util: set defaults for Vault config before converting

When using UPPER_CASE formatting for the HashiCorp Vault KMS
configuration, a missing `VAULT_DESTROY_KEYS` will cause the option to
be set to "false". The default for the option is intended to be "true".

This is a difference in behaviour between the `vaultDestroyKeys` and
`VAULT_DESTROY_KEYS` options. Both should use a default of "true" when
the configuration does not set the option explicitly.

By setting the default options in the `standardVault` struct before
unmarshalling the configuration in it, the default values will be
retained for the missing configuration options.

Reported-by: Rachael George <rgeorge@redhat.com>
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Niels de Vos 2021-10-28 12:21:31 +02:00 committed by mergify[bot]
parent de57fa1804
commit c852f487a5
3 changed files with 23 additions and 5 deletions


@ -43,7 +43,7 @@ const (
vaultDefaultRole = "csi-kubernetes" vaultDefaultRole = "csi-kubernetes"
vaultDefaultNamespace = "" vaultDefaultNamespace = ""
vaultDefaultPassphrasePath = "" vaultDefaultPassphrasePath = ""
vaultDefaultCAVerify = "true" vaultDefaultCAVerify = true
vaultDefaultDestroyKeys = "true" vaultDefaultDestroyKeys = "true"
) )
@ -208,7 +208,7 @@ func (vc *vaultConnection) initConnection(config map[string]interface{}) error {
keyContext[loss.KeyVaultNamespace] = vaultNamespace keyContext[loss.KeyVaultNamespace] = vaultNamespace
} }
verifyCA := vaultDefaultCAVerify // optional verifyCA := strconv.FormatBool(vaultDefaultCAVerify) // optional
err = setConfigString(&verifyCA, config, "vaultCAVerify") err = setConfigString(&verifyCA, config, "vaultCAVerify")
if errors.Is(err, errConfigOptionInvalid) { if errors.Is(err, errConfigOptionInvalid) {
return err return err
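Review bot: `vaultDefaultCAVerify` becomes an untyped bool constant while the sibling `vaultDefaultDestroyKeys` on the next line stays the string "true", so the two boolean-valued defaults are now represented differently and every use site of the first has to go through `strconv.FormatBool` (as `verifyCA` does in the second hunk, and `!vaultDefaultCAVerify` does in transformConfig). Either give both defaults the same type, or add a comment on the const block such as `// vaultDefaultCAVerify is a bool because transformConfig needs to invert it; use strconv.FormatBool where a string is expected.` so the asymmetry reads as deliberate. initConnection continues outside the hunk.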


@ -101,7 +101,6 @@ func (v *vaultTokenConf) convertStdVaultToCSIConfig(s *standardVault) {
// by default the CA should get verified, only when VaultSkipVerify is // by default the CA should get verified, only when VaultSkipVerify is
// set, verification should be disabled // set, verification should be disabled
v.VaultCAVerify = vaultDefaultCAVerify
verify, err := strconv.ParseBool(s.VaultSkipVerify) verify, err := strconv.ParseBool(s.VaultSkipVerify)
if err == nil { if err == nil {
v.VaultCAVerify = strconv.FormatBool(!verify) v.VaultCAVerify = strconv.FormatBool(!verify)
@ -124,8 +123,14 @@ func transformConfig(svMap map[string]interface{}) (map[string]interface{}, erro
return nil, fmt.Errorf("failed to convert config %T to JSON: %w", svMap, err) return nil, fmt.Errorf("failed to convert config %T to JSON: %w", svMap, err)
} }
// convert the JSON back to a standardVault struct // convert the JSON back to a standardVault struct, default values are
sv := &standardVault{} // set in case the configuration does not provide all options
sv := &standardVault{
VaultDestroyKeys: vaultDefaultDestroyKeys,
VaultNamespace: vaultDefaultNamespace,
VaultSkipVerify: strconv.FormatBool(!vaultDefaultCAVerify),
}
err = json.Unmarshal(data, sv) err = json.Unmarshal(data, sv)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to Unmarshal the vault configuration: %w", err) return nil, fmt.Errorf("failed to Unmarshal the vault configuration: %w", err)
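Review bot: Dropping `v.VaultCAVerify = vaultDefaultCAVerify` in convertStdVaultToCSIConfig removes the fallback for the case where `strconv.ParseBool(s.VaultSkipVerify)` fails: the pre-populated default in transformConfig only covers a missing skip-verify option, not one that is present but unparsable (e.g. "yes" or ""), and in that case `VaultCAVerify` is now left empty where it used to be "true". Whether an empty value is rejected or silently accepted downstream is decided outside the hunk, but for a TLS-verification switch the fail-closed fallback is worth keeping, e.g. `v.VaultCAVerify = strconv.FormatBool(vaultDefaultCAVerify)` before the ParseBool call, or an `else` branch that reports the invalid value. convertStdVaultToCSIConfig and transformConfig both start outside the hunks.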


@ -19,6 +19,7 @@ package kms
import ( import (
"encoding/json" "encoding/json"
"errors" "errors"
"strconv"
"strings" "strings"
"testing" "testing"
@ -208,6 +209,18 @@ func TestTransformConfig(t *testing.T) {
assert.Equal(t, config["vaultCAVerify"], "false") assert.Equal(t, config["vaultCAVerify"], "false")
} }
func TestTransformConfigDefaults(t *testing.T) {
t.Parallel()
cm := make(map[string]interface{})
cm["KMS_PROVIDER"] = kmsTypeVaultTokens
config, err := transformConfig(cm)
require.NoError(t, err)
assert.Equal(t, config["encryptionKMSType"], cm["KMS_PROVIDER"])
assert.Equal(t, config["vaultDestroyKeys"], vaultDefaultDestroyKeys)
assert.Equal(t, config["vaultCAVerify"], strconv.FormatBool(vaultDefaultCAVerify))
}
func TestVaultTokensKMSRegistered(t *testing.T) { func TestVaultTokensKMSRegistered(t *testing.T) {
t.Parallel() t.Parallel()
_, ok := kmsManager.providers[kmsTypeVaultTokens] _, ok := kmsManager.providers[kmsTypeVaultTokens]
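Review bot: TestTransformConfigDefaults only covers the all-options-missing case; it does not show that a default placed in the pre-populated struct is still overridden when the option is supplied, which is the other half of the behaviour the commit relies on from json.Unmarshal. A second case with `cm["VAULT_DESTROY_KEYS"] = "false"` asserting `assert.Equal(t, config["vaultDestroyKeys"], "false")` would pin both directions. The namespace default that transformConfig also pre-sets is not asserted here either. TestVaultTokensKMSRegistered continues outside the hunk.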