fix: fixes naming convention permission check for data items with pat…

…h attribute only. (external-secrets#830) * Fixes naming convention permission check for data items with path attribute only. * Apply suggestions from code review Co-authored-by: Markus Maga <[email protected]> * Updates permission check to independently verify key and path. Co-authored-by: Markus Maga <[email protected]>
moolen · Sep 22, 2021 · a7d8c6c · a7d8c6c
1 parent 8e15151
commit a7d8c6c
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 8 deletions.
diff --git a/lib/poller.js b/lib/poller.js
@@ -281,16 +281,15 @@ class Poller {
  // Testing data property
  if (namingConvention && externalData) {
  externalData.forEach((secretProperty, index) => {
- if (secretProperty.path) {
- if (!reNaming.test(secretProperty.path)) {
- allowed = false
- reason = `path ${secretProperty.path} does not match naming convention ${namingConvention}`
- return {
- allowed, reason
- }
+ if ('path' in secretProperty && !reNaming.test(secretProperty.path)) {
+ allowed = false
+ reason = `path ${secretProperty.path} does not match naming convention ${namingConvention}`
+ return {
+ allowed, reason
  }
  }
- if (!reNaming.test(secretProperty.key)) {
+
+ if ('key' in secretProperty && !reNaming.test(secretProperty.key)) {
  allowed = false
  reason = `key name ${secretProperty.key} does not match naming convention ${namingConvention}`
  return {

diff --git a/lib/poller.test.js b/lib/poller.test.js
@@ -982,6 +982,43 @@ describe('Poller', () => {
  },
  permitted: false
  },
+ {
+ // test regex on path
+ ns: { metadata: { annotations: { [namingPermittedAnnotation]: 'dev/team-a/.*' } } },
+ descriptor: {
+ data: [
+ { path: 'dev/team-a/secret' }
+ ]
+ },
+ permitted: true
+ },
+ {
+ ns: { metadata: { annotations: { [namingPermittedAnnotation]: 'dev/team-a/.*' } } },
+ descriptor: {
+ data: [
+ { key: 'dev/team-a/secret', name: 'somethingelse', path: '' }
+ ]
+ },
+ permitted: false
+ },
+ {
+ ns: { metadata: { annotations: { [namingPermittedAnnotation]: 'dev/team-a/.*' } } },
+ descriptor: {
+ data: [
+ { key: 'this-should-fail', name: 'somethingelse', path: 'dev/team-a/such-path' }
+ ]
+ },
+ permitted: false
+ },
+ {
+ ns: { metadata: { annotations: { [namingPermittedAnnotation]: 'dev/team-a/.*' } } },
+ descriptor: {
+ data: [
+ { key: 'dev/team-a/such-key', name: 'somethingelse', path: 'this-should-fail' }
+ ]
+ },
+ permitted: false
+ },
  {
  // test regex on path
  ns: { metadata: { annotations: { [namingPermittedAnnotation]: 'dev/team-a/.*' } } },