fix(import): dont overwrite existing secrets during import

FalcoSuessgott · Jul 20, 2024 · c02b8d5 · c02b8d5
1 parent a78f7a4
commit c02b8d5
Show file tree

Hide file tree

Showing 7 changed files with 40 additions and 51 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -30,7 +30,7 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:
-          version: v1.54.2
+          version: v1.59.1
           args: -c .golang-ci.yml -v --timeout=5m
         env:
           GO111MODULES: off
diff --git a/.golang-ci.yml b/.golang-ci.yml
@@ -5,15 +5,10 @@ linters-settings:
 linters:
   enable-all: true
   disable:
-    - scopelint
-    - maligned
-    - interfacer
-    - golint
     - testpackage
     - forbidigo
     - paralleltest
-    - exhaustivestruct
-    - goerr113
+    - err113
     - wrapcheck
     - gochecknoglobals
     - varnamelen
@@ -22,13 +17,9 @@ linters:
     - containedctx
     - ireturn
     - exhaustruct
-    - varcheck
-    - deadcode
-    - structcheck
-    - nosnakecase
-    - ifshort
     - nolintlint
     - maintidx
+    - mnd
     - dupl
     - goimports
     - gci

diff --git a/cmd/export.go b/cmd/export.go
@@ -74,7 +74,12 @@ func NewExportCmd() *cobra.Command {
 				return err
 			}
 
-			result := utils.UnflattenMap(utils.NormalizePath(path.Join(enginePath, subPath)), utils.ToMapStringInterface(secrets), o.EnginePath)
+			p := path.Join(enginePath, subPath)
+			if subPath == "" {
+				p = utils.NormalizePath(p)
+			}
+
+			result := utils.UnflattenMap(p, utils.ToMapStringInterface(secrets), o.EnginePath)
 
 			if err := printer.Out(result); err != nil {
 				return err

diff --git a/cmd/import.go b/cmd/import.go
@@ -87,7 +87,6 @@ func NewImportCmd() *cobra.Command {
 				prt.WithWriter(writer),
 				prt.ShowVersion(true),
 				prt.ShowMetadata(true),
-				prt.ShowVersion(false),
 				prt.WithEnginePath(utils.NormalizePath(rootPath)),
 			)
 
@@ -99,7 +98,7 @@ func NewImportCmd() *cobra.Command {
 					secretsWithNewPath = utils.UnflattenMap(utils.NormalizePath(path.Join(rootPath, subPath)), utils.ToMapStringInterface(v), o.EnginePath)
 				}
 
-				return o.dryRun(rootPath, subPath, secretsWithNewPath)
+				return o.dryRun(rootPath, secretsWithNewPath)
 			}
 
 			// enable kv engine, error if already enabled, unless force is used
@@ -114,7 +113,7 @@ func NewImportCmd() *cobra.Command {
 
 			// show result if not silence mode
 			if !o.Silent {
-				result, err := o.printResult(rootPath, subPath)
+				result, err := o.printResult(rootPath)
 				if err != nil {
 					return err
 				}
@@ -236,19 +235,19 @@ func (o *importOptions) writeSecrets(rootPath, subPath string, secrets map[strin
 	return nil
 }
 
-func (o *importOptions) dryRun(rootPath, subPath string, secrets map[string]interface{}) error {
-	fmt.Printf("fetching KV secrets from \"%s\" (if any)\n", utils.NormalizePath(path.Join(rootPath, subPath)))
+func (o *importOptions) dryRun(rootPath string, secrets map[string]interface{}) error {
+	fmt.Printf("fetching any existing KV secrets from \"%s\" (if any)\n", utils.NormalizePath(rootPath))
 
-	tmp, err := vaultClient.ListRecursive(rootPath, subPath, true)
+	tmp, err := vaultClient.ListRecursive(rootPath, "", true)
 	if err != nil {
-		return fmt.Errorf("error listing secrets from \"%s/%s\": %w", rootPath, subPath, err)
+		return fmt.Errorf("error listing secrets from \"%s/\": %w", rootPath, err)
 	}
 
 	if len(utils.ToMapStringInterface(tmp)) == 0 {
 		fmt.Println("no secrets found - nothing to compare with")
 	}
 
-	existingSecrets := utils.UnflattenMap(utils.NormalizePath(path.Join(rootPath, subPath)), utils.ToMapStringInterface(tmp), o.EnginePath)
+	existingSecrets := utils.UnflattenMap(utils.NormalizePath(rootPath), utils.ToMapStringInterface(tmp), o.EnginePath)
 
 	// check whether new and existing secrets are equal
 	if fmt.Sprint(secrets) == fmt.Sprint(existingSecrets) {
@@ -263,7 +262,7 @@ func (o *importOptions) dryRun(rootPath, subPath string, secrets map[string]inte
 		return nil
 	}
 
-	fmt.Fprintf(writer, "deep merging provided secrets with existing secrets read from \"%s\"\n", utils.NormalizePath(path.Join(rootPath, subPath)))
+	fmt.Fprintf(writer, "deep merging provided secrets with existing secrets read from \"%s\"\n", utils.NormalizePath(rootPath))
 	fmt.Fprintln(writer, "")
 	fmt.Fprintln(writer, "preview:")
 	fmt.Fprintln(writer, "")
@@ -278,7 +277,7 @@ func (o *importOptions) dryRun(rootPath, subPath string, secrets map[string]inte
 	return nil
 }
 
