fix: only replace data if it is in the middle of the path (#3852)

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
2024-12-14 11:57:59 +00:00 · 2024-09-02 06:53:04 +02:00 · 2024-09-02 06:53:04 +02:00 · 1309c2c41b
commit 1309c2c41b
parent a861de4f65
2 changed files with 62 additions and 1 deletions
--- a/pkg/provider/vault/client_get.go
+++ b/pkg/provider/vault/client_get.go
@ -221,7 +221,7 @@ func (c *client) buildMetadataPath(path string) (string, error) {
 			return "", errors.New(errPathInvalid)
 		}
 		if c.store.Path == nil {
-			path = strings.Replace(path, "data", "metadata", 1)
+			path = strings.Replace(path, "/data/", "/metadata/", 1)
 			url = path
 		} else {
 			url = fmt.Sprintf("%s/metadata/%s", *c.store.Path, path)
--- a/pkg/provider/vault/client_get_test.go
+++ b/pkg/provider/vault/client_get_test.go
@ -696,6 +696,67 @@ func TestGetSecretPath(t *testing.T) {
 	}
 }

+func TestGetSecretMetadataPath(t *testing.T) {
+	storeV2 := makeValidSecretStore()
+	storeV2NoPath := storeV2.DeepCopy()
+	multiPath := "secret/path"
+	storeV2.Spec.Provider.Vault.Path = &multiPath
+	storeV2NoPath.Spec.Provider.Vault.Path = nil
+
+	storeV1 := makeValidSecretStoreWithVersion(esv1beta1.VaultKVStoreV1)
+	storeV1NoPath := storeV1.DeepCopy()
+	storeV1.Spec.Provider.Vault.Path = &multiPath
+	storeV1NoPath.Spec.Provider.Vault.Path = nil
+
+	type args struct {
+		store    *esv1beta1.VaultProvider
+		path     string
+		expected string
+	}
+	cases := map[string]struct {
+		reason string
+		args   args
+	}{
+		"PathForV1": {
+			reason: "path should compose with mount point if set",
+			args: args{
+				store:    storeV1.Spec.Provider.Vault,
+				path:     "data/test",
+				expected: "secret/path/data/test",
+			},
+		},
+		"PathForV2": {
+			reason: "path should compose with mount point if set without data",
+			args: args{
+				store:    storeV2.Spec.Provider.Vault,
+				path:     "secret/path/data/test",
+				expected: "secret/path/metadata/secret/path/data/test",
+			},
+		},
+		"PathForV2WithData": {
+			reason: "if data is in the path it shouldn't be changed",
+			args: args{
+				store:    storeV2NoPath.Spec.Provider.Vault,
+				path:     "my_data/data/path",
+				expected: "my_data/metadata/path",
+			},
+		},
+	}
+
+	for name, tc := range cases {
+		t.Run(name, func(t *testing.T) {
+			vStore := &client{
+				store: tc.args.store,
+			}
+
+			want, _ := vStore.buildMetadataPath(tc.args.path)
+			if diff := cmp.Diff(want, tc.args.expected); diff != "" {
+				t.Errorf("\n%s\nvault.buildPath(...): -want expected, +got error:\n%s", tc.reason, diff)
+			}
+		})
+	}
+}
+
 func TestSecretExists(t *testing.T) {
 	secret := map[string]any{
 		"foo": "bar",