Get AppRole secret ID from file on disk (#1153)

* Read secret ID from a validated file path instead of directly

* Check if secret ID was set

* clean up

* Generate yaml for secret ID as file path

* Less convoluted help text

* more clear error message

* Make SecretIDPath and SecretRef mutually exclusive

* Test for validatePath

* Add some extra path validation for Windows

* Update manifests

* Ability for user to specify their own volumes in VSO

* Remove secretidpath-specific integration test in favor of unit test

Author: digivava

api/v1beta1/common.go

@@ -4,6 +4,11 @@
 package v1beta1
 
 import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
 	v1 "k8s.io/api/core/v1"
 )
 
@@ -124,3 +129,46 @@ type VaultClientMeta struct {
 	// any sensitive information.
 	ID string `json:"id,omitempty"`
 }
+
+// validatePath validates a file path for security. It checks for path traversal
+// attempts, ensures the path is absolute, and validates the file exists and is
+// not too large. Returns the cleaned path if valid.
+func validatePath(path string) (string, error) {
+	// Prevent path traversal attacks in the original input
+	if strings.Contains(path, "..") {
+		return "", fmt.Errorf("invalid path: path traversal detected")
+	}
+
+	cleanPath := filepath.Clean(path)
+
+	// Double-check the final normalized path is also safe from path traversal,
+	// since filepath.Clean uses OS-specific separators and could potentially
+	// normalize paths differently
+	if strings.Contains(cleanPath, "..") {
+		return "", fmt.Errorf("invalid path: path traversal detected")
+	}
+
+	// Ensure the path is absolute to prevent relative path issues
+	if !filepath.IsAbs(cleanPath) {
+		return "", fmt.Errorf("invalid path: must be an absolute path")
+	}
+
+	// Validate the file exists and get its info
+	fileInfo, err := os.Stat(cleanPath)
+	if err != nil {
+		return "", fmt.Errorf("failed to access file %s: %w", cleanPath, err)
+	}
+
+	// Ensure it's a regular file, not a directory or special file
+	if !fileInfo.Mode().IsRegular() {
+		return "", fmt.Errorf("path must be a regular file, not a directory or special file")
+	}
+
+	// Limit file size to 1MB to prevent resource exhaustion attacks
+	const maxFileSize = 1024 * 1024
+	if fileInfo.Size() > maxFileSize {
+		return "", fmt.Errorf("file too large: %d bytes (max: %d)", fileInfo.Size(), maxFileSize)
+	}
+
+	return cleanPath, nil
+}

api/v1beta1/common_test.go

@@ -0,0 +1,96 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package v1beta1
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_validatePath(t *testing.T) {
+	tmpDir := t.TempDir()
+	validFile := filepath.Join(tmpDir, "valid-file")
+	require.NoError(t, os.WriteFile(validFile, []byte("content"), 0o600))
+
+	// Create a file that's too large (> 1MB)
+	largeFile := filepath.Join(tmpDir, "large-file")
+	largeContent := make([]byte, 1024*1024+1) // 1MB + 1 byte
+	require.NoError(t, os.WriteFile(largeFile, largeContent, 0o600))
+
+	tests := []struct {
+		name      string
+		path      string
+		want      string
+		wantError bool
+		errorMsg  string
+	}{
+		{
+			name:      "valid-absolute-path",
+			path:      validFile,
+			want:      validFile,
+			wantError: false,
+		},
+		{
+			name:      "valid-path-with-redundant-separators",
+			path:      validFile + "//",
+			want:      validFile,
+			wantError: false,
+		},
+		{
+			name:      "invalid-relative-path",
+			path:      "relative/path",
+			wantError: true,
+			errorMsg:  "must be an absolute path",
+		},
+		{
+			name:      "invalid-path-with-dotdot-in-middle",
+			path:      tmpDir + "/subdir/../../etc/passwd",
+			wantError: true,
+			errorMsg:  "path traversal detected",
+		},
+		{
+			name:      "invalid-literal-dotdot-in-path",
+			path:      "/tmp/test/../sensitive",
+			wantError: true,
+			errorMsg:  "path traversal detected",
+		},
+		{
+			name:      "invalid-file-does-not-exist",
+			path:      "/nonexistent/file",
+			wantError: true,
+			errorMsg:  "failed to access file",
+		},
+		{
+			name:      "invalid-file-too-large",
+			path:      largeFile,
+			wantError: true,
+			errorMsg:  "file too large",
+		},
+		{
+			name:      "invalid-path-is-directory",
+			path:      tmpDir,
+			wantError: true,
+			errorMsg:  "must be a regular file",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := validatePath(tt.path)
+			if tt.wantError {
+				assert.Error(t, err)
+				if tt.errorMsg != "" {
+					assert.Contains(t, err.Error(), tt.errorMsg)
+				}
+			} else {
+				require.NoError(t, err)
+				assert.Equal(t, tt.want, got)
+			}
+		})
+	}
+}

