From 9c027b92b69abe6effa32b4c44ef1f48ef2ec0fa Mon Sep 17 00:00:00 2001 From: John ODonnell Date: Mon, 13 Feb 2023 10:50:31 -0500 Subject: [PATCH] Enable SP to retrieve and provide German umlaut chars Uses the Go API function client.RetrieveBatchSecretsSafe, which requests base64 encoded secrets from Conjur, and returns a map of variable IDs to decoded values. Secrets Provider can now inject binary secret values, including strings with special characters. --- CHANGELOG.md | 6 +++ deploy/config/k8s/k8s-secret.yml | 1 + .../config/k8s/test-env-k8s-rotation.sh.yml | 5 +++ deploy/config/k8s/test-env.sh.yml | 5 +++ deploy/config/openshift/k8s-secret.yml | 1 + deploy/config/openshift/test-env.sh.yml | 5 +++ .../secrets-provider-init-container.sh.yml | 5 +++ .../k8s/secrets-provider-k8s-rotation.sh.yml | 5 +++ deploy/policy/load_policies.sh | 1 + .../templates/conjur-secrets.template.sh.yml | 1 + ...riables_with_german_umlaut_successfully.sh | 8 ++++ pkg/secrets/clients/conjur/conjur_client.go | 8 ++-- .../conjur/conjur_secrets_retriever.go | 2 +- .../provide_conjur_secrets_test.go | 38 +++++++++++++++++++ 14 files changed, 86 insertions(+), 5 deletions(-) create mode 100755 deploy/test/test_cases/TEST_ID_1.5_providing_variables_with_german_umlaut_successfully.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index 10531273..4860a8c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] +## [1.5.0] - 2023-02-13 + +### Added +- Adds support for binary secret values and values with special characters. + [cyberark/secrets-provider-for-k8s#500](https://github.com/cyberark/secrets-provider-for-k8s/pull/500) + ## [1.4.6] - 2023-01-26 ### Security diff --git a/deploy/config/k8s/k8s-secret.yml b/deploy/config/k8s/k8s-secret.yml index 1cbce6c6..86b0b315 100644 --- a/deploy/config/k8s/k8s-secret.yml +++ b/deploy/config/k8s/k8s-secret.yml 
@@ -8,4 +8,5 @@ stringData: secret: secrets/test_secret var_with_spaces: secrets/var with spaces var_with_pluses: secrets/var+with+pluses + var_with_umlaut: secrets/umlaut non-conjur-key: some-value diff --git a/deploy/config/k8s/test-env-k8s-rotation.sh.yml b/deploy/config/k8s/test-env-k8s-rotation.sh.yml index 466a3e66..2f66ead1 100755 --- a/deploy/config/k8s/test-env-k8s-rotation.sh.yml +++ b/deploy/config/k8s/test-env-k8s-rotation.sh.yml @@ -64,6 +64,11 @@ spec: secretKeyRef: name: test-k8s-secret key: var_with_pluses + - name: VARIABLE_WITH_UMLAUT_SECRET + valueFrom: + secretKeyRef: + name: test-k8s-secret + key: var_with_umlaut - name: NON_CONJUR_SECRET valueFrom: secretKeyRef: diff --git a/deploy/config/k8s/test-env.sh.yml b/deploy/config/k8s/test-env.sh.yml index 8e067b20..4855d526 100755 --- a/deploy/config/k8s/test-env.sh.yml +++ b/deploy/config/k8s/test-env.sh.yml @@ -51,6 +51,11 @@ spec: secretKeyRef: name: test-k8s-secret key: var_with_pluses + - name: VARIABLE_WITH_UMLAUT_SECRET + valueFrom: + secretKeyRef: + name: test-k8s-secret + key: var_with_umlaut - name: NON_CONJUR_SECRET valueFrom: secretKeyRef: diff --git a/deploy/config/openshift/k8s-secret.yml b/deploy/config/openshift/k8s-secret.yml index 1cbce6c6..86b0b315 100644 --- a/deploy/config/openshift/k8s-secret.yml +++ b/deploy/config/openshift/k8s-secret.yml @@ -8,4 +8,5 @@ stringData: secret: secrets/test_secret var_with_spaces: secrets/var with spaces var_with_pluses: secrets/var+with+pluses + var_with_umlaut: secrets/umlaut non-conjur-key: some-value diff --git a/deploy/config/openshift/test-env.sh.yml b/deploy/config/openshift/test-env.sh.yml index cf6f38af..2f177792 100755 --- a/deploy/config/openshift/test-env.sh.yml +++ b/deploy/config/openshift/test-env.sh.yml 
@@ -50,6 +50,11 @@ spec: secretKeyRef: name: test-k8s-secret key: var_with_pluses + - name: VARIABLE_WITH_UMLAUT_SECRET + valueFrom: + secretKeyRef: + name: test-k8s-secret + key: var_with_umlaut - name: NON_CONJUR_SECRET valueFrom: secretKeyRef: diff --git a/deploy/dev/config/k8s/secrets-provider-init-container.sh.yml b/deploy/dev/config/k8s/secrets-provider-init-container.sh.yml index cd2b0bcd..10a8876b 100755 --- a/deploy/dev/config/k8s/secrets-provider-init-container.sh.yml +++ b/deploy/dev/config/k8s/secrets-provider-init-container.sh.yml @@ -41,6 +41,11 @@ spec: secretKeyRef: name: test-k8s-secret key: var_with_pluses + - name: VARIABLE_WITH_UMLAUT_SECRET + valueFrom: + secretKeyRef: + name: test-k8s-secret + key: var_with_umlaut - name: NON_CONJUR_SECRET valueFrom: secretKeyRef: diff --git a/deploy/dev/config/k8s/secrets-provider-k8s-rotation.sh.yml b/deploy/dev/config/k8s/secrets-provider-k8s-rotation.sh.yml index 3c576354..aa73be79 100755 --- a/deploy/dev/config/k8s/secrets-provider-k8s-rotation.sh.yml +++ b/deploy/dev/config/k8s/secrets-provider-k8s-rotation.sh.yml @@ -64,6 +64,11 @@ spec: secretKeyRef: name: test-k8s-secret key: var_with_pluses + - name: VARIABLE_WITH_UMLAUT_SECRET + valueFrom: + secretKeyRef: + name: test-k8s-secret + key: var_with_umlaut - name: NON_CONJUR_SECRET valueFrom: secretKeyRef: diff --git a/deploy/policy/load_policies.sh b/deploy/policy/load_policies.sh index 4a83d1ea..f6715c7b 100755 --- a/deploy/policy/load_policies.sh +++ b/deploy/policy/load_policies.sh 
@@ -35,6 +35,7 @@ done conjur variable values add secrets/test_secret "some-secret" conjur variable values add "secrets/var with spaces" "some-secret" conjur variable values add "secrets/var+with+pluses" "some-secret" +conjur variable values add "secrets/umlaut" "some-secret" conjur variable values add secrets/url "postgresql://test-app-backend.app-test.svc.cluster.local:5432" conjur variable values add secrets/username "some-user" conjur variable values add secrets/password "7H1SiSmYp@5Sw0rd" diff --git a/deploy/policy/templates/conjur-secrets.template.sh.yml b/deploy/policy/templates/conjur-secrets.template.sh.yml index bde1c1dd..f76552e0 100755 --- a/deploy/policy/templates/conjur-secrets.template.sh.yml +++ b/deploy/policy/templates/conjur-secrets.template.sh.yml @@ -11,6 +11,7 @@ cat << EOL - !variable another_test_secret - !variable var with spaces - !variable var+with+pluses + - !variable umlaut - !variable url - !variable username - !variable password diff --git a/deploy/test/test_cases/TEST_ID_1.5_providing_variables_with_german_umlaut_successfully.sh b/deploy/test/test_cases/TEST_ID_1.5_providing_variables_with_german_umlaut_successfully.sh new file mode 100755 index 00000000..766fb65e --- /dev/null +++ b/deploy/test/test_cases/TEST_ID_1.5_providing_variables_with_german_umlaut_successfully.sh @@ -0,0 +1,8 @@ +#!/bin/bash +set -euxo pipefail + +create_secret_access_role + +create_secret_access_role_binding + +test_secret_is_provided "ÄäÖöÜü" "secrets/umlaut" "VARIABLE_WITH_UMLAUT_SECRET" diff --git a/pkg/secrets/clients/conjur/conjur_client.go b/pkg/secrets/clients/conjur/conjur_client.go index ba48c451..d9da0c64 100644 --- a/pkg/secrets/clients/conjur/conjur_client.go +++ b/pkg/secrets/clients/conjur/conjur_client.go 
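Review bot: The new end-to-end case in TEST_ID_1.5 only exercises a valid UTF-8 value (`"ÄäÖöÜü"`), while the commit title and the CHANGELOG entry claim support for binary secret values; a second case whose expected value is not valid UTF-8 would cover the path where raw bytes are most likely to be mangled (the Kubernetes Secret data encoding), which the Go unit test in this patch only reaches through a mock client. Note also that load_policies.sh seeds `secrets/umlaut` with `"some-secret"` rather than the umlaut string — presumably `test_secret_is_provided` writes the value itself before asserting, but that helper is not visible here, so confirm the seed is not what the assertion ends up reading. If a binary case is added, the expected bytes need to reach the harness in a form the shell does not normalise (for instance built with `printf` into a variable) so the comparison stays byte-exact.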
@@ -8,13 +8,13 @@ import ( ) /* - Client for communication with Conjur. In this project it is used only for - batch secrets retrieval so we expose only this method of the client. +Client for communication with Conjur. In this project it is used only for +batch secrets retrieval so we expose only this method of the client. - The name ConjurClient also improves readability as Client can be ambiguous. +The name ConjurClient also improves readability as Client can be ambiguous. */ type ConjurClient interface { - RetrieveBatchSecrets([]string) (map[string][]byte, error) + RetrieveBatchSecretsSafe([]string) (map[string][]byte, error) } func NewConjurClient(tokenData []byte) (ConjurClient, error) { diff --git a/pkg/secrets/clients/conjur/conjur_secrets_retriever.go b/pkg/secrets/clients/conjur/conjur_secrets_retriever.go index 5a42cb3e..3ffeca3a 100644 --- a/pkg/secrets/clients/conjur/conjur_secrets_retriever.go +++ b/pkg/secrets/clients/conjur/conjur_secrets_retriever.go @@ -83,7 +83,7 @@ func retrieveConjurSecrets(accessToken []byte, variableIDs []string) (map[string return nil, log.RecordedError(messages.CSPFK033E) } - retrievedSecretsByFullIDs, err := conjurClient.RetrieveBatchSecrets(variableIDs) + retrievedSecretsByFullIDs, err := conjurClient.RetrieveBatchSecretsSafe(variableIDs) if err != nil { return nil, err } diff --git a/pkg/secrets/k8s_secrets_storage/provide_conjur_secrets_test.go b/pkg/secrets/k8s_secrets_storage/provide_conjur_secrets_test.go index 661831ea..58175baa 100644 --- a/pkg/secrets/k8s_secrets_storage/provide_conjur_secrets_test.go +++ b/pkg/secrets/k8s_secrets_storage/provide_conjur_secrets_test.go @@ -18,6 +18,8 @@ var testConjurSecrets = map[string]string{ "conjur/var/path2": "secret-value2", "conjur/var/path3": "secret-value3", "conjur/var/path4": "secret-value4", + "conjur/var/umlaut": "ÄäÖöÜü", + "conjur/var/binary": "\xf0\xff\x4a\xc3", "conjur/var/empty-secret": "", } 
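Review bot: `RetrieveBatchSecretsSafe` is now the only method of the `ConjurClient` interface, but neither the type comment nor the method says what distinguishes it from the `RetrieveBatchSecrets` it replaces, and that difference is the whole point of the commit; add a method comment such as `// RetrieveBatchSecretsSafe fetches the given variable IDs from Conjur using base64-encoded transport and returns the decoded bytes, so values that are not valid UTF-8 round-trip intact.` The one-line call-site change in conjur_secrets_retriever.go (the next hunk) would then be self-explanatory. Any other implementation of ConjurClient in the repository, such as a test mock, must be renamed as well; none is touched by this patch, so I cannot confirm they still satisfy the interface, and if the base64 transport needs server-side support the minimum Conjur version should be stated in the CHANGELOG entry — that is not determinable from the hunk. NewConjurClient's body continues outside the hunk.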
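Review bot: The `"conjur/var/binary"` fixture entry deserves a comment stating that the bytes are deliberately not valid UTF-8 (`\xf0` opens a four-byte sequence that `\xff` cannot continue), because a later reader may otherwise take it for a typo and "fix" it: `"conjur/var/binary": "\xf0\xff\x4a\xc3", // intentionally invalid UTF-8`. The literal itself is fine in a Go string-valued map; the comment only protects the intent. The testConjurSecrets declaration starts outside the hunk.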
@@ -287,6 +289,42 @@ func TestProvide(t *testing.T) { ), }, }, + { + desc: "Happy path, secret with umlaut characters", + k8sSecrets: k8sStorageMocks.K8sSecrets{ + "k8s-secret1": { + "conjur-map": {"secret1": "conjur/var/umlaut"}, + }, + }, + requiredSecrets: []string{"k8s-secret1"}, + asserts: []assertFunc{ + assertSecretsUpdated( + expectedK8sSecrets{ + "k8s-secret1": {"secret1": "ÄäÖöÜü"}, + }, + expectedMissingValues{}, + false, + ), + }, + }, + { + desc: "Happy path, binary secret", + k8sSecrets: k8sStorageMocks.K8sSecrets{ + "k8s-secret1": { + "conjur-map": {"secret1": "conjur/var/binary"}, + }, + }, + requiredSecrets: []string{"k8s-secret1"}, + asserts: []assertFunc{ + assertSecretsUpdated( + expectedK8sSecrets{ + "k8s-secret1": {"secret1": "\xf0\xff\x4a\xc3"}, + }, + expectedMissingValues{}, + false, + ), + }, + }, { desc: "K8s Secrets maps to a non-existent Conjur secret", k8sSecrets: k8sStorageMocks.K8sSecrets{
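Review bot: Both new table cases assert that the value stored under `k8s-secret1` equals the fixture value byte for byte, which checks that the storage layer does not mangle non-UTF-8 data but — assuming the ConjurClient used by TestProvide is a mock that returns `testConjurSecrets` verbatim (the mock is not in this patch) — does not exercise the base64 decoding in `RetrieveBatchSecretsSafe` that the commit relies on. A test at the client layer, for example against an `httptest.Server` that returns a base64-encoded batch response, would cover the decoding path. The two cases also repeat the umlaut string and the binary bytes already present in `testConjurSecrets`; reading the expected value from that map (`testConjurSecrets["conjur/var/binary"]`) keeps the fixture and the assertion from drifting apart. The TestProvide table starts and ends outside the hunk.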