From 84f9ebb9f1a0deabade0d2fd01f28bb49c3f349f Mon Sep 17 00:00:00 2001
From: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
Date: Thu, 6 Nov 2025 15:57:06 -0800
Subject: [PATCH 1/4] Test invalid configs
Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
---
 pkg/alertmanager/api.go | 2 ++
 pkg/alertmanager/api_test.go | 29 +++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)
diff --git a/pkg/alertmanager/api.go b/pkg/alertmanager/api.go
index cbac5bd89c9..8ad361125cd 100644
--- a/pkg/alertmanager/api.go
+++ b/pkg/alertmanager/api.go
@@ -56,6 +56,8 @@ var (
 errMSTeamsV2WebhookUrlFileNotAllowed = errors.New("setting MSTeamsV2 webhook_url_file is not allowed")
 errRocketChatTokenIdFileNotAllowed = errors.New("setting RocketChat token_id_file is not allowed")
 errRocketChatTokenFileNotAllowed = errors.New("setting RocketChat token_file is not allowed")
+ errDiscordWebhookUrlFileNotAllowed = errors.New("setting Discord webhook_url_file is not allowed")
+ errEmailAuthPasswordFileNotAllowed = errors.New("setting Email auth_password_file is not allowed")
 )
 // UserConfig is used to communicate a users alertmanager configs
diff --git a/pkg/alertmanager/api_test.go b/pkg/alertmanager/api_test.go
index 8c0a097d84c..8dbc71b4bee 100644
--- a/pkg/alertmanager/api_test.go
+++ b/pkg/alertmanager/api_test.go
@@ -703,6 +703,35 @@ alertmanager_config: |
 `,
 err: errors.Wrap(errRocketChatTokenFileNotAllowed, "error validating Alertmanager config"),
 },
+ {
+ name: "Should return error if Discord webhook_url_file is set",
+ cfg: `
+alertmanager_config: |
+ receivers:
+ - name: default-receiver
+ discord_configs:
+ - webhook_url_file: /tokenFile
+ route:
+ receiver: 'default-receiver'
+`,
+ err: errors.Wrap(errDiscordWebhookUrlFileNotAllowed, "error validating Alertmanager config"),
+ },
+ {
+ name: "Should return error if Email auth_password_file is set",
+ cfg: `
+alertmanager_config: |
+ receivers:
+ - name: default-receiver
+ email_configs:
+ - to: user@example.com
+ from: admin@example.com
+ smarthost: example.com:25
+ auth_password_file: /tokenFile
+ route:
+ receiver: 'default-receiver'
+`,
+ err: errors.Wrap(errEmailAuthPasswordFileNotAllowed, "error validating Alertmanager config"),
+ },
 }
 limits := &mockAlertManagerLimits{}
From 626846ec5a0223868929f2dd085a42c4fa219f67 Mon Sep 17 00:00:00 2001
From: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
Date: Thu, 6 Nov 2025 16:11:43 -0800
Subject: [PATCH 2/4] Implement validation
Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
---
 CHANGELOG.md | 1 +
 pkg/alertmanager/api.go | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index dbaa55e340b..b124f70faab 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@
 * [BUGFIX] Compactor: Avoid race condition which allow a grouper to not compact all partitions. #7082
 * [BUGFIX] Fix bug where validating metric names uses the wrong validation logic. #7086
 * [BUGFIX] Ring: Change DynamoDB KV to retry indefinetly for WatchKey. #7088
+* [BUGFIX] Add alertmanager receiver validation for discord and email. #7097
 ## 1.20.0 in progress
diff --git a/pkg/alertmanager/api.go b/pkg/alertmanager/api.go
index 8ad361125cd..64c68d7e509 100644
--- a/pkg/alertmanager/api.go
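Review bot: Both new table entries in the `@@ -703,6 +703,35 @@` hunk assert only the rejection path, so a validator that over-blocks would still pass them. Nothing here checks that a Discord receiver using an inline `webhook_url`, or an Email receiver using `auth_password`, is still accepted. One accepting case per receiver type with `err: nil` would pin both sides of the check. The test table and its function begin outside the hunk, so existing positive cases may already cover part of this.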
+++ b/pkg/alertmanager/api.go
@@ -401,6 +401,14 @@ func validateAlertmanagerConfig(cfg any) error {
 if err := validateRocketChatConfig(v.Interface().(config.RocketchatConfig)); err != nil {
 return err
 }
+ case reflect.TypeOf(config.DiscordConfig{}):
+ if err := validateDiscordConfig(v.Interface().(config.DiscordConfig)); err != nil {
+ return err
+ }
+ case reflect.TypeOf(config.EmailConfig{}):
+ if err := validateEmailConfig(v.Interface().(config.EmailConfig)); err != nil {
+ return err
+ }
 }
 // If the input config is a struct, recursively iterate on all fields.
@@ -590,3 +598,21 @@ func validateRocketChatConfig(cfg config.RocketchatConfig) error {
 return nil
 }
+
+// validateDiscordConfig validates the Discord Config and returns an error if it contains
+// settings not allowed by Cortex.
+func validateDiscordConfig(cfg config.DiscordConfig) error {
+ if cfg.WebhookURLFile != "" {
+ return errDiscordWebhookUrlFileNotAllowed
+ }
+ return nil
+}
+
+// validateEmailConfig validates the Email Config and returns an error if it contains
+// settings not allowed by Cortex.
+func validateEmailConfig(cfg config.EmailConfig) error {
+ if cfg.AuthPasswordFile != "" {
+ return errEmailAuthPasswordFileNotAllowed
+ }
+ return nil
+}
From eb05bdc2a6f6274fbde89dfd7a0b3fe64220c5f0 Mon Sep 17 00:00:00 2001
From: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
Date: Thu, 6 Nov 2025 17:48:12 -0800
Subject: [PATCH 3/4] use passwordFile
Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
---
 pkg/alertmanager/api_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/alertmanager/api_test.go b/pkg/alertmanager/api_test.go
index 8dbc71b4bee..9029ef33204 100644
--- a/pkg/alertmanager/api_test.go
+++ b/pkg/alertmanager/api_test.go
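Review bot: The two new `case` arms in the `@@ -401,6 +401,14 @@` hunk extend a hand-maintained list, so a receiver type with no arm gets no type-specific check; the changelog entry suggests that is how Discord and Email went unvalidated until now. Consider a test that walks the `config.Receiver` struct fields by reflection and fails for any string field whose yaml tag ends in `_file` when no table case rejects it, so the next upstream addition breaks CI instead of passing silently. validateAlertmanagerConfig begins and ends outside this hunk, so whether its recursive walk already catches some of these fields cannot be seen from here.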
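Review bot: The doc comments on validateDiscordConfig and validateEmailConfig in the `@@ -590,3 +598,21 @@` hunk say the setting is "not allowed by Cortex" without giving the reason, which leaves a maintainer unable to judge which future fields belong in the same check. Presumably the concern is that a `*_file` value is a path resolved on the Alertmanager host rather than in the tenant's own environment; if so, say it, e.g. `// validateDiscordConfig rejects webhook_url_file because tenants must not reference files on the Alertmanager host.` with the equivalent line for `auth_password_file`. Upstream Alertmanager also accepts `smtp_auth_password_file` in the global section; the global validator is not part of this diff, so it is worth confirming that setting is rejected there as well.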
@@ -726,7 +726,7 @@ alertmanager_config: | - to: user@example.com from: admin@example.com smarthost: example.com:25 - auth_password_file: /tokenFile + auth_password_file: /passwordFile route: receiver: 'default-receiver' `, From 771c4559b4b0ea68fb92d6d6c7e56f8545e1d5a2 Mon Sep 17 00:00:00 2001 From: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com> Date: Thu, 6 Nov 2025 18:04:32 -0800 Subject: [PATCH 4/4] Update api_test.go Co-authored-by: SungJin1212 Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com> --- pkg/alertmanager/api_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/alertmanager/api_test.go b/pkg/alertmanager/api_test.go index 9029ef33204..12a52895cb0 100644 --- a/pkg/alertmanager/api_test.go +++ b/pkg/alertmanager/api_test.go @@ -710,7 +710,7 @@ alertmanager_config: | receivers: - name: default-receiver discord_configs: - - webhook_url_file: /tokenFile + - webhook_url_file: /urlFile route: receiver: 'default-receiver' `,