Error parsing HashiCorp Vault policies #97

Open
Dziubey opened this issue May 11, 2022 · 2 comments

Comments


Dziubey commented May 11, 2022

We have recently discovered that some of our users have been deploying Vault policies formatted like below, where the opening curly bracket is placed below the line:

path "secretspath/*"
{
  capabilities = ["create", "read", "update", "delete", "list"]
}

However, Vault accepts that as a valid HCL whether you use CLI, UI or Terraform for the deployment. When parsing this to hcl2, it throws the following error:

lark.exceptions.UnexpectedToken: Unexpected token Token('__ANON_0', '\n') at line 1, column 20.
Expected one of: 
        * LBRACE
        * __ANON_3
        * STRING_LIT

We are using python-hcl2 to create a policy object and then look up its capabilities. This works very well for most of the policies, but there are some formatted like above that can't be properly parsed. Is there a way to fix this, or an easy workaround other than manipulating the policy with some regex before pushing it to hcl2?
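A pre-processing workaround for the policy form in this report, added here as an example (it is not code from python-hcl2 or from this issue): it lifts a lone `{` onto the preceding block-header line before the text is handed to `hcl2.loads`, keeping any comment lines that sat between the header and the brace. The sample policy is constructed; `hcl2.loads` is python-hcl2's real entry point and is only imported inside `load_policy`, so the normaliser itself runs without the package installed.

```python
import re

# Constructed sample: the brace-on-its-own-line form from the issue, plus a
# comment line and a normally formatted block, to show both are preserved.
SAMPLE_POLICY = '''\
path "secretspath/*"
{
  capabilities = ["create", "read", "update", "delete", "list"]
}

# normally formatted block
path "sys/auth" {
  capabilities = ["read"]
}
'''

_COMMENT = re.compile(r"^\s*(#|//)")


def normalize_block_braces(text: str) -> str:
    """Move an opening '{' that sits alone on a line up onto the preceding
    code line, so a block header reads `path "x" {` as python-hcl2's grammar
    expects. Blank and comment lines seen between the header and the brace
    are re-emitted after the joined header, so nothing is dropped."""
    out = []          # lines already accepted
    pending = []      # blank/comment lines not yet placed
    for line in text.splitlines():
        if line.strip() == "{" and out and not out[-1].rstrip().endswith("{"):
            out[-1] = out[-1].rstrip() + " {"
            out.extend(pending)
            pending = []
        elif line.strip() == "" or _COMMENT.match(line):
            pending.append(line)
        else:
            out.extend(pending)
            pending = []
            out.append(line)
    out.extend(pending)
    return "\n".join(out) + "\n"


def load_policy(text: str) -> dict:
    """Normalise, then parse with python-hcl2 (assumed installed)."""
    import hcl2  # real package; imported lazily so normalisation works without it
    return hcl2.loads(normalize_block_braces(text))
```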

@rout39574

I can duplicate this, though I currently see a slightly different exception.


path "sys/auth" {
  capabilities = ["read"]
}

parses;

path "sys/auth" 
{
  capabilities = ["read"]
}

generates an exception.

raise UnexpectedCharacters(lex_state.text, line_ctr.char_pos, line_ctr.line, line_ctr.column,

lark.exceptions.UnexpectedCharacters: <exception str() failed>

@rout39574

This appears to fix the problem:

--- a/hcl2/hcl2.lark
+++ b/hcl2/hcl2.lark
@@ -1,7 +1,7 @@
 start : body
 body : (new_line_or_comment? (attribute | block))* new_line_or_comment?
 attribute : identifier "=" expression
-block : identifier (identifier | STRING_LIT)* "{" body "}"
+block : identifier (identifier | STRING_LIT)* new_line_or_comment? "{" body "}"
 new_line_and_or_comma: new_line_or_comment | "," | "," new_line_or_comment
 new_line_or_comment: ( /\n/ | /#.*\n/ | /\/\/.*\n/ )+
 
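Review bot: the `new_line_or_comment?` added before `"{"` in the `block` rule is a named rule rather than an inlined one, so when it matches it contributes an extra child to the `block` node; check that the transformer that turns a `block` into a dict skips that child (otherwise the newline could end up among the block's labels), and add a fixture with the brace-on-the-next-line form from this issue so the regression stays covered. The change also accepts `#` and `//` comment lines between the labels and the brace, which matches how `body` already treats them and seems reasonable, but worth stating in the changelog.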
