
fix(vault): reference ending with slash when parsed should not return…
… a key

### Summary

Our docs state here:
https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/reference-format/#secret-key

> If secret key ends with /, then it is not considered as a Secret Key but as a part of Secret Id.
> The difference between Secret Key and Secret Id is that only the Secret Id is sent to vault API,
> and the Secret Key is only used when processing

The logic was not working correctly because it was incorrectly assuming what
`require("socket.url").parse_path` did, that is:

```lua
parse_path("/a")
-- { "a", is_absolute = 1 }
```
```lua
parse_path("/a/")
-- { "a", is_absolute = 1, is_directory = 1 }
```
```lua
parse_path("/a/b")
-- { "a", "b", is_absolute = 1 }
```
```lua
parse_path("/a/b/")
-- { "a", "b", is_absolute = 1, is_directory = 1}
```

This fixes it.

Signed-off-by: Aapo Talvensaari <[email protected]>
bungle authored and pull[bot] committed Aug 29, 2024
1 parent c00af1b commit 6135d0e
Showing 3 changed files with 64 additions and 9 deletions.
@@ -0,0 +1,4 @@
message: |
**Vault**: Reference ending with slash when parsed should not return a key.
type: bugfix
scope: PDK
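--- a/kong/pdk/vault.lua
+++ b/kong/pdk/vault.lua
@@ -146,18 +146,15 @@ local function parse_reference(reference)
 local key
 local parts = parse_path(resource)
 local count = #parts
-if count == 1 then
+if count == 0 then
+return nil, fmt("reference url has invalid path [%s]", reference)
+elseif count == 1 then
 resource = unescape_uri(parts[1])
-
+elseif parts.is_directory then
+resource = unescape_uri(concat(parts, "/", 1, count))
 else
 resource = unescape_uri(concat(parts, "/", 1, count - 1))
-if parts[count] ~= "" then
-key = unescape_uri(parts[count])
-end
-end
-
-if resource == "" then
-return nil, fmt("reference url has invalid path [%s]", reference)
+key = unescape_uri(parts[count])
 end
 
 local config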
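Review bot: The new `elseif parts.is_directory` branch encodes a contract that only the commit message states — luasocket's `parse_path` sets `is_directory` for a trailing slash, and the reference-format docs say such a path is entirely secret id with no key — so a reader of vault.lua cannot tell why a trailing slash changes how the path is split. A comment above the branch would carry that, e.g. `-- a trailing "/" (parts.is_directory) makes the whole path the resource; a key is only taken from the last segment of a non-directory path`. Separately, both `concat` branches unescape after joining, so a `%2F` inside a single segment ends up indistinguishable from a real separator in `resource`; this is pre-existing, but it is worth confirming that the vault backends are meant to treat those as the same secret id, or else unescape each segment before joining. `parse_reference` starts before and continues after this hunk.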
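--- a/spec/01-unit/23-vaults_spec.lua
+++ b/spec/01-unit/23-vaults_spec.lua
@@ -70,6 +70,20 @@ describe("Vault PDK", function()
 assert.is_nil(res.version)
 end)
 
+it("test init path with only slashes does not work", function()
+local res, err = parse_reference("{vault://env}")
+assert.is_nil(res)
+assert.equal("reference url is missing path [{vault://env}]", err)
+
+local res, err = parse_reference("{vault://env/}")
+assert.is_nil(res)
+assert.equal("reference url has empty path [{vault://env/}]", err)
+
+local res, err = parse_reference("{vault://env/////}")
+assert.is_nil(res)
+assert.equal("reference url has invalid path [{vault://env/////}]", err)
+end)
+
 it("test init nested/path", function()
 local res, err = parse_reference("{vault://env/test-secret/test-key}")
 assert.is_nil(err)
@@ -80,6 +94,46 @@ describe("Vault PDK", function()
 assert.is_nil(res.version)
 end)
 
+it("test init nested/path is url decoded", function()
+local res, err = parse_reference("{vault://env/test%3Asecret/test%3Akey}")
+assert.is_nil(err)
+assert.is_nil(res.config)
+assert.is_equal("env", res.name)
+assert.is_equal("test:secret", res.resource)
+assert.is_equal("test:key", res.key)
+assert.is_nil(res.version)
+end)
+
+it("test init nested/path ignores consecutive slashes", function()
+local res, err = parse_reference("{vault://env//////test-secret//////test-key}")
+assert.is_nil(err)
+assert.is_nil(res.config)
+assert.is_equal("env", res.name)
+assert.is_equal("test-secret", res.resource)
+assert.is_equal("test-key", res.key)
+assert.is_nil(res.version)
+end)
+
+it("test init nested/path ending with slash", function()
+local res, err = parse_reference("{vault://env/test-secret/test-key/}")
+assert.is_nil(err)
+assert.is_nil(res.config)
+assert.is_equal("env", res.name)
+assert.is_equal("test-secret/test-key", res.resource)
+assert.is_nil(res.key)
+assert.is_nil(res.version)
+end)
+
+it("test init nested/path ending with slash ignores consecutive slashes", function()
+local res, err = parse_reference("{vault://env//////test-secret//////test-key//////}")
+assert.is_nil(err)
+assert.is_nil(res.config)
+assert.is_equal("env", res.name)
+assert.is_equal("test-secret/test-key", res.resource)
+assert.is_nil(res.key)
+assert.is_nil(res.version)
+end)
+
 it("test init opts", function()
 local res, err = parse_reference("{vault://env/test?opt1=val1}")
 assert.is_nil(err)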
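Review bot: The new cases do not pin the single-segment trailing-slash form, `{vault://env/test-secret/}`, which in `parse_reference` takes the `count == 1` branch rather than the `is_directory` one, so a later change to that branch could start returning a key there without any test failing; an `it` mirroring "test init nested/path ending with slash" with `assert.is_equal("test-secret", res.resource)` and `assert.is_nil(res.key)` would cover it. In "test init path with only slashes does not work", `local res, err` is declared three times in the same scope, which luacheck reports as shadowing; declare it once and reassign with `res, err = parse_reference(...)` for the second and third calls. The enclosing `describe` block starts before and ends after this section.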
