Hashicorp Vault - validate underscore paths

Author: vitalie

lib/travis/build/addons.rb

@@ -1,4 +1,4 @@
-require 'active_support/core_ext/string/inflections.rb'
+require 'active_support/core_ext/string/inflections'
 require 'travis/build/addons/apt'
 require 'travis/build/addons/apt_packages'
 require 'travis/build/addons/apt_retries'

lib/travis/build/appliances/vault_keys.rb

@@ -1,3 +1,4 @@
+require 'active_support/core_ext/object/blank'
 require 'travis/build/appliances/base'
 require 'travis/services/vault'
 

lib/travis/services/vault/keys/resolver.rb

@@ -1,7 +1,12 @@
+require 'active_support/core_ext/object/blank'
+require 'active_support/core_ext/string/inflections'
+
 module Travis
   module Vault
     class Keys
       class Resolver
+        ENV_NAME_REGEX = /^[a-zA-Z_][a-zA-Z0-9_]*$/.freeze
+
         attr_reader :paths, :version, :appliance
 
         delegate :data, to: :appliance
@@ -27,11 +32,15 @@ def call
                 env_name = key
                 env_name = [secret_name, env_name].join('_') if true # To-Do: Make the prepend customizable from .travis.yml
                 env_name = (path.split('/') << env_name).join('_') if false # To-Do: Make the prepend customizable from .travis.yml
-                export(env_name.upcase, %("#{value}"), echo: false, secure: true)
-                vault_secrets << value
+                if env_name.match?(ENV_NAME_REGEX)
+                  export(env_name.upcase, %("#{value}"), echo: false, secure: true)
+                  vault_secrets << value
+                else
+                  echo *warn_message("The env name #{env_name} is invalid. Valid chars: a-z, A-Z, 0-9 and _. May NOT begin with a number.")
+                end
               end
             else
-              echo *(warn_message(path))
+              echo *warn_message("The value fetched for #{path} is blank.")
             end
           end
 
@@ -40,8 +49,8 @@ def call
 
         private
 
-        def warn_message(path)
-          ["The value fetched for #{path} is blank.", ansi: :yellow]
+        def warn_message(message)
+          [message, ansi: :yellow]
         end
       end
     end

spec/build/services/vault/keys/resolver_spec.rb

@@ -39,7 +39,24 @@
           call
         end
       end
+    end
+
+    context 'when paths contain unusual chars' do
+      let(:paths) { %w[path/to/something/secret-thing] }
+
+      before do
+        Travis::Vault::Keys::KV2.stubs(:resolve).with(paths.first, vault).returns({ my_key: 'MySecretValue' })
+      end
 
+      context 'when path returns value from Vault' do
+        it do
+          sh.expects(:export).never
+          sh.expects(:echo).with('The env name secret-thing_my_key is invalid. Valid chars: a-z, A-Z, 0-9 and _. May NOT begin with a number.', ansi: :yellow)
+          data.expects(:vault_secrets=).never
+
+          call
+        end
+      end
     end
 
     context 'when path does not returns value from Vault' do