Allow dot and colon in variable path

[xtremerui]

What does this PR accomplish?

Bug Fix | Feature | Documentation

closes #4249 .

Changes proposed by this PR:

Allow dot . and : in variable path if quoted with ". Parse variable name in ((var_name)) to VariableReference so underneath implementation of Variable interface doesn't need to.

((foo:"a_path_with.dot".bar.zoo)) ->

VariableReference{
  Name: "foo:\"a_path_with.dot\".bar.zoo",
  Source: "foo",
  Path: "a_path_with.dot",
  Fields: ["bar","zoo"],
}

Release Note

• You can now interpolate variables with special characters . and : in the name by wrapping them in double quotes
• e.g. (("some.secret".field1)) accesses field1 of the secret some.secret

Notes to reviewer:

Contributor Checklist

• Followed Code of conduct, Contributing Guide & avoided Anti-patterns
• Signed all commits
• Added tests (Unit and/or Integration)
• Updated Documentation
• Updated Release notes

Reviewer Checklist

• Code reviewed
• Tests reviewed
• Documentation reviewed
• Release notes reviewed
• PR acceptance performed
• New config flags added? Ensure that they are added to the
  BOSH and
  Helm packaging; otherwise, ignored for
  the integration
  tests
  (for example, if they are Garden configs that are not displayed in the
  --help text).

[chenbh]

Same issue as Conjur, looking below it seems like it only cares about Path and not Fields. But I haven't actually used Credhub so can't say for sure

[chenbh]

I'm beginning to think that the Name shouldn't include Source, that way it'll just be Path + Fields and won't break all of our existing cred managers

[xtremerui]

The problem is if we do path + fields we will need to concatenate them back with . and wrap them properly with ". I think the parsing of (()) makes us to use ref.Path for creds manager.

And the logic in template will take care of looking up fields.

[chenbh]

We can probably use parts[1]

concourse/vars/template.go

Lines 144 to 145 in 46efd51

	parts := strings.SplitN(name, ":", 2)
	varRef.Source = parts[0]

[chenbh]

And the logic in template will take care of looking up fields.

True, I guess another question is how much processing should the cred manager do vs Concourse. They technically have all the information (e.g. Fields) required to fully resolve the secret, but it might be less code duplication if Concourse handles that part

[chenbh]

Comment needs updating, the main purpose now is to extract Fields from a map[string]interface{}

[xtremerui]

I think the end goal of this Get is still finding a string value? Extracting fields is the first part. It then use the fields to do recursive look up.

[aoldershaw]

After a bunch of fiddling, I eventually got a local Conjur connected to Concourse. I ended up mostly following the quick start, but made the few modifications to the quick start repo. These are the changes I made

1. Don't use SSL (was having trouble getting self-signed certs to pair with concourse)

diff --git a/conf/default.conf b/conf/default.conf
index 8aa7e18..0832396 100755
--- a/conf/default.conf
+++ b/conf/default.conf
@@ -1,11 +1,8 @@
 server {
-    listen              443 ssl;
+    listen              80;
     server_name         proxy;
     access_log          /var/log/nginx/access.log;

-    ssl_certificate     /etc/nginx/tls/nginx.crt;
-    ssl_certificate_key /etc/nginx/tls/nginx.key;
-
     location / {
       proxy_pass http://conjur;
     }

diff --git a/docker-compose.yml b/docker-compose.yml
index 1332b86..56ad583 100755
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -53,10 +53,9 @@ services:
     image: nginx:1.13.6-alpine
     container_name: nginx_proxy
     ports:
-      - "8443:443"
+      - "8081:80"
     volumes:
       - ./conf/:/etc/nginx/conf.d/:ro
-      - ./conf/tls/:/etc/nginx/tls/:ro
     depends_on:
     - conjur
     - openssl

2. Use the following policy, rather than the provided BotApp.yml:

- !policy
  id: concourse
  body:
  - !variable "secret.value"
  - !variable "secret"

3. Use the following docker-compose override for running concourse:

version: '3'

services:
  web:
    environment:
      CONCOURSE_CONJUR_APPLIANCE_URL: http://docker.for.mac.localhost:8081
      CONCOURSE_CONJUR_ACCOUNT: myConjurAccount
      CONCOURSE_CONJUR_AUTHN_LOGIN: admin
      CONCOURSE_CONJUR_AUTHN_API_KEY: 1xkf4xh2efa4ja7k3ng0rhdqg52dajps63ks08h511q08ks1d8a4pd
      CONCOURSE_CONJUR_SECRET_TEMPLATE: concourse/{{.Secret}}

where the API_KEY is the admin key (in the admin_data file from the quick start).

---

Anyway, I tested it a bit with the changes in this PR and without. Something about this change seems to not work with (at least) Conjur, even in the case where there are no dots or colons in the path. e.g. consider the following pipeline:

jobs:
- name: job
  plan:
  - task: echo
    config:
      platform: linux
      image_resource:
        type: registry-image
        source: {repository: busybox}
      run:
        path: echo
        args: [((secret))]

On master, this works correctly (i.e. echos the value of secret in Conjur), but with this change, I get the following error:

failed to interpolate task config: 404 Not Found. Variable 'concourse/main/echo/secret' not found in account 'myConjurAccount'.

