OCPBUGS-70273: Prevent binary secret data corruption when editing

[TheRealJon]

Summary

• Fixes corruption of binary secret data when editing text fields in the same secret
• Binary data was being decoded as UTF-8 text, which inserted replacement characters for non-printable bytes

Changes

• Pass base64 data directly to DroppableFileInput for binary entries instead of decoding as UTF-8
• Add isBase64Input prop to handle base64-encoded input properly
• Preserve original binary values when form updates using immutable reducer pattern
• Use useMemo for derived binaryData value instead of useState
• Add Cypress regression test to verify editing text fields doesn't corrupt binary data

Test plan

• Run Cypress test: yarn run test-cypress-headless --spec packages/integration-tests-cypress/tests/crud/secrets/key-value.cy.ts
• Verify test "Validate editing text field does not corrupt binary data (OCPBUGS-70273)" passes
• Manually test: Create secret with binary file, edit text field, verify binary unchanged

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes

  • Fixed an issue where editing text fields in secrets could corrupt binary data. Binary files now remain unmodified when users update only text content in mixed secrets.

• Tests

  • Added test coverage validating binary data integrity during secret editing.

[openshift-ci-robot]

@TheRealJon: This pull request references Jira Issue OCPBUGS-70273, which is invalid:

• expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

• Fixes corruption of binary secret data (JAR, JCEKS files) when editing text fields in the same secret
• Binary data was being decoded as UTF-8 text, which inserted replacement characters for non-printable bytes

Changes

• Pass base64 data directly to DroppableFileInput for binary entries instead of decoding as UTF-8
• Add isBase64Input prop to handle base64-encoded input properly
• Preserve original binary values when form updates using immutable reducer pattern
• Use useMemo for derived binaryData value instead of useState
• Add Cypress regression test to verify editing text fields doesn't corrupt binary data

Test plan

• Run Cypress test: yarn run test-cypress-headless --spec packages/integration-tests-cypress/tests/crud/secrets/key-value.cy.ts
• Verify test "Validate editing text field does not corrupt binary data (OCPBUGS-70273)" passes
• Manually test: Create secret with binary file, edit text field, verify binary unchanged

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

This change addresses a bug where editing text fields in mixed secrets corrupted binary data. The fix introduces a new isBase64Input prop to the DroppableFileInput component to distinguish between base64-encoded and binary data. SecretFormWrapper now uses memoization to preserve binary fields during text edits, merging them with updated base64 data rather than replacing them entirely. OpaqueSecretFormEntry conditionally passes decoded or raw data based on the binary flag. A Cypress test validates the fix by confirming binary data remains intact after text-field edits.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: preventing binary secret data corruption when editing. It references the bug ticket and accurately reflects the core problem being fixed across all modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can scan for known vulnerabilities in your dependencies using OSV Scanner.

OSV Scanner will automatically detect and report security vulnerabilities in your project's dependencies. No additional configuration is required.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

frontend/packages/integration-tests-cypress/tests/crud/secrets/key-value.cy.ts (1)

161-215: Make mixed-secret cleanup resilient to mid-test failures.

Cleanup happens only at the end of the test body, so any earlier failure leaves the mixed secret behind. Consider moving that deletion into afterEach alongside other secret cleanup.

