Key pattern is moved to a central config expander class with its description.

Co-authored-by: Rye Biesemeyer <[email protected]>

Author: mashhurs

logstash-core/src/main/java/org/logstash/plugins/ConfigVariableExpander.java

@@ -35,11 +35,14 @@
  * */
 public class ConfigVariableExpander implements AutoCloseable {
 
-    private static String SUBSTITUTION_PLACEHOLDER_REGEX = "\\$\\{(?<name>[a-zA-Z_.][a-zA-Z0-9_.]*)(:(?<default>[^}]*))?}";
-
-    private Pattern substitutionPattern = Pattern.compile(SUBSTITUTION_PLACEHOLDER_REGEX);
-    private SecretStore secretStore;
-    private EnvironmentVariableProvider envVarProvider;
+    public static final Pattern KEY_PATTERN = Pattern.compile("[a-zA-Z_.][a-zA-Z0-9_.]*");
+    public static final String KEY_PATTERN_DESCRIPTION = "Key names are limited to ASCII letters (`a`-`z`, `A`-`Z`), numbers (`0`-`9`), " +
+            "underscores (`_`), and dots (`.`); they must be at least one character long and cannot begin with a number";
+    private static final String SUBSTITUTION_PLACEHOLDER_REGEX = "\\$\\{(?<name>" + KEY_PATTERN + ")(:(?<default>[^}]*))?}";
+
+    private static final Pattern substitutionPattern = Pattern.compile(SUBSTITUTION_PLACEHOLDER_REGEX);
+    private final SecretStore secretStore;
+    private final EnvironmentVariableProvider envVarProvider;
 
     /**
      * Creates a ConfigVariableExpander that doesn't lookup any secreted placeholder.

logstash-core/src/main/java/org/logstash/secret/SecretIdentifier.java

@@ -23,6 +23,7 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.util.Strings;
+import org.logstash.plugins.ConfigVariableExpander;
 
 import java.util.Locale;
 import java.util.regex.Pattern;
@@ -33,9 +34,6 @@
  */
 public class SecretIdentifier {
 
-    // aligns with ConfigVariableExpander substitution pattern
-    public final static Pattern KEY_PATTERN = Pattern.compile("[a-zA-Z_.][a-zA-Z0-9_.]*");
-
     private final static Pattern colonPattern = Pattern.compile(":");
     private final static String VERSION = "v1";
     private final static Pattern urnPattern = Pattern.compile("urn:logstash:secret:"+ VERSION + ":.*$");
@@ -66,24 +64,6 @@ public static SecretIdentifier fromExternalForm(final String urn) {
         return new SecretIdentifier(validateWithTransform(parts[4], "key"));
     }
 
-    /**
-     * Minor validation and downcases the parts
-     *
-     * @param key      The key, a part of the URN to validate.
-     * @param partName The name of the part used for logging.
-     * @return The validated and transformed part.
-     */
-    private static String validateWithTransform(final String key, final String partName) {
-        if (key == null || key.isEmpty() || Strings.isBlank(key)) {
-            throw new IllegalArgumentException(String.format("%s may not be null or empty", partName));
-        }
-
-        if (!KEY_PATTERN.matcher(key).matches()) {
-            logger.warn(String.format("Invalid `%s` key appeared in keystore. Please remove it as it cannot be used in the pipelines", key));
-        }
-        return key.toLowerCase(Locale.US);
-    }
-
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;
@@ -131,4 +111,31 @@ public String toExternalForm() {
     public String toString() {
         return toExternalForm();
     }
+
+    /**
+     * Validates the provided key against null, empty and {@link ConfigVariableExpander#KEY_PATTERN}
+     * @param key a key to be validated
+     * @param keyName a key name
+     */
+    private static void validateKey(final String key, final String keyName) {
+        if (key == null || key.isEmpty() || Strings.isBlank(key)) {
+            throw new IllegalArgumentException(String.format("%s may not be null or empty", keyName));
+        }
+
+        if (!ConfigVariableExpander.KEY_PATTERN.matcher(key).matches()) {
+            logger.warn(String.format("Invalid secret key name `%s` provided.", key) + ConfigVariableExpander.KEY_PATTERN_DESCRIPTION);
+        }
+    }
+
+    /**
+     * Minor validation and downcases the parts
+     *
+     * @param key      The key, a part of the URN to validate.
+     * @param partName The name of the part used for logging.
+     * @return The validated and transformed part.
+     */
+    private static String validateWithTransform(final String key, final String partName) {
+        validateKey(key, partName);
+        return key.toLowerCase(Locale.US);
+    }
 }

logstash-core/src/main/java/org/logstash/secret/cli/SecretStoreCli.java

@@ -20,8 +20,12 @@
 
 package org.logstash.secret.cli;
 
+import org.logstash.plugins.ConfigVariableExpander;
 import org.logstash.secret.SecretIdentifier;
-import org.logstash.secret.store.*;
+import org.logstash.secret.store.SecretStore;
+import org.logstash.secret.store.SecretStoreFactory;
+import org.logstash.secret.store.SecretStoreUtil;
+import org.logstash.secret.store.SecureConfig;
 
 import java.nio.CharBuffer;
 import java.nio.charset.CharsetEncoder;
@@ -258,12 +262,8 @@ public void command(String primaryCommand, SecureConfig config, String... allArg
                 if (secretStoreFactory.exists(config.clone())) {
                     final SecretStore secretStore = secretStoreFactory.load(config);
                     for (String argument : commandLine.getArguments()) {
-                        if (!SecretIdentifier.KEY_PATTERN.matcher(argument).matches()) {
-                            final String errorMessage = String.format(
-                                    "Invalid secret key %s provided. " +
-                                            "It can only accept digits, letters with optional `.` " +
-                                            "and/or `_` symbols included between or after.", argument);
-                            throw new IllegalArgumentException(errorMessage);
+                        if (!ConfigVariableExpander.KEY_PATTERN.matcher(argument).matches()) {
+                            throw new IllegalArgumentException(String.format("Invalid secret key name `%s` provided.", argument) + ConfigVariableExpander.KEY_PATTERN_DESCRIPTION);
                         }
                         final SecretIdentifier id = new SecretIdentifier(argument);
                         final byte[] existingValue = secretStore.retrieveSecret(id);