(GH-123) Introduced 'strip_from_keys' option

Update the hiera lookup function so that strip_from_keys can be passed to have more control and flexibility over the names of the secrets stored in azure key vaults.

Author: TraGicCode

.fixtures.yml

@@ -3,11 +3,4 @@
 ---
 fixtures:
   forge_modules:
-  repositories:
-    provision: 'https://github.com/puppetlabs/provision.git'
-    puppet_agent: 'https://github.com/puppetlabs/puppetlabs-puppet_agent.git'
-    facts: 'https://github.com/puppetlabs/puppetlabs-facts.git'
-  # Should go away when Attempting to work around PDK-1137(https://tickets.puppetlabs.com/browse/PDK-1137)
-  # is resolved.
-  symlinks:
-    azure_key_vault: '#{source_dir}'
+#     stdlib: "puppetlabs/stdlib"

README.md

@@ -240,6 +240,42 @@ When troubleshooting, you can run hiera from the commandline with the `--explain
 
       Using normalized KeyVault secret key for lookup: puppetdb--master--config--puppetdb-server
 
+### What is strip_from_keys?
+
+The `strip_from_keys` option allows you to specify one or more patterns to be stripped from the secret name just before looking up the secret in Azure Key Vault. To understand how this is useful, let's walk through an example.
+
+```yaml
+- name: 'Azure Key Vault Secrets'
+    lookup_key: azure_key_vault::lookup
+    options:
+      vault_name: "prod-key-vault"
+      vault_api_version: '2016-10-01'
+      metadata_api_version: '2018-04-02'
+      key_replacement_token: '-'
+      confine_to_keys:
+        - '^azure_.*'
+```
+
+In the example above, `confine_to_keys` is used to scope certain secrets for lookup in Azure Key Vault, ensuring they are retrieved only when they truly exist there. However, as a side effect, `confine_to_keys` influences the secret name. In this case, the Azure Key Vault named "prod-key-vault" would need to have a secret named "azure_sql_database_password".
+
+To prevent this naming requirement, the `strip_from_keys` option was introduced. It allows you to remove specific patterns from the key just before lookup in Azure Key Vault. Below is an updated example demonstrating how `strip_from_keys` can be applied.
+
+```yaml
+- name: 'Azure Key Vault Secrets'
+    lookup_key: azure_key_vault::lookup
+    options:
+      vault_name: "prod-key-vault"
+      vault_api_version: '2016-10-01'
+      metadata_api_version: '2018-04-02'
+      key_replacement_token: '-'
+      strip_from_keys:
+        - '^azure_.*'
+      confine_to_keys:
+        - '^azure_.*'
+```
+
+Now, with `strip_from_keys`, the "azure_*" string pattern is removed from the secret name just before the lookup occurs. This ensures that the system searches for a secret named "sql_database_password" instead of "azure_sql_database_password" in the Azure Key Vault named "prod-key-vault".
+
 ## How it's secure by default
 
 In order to prevent accidental leakage of your secrets throughout all of the locations puppet stores information the returned value of the `azure_key_vault::secret` function & Hiera backend return a string wrapped in a Sensitive data type.  Lets look at an example of what this means and why it's important.  Below is an example of pulling a secret and trying to output the value in a notice function.

lib/puppet/functions/azure_key_vault/lookup.rb

@@ -8,6 +8,7 @@
       vault_api_version => String,
       Optional[metadata_api_version] => String,
       confine_to_keys => Array[String],
+      Optional[strip_from_keys] => Array[String],
       Optional[key_replacement_token] => String,
       Optional[service_principal_credentials] => String,
       Optional[use_azure_arc_authentication] => Boolean
@@ -38,6 +39,20 @@ def lookup_key(secret_name, options, context)
       end
     end
 
