
Secret Manager Secrets with (intentional) line breaks not handled correctly

Open albrechtflo-hg opened this issue 3 years ago • 2 comments

The implementation of the property source for Secret Manager secrets removes line breaks (\n) in the secrets:

https://github.com/micronaut-projects/micronaut-gcp/blob/master/gcp-secret-manager/src/main/java/io/micronaut/gcp/secretmanager/SecretManagerConfigurationClient.java#L92

This causes problems, as e.g. in our case, we want to put the PEM Private Key for a Kafka connection to the Secret Manager. The PEM contains newlines, which you could include in YAML without any problem. But when referring to a property from the Secret Manager, the PEM is invalid, as the newlines are removed (at least the newline after ---- BEGIN PRIVATE KEY --- must be included).

Steps to Reproduce

  1. Create a Secret in Google Cloud with intentional newlines
  2. Refer to this Secret in a property
  3. Output the property value, e.g. to STDOUT.

Expected Behaviour

The property, including its line breaks, is written to STDOUT.

Actual Behaviour

The property is written to STDOUT, without its line breaks.

Environment Information

  • Operating System: Linux / JIB Docker
  • Micronaut Version: io.micronaut.gcp:micronaut-gcp-secret-manager:3.5.0
  • JDK Version: 11

Example Application

I think this is quite trivial to reproduce; more trivial than giving access to our Secret Manager to the world.

albrechtflo-hg avatar Jul 07 '21 13:07 albrechtflo-hg

Seems like you have identified the issue, would you be interested in sending a PR that resolves the issue?

graemerocher avatar Jul 07 '21 13:07 graemerocher

Well, it would be easy to just remove the replaceAll() from that line, but that might break some applications - I think this call is intentional there, as it is easy to accidentally add a terminating newline when editing secrets via Google Cloud Console.

So the most elegant solution would be to make this "newline removal" configurable - but that is a rather huge change I wouldn't be able to provide currently due to capacity restrictions on my side.

For now, we were able to solve this for us with a workaround, by "concatenating" the newlines with the "real" secret directly in the application.yml:

kafka:
  ssl:
    keystore:
      type: PEM
      key: |
        -----BEGIN PRIVATE KEY-----
        ${sm.kafka.private.key.pem}
        -----END PRIVATE KEY-----

This works fine for us and may help others running into similar issues.

albrechtflo-hg avatar Jul 08 '21 07:07 albrechtflo-hg
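The following is an added, stand-alone example (not code from the issue or from micronaut-gcp) that simulates the newline stripping described in the issue, shows a structural PEM check an application could run on a loaded secret before handing it to Kafka, and applies the reporter's re-wrapping workaround in code. The sample key bytes, the `strip_newlines` simulation and the helper names are all constructed for this example.

```python
import base64
import re

# Constructed sample: a PEM-shaped secret as it would be stored in Secret Manager.
# The body encodes made-up bytes, not a real key; it only has to be valid base64.
RAW_KEY_BYTES = b"constructed demo bytes, not a real private key " * 3  # 141 bytes
BODY_B64 = base64.b64encode(RAW_KEY_BYTES).decode()
BODY_LINES = "\n".join(BODY_B64[i:i + 64] for i in range(0, len(BODY_B64), 64))
SAMPLE_SECRET = f"-----BEGIN PRIVATE KEY-----\n{BODY_LINES}\n-----END PRIVATE KEY-----\n"

# Header and footer must each sit on their own line; the body is one or more
# base64 lines. A secret whose line breaks were dropped fails at the first "\n".
PEM_RE = re.compile(
    r"\A-----BEGIN (?P<label>[A-Z ]+)-----\n"
    r"(?P<body>(?:[A-Za-z0-9+/=]+\n)+)"
    r"-----END (?P=label)-----\n?\Z"
)


def strip_newlines(value: str) -> str:
    """Simulate the behaviour reported in the issue: every line break in the
    secret value is removed (a stand-in for the library's replaceAll, not its code)."""
    return value.replace("\n", "")


def check_pem(value: str) -> dict:
    """Report whether value is a well-formed PEM block and how many DER bytes
    its body decodes to. Run this on a loaded secret to catch flattening early."""
    m = PEM_RE.match(value)
    if not m:
        return {"valid": False, "reason": "header, body and footer are not on separate lines"}
    try:
        der = base64.b64decode(m.group("body").replace("\n", ""), validate=True)
    except ValueError:
        return {"valid": False, "reason": "body is not base64"}
    return {"valid": True, "label": m.group("label"), "der_len": len(der)}


def rewrap(stripped_body: str, label: str = "PRIVATE KEY") -> str:
    """The issue's workaround in code: store only the base64 body in the secret
    and add the header and footer lines around it when the property is assembled."""
    return f"-----BEGIN {label}-----\n{stripped_body}\n-----END {label}-----\n"


if __name__ == "__main__":
    print("original :", check_pem(SAMPLE_SECRET))
    print("flattened:", check_pem(strip_newlines(SAMPLE_SECRET)))
    print("rewrapped:", check_pem(rewrap(strip_newlines(BODY_LINES))))
```

The flattened value is rejected because the base64 body runs straight into the header; the re-wrapped value passes even though its body is a single long line, which is exactly what the application.yml workaround above produces.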