From a69bb645210bd335e2ce3cece1b54af3a286db7a Mon Sep 17 00:00:00 2001
From: Dave Henderson
Date: Mon, 16 Dec 2024 14:01:49 -0500
Subject: [PATCH] fix(datasources): Fix aws+sm bug when reading secrets not starting with slash (#2284)
Signed-off-by: Dave Henderson
---
 internal/datafs/fsurl.go | 9 +++++++++
 internal/datafs/fsurl_test.go | 20 ++++++++++++++++++++
 internal/datafs/fsys.go | 2 ++
 internal/datafs/reader.go | 4 ++--
 4 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/internal/datafs/fsurl.go b/internal/datafs/fsurl.go
index a1cf5cbca..f34324a0c 100644
--- a/internal/datafs/fsurl.go
+++ b/internal/datafs/fsurl.go
@@ -21,6 +21,15 @@ func SplitFSMuxURL(in *url.URL) (*url.URL, string) {
 }
 return &u, base
+ case "aws+sm":
+ // An aws+sm URL can either be opaque or have a path with a leading
+ // slash. If it's opaque, the URL must not contain a leading slash. If
+ // it has a path, the URL must begin with a slash.
+ if u.Opaque != "" {
+ return &url.URL{Scheme: u.Scheme}, u.Opaque
+ } else {
+ return &url.URL{Scheme: u.Scheme, Path: "/"}, strings.TrimLeft(u.Path, "/")
+ }
 }
 // trim leading and trailing slashes - they are not part of a valid path
diff --git a/internal/datafs/fsurl_test.go b/internal/datafs/fsurl_test.go
index 00bba69b0..bcfa3c862 100644
--- a/internal/datafs/fsurl_test.go
+++ b/internal/datafs/fsurl_test.go
@@ -95,6 +95,26 @@ func TestSplitFSMuxURL(t *testing.T) {
 "merge:///",
 "vault:///foo/bar|foo|git+ssh://git@github.com/hairyhenderson/go-which.git//a/b/c/d",
 },
+ {
+ "aws+sm:foo",
+ "aws+sm:",
+ "foo",
+ },
+ {
+ "aws+sm:foo/bar",
+ "aws+sm:",
+ "foo/bar",
+ },
+ {
+ "aws+sm:/foo/bar",
+ "aws+sm:///",
+ "foo/bar",
+ },
+ {
+ "aws+sm:/foo",
+ "aws+sm:///",
+ "foo",
+ },
 }
 for _, d := range testdata {
diff --git a/internal/datafs/fsys.go b/internal/datafs/fsys.go
index 03abdf6d6..1102fb8a2 100644
--- a/internal/datafs/fsys.go
+++ b/internal/datafs/fsys.go
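Review bot: Both returns in the new `aws+sm` case build a fresh `url.URL` from `u.Scheme` alone, so anything else on the input (`RawQuery`, `Host`, `User`) is silently discarded, whereas the branch just above returns `&u`. Assuming `u` is a parsed copy of `in`, a URL such as `aws+sm://foo/bar` would carry host `foo` and resolve to the name `bar`, and a query string would never reach the filesystem layer; if that is intended, say so in the comment, otherwise carry the query over with `return &url.URL{Scheme: u.Scheme, RawQuery: u.RawQuery}, u.Opaque` and the same field on the rooted return. The `else` after a `return` can also be dropped so the rooted return sits at case level. SplitFSMuxURL starts and ends outside this hunk, so how `u` is derived is not visible here.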
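Review bot: The four new cases cover the opaque form and the single-slash form, but not `aws+sm:///foo/bar`, which is the same shape the function returns as its base URL. Adding `{"aws+sm:///foo/bar", "aws+sm:///", "foo/bar"}` would pin that form. One case with a query string and one with a host part (`aws+sm://foo/bar`) would also record what happens to those fields, which matters here because the returned name decides which secret is read. TestSplitFSMuxURL continues beyond this hunk.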
@@ -55,6 +55,8 @@ func FSysForPath(ctx context.Context, path string) (fs.FS, error) {
 switch u.Scheme {
 case "git+http", "git+https", "git+ssh", "git":
 // no-op, these are handled
+ case "aws+sm":
+ // An aws+sm URL can be opaque, best not disturb it
 case "", "file", "git+file":
 // default to "/" so we have a rooted filesystem for all schemes, but also
 // support volumes on Windows
diff --git a/internal/datafs/reader.go b/internal/datafs/reader.go
index 68d5d37f7..52ebefe1c 100644
--- a/internal/datafs/reader.go
+++ b/internal/datafs/reader.go
@@ -122,13 +122,13 @@ func (d *dsReader) readFileContent(ctx context.Context, u *url.URL, hdr http.Hea
 // leaking into the filesystem layer
 u = removeQueryParam(u, overrideType)
+ u, fname := SplitFSMuxURL(u)
+
 fsys, err := FSysForPath(ctx, u.String())
 if err != nil {
 return nil, fmt.Errorf("fsys for path %v: %w", u, err)
 }
- u, fname := SplitFSMuxURL(u)
-
 // need to support absolute paths on local filesystem too
 // TODO: this is a hack, probably fix this?
 if u.Scheme == "file" && runtime.GOOS != "windows" {
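Review bot: The comment on the empty `aws+sm` case says the URL is best left undisturbed but not what would go wrong if it were changed. Judging by the commit subject and the test data, the opaque base `aws+sm:` and the rooted base `aws+sm:///` appear to select secret names without and with a leading slash, so a comment such as `// no-op: the opaque ("aws+sm:") and rooted ("aws+sm:///") forms address different secret names; do not default the path to "/" here` would make the invariant explicit. The rest of the switch in FSysForPath lies outside this hunk.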
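Review bot: Moving `SplitFSMuxURL` above `FSysForPath` changes what every scheme passes to `FSysForPath`, not only `aws+sm`: it now receives the split base URL, and the `fsys for path %v` error no longer names the file being read. The only test file in this patch exercises `SplitFSMuxURL`, so a reader-level test for at least one `file` URL and one `aws+sm` URL would cover the new call order. To keep the diagnostics, include the name: `return nil, fmt.Errorf("fsys for path %v (file %q): %w", u, fname, err)`. readFileContent starts and ends outside the hunk.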