PathSplitPrefix helper fails to properly handle engine mounts with '/' characters
vanveele opened this issue · comments
The method used to predict the secret engine mountpath in PathSplitPrefix fails to handle cases where the mount path includes one or more '/' characters.
e.g.
$ vault secrets list
Path                        Type        Accessor            Description
----                        ----        --------            -----------
cubbyhole/                  cubbyhole   cubbyhole_9bb160ea  per-token private secret storage
identity/                   identity    identity_0e3746c2   identity store
non-prod/staging/secrets/   kv          kv_a914dea7         n/a
prod/secrets/               kv          kv_55c5c07c         n/a
sys/                        system      system_11cdf9da     system endpoints used for control, policy and debugging
For example, the k/v v2 mount path 'prod/secrets' or 'non-prod/staging/secrets', which are valid and permitted by Vault, may contain the following secrets:
prod/secrets
├── appA
│   └── creds
└── appB
    ├── creds
    └── tls
non-prod/staging/secrets
├── appA
│   └── creds
└── appB
    ├── creds
    └── tls
When importing or exporting using medusa, the path prod/secrets/appB/tls
will be broken into:
{ "engine": "prod", "prefix": "secrets/appB/tls" }
which causes the client API request (for k/v v2) to target https://vault.example.com:8200/v1/prod/data/secrets/appB/tls
which fails.
The correct split would result in:
{ "engine": "prod/secrets", "prefix": "appB/tls" }
and the API URL: https://vault.example.com:8200/v1/prod/secrets/data/appB/tls
I have confirmed a workaround that borrows heavily from the Vault CLI tool's own method of splitting the mount path from the secret path, which I can include here unless you prefer a cleanroom implementation.
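As an added example (not medusa's code and not the workaround the reporter refers to), the following Go program puts the first-segment split the issue describes next to a mount-aware split that picks the longest known mount path, and builds the KV v2 data URL from each. It assumes a static list of mount paths, constructed here from the `vault secrets list` output above; the names knownMounts, naiveSplit, splitOnMount and kvV2DataURL are hypothetical. Vault's own CLI instead asks the server which mount a path belongs to (the sys/internal/ui/mounts endpoint); the static list stands in for that lookup so the example runs offline.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// knownMounts is constructed from the `vault secrets list` output in the issue.
var knownMounts = []string{
	"cubbyhole/",
	"identity/",
	"non-prod/staging/secrets/",
	"prod/secrets/",
	"sys/",
}

// naiveSplit is the behaviour the issue describes: cut at the first '/'.
// It is wrong for any mount whose path itself contains a '/'.
func naiveSplit(secretPath string) (engine, prefix string) {
	p := strings.Trim(secretPath, "/")
	parts := strings.SplitN(p, "/", 2)
	if len(parts) == 1 {
		return parts[0], ""
	}
	return parts[0], parts[1]
}

// splitOnMount splits secretPath into the mount path of the engine it lives in
// and the path relative to that mount. Mounts are tried longest first so the
// most specific one wins (e.g. "prod/secrets/" over a hypothetical "prod/"),
// and a mount only matches on a whole path segment, so a hypothetical
// "prod/sec/" mount would not claim "prod/secrets/...".
func splitOnMount(secretPath string, mounts []string) (engine, prefix string, err error) {
	p := strings.Trim(secretPath, "/")
	candidates := make([]string, 0, len(mounts))
	for _, m := range mounts {
		candidates = append(candidates, strings.Trim(m, "/"))
	}
	sort.Slice(candidates, func(i, j int) bool { return len(candidates[i]) > len(candidates[j]) })
	for _, m := range candidates {
		if p == m {
			// the path is the mount itself: nothing left below it
			return m, "", nil
		}
		if strings.HasPrefix(p, m+"/") {
			return m, strings.TrimPrefix(p, m+"/"), nil
		}
	}
	return "", "", fmt.Errorf("no known mount for path %q", secretPath)
}

// kvV2DataURL builds the KV v2 data endpoint: /v1/<mount>/data/<relative path>.
func kvV2DataURL(addr, engine, prefix string) string {
	return strings.TrimRight(addr, "/") + "/v1/" + engine + "/data/" + prefix
}

func main() {
	const addr = "https://vault.example.com:8200"
	for _, path := range []string{"prod/secrets/appB/tls", "non-prod/staging/secrets/appA/creds"} {
		ne, np := naiveSplit(path)
		fmt.Printf("naive: %s -> %s\n", path, kvV2DataURL(addr, ne, np))
		e, p, err := splitOnMount(path, knownMounts)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("mount: %s -> %s\n", path, kvV2DataURL(addr, e, p))
	}
}
```

A path under no listed mount returns an error rather than a guessed engine, which is the safer failure for an import tool: a silently mis-split path would write secrets under the wrong mount if that mount happens to exist.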
Hi @vanveele
Thank you for posting this issue. I have obviously never thought about having a slash in the engine name. But you are totally right that this is breaking medusa. I'm not sure about how to handle this without splitting the path into two separate parameters in medusa. And I don't really like that solution.
I would love to see your workaround. So sure you can post it here. That would be awesome, and maybe we can come up with a good solution together!
I'd like to add some tests for the provided PR but wanted to provide my current workaround for comments.
It looks good. And it is passing my current tests. Will add some more when I get time. For now it's merged to master.
Thank you for your contribution and remember to ⭐ the project if you feel for it :)