gomplate with vault datasource panics when environment variables are unset #83

Closed
drmdrew opened this issue Nov 20, 2016 · 6 comments

@drmdrew

drmdrew commented Nov 20, 2016

gomplate version 1.2.2 with vault datasources will panic if VAULT_ADDR is unset or if other auth strategy failures occur.

Example:

unset VAULT_ADDR
echo -n '{{(datasource "vault" "secret/foo").value}}' | /usr/local/Cellar/gomplate/1.2.2/bin/gomplate -d vault="vault://"

Results in a panic:

panic: runtime error: invalid memory address or nil pointer dereference [recovered]
       	panic: runtime error: invalid memory address or nil pointer dereference [recovered]
       	panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0xf0f0a]
@hairyhenderson
Owner

@drmdrew I don't see a panic...

$ bin/gomplate -v
gomplate version 1.2.2
$ echo -n '{{(datasource "vault" "secret/foo").value}}' | bin/gomplate -d vault="vault://"
2016/11/21 09:19:38 Couldn't read datasource 'vault': Get /v1/secret/foo: unsupported protocol scheme ""

Now, the error message is totally lacking, but that's a different issue

@hairyhenderson
Owner

(and that's with no VAULT_* environment variables)

$ env | grep VAULT | wc -l
0

@drmdrew
Author

drmdrew commented Nov 21, 2016

Weird... I'm still on El Capitan... let me see how gomplate 1.2.2 reacts in a debian:jessie container.

@drmdrew
Author

drmdrew commented Nov 21, 2016

Nope. 💥
docker run -it golang bash

Unable to find image 'golang:latest' locally
latest: Pulling from library/golang
386a066cd84a: Already exists
75ea84187083: Pull complete
88b459c9f665: Pull complete
a31e17eb9485: Pull complete
457559cc1d69: Pull complete
47fe51a74a06: Pull complete
08dacccac43c: Pull complete
Digest: sha256:340212e9c5d062f3bfe58ff02768da70234ea734bd022a357ee6be2a6d963505
Status: Downloaded newer image for golang:latest
root@e59465791a99:/go# go get github.com/hairyhenderson/gomplate
root@e59465791a99:/go# go install github.com/hairyhenderson/gomplate
root@e59465791a99:/go# gomplate -v
gomplate version 0.0.0
root@e59465791a99:/go# echo -n '{{(datasource "vault" "secret/foo").value}}' | bin/gomplate -d vault="vault://"
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
       	panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x4f123a]

@hairyhenderson
Owner

OK, I can reproduce this... Only in a Docker container though (!?!)

Maybe it's a macOS Sierra thing?

@hairyhenderson
Owner

Nope - figured it out, I had a ~/.vault-token lying around.

There's actually a few bugs here. First off is getVaultAddr() doesn't error out when the environment variable is unset or empty (https://github.com/hairyhenderson/gomplate/blob/master/vault/client.go#L39). This is because url.Parse doesn't break on an empty string (https://play.golang.org/p/Yv0RV20KB-). This particular bug would be avoided if we add a check to make sure the string is non-empty before trying to parse it.

The second bug, which is what actually caused the panic, is that getAuthStrategy() returns nil if it can't figure out which strategy to use (https://github.com/hairyhenderson/gomplate/blob/master/vault/client.go#L54). Instead, I think we should have some sort of ErrorAuthStrategy which just errors on GetToken with a good error message.

Or we could have a NoneAuthStrategy which attempts to talk to Vault with no token... But that would probably fail with more obscure errors 😉

Point is, it shouldn't return nil.
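
Added example, not part of the thread and not gomplate's own code: a Go sketch of the two fixes proposed in the comment above, an empty-string check before url.Parse and an error-returning strategy in place of nil. The AuthStrategy interface, the type and function names, and the use of VAULT_TOKEN to select a strategy are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
)

// AuthStrategy is a hypothetical stand-in for what getAuthStrategy() returns.
type AuthStrategy interface{ GetToken(addr *url.URL) (string, error) }

// tokenStrategy (constructed) returns a token taken from the environment.
type tokenStrategy struct{ token string }

func (s tokenStrategy) GetToken(*url.URL) (string, error) { return s.token, nil }

// errorStrategy replaces the nil return: GetToken fails with a clear message.
type errorStrategy struct{ reason string }

func (s errorStrategy) GetToken(*url.URL) (string, error) { return "", errors.New(s.reason) }

// vaultAddr rejects "" first: url.Parse("") returns an empty URL and a nil error.
func vaultAddr(getenv func(string) string) (*url.URL, error) {
	raw := getenv("VAULT_ADDR")
	if raw == "" {
		return nil, errors.New("VAULT_ADDR is unset or empty")
	}
	return url.Parse(raw)
}

// authStrategy never returns nil, so callers cannot dereference a nil strategy.
func authStrategy(getenv func(string) string) AuthStrategy {
	if t := getenv("VAULT_TOKEN"); t != "" { // assumption: token taken from the env only
		return tokenStrategy{token: t}
	}
	return errorStrategy{reason: "no usable vault auth strategy (VAULT_TOKEN is empty)"}
}

// login is a hypothetical caller: both failure modes surface as errors, not panics.
func login(getenv func(string) string) (string, error) {
	addr, err := vaultAddr(getenv)
	if err != nil {
		return "", err
	}
	return authStrategy(getenv).GetToken(addr)
}

func main() {
	_, err := login(os.Getenv)
	fmt.Println("login error:", err)
}
```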
