amplify-education / python-hcl2

Error parsing HashiCorp Vault policies

Dziubey opened this issue · comments

We have recently discovered that some of our users have been deploying Vault policies formatted like below, where the opening curly bracket is placed below the line:

path "secretspath/*"
{
  capabilities = ["create", "read", "update", "delete", "list"]
}

However, Vault accepts that as a valid HCL whether you use CLI, UI or Terraform for the deployment. When parsing this to hcl2, it throws the following error:

lark.exceptions.UnexpectedToken: Unexpected token Token('__ANON_0', '\n') at line 1, column 20.
Expected one of: 
        * LBRACE
        * __ANON_3
        * STRING_LIT

We are using python-hcl2 to create a policy object and then look up its capabilities. This works very well for most of the policies, but there are some formatted like above that can't be properly parsed. Is there a way to fix this, or an easy workaround other than manipulating the policy with some regex before pushing to hcl2?
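A pre-parse workaround for the brace-on-next-line form described above, as an added example that is not part of the original issue or of python-hcl2. The function name and the sample policy are constructed for illustration, and it assumes policies without heredocs or multi-line strings.

```python
import re

IDENT = r'[A-Za-z_][\w-]*'
# Block header per the `block` rule quoted on this page: an identifier, then
# any number of identifiers or quoted labels, and nothing else on the line.
HEADER = re.compile(rf'^\s*{IDENT}(?:\s+(?:{IDENT}|"(?:[^"\\]|\\.)*"))*\s*$')
BLANK_OR_COMMENT = re.compile(r'^\s*(?:(?:#|//).*)?$')


def normalize_block_braces(text):
    """Move a '{' that opens a block on a later line up onto the header line.

    Blank and comment lines between header and brace are kept and emitted
    after the joined header, so no line of the policy is dropped.
    """
    lines = text.split("\n")
    out = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if HEADER.match(line):
            # Skip blank/comment lines to find what follows the header.
            j = i + 1
            while j < len(lines) and BLANK_OR_COMMENT.match(lines[j]):
                j += 1
            if j < len(lines) and lines[j].lstrip().startswith("{"):
                rest = lines[j].lstrip()[1:]  # anything after the brace
                out.append(line.rstrip() + " {" + rest)
                out.extend(lines[i + 1:j])    # skipped blanks/comments
                i = j + 1
                continue
        out.append(line)
        i += 1
    return "\n".join(out)


# Constructed sample policy (hypothetical path, not from the issue).
SAMPLE = '''path "secret/app/*"
// constructed sample comment
{
  capabilities = ["read", "list"]
}
'''

if __name__ == "__main__":
    print(normalize_block_braces(SAMPLE))
```

Only the position of the opening brace changes, so the capabilities seen by the parser are the ones in the deployed policy text.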

I can duplicate this, though I currently see a slightly different exception.


path "sys/auth" {
  capabilities = ["read"]
}


parses;


path "sys/auth" 
{
  capabilities = ["read"]
}

generates an exception.

raise UnexpectedCharacters(lex_state.text, line_ctr.char_pos, line_ctr.line, line_ctr.column,

lark.exceptions.UnexpectedCharacters: <exception str() failed>

This appears to fix the problem:

--- a/hcl2/hcl2.lark
+++ b/hcl2/hcl2.lark
@@ -1,7 +1,7 @@
 start : body
 body : (new_line_or_comment? (attribute | block))* new_line_or_comment?
 attribute : identifier "=" expression
-block : identifier (identifier | STRING_LIT)* "{" body "}"
+block : identifier (identifier | STRING_LIT)* new_line_or_comment? "{" body "}"
 new_line_and_or_comma: new_line_or_comment | "," | "," new_line_or_comment
 new_line_or_comment: ( /\n/ | /#.*\n/ | /\/\/.*\n/ )+
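Review bot: The optional new_line_or_comment? added before "{" on the block line accepts more than the bare newline from the report. Per the new_line_or_comment rule at the bottom of the hunk, any run of # or // comment lines between the labels and the brace now parses as well. If that is intended, state it in the commit message; otherwise narrow the new element to newlines only. The patch also carries no test: the two path "sys/auth" inputs quoted above (brace on the same line, brace on the next line) would make a natural regression pair.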