csi: Fix parsing of '=' in secrets at command line and HTTP (#15670)

The command line flag parsing and the HTTP header parsing for CSI secrets incorrectly split at more than one '=' rune, making it impossible to use secrets that included that rune.
2023-01-03 16:28:38 -05:00 · 2023-01-03 16:28:38 -05:00 · 8859e1bff1
parent a991342f8d
commit 8859e1bff1
7 changed files with 17 additions and 18 deletions
--- a/.changelog/15670.txt
+++ b/.changelog/15670.txt
@ -0,0 +1,3 @@
+```release-note:bug
+csi: Fixed a bug where secrets that include '=' were incorrectly rejected
+```
--- a/command/agent/csi_endpoint.go
+++ b/command/agent/csi_endpoint.go
@ -409,9 +409,8 @@ func parseCSISecrets(req *http.Request) structs.CSISecrets {
 	secrets := map[string]string{}
 	secretkvs := strings.Split(secretsHeader, ",")
 	for _, secretkv := range secretkvs {
-		kv := strings.Split(secretkv, "=")
-		if len(kv) == 2 {
-			secrets[kv[0]] = kv[1]
+		if key, value, found := strings.Cut(secretkv, "="); found {
+			secrets[key] = value
 		}
 	}
 	if len(secrets) == 0 {
--- a/command/agent/csi_endpoint_test.go
+++ b/command/agent/csi_endpoint_test.go
@ -59,6 +59,8 @@ func TestHTTP_CSIParseSecrets(t *testing.T) {
 			structs.CSISecrets(map[string]string{"one": "overwrite"})},
 		{"one=value_one,two=value_two",
 			structs.CSISecrets(map[string]string{"one": "value_one", "two": "value_two"})},
+		{"one=value_one=two,two=value_two",
+			structs.CSISecrets(map[string]string{"one": "value_one=two", "two": "value_two"})},
 	}
 	for _, tc := range testCases {
 		req, _ := http.NewRequest("GET", "/v1/plugin/csi/foo", nil)
--- a/command/volume_delete.go
+++ b/command/volume_delete.go
@ -104,9 +104,8 @@ func (c *VolumeDeleteCommand) Run(args []string) int {

 	secrets := api.CSISecrets{}
 	for _, kv := range secretsArgs {
-		s := strings.Split(kv, "=")
-		if len(s) == 2 {
-			secrets[s[0]] = s[1]
+		if key, value, found := strings.Cut(kv, "="); found {
+			secrets[key] = value
 		} else {
 			c.Ui.Error("Secret must be in the format: -secret key=value")
 			return 1
--- a/command/volume_snapshot_create.go
+++ b/command/volume_snapshot_create.go
@ -117,9 +117,8 @@ func (c *VolumeSnapshotCreateCommand) Run(args []string) int {

 	secrets := api.CSISecrets{}
 	for _, kv := range secretsArgs {
-		s := strings.Split(kv, "=")
-		if len(s) == 2 {
-			secrets[s[0]] = s[1]
+		if key, value, found := strings.Cut(kv, "="); found {
+			secrets[key] = value
 		} else {
 			c.Ui.Error("Secret must be in the format: -secret key=value")
 			return 1
@ -128,9 +127,8 @@ func (c *VolumeSnapshotCreateCommand) Run(args []string) int {

 	params := map[string]string{}
 	for _, kv := range parametersArgs {
-		p := strings.Split(kv, "=")
-		if len(p) == 2 {
-			params[p[0]] = p[1]
+		if key, value, found := strings.Cut(kv, "="); found {
+			params[key] = value
 		}
 	}

--- a/command/volume_snapshot_delete.go
+++ b/command/volume_snapshot_delete.go
@ -94,9 +94,8 @@ func (c *VolumeSnapshotDeleteCommand) Run(args []string) int {

 	secrets := api.CSISecrets{}
 	for _, kv := range secretsArgs {
-		s := strings.Split(kv, "=")
-		if len(s) == 2 {
-			secrets[s[0]] = s[1]
+		if key, value, found := strings.Cut(kv, "="); found {
+			secrets[key] = value
 		} else {
 			c.Ui.Error("Secret must be in the format: -secret key=value")
 			return 1
--- a/command/volume_snapshot_list.go
+++ b/command/volume_snapshot_list.go
@ -140,9 +140,8 @@ func (c *VolumeSnapshotListCommand) Run(args []string) int {

 	secrets := api.CSISecrets{}
 	for _, kv := range secretsArgs {
-		s := strings.Split(kv, "=")
-		if len(s) == 2 {
-			secrets[s[0]] = s[1]
+		if key, value, found := strings.Cut(kv, "="); found {
+			secrets[key] = value
 		} else {
 			c.Ui.Error("Secret must be in the format: -secret key=value")
 			return 1