jonasvinther / medusa

A cli tool for importing and exporting Hashicorp Vault secrets


PathSplitPrefix helper fails to properly handle engine mounts with '/' characters

vanveele opened this issue · comments

The method used to predict the secret engine mount path in PathSplitPrefix fails to handle cases where the mount path includes one or more '/' characters, e.g.:

$ vault secrets list 
Path                         Type         Accessor              Description
----                         ----         --------              -----------
cubbyhole/                   cubbyhole    cubbyhole_9bb160ea    per-token private secret storage
identity/                    identity     identity_0e3746c2     identity store
non-prod/staging/secrets/    kv           kv_a914dea7           n/a
prod/secrets/                kv           kv_55c5c07c           n/a
sys/                         system       system_11cdf9da       system endpoints used for control, policy and debugging

For example, the k/v v2 mount path 'prod/secrets' or 'non-prod/staging/secrets', which are valid and permitted by Vault, may contain the following secrets:

prod/secrets
├── appA
│   └── creds
└── appB
    ├── creds
    └── tls
non-prod/staging/secrets
├── appA
│   └── creds
└── appB
    ├── creds
    └── tls

When importing or exporting using medusa, the path prod/secrets/appB/tls will be broken into:
{ "engine": "prod", "prefix": "secrets/appB/tls" }

which causes the client api request (for k/v v2) to target https://vault.example.com:8200/v1/prod/data/secrets/appB/tls which fails.

The correct split would result in:
{ "engine": "prod/secrets", "prefix": "appB/tls" }

and the api url: https://vault.example.com:8200/v1/prod/secrets/data/appB/tls.

I have confirmed a workaround that borrows heavily from the Vault CLI tool's own method of splitting the mount path from the secret path, which I can include here unless you prefer a cleanroom implementation.
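The split the issue asks for, as an added example that is not medusa's code or the reporter's workaround: instead of cutting at the first '/', resolve the engine by longest-prefix match against the mount table (which a real client would fetch with `client.Sys().ListMounts()`; here the table is constructed from the `vault secrets list` output above). A path under no mount is reported as an error rather than silently mis-split.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Split holds the mount path ("engine") and the key path under it ("prefix"),
// the two fields medusa derives from a full secret path.
type Split struct {
	Engine string
	Prefix string
}

// SplitByMounts resolves the engine for secretPath by longest-prefix match
// against the mount table. mounts are mount paths as Vault reports them
// (trailing slash optional), so "prod/secrets/" is matched as a whole.
func SplitByMounts(secretPath string, mounts []string) (Split, error) {
	p := strings.TrimPrefix(secretPath, "/")
	// Try the longest mount first so "non-prod/staging/secrets/" beats "non-prod/".
	sorted := append([]string(nil), mounts...)
	sort.Slice(sorted, func(i, j int) bool { return len(sorted[i]) > len(sorted[j]) })
	for _, m := range sorted {
		m = strings.Trim(m, "/")
		if m == "" {
			continue
		}
		if p == m || strings.HasPrefix(p, m+"/") {
			rest := strings.TrimPrefix(strings.TrimPrefix(p, m), "/")
			return Split{Engine: m, Prefix: rest}, nil
		}
	}
	return Split{}, fmt.Errorf("no secrets engine mounted for %q", secretPath)
}

// KVv2DataPath builds the API path a k/v v2 read or write must target.
func KVv2DataPath(s Split) string {
	return s.Engine + "/data/" + s.Prefix
}

func main() {
	// Constructed mount table, taken from the `vault secrets list` output in the issue.
	mounts := []string{"cubbyhole/", "identity/", "non-prod/staging/secrets/", "prod/secrets/", "sys/"}
	for _, path := range []string{"prod/secrets/appB/tls", "non-prod/staging/secrets/appA/creds", "prod/appB/tls"} {
		s, err := SplitByMounts(path, mounts)
		if err != nil {
			fmt.Println(err) // "prod/appB/tls" hits no mount and is rejected
			continue
		}
		fmt.Printf("%s -> engine=%q prefix=%q api=v1/%s\n", path, s.Engine, s.Prefix, KVv2DataPath(s))
	}
}
```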

Hi @vanveele
Thank you for posting this issue. I have obviously never thought about having a slash in the engine name. But you are totally right that this is breaking medusa. I'm not sure about how to handle this without splitting the path into two separate parameters in medusa. And I don't really like that solution.
I would love to see your workaround. So sure you can post it here. That would be awesome, and maybe we can come up with a good solution together!

I'd like to add some tests for the provided PR but wanted to provide my current workaround for comments.

It looks good. And it is passing my current tests. Will add some more when I get time. For now it's merged to master.
Thank you for your contribution and remember to ⭐ the project if you feel for it :)