diff --git a/CHANGELOG.md b/CHANGELOG.md index 56b6a35829..8920ec6a3c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. - When a user checks permissions of a non-existing role or a non-existing resource, Conjur now audits a failure message. [cyberark/conjur#2059](https://github.com/cyberark/conjur/issues/2059) +### Changed +- The secrets batch retrieval endpoint now refers to the `Accept-Encoding` header rather than `Accept` to determine the response encoding + [cyberark/conjur#2065](https://github.com/cyberark/conjur/pull/2065) + ## [1.11.4] - 2021-03-09 ### Security diff --git a/app/controllers/secrets_controller.rb b/app/controllers/secrets_controller.rb index 15ff9c3ba0..c1944a2f9b 100644 --- a/app/controllers/secrets_controller.rb +++ b/app/controllers/secrets_controller.rb @@ -78,8 +78,13 @@ def get_secret_from_variable(variable) raise Exceptions::RecordNotFound, variable.resource_id unless secret secret_value = secret.value - accepts_base64 = String(request.headers['Accept']).casecmp?('base64') - accepts_base64 ? Base64.encode64(secret_value) : secret_value + accepts_base64 = String(request.headers['Accept-Encoding']).casecmp?('base64') + if accepts_base64 + response.set_header("Content-Encoding", "base64") + Base64.encode64(secret_value) + else + secret_value + end end def audit_fetch resource, version: nil diff --git a/cucumber/api/features/secrets_batch.feature b/cucumber/api/features/secrets_batch.feature index 19882b7c88..62465d56e2 100644 --- a/cucumber/api/features/secrets_batch.feature +++ b/cucumber/api/features/secrets_batch.feature 
@@ -94,13 +94,14 @@ Feature: Batch retrieval of secrets Scenario: Returns the correct result for binary secrets Given I create a binary secret value for resource "cucumber:variable:secret3" And I add the secret value "v2" to the resource "cucumber:variable:secret2" - And I set the "Accept" header to "base64" + And I set the "Accept-Encoding" header to "base64" When I GET "/secrets?variable_ids=cucumber:variable:secret3,cucumber:variable:secret2" Then the binary data is preserved for "cucumber:variable:secret3" + And the content encoding is "base64" Scenario: Returns the correct result for binary secrets Given I create a binary secret value for resource "cucumber:variable:secret3" - And I set the "Accept" header to "Base64" + And I set the "Accept-Encoding" header to "Base64" When I GET "/secrets?variable_ids=cucumber:variable:secret3" Then the binary data is preserved for "cucumber:variable:secret3" @@ -115,7 +116,7 @@ Feature: Batch retrieval of secrets When I GET "/secrets?variable_ids=cucumber:variable:secret3,cucumber:variable:secret2" Then the HTTP response status code is 500 - Scenario: Omit the Accept header entirely from batch secrets request + Scenario: Omit the Accept-Encoding header entirely from batch secrets request Given I add the secret value "v2" to the resource "cucumber:variable:secret2" When I GET "/secrets?variable_ids=cucumber:variable:secret2" with no default headers Then the JSON should be: diff --git a/cucumber/api/features/step_definitions/response_steps.rb b/cucumber/api/features/step_definitions/response_steps.rb index ee55d229c9..1bcf41f82f 100644 --- a/cucumber/api/features/step_definitions/response_steps.rb +++ b/cucumber/api/features/step_definitions/response_steps.rb 
@@ -58,6 +58,10 @@ expect(@result).to eq(@value) end +Then(/^the content encoding is "([^"]*)"/) do |encoding| + expect(@content_encoding).to eq(encoding) +end + Then(/^the binary data is preserved for "([^"]*)"$/) do |resource_id| data = Base64.decode64(@result[resource_id]) expect(data).to eq(@value) diff --git a/cucumber/api/features/support/rest_helpers.rb b/cucumber/api/features/support/rest_helpers.rb index 1872bc204f..d892fe8797 100644 --- a/cucumber/api/features/support/rest_helpers.rb +++ b/cucumber/api/features/support/rest_helpers.rb @@ -129,6 +129,7 @@ def set_result result @http_status = result.code @content_type = result.headers[:content_type] + @content_encoding = result.headers[:content_encoding] if /^application\/json/.match?(@content_type) @result = JSON.parse(result) @response_api_key = @result['api_key'] if @result.is_a?(Hash)
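Review bot: the `### Changed` entry in CHANGELOG.md leaves out two things a client author needs to know: that base64-encoded responses now also carry a `Content-Encoding: base64` header, and that `Accept: base64` is no longer recognised, so existing callers that relied on it will start receiving raw binary. Suggest spelling both out, e.g. `- Base64-encoded batch responses now include a \`Content-Encoding: base64\` header; the \`Accept: base64\` request header is no longer honoured.`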
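Review bot: in the `secrets_controller.rb` hunk, `Accept-Encoding` is the standard header for registered content-codings (gzip, deflate, br, identity), and the exact `casecmp?('base64')` match means any client that lists more than one coding (`Accept-Encoding: gzip, base64`, or the ubiquitous default `gzip, deflate`) silently gets unencoded bytes back, while the new `Content-Encoding: base64` response header may be rejected or mishandled by HTTP libraries and proxies that only understand the registered codings. Consider splitting the header on commas, stripping any `;q=` parameters, and matching `base64` as one token, and document `base64` as a Conjur-specific coding. The header is also set once per variable from inside the per-secret helper; setting it once in the caller after deciding the encoding would be cleaner.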
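Review bot: the updated scenarios in `secrets_batch.feature` only send a header whose entire value is `base64` or `Base64`; there is no scenario for a multi-valued header such as `Accept-Encoding: gzip, base64`, which is exactly where the exact-match comparison in the controller would fall back to raw bytes, and no negative scenario asserting that `Accept: base64` alone no longer triggers encoding. Adding both would pin down the intended semantics. Minor: two consecutive scenarios share the title `Returns the correct result for binary secrets`; renaming the second (e.g. `... with a mixed-case header value`) makes failures easier to read.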
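Review bot: the new step regex `/^the content encoding is "([^"]*)"/` in `response_steps.rb` lacks the trailing `$` anchor that the neighbouring `the binary data is preserved for "([^"]*)"$` step uses, so it will also match any longer step text beginning with that phrase; add the `$` for consistency and to avoid ambiguous-step matches later.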