Added err checks for glob validations

Signed-off-by: anandf <anjoseph@redhat.com>

cmd/util/project.go

@@ -48,6 +48,8 @@ func AddProjFlags(command *cobra.Command, opts *ProjectOpts) {
 	command.Flags().StringArrayVar(&opts.allowedNamespacedResources, "allow-namespaced-resource", []string{}, "List of allowed namespaced resources")
 	command.Flags().StringArrayVar(&opts.deniedNamespacedResources, "deny-namespaced-resource", []string{}, "List of denied namespaced resources")
 	command.Flags().StringSliceVar(&opts.SourceNamespaces, "source-namespaces", []string{}, "List of source namespaces for applications")
+	command.Flags().StringArrayVarP(&opts.destinationServiceAccounts, "dest-service-accounts", "", []string{},
+		"Destination server, namespace and target service account (e.g. https://192.168.99.100:8443,default,default-sa)")
 }
 
 func getGroupKindList(values []string) []v1.GroupKind {
@@ -98,8 +100,8 @@ func (opts *ProjectOpts) GetDestinationServiceAccounts() []v1alpha1.ApplicationD
 	destinationServiceAccounts := make([]v1alpha1.ApplicationDestinationServiceAccount, 0)
 	for _, destStr := range opts.destinationServiceAccounts {
 		parts := strings.Split(destStr, ",")
-		if len(parts) != 2 {
-			log.Fatalf("Expected destination of the form: server,namespace. Received: %s", destStr)
+		if len(parts) != 3 {
+			log.Fatalf("Expected destination service account of the form: server,namespace, defaultServiceAccount. Received: %s", destStr)
 		} else {
 			destinationServiceAccounts = append(destinationServiceAccounts, v1alpha1.ApplicationDestinationServiceAccount{
 				Server:                parts[0],

controller/sync.go

@@ -574,8 +574,14 @@ func deriveServiceAccountToImpersonate(project *v1alpha1.AppProject, application
 	// Loop through the destinationServiceAccounts and see if there is any destination that is a candidate.
 	// if so, return the service account specified for that destination.
 	for _, item := range project.Spec.DestinationServiceAccounts {
-		dstServerMatched := glob.Match(item.Server, application.Spec.Destination.Server)
-		dstNamespaceMatched := glob.Match(item.Namespace, application.Spec.Destination.Namespace)
+		dstServerMatched, err := glob.MatchWithError(item.Server, application.Spec.Destination.Server)
+		if err != nil {
+			return "", err
+		}
+		dstNamespaceMatched, err := glob.MatchWithError(item.Namespace, application.Spec.Destination.Namespace)
+		if err != nil {
+			return "", err
+		}
 		if dstServerMatched && dstNamespaceMatched {
 			if item.DefaultServiceAccount == "" {
 				return "", fmt.Errorf("default service account cannot be an empty string")

pkg/apis/application/v1alpha1/app_project_types.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/argoproj/argo-cd/v2/util/git"
 	"github.com/argoproj/argo-cd/v2/util/glob"
-
+	globutil "github.com/gobwas/glob"
 	"github.com/google/go-cmp/cmp"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -275,6 +275,20 @@ func (p *AppProject) ValidateProject() error {
 			return status.Errorf(codes.InvalidArgument, "namespace has an invalid format, '!*'")
 		}
 
+		if strings.Contains(destServiceAcct.DefaultServiceAccount, "*") {
+			return status.Errorf(codes.InvalidArgument, "defaultServiceAccount does not support glob patterns")
+		}
+
+		_, err := globutil.Compile(destServiceAcct.Server)
+		if err != nil {
+			return err
+		}
+
+		_, err = globutil.Compile(destServiceAcct.Namespace)
+		if err != nil {
+			return err
+		}
+
 		key := fmt.Sprintf("%s/%s", destServiceAcct.Server, destServiceAcct.Namespace)
 		if _, ok := destServiceAccts[key]; ok {
 			return status.Errorf(codes.InvalidArgument, "destinationServiceAccount '%s' already added", key)

util/glob/glob.go

@@ -13,3 +13,11 @@ func Match(pattern, text string, separators ...rune) bool {
 	}
 	return compiledGlob.Match(text)
 }
+
+func MatchWithError(pattern, text string, separators ...rune) (bool, error) {
+	compiledGlob, err := glob.Compile(pattern, separators...)
+	if err != nil {
+		return false, err
+	}
+	return compiledGlob.Match(text), nil
+}