Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VAULT-528 Fix issue with consul-template not rendering secrets with delete_version_after set on them #1879

Merged
merged 3 commits into from
Feb 13, 2024
Merged

VAULT-528 Fix issue with consul-template not rendering secrets with delete_version_after set on them #1879

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
34ba1bd
VAULT-528 Fix issue with consul-template not rendering secrets with d…
VioletHynes Feb 12, 2024
31622a1
VAULT-528 Improve comment
VioletHynes Feb 13, 2024
072b596
VAULT-528 two extra edge cases
VioletHynes Feb 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ NEW FEATURES:

BUG FIXES:
* Fetch services query not overriding opts correctly [NET-7571](https://hashicorp.atlassian.net/browse/NET-7571)
* Consul-template now correctly renders KVv2 secrets with `delete_version_after` set [NET-3777](https://hashicorp.atlassian.net/browse/NET-3777)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I spotted this as part of researching the bug. I've been doing the work under VAULT-528, but I'm happy to close NET-3777 as a duplicate or something once I merge this. However you folks want to handle it and whatever best fits your process!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please do close NET-3777, this essentially fixes what has been reported.


## v0.36.0 (January 3, 2024)

Expand Down
15 changes: 14 additions & 1 deletion dependency/vault_read.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -176,7 +176,20 @@ func (d *VaultReadQuery) readSecret(clients *ClientSet) (*api.Secret, error) {
func deletedKVv2(s *api.Secret) bool {
switch md := s.Data["metadata"].(type) {
case map[string]interface{}:
return md["deletion_time"] != ""
deletionTime, ok := md["deletion_time"].(string)
if !ok {
// Not a string, end early
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Not a string, end early
// key not present, end early

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we're casting to a string, we'll only go down the !ok codepath will only be gone down if the key isn't present or the value isn't a string. I'll improve the comment to show that it could be both :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated! Please let me know if there's anything else you'd need before approving :)

return false
}
t, err := time.Parse(time.RFC3339, deletionTime)
if err != nil {
// Deletion time is either empty, or not a valid string.
return false
}

// If now is 'after' the deletion time, then the secret
// should be deleted.
return time.Now().After(t)
}
return false
}
Expand Down
60 changes: 60 additions & 0 deletions dependency/vault_read_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -711,3 +711,63 @@ func TestShimKVv2Path(t *testing.T) {
})
}
}

// TestDeletedKVv2 tests that deletedKVv2 returns true and false
// in the correct scenarios.
func TestDeletedKVv2(t *testing.T) {
// Intentionally using string literals here since they are taken
// directly from Vault's API.
assert.True(t, deletedKVv2(&api.Secret{
Data: map[string]interface{}{
"metadata": map[string]interface{}{
"deletion_time": "2022-06-15T20:23:40.067093Z",
},
},
}))
assert.True(t, deletedKVv2(&api.Secret{
Data: map[string]interface{}{
"metadata": map[string]interface{}{
"deletion_time": "2019-06-19T20:56:35.662563Z",
},
},
}))

// It should work with any RFC3339 formatted string
assert.True(t, deletedKVv2(&api.Secret{
Data: map[string]interface{}{
"metadata": map[string]interface{}{
"deletion_time": time.Now().Add(-1 * time.Hour).Format(time.RFC3339),
},
},
}))

assert.False(t, deletedKVv2(&api.Secret{
Data: map[string]interface{}{
"metadata": map[string]interface{}{
"deletion_time": time.Now().Add(time.Hour).String(),
},
},
}))

// Edge cases:
assert.False(t, deletedKVv2(&api.Secret{}))
assert.False(t, deletedKVv2(&api.Secret{
Data: map[string]interface{}{
"metadata": map[string]interface{}{},
},
}))
assert.False(t, deletedKVv2(&api.Secret{
Data: map[string]interface{}{
"metadata": map[string]interface{}{
"deletion_time": "",
},
},
}))
assert.False(t, deletedKVv2(&api.Secret{
Data: map[string]interface{}{
"metadata": map[string]interface{}{
"deletion_time": "foo",
},
},
}))
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd add two more tests that confirm:

  1. that if metadata is missing, false is returned from deletedKVv2
  2. that if metadata's type is something other than map[string]interface{}, false is returned from deletedKVv2

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! Added both :)

}
Loading