fix: handles key vault name with double quotes. (#102)

nilekhc · web-flow · commit 3012412996cb · 2021-05-27T12:37:04.000-07:00
* fix: handles vault name with double quotes.

Signed-off-by: Nilekh Chaudhari &lt;1626598+nilekhc@users.noreply.github.com&gt;

* ping

* chore: gofmt

* fix: adds sanitize util method

* fix: updates tests
diff --git a/docs/manual-install.md b/docs/manual-install.md
@@ -73,7 +73,7 @@ This guide demonstrates steps required to enable the KMS Plugin for Key Vault in
         imagePullPolicy: IfNotPresent
         args:
           - --listen-addr=unix:///opt/azurekms.socket             # [OPTIONAL] gRPC listen address. Default is unix:///opt/azurekms.socket
-          - --keyvault-name=${KV_NAME}                            # [REQUIRED] Name of the keyvault
+          - --keyvault-name=${KV_NAME}                            # [REQUIRED] Name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name
           - --key-name=${KEY_NAME}                                # [REQUIRED] Name of the keyvault key used for encrypt/decrypt
           - --key-version=${KEY_VERSION}                          # [REQUIRED] Version of the key to use
           - --log-format-json=false                               # [OPTIONAL] Set log formatter to json. Default is false.
diff --git a/pkg/plugin/keyvault.go b/pkg/plugin/keyvault.go
@@ -13,6 +13,7 @@ import (
 
 	"github.com/Azure/kubernetes-kms/pkg/auth"
 	"github.com/Azure/kubernetes-kms/pkg/config"
+	"github.com/Azure/kubernetes-kms/pkg/utils"
 	"github.com/Azure/kubernetes-kms/pkg/version"
 
 	kv "github.com/Azure/azure-sdk-for-go/services/keyvault/2016-10-01/keyvault"
@@ -38,6 +39,11 @@ type keyVaultClient struct {
 
 // NewKeyVaultClient returns a new key vault client to use for kms operations
 func newKeyVaultClient(config *config.AzureConfig, vaultName, keyName, keyVersion string) (*keyVaultClient, error) {
+	//Sanitize vaultName, keyName, keyVersion. (https://github.com/Azure/kubernetes-kms/issues/85)
+	vaultName = utils.SanitizeString(vaultName)
+	keyName = utils.SanitizeString(keyName)
+	keyVersion = utils.SanitizeString(keyVersion)
+
 	// this should be the case for bring your own key, clusters bootstrapped with
 	// aks-engine or aks and standalone kms plugin deployments
 	if len(vaultName) == 0 || len(keyName) == 0 || len(keyVersion) == 0 {
@@ -115,6 +121,7 @@ func getVaultURL(vaultName string, azureEnvironment *azure.Environment) (vaultUR
 	if len(vaultName) < 3 || len(vaultName) > 24 {
 		return nil, fmt.Errorf("invalid vault name: %q, must be between 3 and 24 chars", vaultName)
 	}
+
 	// See docs for validation spec: https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates#objects-identifiers-and-versioning
 	isValid := regexp.MustCompile(`^[-A-Za-z0-9]+$`).MatchString
 	if !isValid(vaultName) {
diff --git a/pkg/plugin/keyvault_test.go b/pkg/plugin/keyvault_test.go
@@ -57,6 +57,14 @@ func TestNewKeyVaultClient(t *testing.T) {
 			keyVersion:  "262067a9e8ba401aa8a746c5f1a7e147",
 			expectedErr: false,
 		},
+		{
+			desc:        "no error with double quotes",
+			config:      &config.AzureConfig{ClientID: "clientid", ClientSecret: "clientsecret"},
+			vaultName:   "\"testkv\"",
+			keyName:     "\"key1\"",
+			keyVersion:  "\"262067a9e8ba401aa8a746c5f1a7e147\"",
+			expectedErr: false,
+		},
 	}
 
 	for _, test := range tests {
@@ -118,7 +126,7 @@ func TestGetVaultURL(t *testing.T) {
 			if test.expectedErr && err == nil || !test.expectedErr && err != nil {
 				t.Fatalf("expected error: %v, got error: %v", test.expectedErr, err)
 			}
-			expectedURL := "https://" + test.vaultName + "." + vaultDNSSuffix[idx] + "/"
+			expectedURL := "https://" + strings.Trim(test.vaultName, "\"") + "." + vaultDNSSuffix[idx] + "/"
 			if !test.expectedErr && expectedURL != *vaultURL {
 				t.Fatalf("expected vault url: %s, got: %s", expectedURL, *vaultURL)
 			}
diff --git a/pkg/utils/sanitize.go b/pkg/utils/sanitize.go
@@ -0,0 +1,8 @@
+package utils
+
+import "strings"
+
+// SanitizeString returns a string that does not have white spaces and double quotes
+func SanitizeString(s string) string {
+	return strings.TrimSpace(strings.Trim(strings.TrimSpace(s), "\""))
+}
diff --git a/pkg/utils/sanitize_test.go b/pkg/utils/sanitize_test.go
@@ -0,0 +1,42 @@
+package utils
+
+import "testing"
+
+func TestSanitizeString(t *testing.T) {
+	testCases := []struct {
+		name           string
+		input          string
+		expectedOutput string
+	}{
+		{
+			name:           "With_White_Spaces",
+			input:          " hello ",
+			expectedOutput: "hello",
+		},
+		{
+			name:           "With_Double_Quotes",
+			input:          "\"hello\"",
+			expectedOutput: "hello",
+		},
+		{
+			name:           "With_White_Spaces_And_Double_Quotes",
+			input:          " \"hello\" ",
+			expectedOutput: "hello",
+		},
+		{
+			name:           "With_Double_Quotes_And_White_Spaces",
+			input:          "\" hello \"",
+			expectedOutput: "hello",
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			sanitizedString := SanitizeString(testCase.input)
+
+			if sanitizedString != testCase.expectedOutput {
+				t.Fatalf("expected output: '%s', found: '%s'", testCase.expectedOutput, sanitizedString)
+			}
+		})
+	}
+}
