fix(conf) allow only the enabled vaults

### Summary There was some logic that allowed the default bundled vaults even in case they were not enabled. This commit fixes that.
Kong · May 4, 2022 · 9fa4647 · 9fa4647
1 parent d55d33b
commit 9fa4647
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 22 deletions.
diff --git a/kong/db/schema/entities/vaults_beta.lua b/kong/db/schema/entities/vaults_beta.lua
@@ -6,20 +6,6 @@ local VAULTS do
   local pairs = pairs
   local names = {}
   local constants = require "kong.constants"
-  local bundled = constants and constants.BUNDLED_VAULTS
-  if bundled then
-    for name in pairs(bundled) do
-      if not names[name] then
-        names[name] = true
-        i = i + 1
-        if i == 1 then
-          VAULTS = { name }
-        else
-          VAULTS[i] = name
-        end
-      end
-    end
-  end
 
   local loaded_vaults = kong and kong.configuration and kong.configuration.loaded_vaults
   if loaded_vaults then
@@ -34,6 +20,22 @@ local VAULTS do
         end
       end
     end
+
+  else
+    local bundled = constants and constants.BUNDLED_VAULTS
+    if bundled then
+      for name in pairs(bundled) do
+        if not names[name] then
+          names[name] = true
+          i = i + 1
+          if i == 1 then
+            VAULTS = { name }
+          else
+            VAULTS[i] = name
+          end
+        end
+      end
+    end
   end
 end
 

diff --git a/kong/pdk/vault.lua b/kong/pdk/vault.lua
@@ -40,19 +40,25 @@ local function new(self)
   local _VAULT = {}
 
   local LRU = lrucache.new(1000)
-  local BUNDLED_VAULTS = constants.BUNDLED_VAULTS
-  local VAULT_NAMES = BUNDLED_VAULTS and clone(BUNDLED_VAULTS) or {}
+
 
   local BRACE_START = byte("{")
   local BRACE_END = byte("}")
   local COLON = byte(":")
   local SLASH = byte("/")
 
+  local BUNDLED_VAULTS = constants.BUNDLED_VAULTS
+  local VAULT_NAMES
   local vaults = self and self.configuration and self.configuration.loaded_vaults
   if vaults then
+    VAULT_NAMES = {}
+
     for name in pairs(vaults) do
       VAULT_NAMES[name] = true
     end
+
+  else
+    VAULT_NAMES = BUNDLED_VAULTS and clone(BUNDLED_VAULTS) or {}
   end
 
   local function build_cache_key(name, resource, version)
@@ -106,6 +112,9 @@ local function new(self)
 
   local function process_secret(reference, opts)
     local name = opts.name
+    if not VAULT_NAMES[name] then
+      return nil, fmt("vault not found (%s) [%s]", name, reference)
+    end
     local vaults = self and (self.db and self.db.vaults_beta)
     local strategy
     local field

diff --git a/spec/01-unit/03-conf_loader_spec.lua b/spec/01-unit/03-conf_loader_spec.lua
@@ -1728,7 +1728,8 @@ describe("Configuration loader", function()
       helpers.setenv("PG_DATABASE", "resolved-kong-database")
 
       local conf = assert(conf_loader(nil, {
-        pg_database = "{vault://env/pg-database}"
+        pg_database = "{vault://env/pg-database}",
+        vaults = "env",
       }))
 
       assert.equal("resolved-kong-database", conf.pg_database)
@@ -1742,7 +1743,8 @@ describe("Configuration loader", function()
       helpers.setenv("PG_PORT", "5000")
 
       local conf = assert(conf_loader(nil, {
-        pg_port = "{vault://env/pg-port#0}"
+        pg_port = "{vault://env/pg-port#0}",
+        vaults = "env",
       }))
 
       assert.equal(5000, conf.pg_port)

diff --git a/spec/01-unit/04-prefix_handler_spec.lua b/spec/01-unit/04-prefix_handler_spec.lua
@@ -855,6 +855,7 @@ describe("NGINX conf compiler", function()
         local conf = assert(conf_loader(nil, {
           prefix = tmp_config.prefix,
           pg_database = "{vault://env/pg-database}",
+          vaults = "env",
         }))
 
         assert.equal("resolved-kong-database", conf.pg_database)

diff --git a/spec/02-integration/02-cmd/02-start_stop_spec.lua b/spec/02-integration/02-cmd/02-start_stop_spec.lua
@@ -24,7 +24,8 @@ describe("kong start/stop #" .. strategy, function()
       database = strategy,
       nginx_proxy_real_ip_header = "{vault://env/ipheader}",
       pg_database = helpers.test_conf.pg_database,
-      cassandra_keyspace = helpers.test_conf.cassandra_keyspace
+      cassandra_keyspace = helpers.test_conf.cassandra_keyspace,
+      vaults = "env",
     })
 
     assert.matches("Error: failed to dereference '{vault://env/ipheader}': unable to load value (ipheader) from vault (env): not found [{vault://env/ipheader}] for config option 'nginx_proxy_real_ip_header'", stderr, nil, true)
@@ -40,9 +41,9 @@ describe("kong start/stop #" .. strategy, function()
       database = helpers.test_conf.database,
       pg_password = "{vault://non-existent/pg_password}",
       pg_database = helpers.test_conf.pg_database,
-      cassandra_keyspace = helpers.test_conf.cassandra_keyspace
+      cassandra_keyspace = helpers.test_conf.cassandra_keyspace,
     })
-    assert.matches("failed to dereference '{vault://non-existent/pg_password}': could not find vault (non-existent)", stderr, nil, true)
+    assert.matches("failed to dereference '{vault://non-existent/pg_password}': vault not found (non-existent)", stderr, nil, true)
     assert.is_nil(stdout)
     assert.is_false(ok)
 
@@ -56,7 +57,8 @@ describe("kong start/stop #" .. strategy, function()
       database = helpers.test_conf.database,
       pg_password = "{vault://env/pg_password}",
       pg_database = helpers.test_conf.pg_database,
-      cassandra_keyspace = helpers.test_conf.cassandra_keyspace
+      cassandra_keyspace = helpers.test_conf.cassandra_keyspace,
+      vaults = "env",
     }))
     assert.not_matches("failed to dereference {vault://env/pg_password}", stderr, nil, true)
     assert.matches("Kong started", stdout, nil, true)