Vault TOTP: accept secrets with missing padding
Describe the bug
When adding TOTP keys to Vault, the secret issued by the provider might be missing its base32 padding characters. Google Authenticator accepts the secret as-is, but Vault fails with "illegal base32 data at input byte xx". Vault should handle any missing padding by rounding the input data up to 32 bytes, as other authenticator apps do.
At the moment it is necessary to add padding equals signs to the end of the secret by trial and error until it reaches a length Vault accepts. You can also try to work out the correct number of padding symbols, but since there is not a one-to-one mapping between the number of equals signs in the encoded string and the output length, this is non-trivial and most definitely not user-friendly!
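The normalisation the report asks for, written out as an added example in Go (the language Vault and its base32 error message come from); this is not Vault's own code. It assumes only the standard library: the strict `base32.StdEncoding` decoder rejects a secret whose length is not a multiple of 8 characters, so the helper upper-cases the input, strips any spacing or dashes a provider may display, and re-pads it to the next multiple of 8 before decoding. The sample secret is the one from this report; `StrictDecode`, `NormalizeBase32Secret` and `DecodeSecret` are names chosen here.

```go
package main

import (
	"encoding/base32"
	"fmt"
	"strings"
)

// Constructed sample: the secret from the report exactly as a provider might
// hand it out, i.e. without the trailing "===" that RFC 4648 padding requires.
const unpaddedSecret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZAU"

// StrictDecode is a plain base32.StdEncoding decode: it insists on the input
// being a whole number of 8-character quanta, so an unpadded secret is
// rejected with an "illegal base32 data" error.
func StrictDecode(secret string) ([]byte, error) {
	return base32.StdEncoding.DecodeString(secret)
}

// NormalizeBase32Secret turns a secret as displayed by a provider into the
// canonical form the strict decoder expects: upper-case, no separators, and
// padded with "=" up to a multiple of 8 characters. Existing padding is
// stripped first, so already-padded input comes out unchanged.
func NormalizeBase32Secret(secret string) string {
	s := strings.ToUpper(secret)
	// Providers often show the secret in groups separated by spaces or dashes.
	s = strings.NewReplacer(" ", "", "-", "", "\t", "", "\n", "").Replace(s)
	s = strings.TrimRight(s, "=")
	if rem := len(s) % 8; rem != 0 {
		s += strings.Repeat("=", 8-rem)
	}
	return s
}

// DecodeSecret decodes a TOTP shared secret while tolerating missing padding.
// Truly malformed input still fails: characters outside the base32 alphabet,
// or a final quantum of 1, 3 or 6 data characters, which no byte count can
// produce and which encoding/base32 rejects.
func DecodeSecret(secret string) ([]byte, error) {
	return base32.StdEncoding.DecodeString(NormalizeBase32Secret(secret))
}

func main() {
	if _, err := StrictDecode(unpaddedSecret); err != nil {
		fmt.Println("strict decode:", err)
	}
	key, err := DecodeSecret(unpaddedSecret)
	if err != nil {
		fmt.Println("normalized decode failed:", err)
		return
	}
	fmt.Printf("normalized to %q, decoded %d bytes: %q\n",
		NormalizeBase32Secret(unpaddedSecret), len(key), key)
}
```

Re-padding, rather than switching to `base32.StdEncoding.WithPadding(base32.NoPadding)`, is deliberate: the no-padding decoder would start rejecting the padded secrets that already work today, whereas normalising first accepts both forms. The 23 decoded bytes for the sample are the 22 digits plus the newline that `echo` appended in the reproduction above.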
To Reproduce
$ echo "1234567890123456789012" | base32
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZAU===
$ vault write totp/keys/test url="otpauth://totp/test:test?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZAU&issuer=test"
Error writing to: totp/keys/test.
URL: /v1/totp/keys/test
Code: 400
Errors:
invalid key value: illegal base32 data at input byte 32
$ vault write totp/keys/test url="otpauth://totp/test:test?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZAU===&issuer=test"
Success! Data written to: totp/keys/test
Expected behavior
Key is accepted, and codes can be read from Vault.
Environment:
vault 1.7.2
Hi! This issue is fixed by the MR from @MartinLeedotOrg in this MR. Maybe we should close the issue?