From 229f7057b746e5713c84da96c244d74e4667ba4a Mon Sep 17 00:00:00 2001
From: Eric Fried
Date: Fri, 19 Jul 2024 15:03:17 -0500
Subject: [PATCH] AWS: Forbid case-insensitive `credential_process`

A previous commit (#2306 / 13ea4f47) put in checks to forbid the use of `credential_process` in AWS config/credentials files. It turns out that AWS accepts this key case-insensitively, so this commit updates our checks accordingly.

HIVE-2485
---
 pkg/awsclient/client.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pkg/awsclient/client.go b/pkg/awsclient/client.go
index c52ca98fec4..252123ee70e 100644
--- a/pkg/awsclient/client.go
+++ b/pkg/awsclient/client.go
@@ -6,6 +6,7 @@ import (
 "fmt"
 "os"
 "regexp"
+ "strings"
 
 "github.com/pkg/errors"
 "github.com/prometheus/client_golang/prometheus"
@@ -630,7 +631,7 @@ func NewSessionFromSecret(secret *corev1.Secret, region string) (*session.Sessio
 return s, nil
 }
 
-var credentialProcessRE = regexp.MustCompile(`\bcredential_process\b`)
+var credentialProcessRE = regexp.MustCompile(`(?i)\bcredential_process\b`)
 
 func ContainsCredentialProcess(config []byte) bool {
 return len(credentialProcessRE.Find(config)) != 0
@@ -648,7 +649,7 @@ func awsCLIConfigFromSecret(secret *corev1.Secret) ([]byte, error) {
 buf := &bytes.Buffer{}
 fmt.Fprint(buf, "[default]\n")
 for k, v := range secret.Data {
- if k == "credential_process" {
+ if strings.ToLower(k) == "credential_process" {
 return nil, errors.New("credential_process is insecure and thus forbidden")
 }
 fmt.Fprintf(buf, "%s = %s\n", k, v)
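Review bot: ContainsCredentialProcess is exported but has no doc comment; the blank context line directly above `func ContainsCredentialProcess` is where one belongs, e.g. `// ContainsCredentialProcess reports whether config mentions the credential_process key in any letter case.` A second sentence should record that the regexp is a word-boundary match over the whole byte slice rather than an ini key lookup, so the token is also flagged when it appears inside a comment or a value. It is also worth noting in that comment that, since `_` counts as a word character for `\b`, only the exact token matches and names that merely contain it do not. ContainsCredentialProcess's body is complete in the hunk; the hunk cuts off after its closing line.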
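Review bot: The guard `strings.ToLower(k) == "credential_process"` inspects only the key, while the value `v` is written verbatim by `fmt.Fprintf(buf, "%s = %s\n", k, v)` three lines below; a value that itself contains a line break therefore contributes further lines to the generated ini text, and nothing in this loop looks at them. If the finished buffer is not also run through ContainsCredentialProcess (the rest of awsCLIConfigFromSecret lies outside this hunk, so I cannot tell), the key-only check is incomplete, and a comment such as `// keys are screened here; the assembled buffer must still be scanned with ContainsCredentialProcess` would make the intended division of responsibility explicit either way. As a point of style, `if strings.EqualFold(k, "credential_process") {` is the idiomatic case-insensitive comparison and avoids allocating a lowered copy of every key. EqualFold additionally folds a few non-ASCII letters that ToLower leaves alone, which for a deny check only widens what is rejected.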