+    strip_from_keys = options['strip_from_keys']
+    if strip_from_keys
+      raise ArgumentError, 'strip_from_keys must be an array' unless strip_from_keys.is_a?(Array)
+
+      strip_from_keys.each do |prefix|
+        secret_name_before_strippers = secret_name
+        regex = Regexp.new(prefix)
+        if secret_name.match?(regex)
+          secret_name = secret_name.gsub(regex, '')
+          context.explain { "Stripping the following pattern of #{prefix} from secret_name.  The stripped secret_name has now changed from #{secret_name_before_strippers} to #{secret_name}" }
+        end
+      end
+    end
+
     normalized_secret_name = TragicCode::Azure.normalize_object_name(secret_name, options['key_replacement_token'] || '-')
     context.explain { "Using normalized KeyVault secret key for lookup: #{normalized_secret_name}" }
     return Puppet::Pops::Types::PSensitiveType::Sensitive.new(context.cached_value(normalized_secret_name)) if context.cache_has_key(normalized_secret_name)

metadata.json

@@ -83,7 +83,7 @@
     "azure key vault",
     "azure vault"
   ],
-  "pdk-version": "3.2.0",
-  "template-url": "https://github.com/puppetlabs/pdk-templates.git#main",
+  "pdk-version": "3.4.0",
+  "template-url": "https://github.com/puppetlabs/pdk-templates#main",
   "template-ref": "tags/3.4.0.3-0-g8fb22fc"
 }

spec/functions/azure_key_vault_lookup_spec.rb

@@ -86,6 +86,12 @@
     ).and_raise_error(ArgumentError, %r{'confine_to_keys' expects an Array value}i)
   end
 
+  it 'errors when strip_from_keys is no array' do
+    is_expected.to run.with_params(
+      'profile::windows::sqlserver::sensitive_azure_sql_user_password', options.merge({ 'strip_from_keys' => '^vault.*$' }), lookup_context
+    ).and_raise_error(ArgumentError, %r{'strip_from_keys' expects an Array value}i)
+  end
+
   it "errors when using both 'metadata_api_version' and 'service_principal_credentials'" do
     is_expected.to run.with_params(
       'profile::windows::sqlserver::sensitive_azure_sql_user_password', options.merge({ 'service_principal_credentials' => 'path' }), lookup_context
@@ -131,6 +137,50 @@
     )
   end
 
+  describe 'strip_from_keys' do
+    [
+      {
+        input_secret_name: 'profile::windows::sqlserver::azure_sql_user_password',
+        expected_secret_name: 'profile--windows--sqlserver--sql-user-password',
+        secret_value: 'secret_value',
+        strip_from_keys: ['azure_'],
+        confine_to_keys: ['^.*azure_.*']
+      },
+      {
+        input_secret_name: 'profile::windows::sqlserver::azure_sql_user_password',
+        expected_secret_name: 'azure-sql-user-password',
+        secret_value: 'secret_value',
+        strip_from_keys: ['^profile::.*::'],
+        confine_to_keys: ['^.*azure_.*']
+      },
+    ].each do |test_case|
+      it "strips the patterns #{test_case[:strip_from_keys]} from the secret_name changing it from #{test_case[:input_secret_name]} to #{test_case[:expected_secret_name]}" do
+        access_token_value = 'access_value'
+
+        expect(TragicCode::Azure).to receive(:get_access_token).and_return(access_token_value)
+
+        expect(TragicCode::Azure).to receive(:get_secret).with(
+          options['vault_name'],
+          test_case[:expected_secret_name],
+          options['vault_api_version'],
+          access_token_value,
+          '',
+        ).and_return(test_case[:secret_value])
+
+        # rubocop:disable RSpec/NamedSubject
+        expect(subject.execute(
+          test_case[:input_secret_name],
+          options.merge({
+                          'confine_to_keys' => test_case[:confine_to_keys],
+            'strip_from_keys' => test_case[:strip_from_keys]
+                        }),
+          lookup_context,
+        ).unwrap).to eq test_case[:secret_value]
+        # rubocop:enable RSpec/NamedSubject
+      end
+    end
+  end
+
   it 'calls context.not_found when secret is not found in vault' do
     access_token_value = 'access_value'