csi: Fix parsing of '=' in secrets at command line and HTTP (#15670)

The command line flag parsing and the HTTP header parsing for CSI secrets incorrectly split at more than one '=' rune, making it impossible to use secrets that included that rune.
hashicorp · Jan 3, 2023 · e23b3a3 · e23b3a3
1 parent 089e680
commit e23b3a3
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 18 deletions.
diff --git a/.changelog/15670.txt b/.changelog/15670.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+csi: Fixed a bug where secrets that include '=' were incorrectly rejected
+```
diff --git a/command/agent/csi_endpoint.go b/command/agent/csi_endpoint.go
@@ -409,9 +409,8 @@ func parseCSISecrets(req *http.Request) structs.CSISecrets {
 	secrets := map[string]string{}
 	secretkvs := strings.Split(secretsHeader, ",")
 	for _, secretkv := range secretkvs {
-		kv := strings.Split(secretkv, "=")
-		if len(kv) == 2 {
-			secrets[kv[0]] = kv[1]
+		if key, value, found := strings.Cut(secretkv, "="); found {
+			secrets[key] = value
 		}
 	}
 	if len(secrets) == 0 {

diff --git a/command/agent/csi_endpoint_test.go b/command/agent/csi_endpoint_test.go
@@ -59,6 +59,8 @@ func TestHTTP_CSIParseSecrets(t *testing.T) {
 			structs.CSISecrets(map[string]string{"one": "overwrite"})},
 		{"one=value_one,two=value_two",
 			structs.CSISecrets(map[string]string{"one": "value_one", "two": "value_two"})},
+		{"one=value_one=two,two=value_two",
+			structs.CSISecrets(map[string]string{"one": "value_one=two", "two": "value_two"})},
 	}
 	for _, tc := range testCases {
 		req, _ := http.NewRequest("GET", "/v1/plugin/csi/foo", nil)

diff --git a/command/volume_delete.go b/command/volume_delete.go
@@ -104,9 +104,8 @@ func (c *VolumeDeleteCommand) Run(args []string) int {
 
 	secrets := api.CSISecrets{}
 	for _, kv := range secretsArgs {
-		s := strings.Split(kv, "=")
-		if len(s) == 2 {
-			secrets[s[0]] = s[1]
+		if key, value, found := strings.Cut(kv, "="); found {
+			secrets[key] = value
 		} else {
 			c.Ui.Error("Secret must be in the format: -secret key=value")
 			return 1

diff --git a/command/volume_snapshot_create.go b/command/volume_snapshot_create.go
@@ -117,9 +117,8 @@ func (c *VolumeSnapshotCreateCommand) Run(args []string) int {
 
 	secrets := api.CSISecrets{}
 	for _, kv := range secretsArgs {
-		s := strings.Split(kv, "=")
-		if len(s) == 2 {
-			secrets[s[0]] = s[1]
+		if key, value, found := strings.Cut(kv, "="); found {
+			secrets[key] = value
 		} else {
 			c.Ui.Error("Secret must be in the format: -secret key=value")
 			return 1
@@ -128,9 +127,8 @@ func (c *VolumeSnapshotCreateCommand) Run(args []string) int {
 
 	params := map[string]string{}
 	for _, kv := range parametersArgs {
-		p := strings.Split(kv, "=")
-		if len(p) == 2 {
-			params[p[0]] = p[1]
+		if key, value, found := strings.Cut(kv, "="); found {
+			params[key] = value
 		}
 	}
 

diff --git a/command/volume_snapshot_delete.go b/command/volume_snapshot_delete.go
@@ -94,9 +94,8 @@ func (c *VolumeSnapshotDeleteCommand) Run(args []string) int {
 
 	secrets := api.CSISecrets{}
 	for _, kv := range secretsArgs {
-		s := strings.Split(kv, "=")
-		if len(s) == 2 {
-			secrets[s[0]] = s[1]
+		if key, value, found := strings.Cut(kv, "="); found {
+			secrets[key] = value
 		} else {
 			c.Ui.Error("Secret must be in the format: -secret key=value")
 			return 1

diff --git a/command/volume_snapshot_list.go b/command/volume_snapshot_list.go
@@ -140,9 +140,8 @@ func (c *VolumeSnapshotListCommand) Run(args []string) int {
 
 	secrets := api.CSISecrets{}
 	for _, kv := range secretsArgs {
-		s := strings.Split(kv, "=")
-		if len(s) == 2 {
-			secrets[s[0]] = s[1]
+		if key, value, found := strings.Cut(kv, "="); found {
+			secrets[key] = value
 		} else {
 			c.Ui.Error("Secret must be in the format: -secret key=value")
 			return 1