(note: I had to modify to modify this line

concourse/atc/creds/conjur/conjur.go

Line 43 in a822574

return nil, nil, false, nil

to get the error message to show up, since currently we just ignore it and assume the var wasn't found)

[xtremerui]

Thx for the detail of integration test.

(note: I had to modify to modify this line

concourse/atc/creds/conjur/conjur.go

Line 43 in a822574

return nil, nil, false, nil

to get the error message to show up, since currently we just ignore it and assume the var wasn't found)

This error is strange since it outputs the correct path path for looking up secret under path concourse/team_name/pipeline_name,which matches the unit test. Concourse doesn't implement RetrieveSecret so there is no change in that part. I wonder what the argument of RetrieveSecret is in master when it success to fetch the secret. Will try this locally.

Updated: the working path in master is concourse/secret, which matches the policy defined in conjur. So the problem is concourse is using the wrong path to fetch the secret (or it doesn't try each kind of template for path)

[xtremerui]

@aoldershaw the way that creds manager looking up secret is

• generate secret looks up path. If no templating ENV is set, it will use the default path template concourse/team_name/pipeline_name/secret, concourse/team_name/secert, concourse/secret in Conjur's case.
• try fetching the secret by EVERY path here
  

  concourse/atc/creds/secret_var_lookup.go

  Line 22 in c5e2ad3

  for _, rule := range sl.LookupPaths {

  
  notice how it relies on the return of Get

  concourse/atc/creds/secret_var_lookup.go

  Line 28 in c5e2ad3

  result, _, found, err := sl.Secrets.Get(secretRef)

  
  . It always expect no error so it could go to next iteration. So in your case if you change the line in Conjur to return an error. It will failed in the first attempt and stop the loop, while the correct path concourse/secret is ignored. Not sure if that is your case or not.

In my local testing, I rebased master and run the test pretty much follow your instruction. I have these values set up in Conjur.

docker-compose exec client conjur variable value concourse/secret 
blah
 docker-compose exec client conjur variable value concourse/secret.value
foo

In my test both ((secret)) and (("secret.value")) revolved to blah and foo, respectively. And ((secret.value)) give back error like
failed to interpolate task config: cannot access field 'value' of non-map value ('string') from var: secret.value.

Additionally, I use the setup to test static variable by fly -t local sp -p echo -c echo.yml -v secret.value=buzz.

I also used this pipeline to test named variable

var_sources:
- name: dumb
  type: dummy
  config:
    vars:
      simple: hello!
      user.value:
        username: big
        password: sekrit

jobs:
- name: job
  plan:
  - task: echo
    config:
      platform: linux
      image_resource:
        type: registry-image
        source: {repository: busybox}
      run:
        path: echo
        args: [((dumb:"user.value".password))]

All seems working. Could you try this rebased version again? Thx!

[aoldershaw]

@xtremerui just tried it out again (with both Conjur and Vault), and it works as expected. Will take a closer look through the code now

[aoldershaw]

Have some questions

[aoldershaw]

Just realized there's both a varsTracker and a credVarsTracker (which happens to live in vars_tracker.go). Doesn't have to be on this PR to change this, but it's a bit confusing

[aoldershaw]

Looks pretty good but FYI some of the unit tests are broken - missed reverting some test code in dfcc427 I think

[aoldershaw]

LGTM!

[TheSecMaven]

what version of concourse will this roll into?

[aoldershaw]

@mkkeffeler should be the next release (6.5.0), which will probably be in around 2-3 weeks

[TheSecMaven]

was this test case tested? seems to be faiiling for us on 6.6

params:
  CP_CREDENTIALS: (("me/Nonprod/N_A_GOG_GCP_SVC_PFOP_NL/CloudService-N_A_GOG_GCP_NL-me.me.com-test@me.com/password"))

[xtremerui]

was it working before? Seems to me the last part com-test@me.com needs to be quoted?

[TheSecMaven]

actually no. its a conjur credential. all of those dots are dots in the actual secret name, not a sub attribute or anything like that

[xtremerui]

do you mean the var is not evaluated to a value by conjur when you say "failed"? or there is an error.

[TheSecMaven]

the var is not evaluated to a value in conjur, conjur logs show it isn't being looked up. when we print "env" we see the variable that we typed in the pipeline, rather than the value. other variables work though.

[xtremerui]

@mkkeffeler Thx for the info. I think the interpolation regex failed to match the var name in your particular case. This is a bug we will fix it.

[TheSecMaven]

hmm not sure i follow. Can you explain how it does that? and is there a workaround?

[xtremerui]

we have a regex to first check if the node in yml file is a var that needed to be interpolated or not. For example, one condition is it needs to be surrounded by ((..)). There are some other conditions as well.

The example you gave by current regex is not considered a var at all so it is treated as normal text. By allowing @ in the regex will fix the problem. If you are more interested you can check the PR I submit to fix this later.

[TheSecMaven]

got it

we also will have spaces in some vars. not sure if thats already working, but worth calling out :)