-registry-changed', 'registry-host-changed', 'registry-secret-changed', 'input', 'update-configs-changed'],
+  emits:      ['custom-registry-changed', 'registry-host-changed', 'registry-secret-changed', 'input', 'update-configs-changed', 'registry-validation-changed'],
   components: {
     LabeledInput,
     Banner,
@@ -142,6 +142,7 @@ export default {
           :cluster-register-before-hook="registerBeforeHook"
           @update:value="$emit('input', $event)"
           @updateConfigs="$emit('update-configs-changed', $event)"
+          @validation-changed="$emit('registry-validation-changed', $event)"
         />
       </AdvancedSection>
     </div>

shell/utils/__tests__/string.test.ts

@@ -1,4 +1,4 @@
-import { decodeHtml, resourceNames, pathArrayToTree } from '@shell/utils/string';
+import { decodeHtml, resourceNames, pathArrayToTree, isBase64EncodedCert } from '@shell/utils/string';
 
 describe('fx: decodeHtml', () => {
   it('should decode HTML values from escaped string into valid markup', () => {
@@ -361,3 +361,25 @@ describe('fx: pathArrayToTree', () => {
     expect(actual).toStrictEqual(expected);
   });
 });
+
+describe('fx: isBase64EncodedCert', () => {
+  it.each([
+    ['valid base64 cert', 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t', true],
+    ['base64 with padding', 'c3NoIGtleQ==', false],
+    ['base64 with newlines', 'LS0tLS1CRUdJTiBDRVJU\nSUZJQ0FURS0tLS0t\nTUlJQmtUQ0I=', true],
+    ['base64 with CRLF', 'LS0tLS1CRUdJTiBDRVJU\r\nSUZJQ0FURS0tLS0t\r\nTUlJQmtUQ0I=', true],
+  ])('should return %p for %p', (_, value, expected) => {
+    expect(isBase64EncodedCert(value as string)).toBe(expected);
+  });
+
+  it.each([
+    ['empty string', ''],
+    ['null', null],
+    ['undefined', undefined],
+    ['short string like "test"', 'test'],
+    ['short valid base64', 'Zm9v'],
+    ['invalid characters', 'not-valid-base64!'],
+  ])('should return false for %p', (_, value) => {
+    expect(isBase64EncodedCert(value as string)).toBe(false);
+  });
+});

shell/utils/string.js

@@ -349,10 +349,33 @@ export function xOfy(x, y) {
   return `${ typeof x === 'number' ? x : '?' }/${ typeof y === 'number' ? y : '?' }`;
 }
 
+const BASE64_REGEX = /^([0-9a-zA-Z+/]{4})*(([0-9a-zA-Z+/]{2}==)|([0-9a-zA-Z+/]{3}=))?$/;
+
 export function isBase64(value) {
-  const base64regex = /^([0-9a-zA-Z+/]{4})*(([0-9a-zA-Z+/]{2}==)|([0-9a-zA-Z+/]{3}=))?$/;
+  return BASE64_REGEX.test(value);
+}
+
+/**
+ * Checks if a value is a valid base64-encoded CA bundle.
+ * Unlike isBase64, this handles multiline base64 (e.g. openssl wraps at 76 chars)
+ * and rejects short strings that could be false positives.
+ * @param {string} value
+ * @returns {boolean}
+ */
+export function isBase64EncodedCert(value) {
+  if (!value || typeof value !== 'string') {
+    return false;
+  }
+
+  // Strip whitespace to handle line-wrapped base64 output
+  const stripped = value.replace(/\s/g, '');
+
+  // CA certs are long enough that legitimate base64 will always exceed this
+  if (stripped.length < 16) {
+    return false;
+  }
 
-  return base64regex.test(value);
+  return BASE64_REGEX.test(stripped);
 }
 
 export function generateRandomAlphaString(length) {