Skip to content

Fix erroneous removal of secret prefixes in SecretSource #2007

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jun 27, 2022
Merged

Fix erroneous removal of secret prefixes in SecretSource #2007

merged 5 commits into from
Jun 27, 2022

Conversation

chriskilding
Copy link
Contributor

@chriskilding chriskilding commented Jun 23, 2022
edited by jetersen
Loading

Only remove secret prefixes when they correspond to one of the SecretSource protocol substitutors (e.g. base64:, file:). If a secret prefix is not handled by the substitutors, leave it alone.

fixes #1949

Your checklist for this pull request

🚨 Please review the guidelines for contributing to this repository.

  • Make sure you are requesting to pull a topic/feature/bugfix branch (right side) and not your master branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or in Jenkins JIRA
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Did you provide a test-case? That demonstrates feature works or fixes the issue.

@chriskilding
Copy link
Contributor Author

This is initially WIP, with a failing test that shows the problem.

@chriskilding chriskilding mentioned this pull request Jun 23, 2022
Closed
6 tasks
@chriskilding
Copy link
Contributor Author

Digging deeper, the code flow inside StringSubstitutor (from org.apache.commons:commons-text:1.9), specifically the InterpolatorStringLookup#lookup(String) method looks like it's involved in this bug:

// if var = 'arn:aws:secretsmanager:eu-central-1:123456789012:secret:my-secret'
public String lookup(String var) {
        if (var == null) {
            return null;
        }

        final int prefixPos = var.indexOf(PREFIX_SEPARATOR);       // prefixPos = 3
        if (prefixPos >= 0) {
            final String prefix = toKey(var.substring(0, prefixPos));  // prefix = 'arn'
            final String name = var.substring(prefixPos + 1);          // name = 'aws:secretsmanager:eu-central-1:123456789012:secret:my-secret'
            final StringLookup lookup = stringLookupMap.get(prefix);   // lookup = null (because there is no CasC handler for 'arn' prefixes)
            String value = null;
            if (lookup != null) {                     // statement is skipped
                value = lookup.lookup(name);
            }

            if (value != null) {         // statement is skipped
                return value;
            }
            var = var.substring(prefixPos + 1);      // var = 'aws:secretsmanager:eu-central-1:123456789012:secret:my-secret'
        }
        if (defaultStringLookup != null) {
            return defaultStringLookup.lookup(var);   // ...and the SecretSource implementations are asked to find 'aws:secretsmanager:eu-central-1:123456789012:secret:my-secret'
        }
        return null;
    }

@jetersen
Copy link
Member

jetersen commented Jun 24, 2022
edited
Loading

The bug is located here. Yes, we could write our own string lookup.

            var = var.substring(prefixPos + 1);      // var = 'aws:secretsmanager:eu-central-1:123456789012:secret:my-secret'

@chriskilding
Copy link
Contributor Author

Do you think it's worth reporting this as a bug upstream in org.apache.commons:commons-text?

@chriskilding
Copy link
Contributor Author

(And potentially filing a PR to fix this upstream?)

@jetersen
Copy link
Member

jetersen commented Jun 27, 2022
edited
Loading

If the maintainer says it is not a bug at least a fix could also be to have lookup option to preserve prefix or remove prefix.

Though I honestly think this is a bug. This should not remove the prefix!

// if var = 'arn:aws:secretsmanager:eu-central-1:123456789012:secret:my-secret', preservePrefix = true
    public String lookup(String var, boolean preservePrefix) {
        if (var == null) {
            return null;
        }

        final int prefixPos = var.indexOf(PREFIX_SEPARATOR);       // prefixPos = 3
        if (prefixPos >= 0) {
            final String prefix = toKey(var.substring(0, prefixPos));  // prefix = 'arn'
            final String name = var.substring(prefixPos + 1);          // name = 'aws:secretsmanager:eu-central-1:123456789012:secret:my-secret'
            final StringLookup lookup = stringLookupMap.get(prefix);   // lookup = null (because there is no CasC handler for 'arn' prefixes)
            String value = null;
            if (lookup != null) {                     // statement is skipped
                value = lookup.lookup(name);
            }

            if (value != null) {         // statement is skipped
                return value;
            }
            if (preservePrefix == false) {
                var = var.substring(prefixPos + 1);      // var = 'aws:secretsmanager:eu-central-1:123456789012:secret:my-secret'
            }
        }
        if (defaultStringLookup != null) {
            return defaultStringLookup.lookup(var);   // ...and the SecretSource implementations are asked to find 'arn:aws:secretsmanager:eu-central-1:123456789012:secret:my-secret'
        }
        return null;
    }

@jetersen
Copy link
Member

jetersen commented Jun 27, 2022
edited
Loading

@chriskilding I decided to implement a fix to unblock this 😅

@jetersen
Copy link
Member

We have decent test coverage that I feel comfortable with this change.

@timja @oleg-nenashev WDYT

@jetersen jetersen marked this pull request as ready for review June 27, 2022 21:00
@jetersen jetersen requested a review from a team as a code owner June 27, 2022 21:00
@codecov
Copy link

codecov bot commented Jun 27, 2022
edited
Loading

Codecov Report

Merging #2007 (9dc0258) into master (27c8197) will decrease coverage by 0.02%.
The diff coverage is 79.16%.

@@             Coverage Diff              @@
##             master    #2007      +/-   ##
============================================
- Coverage     80.89%   80.86%   -0.03%     
- Complexity      837      844       +7     
============================================
  Files            71       72       +1     
  Lines          2465     2488      +23     
  Branches        346      351       +5     
============================================
+ Hits           1994     2012      +18     
- Misses          362      365       +3     
- Partials        109      111       +2
Impacted Files Coverage Δ
.../io/jenkins/plugins/casc/SecretSourceResolver.java 100.00% <ø> (ø)
...ns/plugins/casc/FixedInterpolatorStringLookup.java 79.16% <79.16%> (ø)

@timja timja added the bug label Jun 27, 2022
@timja timja enabled auto-merge (squash) June 27, 2022 21:42
@timja timja merged commit d8507b8 into jenkinsci:master Jun 27, 2022
@jetersen jetersen mentioned this pull request Jun 27, 2022
Closed
@chriskilding chriskilding mentioned this pull request Jul 6, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timja timja timja approved these changes

Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow SecretSource implementations to access the original secret name or original secret prefix
3 participants
@chriskilding @jetersen @timja