diff --git a/Cargo.lock b/Cargo.lock index 30537aabbffb5..8558be7f4643b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3950,12 +3950,12 @@ dependencies = [ [[package]] name = "evmap" -version = "11.0.0" +version = "10.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1b8874945f036109c72242964c1174cf99434e30cfa45bf45fedc983f50046f8" +checksum = "6e3ea06a83f97d3dc2eb06e51e7a729b418f0717a5558a5c870e3d5156dc558d" dependencies = [ "hashbag", - "left-right", + "slab", "smallvec", ] @@ -4394,21 +4394,6 @@ dependencies = [ "tokio-io", ] -[[package]] -name = "generator" -version = "0.8.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "52f04ae4152da20c76fe800fa48659201d5cf627c5149ca0b707b69d7eef6cf9" -dependencies = [ - "cc", - "cfg-if", - "libc", - "log", - "rustversion", - "windows-link 0.2.0", - "windows-result", -] - [[package]] name = "generic-array" version = "0.14.7" @@ -4507,7 +4492,7 @@ dependencies = [ "serde_derive", "serde_json", "simpl", - "smpl_jwt 0.8.0", + "smpl_jwt", "time", "tokio", ] @@ -6194,17 +6179,6 @@ dependencies = [ "spin 0.5.2", ] -[[package]] -name = "left-right" -version = "0.11.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0f0c21e4c8ff95f487fb34e6f9182875f42c84cef966d29216bf115d9bba835a" -dependencies = [ - "crossbeam-utils", - "loom", - "slab", -] - [[package]] name = "lexical-core" version = "1.0.6" @@ -6464,19 +6438,6 @@ dependencies = [ "prost-types 0.12.6", ] -[[package]] -name = "loom" -version = "0.7.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "419e0dc8046cb947daa77eb95ae174acfbddb7673b4151f56d1eed8e93fbfaca" -dependencies = [ - "cfg-if", - "generator", - "scoped-tls", - "tracing 0.1.44", - "tracing-subscriber", -] - [[package]] name = "lru" version = "0.12.5" 
@@ -10478,22 +10439,6 @@ dependencies = [ "time", ] -[[package]] -name = "smpl_jwt" -version = "0.9.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a45432dc6b645c982d4ef68966b4507fb57d98ca67289df780cd7ca4a4369f5e" -dependencies = [ - "base64 0.22.1", - "log", - "openssl", - "serde", - "serde_derive", - "serde_json", - "simpl", - "time", -] - [[package]] name = "snafu" version = "0.7.5" @@ -12688,7 +12633,7 @@ dependencies = [ "serial_test", "similar-asserts", "smallvec", - "smpl_jwt 0.9.0", + "smpl_jwt", "snafu 0.8.9", "snap", "socket2 0.5.10", diff --git a/changelog.d/24780_secret_resolution_with_path_separators.fix.md b/changelog.d/24780_secret_resolution_with_path_separators.fix.md new file mode 100644 index 0000000000000..698cebec3391f --- /dev/null +++ b/changelog.d/24780_secret_resolution_with_path_separators.fix.md @@ -0,0 +1,4 @@ +Fixed an issue where directory secret backends failed to resolve secrets organized in subdirectories +(e.g., Kubernetes mounted secrets at paths like: `/secrets/my-secrets/username`) + +authors: pront vparfonov diff --git a/src/config/loading/secret.rs b/src/config/loading/secret.rs index a7e27901b3811..8877c3d1f5494 100644 --- a/src/config/loading/secret.rs +++ b/src/config/loading/secret.rs 
@@ -25,10 +25,11 @@ use crate::{ // - "SECRET[backend.secret_name]" will match and capture "backend" and "secret_name" // - "SECRET[backend.secret.name]" will match and capture "backend" and "secret.name" // - "SECRET[backend..secret.name]" will match and capture "backend" and ".secret.name" +// - "SECRET[backend.path/to/secret]" will match and capture "backend" and "path/to/secret" // - "SECRET[secret_name]" will not match // - "SECRET[.secret.name]" will not match pub static COLLECTOR: LazyLock = - LazyLock::new(|| Regex::new(r"SECRET\[([[:word:]]+)\.([[:word:].-]+)\]").unwrap()); + LazyLock::new(|| Regex::new(r"SECRET\[([[:word:]]+)\.([[:word:].\-/]+)\]").unwrap()); /// Helper type for specifically deserializing secrets backends. #[derive(Debug, Default, Deserialize, Serialize)] @@ -182,6 +183,8 @@ mod tests { let secrets: HashMap = vec![ ("a.secret.key".into(), "value".into()), ("a...key".into(), "a...value".into()), + ("backend.path/to/secret".into(), "secret_value".into()), + ("backend.nested/dir/file".into(), "nested_value".into()), ] .into_iter() .collect(); @@ -203,6 +206,14 @@ mod tests { Ok("a...value".into()), interpolate("SECRET[a...key]", &secrets) ); + assert_eq!( + Ok("secret_value".into()), + interpolate("SECRET[backend.path/to/secret]", &secrets) + ); + assert_eq!( + Ok("nested_value".into()), + interpolate("SECRET[backend.nested/dir/file]", &secrets) + ); assert_eq!( Ok("xxxSECRET[non_matching_syntax]yyy".into()), interpolate("xxxSECRET[non_matching_syntax]yyy", &secrets) @@ -227,6 +238,8 @@ mod tests { SECRET[second_backend.secret.key] SECRET[first_backend.a_third.secret_key] SECRET[first_backend...an_extra_secret_key] + SECRET[first_backend.path/to/secret] + SECRET[second_backend.nested/dir/secret] SECRET[non_matching_syntax] SECRET[.non.matching.syntax] "}, 
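Review bot: Widening the secret-name class in `COLLECTOR` to accept `/` means a name can now be a relative or absolute path fragment (`..` segments were already admitted by the `.` in the class, and a name may begin with `/`), so whichever backend turns the captured name into a filesystem path must validate it before reading; that resolution code is outside this diff, so I cannot tell whether it already does. A reasonable guard there is to reject names containing a `..` component or starting with `/`, and to confirm the joined path still lies under the configured directory, since `Path::join` with an absolute right-hand side discards the base. The test hunks at -182/-203 and -227 in this file and the `secret.toml` hunk only exercise accepted shapes, and one negative case asserting that such a name is not resolved would pin that boundary. The comment line added above the regex could also state the contract, e.g. `// Secret names may contain word characters, '.', '-' and '/'; backends must validate any path they derive from them.`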
@@ -237,17 +250,19 @@ mod tests { assert!(keys.contains_key("second_backend")); let first_backend_keys = keys.get("first_backend").unwrap(); - assert_eq!(first_backend_keys.len(), 5); + assert_eq!(first_backend_keys.len(), 6); assert!(first_backend_keys.contains("secret_key")); assert!(first_backend_keys.contains("secret-key")); assert!(first_backend_keys.contains("another_secret_key")); assert!(first_backend_keys.contains("a_third.secret_key")); assert!(first_backend_keys.contains("..an_extra_secret_key")); + assert!(first_backend_keys.contains("path/to/secret")); let second_backend_keys = keys.get("second_backend").unwrap(); - assert_eq!(second_backend_keys.len(), 2); + assert_eq!(second_backend_keys.len(), 3); assert!(second_backend_keys.contains("secret_key")); assert!(second_backend_keys.contains("secret.key")); + assert!(second_backend_keys.contains("nested/dir/secret")); } #[test] diff --git a/tests/behavior/config/secret.toml b/tests/behavior/config/secret.toml index a4066e5ca5e3c..24432c0bf0ef4 100644 --- a/tests/behavior/config/secret.toml +++ b/tests/behavior/config/secret.toml @@ -23,6 +23,8 @@ .foobarbaz = "SECRET[exec_backend.def]" .foobarbazqux = "SECRET[file_backend.ghi]" .foobarbazquxquux = "SECRET[directory_backend.jkl]" + .nested_path_username = "SECRET[directory_backend.nested/username]" + .nested_path_password = "SECRET[directory_backend.nested/password]" ''' [[tests]] @@ -40,4 +42,6 @@ .foobarbaz == "def.retrieved" .foobarbazqux == "ghi.retrieved" .foobarbazquxquux == "jkl.retrieved" + .nested_path_username == "Gandalf" + .nested_path_password == "YouShallNotPass" ''' diff --git a/tests/data/secret-backends/directory-secrets/nested/password b/tests/data/secret-backends/directory-secrets/nested/password new file mode 100644 index 0000000000000..af0c367026544 --- /dev/null +++ b/tests/data/secret-backends/directory-secrets/nested/password @@ -0,0 +1 @@ +YouShallNotPass \ No newline at end of file 
diff --git a/tests/data/secret-backends/directory-secrets/nested/username b/tests/data/secret-backends/directory-secrets/nested/username new file mode 100644 index 0000000000000..9a1b235840c3c --- /dev/null +++ b/tests/data/secret-backends/directory-secrets/nested/username @@ -0,0 +1 @@ +Gandalf \ No newline at end of file