hairyhenderson/gomplate

bug: can't retrieve from Vault KVv2 mounts with slashes in the name

Closed this issue · 6 comments

Describe the bug:

In gomplate v4, the automatic injection of the /data segment after the mount point for Vault KV v2 is causing data retrieval failures. This behavior does not honor the current workaround of manually including the /data segment after the mount point, which worked in gomplate v3.11.8. The resulting URL construction by gomplate v4 is incorrect and leads to permission denied errors.

Specifically, when the path is provided as ui/secrets/data/rest/of/the/path, gomplate v4 incorrectly transforms it to ui/data/secrets/data/rest/of/the/path.

Example error:
failed with: GET https://vault.example.com:8200/v1/ui/data/secrets/data/path/to/secret - 403, details: 1 error occurred: permission denied : file does not exist

Furthermore, the policies defined in Vault do not recognize this new path structure (ui/data/secrets/data/rest/of/the/path), leading to permission issues. This would require rewriting all the policies to accommodate the new path.

Expected behaviour:

gomplate should correctly handle the Vault KV v2 paths by either:

  1. Not injecting an additional /data segment if it's already included in the provided path.
  2. Allowing users to disable this automatic behavior through a configuration option.

Steps to reproduce the bug:

  1. Create a secret at ui/secrets/data/rest/of/the/path.
  2. Define a policy that grants read access to ui/secrets/data/rest/of/the/path.
  3. Use gomplate v4 to retrieve the secret with a URL that includes the /data segment:
    secrets: "{{ (datasource "vault" "ui/secrets/data/rest/of/the/path").data.value }}"
  4. Run gomplate with the correct Vault address:
    gomplate --datasource vault=vault://vault.example.com:8200 -f config.yaml
  5. Observe the 403 Permission Denied error due to incorrect URL construction.

Anything else we need to know?:

  • The same setup works correctly with gomplate v3.11.8.

/kind bug

Hi @nedal87, thanks for reporting this and sorry you ran into it!

I never intended the workaround to be necessary in v4, because v4 properly supports the Vault KV v2 API. But I see I failed to update the documentation!

Can you clarify a few things for me?

  1. what is your mount-point in this case? is it ui? or ui/secrets? I didn't think mount-points could have slashes in them, but apparently this is possible
  2. does it work if you remove data from your path?

Hi, thanks for your feedback 😀

  • The mount-point is exactly ui/secrets and it contains more than one slash in most cases
  • Gomplate fails even without /data/ in the path

yeah ok, this is a bug in go-fsimpl where the mount point is assumed to not contain slashes:

https://github.com/hairyhenderson/go-fsimpl/blob/fb09b87452605bbd704d15aa92b532284634e6e1/vaultfs/vault.go#L257

@tewfik-ghariani/@nedal87 just to be sure, can you test with a mount point that doesn't have any slashes and confirm that it's working correctly for you?

I've filed hairyhenderson/go-fsimpl#730 to track the bug in go-fsimpl but will keep this one open since I'll need to update gomplate too once it's fixed, and add some additional integration tests to account for it.

(also I've updated the title to reflect the underlying bug and to help make it a bit more discoverable)
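An added illustration of the path-construction problem discussed in this thread (example code, not go-fsimpl's or gomplate's own): naiveKVv2Path reconstructs the "mount point is the first segment" assumption, while mountAwareKVv2Path takes the mount point as explicit configuration so a mount such as ui/secrets stays intact. Both function names and the sample paths are assumptions made for this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// naiveKVv2Path mirrors the assumption reported above: the first path segment
// is taken to be the mount point, and "data" is inserted right after it.
// With mount "ui/secrets" this yields "ui/data/secrets/...", the path seen in
// the 403 error. Hypothetical reconstruction, not go-fsimpl's code.
func naiveKVv2Path(p string) string {
	p = strings.Trim(p, "/")
	mount, rest, _ := strings.Cut(p, "/")
	return path.Join(mount, "data", rest)
}

// mountAwareKVv2Path receives the KV v2 mount point explicitly, so a mount
// containing slashes is preserved and "data" lands after the whole mount.
// Paths outside the configured mount are rejected rather than guessed at.
func mountAwareKVv2Path(mount, p string) (string, error) {
	mount = strings.Trim(mount, "/")
	p = strings.Trim(p, "/")
	var rest string
	switch {
	case p == mount:
		rest = "" // request for the mount root itself
	case strings.HasPrefix(p, mount+"/"):
		rest = strings.TrimPrefix(p, mount+"/")
	default:
		return "", fmt.Errorf("path %q is not under mount %q", p, mount)
	}
	return path.Join(mount, "data", rest), nil
}

func main() {
	// Constructed sample: the mount point and secret path from the report.
	const mount, secret = "ui/secrets", "ui/secrets/rest/of/the/path"
	fmt.Println("naive:       ", naiveKVv2Path(secret))
	fixed, err := mountAwareKVv2Path(mount, secret)
	fmt.Println("mount-aware: ", fixed, err)
}
```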

FYI I've got a potential fix up here: hairyhenderson/go-fsimpl#738