-func (o *importOptions) printResult(rootPath, subPath string) (map[string]interface{}, error) {
+func (o *importOptions) printResult(rootPath string) (map[string]interface{}, error) {
 	fmt.Fprintln(writer, "")
 	fmt.Fprintln(writer, "result:")
 	fmt.Fprintln(writer, "")
@@ -295,10 +294,10 @@ func (o *importOptions) printResult(rootPath, subPath string) (map[string]interf
 		prt.WithEnginePath(utils.NormalizePath(rootPath)),
 	)
 
-	secrets, err := vaultClient.ListRecursive(rootPath, subPath, false)
+	secrets, err := vaultClient.ListRecursive(rootPath, "", false)
 	if err != nil {
 		return nil, err
 	}
 
-	return utils.UnflattenMap(utils.NormalizePath(path.Join(rootPath, subPath)), utils.ToMapStringInterface(secrets), o.EnginePath), nil
+	return utils.UnflattenMap(utils.NormalizePath(rootPath), utils.ToMapStringInterface(secrets), o.EnginePath), nil
 }
diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go
@@ -77,10 +77,10 @@ func SplitPath(path string) (string, string) {
 	parts := removeEmptyElements(strings.Split(path, Delimiter))
 
 	if len(parts) >= 2 {
-		return parts[0], strings.Join(parts[1:], Delimiter)
+		return NormalizePath(parts[0]), strings.Join(parts[1:], Delimiter)
 	}
 
-	return strings.Join(parts, Delimiter), ""
+	return NormalizePath(strings.Join(parts, Delimiter)), ""
 }
 
 func GetRootElement(m map[string]interface{}) (string, error) {
@@ -262,7 +262,7 @@ func DeepMergeMaps(a, b map[string]interface{}) map[string]interface{} {
 func HandleEnginePath(enginePath, path string) (string, string) {
 	// if engine path has been specified use that value as the root path and append the path
 	if enginePath != "" {
-		return enginePath, path
+		return NormalizePath(enginePath), path
 	}
 
 	return SplitPath(path)

diff --git a/pkg/utils/utils_test.go b/pkg/utils/utils_test.go
@@ -273,27 +273,21 @@ func TestSplitPath(t *testing.T) {
 		{
 			name:            "test: root path",
 			path:            "kv",
-			expectedRoot:    "kv",
+			expectedRoot:    "kv/",
 			expectedSubPath: "",
 		},
 		{
 			name:            "test: sub path",
 			path:            "kv/sub",
-			expectedRoot:    "kv",
+			expectedRoot:    "kv/",
 			expectedSubPath: "sub",
 		},
 		{
 			name:            "test: sub sub path",
 			path:            "kv/sub/sub2",
-			expectedRoot:    "kv",
+			expectedRoot:    "kv/",
 			expectedSubPath: "sub/sub2",
 		},
-		{
-			name:            "test: empty path",
-			path:            "",
-			expectedRoot:    "",
-			expectedSubPath: "",
-		},
 	}
 
 	for _, tc := range testCases {
@@ -582,26 +576,26 @@ func TestHandleEnginePath(t *testing.T) {
 		{
 			name:             "only path",
 			path:             "1/2/3/4",
-			expectedRootPath: "1",
+			expectedRootPath: "1/",
 			expectedSubPath:  "2/3/4",
 		},
 		{
 			name:             "one element path",
 			path:             "1",
-			expectedRootPath: "1",
+			expectedRootPath: "1/",
 			expectedSubPath:  "",
 		},
 		{
 			name:             "engine path and path",
 			enginePath:       "1/2/3/4",
 			path:             "5/6",
-			expectedRootPath: "1/2/3/4",
+			expectedRootPath: "1/2/3/4/",
 			expectedSubPath:  "5/6",
 		},
 		{
 			name:             "only engine path",
-			enginePath:       "1/2/3/4",
-			expectedRootPath: "1/2/3/4",
+			enginePath:       "1/2/3/4/",
+			expectedRootPath: "1/2/3/4/",
 		},
 	}
 

diff --git a/pkg/vault/engine.go b/pkg/vault/engine.go
@@ -121,15 +121,15 @@ func (v *Vault) EnableKV2EngineErrorIfNotForced(force bool, path string) error {
 		return fmt.Errorf("a secret engine under \"%s\" is already enabled. Use --force for overwriting", path)
 	}
 
-	// force flag is used, so we disable the engine
-	if err := v.DisableKV2Engine(path); err != nil {
-		return fmt.Errorf("error disabling secret engine \"%s\": %w", path, err)
-	}
-
-	// enable the engine
-	if err := v.EnableKV2Engine(path); err != nil {
-		return fmt.Errorf("error enabling secret engine \"%s\": %w", path, err)
-	}
+	// // force flag is used, so we disable the engine
+	// if err := v.DisableKV2Engine(path); err != nil {
+	// 	return fmt.Errorf("error disabling secret engine \"%s\": %w", path, err)
+	// }
+
+	// // enable the engine
+	// if err := v.EnableKV2Engine(path); err != nil {
+	// 	return fmt.Errorf("error enabling secret engine \"%s\": %w", path, err)
+	// }
 
 	return nil
 }