♻️ Suggested refactor

-  const tlsSecretName = `key-value-tls-secret-${testName}`;
+  const tlsSecretName = `key-value-tls-secret-${testName}`;
+  const mixedSecretName = `key-value-mixed-secret-${testName}`;
@@
-    cy.exec(
-      `oc delete secret -n ${testName} ${binarySecretName} ${asciiSecretName} ${unicodeSecretName}`,
+    cy.exec(
+      `oc delete secret -n ${testName} ${binarySecretName} ${asciiSecretName} ${unicodeSecretName} ${mixedSecretName}`,
       {
         failOnNonZeroExit: false,
       },
     );
@@
-    const mixedSecretName = `key-value-mixed-secret-${testName}`;
@@
-      // Cleanup
-      cy.exec(`oc delete secret -n ${testName} ${mixedSecretName}`, {
-        failOnNonZeroExit: false,
-      });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@frontend/packages/integration-tests-cypress/tests/crud/secrets/key-value.cy.ts`
around lines 161 - 215, The test currently only deletes mixedSecretName at the
end of the test body, leaving the secret if the test fails mid-run; fix by
declaring mixedSecretName (and any related keys) in the outer scope (e.g., let
mixedSecretName = ``) so it is accessible to hooks, assign it inside the it(...)
block, and add an afterEach hook that runs cy.exec(`oc delete secret -n
${testName} ${mixedSecretName}`, { failOnNonZeroExit: false }) to reliably clean
up the secret regardless of test outcome; ensure the afterEach uses the same
mixedSecretName symbol and keeps failOnNonZeroExit: false for idempotent
deletion.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@frontend/public/components/secrets/create-secret/SecretFormWrapper.tsx`:
- Around line 87-101: The merge in onDataChanged currently overwrites edited
binary entries by replacing keys present in secretsData?.base64StringData with
values from binaryData; change the merge so it only backfills missing keys:
iterate binaryData entries and for each [key,value] if acc[key] is undefined (or
not present) then set acc[key]=value, otherwise keep the existing acc[key]; then
call setBase64StringData with that merged result. Reference onDataChanged,
setStringData, binaryData, secretsData?.base64StringData, mergedData, and
setBase64StringData to locate and update the logic.

---

Nitpick comments:
In
`@frontend/packages/integration-tests-cypress/tests/crud/secrets/key-value.cy.ts`:
- Around line 161-215: The test currently only deletes mixedSecretName at the
end of the test body, leaving the secret if the test fails mid-run; fix by
declaring mixedSecretName (and any related keys) in the outer scope (e.g., let
mixedSecretName = ``) so it is accessible to hooks, assign it inside the it(...)
block, and add an afterEach hook that runs cy.exec(`oc delete secret -n
${testName} ${mixedSecretName}`, { failOnNonZeroExit: false }) to reliably clean
up the secret regardless of test outcome; ensure the afterEach uses the same
mixedSecretName symbol and keeps failOnNonZeroExit: false for idempotent
deletion.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between c305cad and dbbd532.

📒 Files selected for processing (4)

• frontend/packages/integration-tests-cypress/tests/crud/secrets/key-value.cy.ts
• frontend/public/components/secrets/create-secret/OpaqueSecretFormEntry.tsx
• frontend/public/components/secrets/create-secret/SecretFormWrapper.tsx
• frontend/public/components/utils/file-input.tsx

[TheRealJon]

/retest

timed out

[TheRealJon]

/retest

[TheRealJon]

/jira refresh

[openshift-ci-robot]

@TheRealJon: This pull request references Jira Issue OCPBUGS-70273, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yapei

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jhadvig]

/lgtm

/cherry-pick release-4.21

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jhadvig, TheRealJon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• frontend/OWNERS [TheRealJon,jhadvig]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci-robot]

@TheRealJon: This pull request references Jira Issue OCPBUGS-70273, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yapei

Details

In response to this:

Summary

• Fixes corruption of binary secret data when editing text fields in the same secret
• Binary data was being decoded as UTF-8 text, which inserted replacement characters for non-printable bytes

Changes

• Pass base64 data directly to DroppableFileInput for binary entries instead of decoding as UTF-8
• Add isBase64Input prop to handle base64-encoded input properly
• Preserve original binary values when form updates using immutable reducer pattern
• Use useMemo for derived binaryData value instead of useState
• Add Cypress regression test to verify editing text fields doesn't corrupt binary data

Test plan

• Run Cypress test: yarn run test-cypress-headless --spec packages/integration-tests-cypress/tests/crud/secrets/key-value.cy.ts
• Verify test "Validate editing text field does not corrupt binary data (OCPBUGS-70273)" passes
• Manually test: Create secret with binary file, edit text field, verify binary unchanged

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes

• Fixed an issue where editing text fields in secrets could corrupt binary data. Binary files now remain unmodified when users update only text content in mixed secrets.

• Tests

• Added test coverage validating binary data integrity during secret editing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[TheRealJon]

/retest

[TheRealJon]

/retest

[openshift-ci]

@TheRealJon: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.