api/v1beta1/vaultauth_types.go

@@ -127,13 +127,15 @@ type VaultAuthConfigAppRole struct {
 	// RoleID of the AppRole Role to use for authenticating to Vault.
 	RoleID string `json:"roleId,omitempty"`
 
-	// SecretID of the AppRole Role to use for authenticating to Vault.
-	// If both SecretID and SecretRef are specified, SecretID takes precedence.
-	SecretID string `json:"secretID,omitempty"`
+	// SecretIDPath is a file system path pointing to a file containing the plaintext Secret ID for the
+	// AppRole Role to use for authenticating to Vault.
+	// SecretIDPath and SecretRef are mutually exclusive, and only one should be specified.
+	SecretIDPath string `json:"secretIDPath,omitempty"`
 
 	// SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which
 	// provides the AppRole Role's SecretID. The secret must have a key named `id` which holds the
 	// AppRole Role's secretID.
+	// SecretIDPath and SecretRef are mutually exclusive, and only one should be specified.
 	SecretRef string `json:"secretRef,omitempty"`
 }
 
@@ -145,6 +147,9 @@ func (a *VaultAuthConfigAppRole) Merge(other *VaultAuthConfigAppRole) (*VaultAut
 	if c.RoleID == "" {
 		c.RoleID = other.RoleID
 	}
+	if c.SecretIDPath == "" {
+		c.SecretIDPath = other.SecretIDPath
+	}
 	if c.SecretRef == "" {
 		c.SecretRef = other.SecretRef
 	}
@@ -163,8 +168,20 @@ func (a *VaultAuthConfigAppRole) Validate() error {
 		errs = errors.Join(fmt.Errorf("empty roleID"))
 	}
 
-	if a.SecretRef == "" && a.SecretID == "" {
-		errs = errors.Join(fmt.Errorf("empty secretRef and seecretID"))
+	if a.SecretRef == "" && a.SecretIDPath == "" {
+		errs = errors.Join(errs, fmt.Errorf("either secretRef or secretIDPath must be specified"))
+	}
+
+	if a.SecretRef != "" && a.SecretIDPath != "" {
+		errs = errors.Join(errs, fmt.Errorf("secretRef and secretIDPath are mutually exclusive, only one should be specified"))
+	}
+
+	if a.SecretIDPath != "" {
+		safePath, err := validatePath(a.SecretIDPath)
+		if err != nil {
+			return fmt.Errorf("invalid SecretIDPath: %w", err)
+		}
+		a.SecretIDPath = safePath
 	}
 
 	return errs

api/v1beta1/vaultauth_types_test.go

@@ -0,0 +1,149 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package v1beta1
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestVaultAuthConfigAppRole_Validate(t *testing.T) {
+	tmpDir := t.TempDir()
+	validFilePath := filepath.Join(tmpDir, "test-secretid")
+	require.NoError(t, os.WriteFile(validFilePath, []byte("test-secret-id"), 0o600))
+
+	tests := []struct {
+		name      string
+		appRole   *VaultAuthConfigAppRole
+		wantError bool
+		errorMsg  string
+	}{
+		{
+			name: "valid-with-secretref",
+			appRole: &VaultAuthConfigAppRole{
+				RoleID:    "test-role",
+				SecretRef: "test-secret",
+			},
+			wantError: false,
+		},
+		{
+			name: "valid-with-secretidpath",
+			appRole: &VaultAuthConfigAppRole{
+				RoleID:       "test-role",
+				SecretIDPath: validFilePath,
+			},
+			wantError: false,
+		},
+		{
+			name: "invalid-both-secretref-and-secretidpath",
+			appRole: &VaultAuthConfigAppRole{
+				RoleID:       "test-role",
+				SecretRef:    "test-secret",
+				SecretIDPath: validFilePath,
+			},
+			wantError: true,
+			errorMsg:  "mutually exclusive",
+		},
+		{
+			name: "invalid-missing-both",
+			appRole: &VaultAuthConfigAppRole{
+				RoleID: "test-role",
+			},
+			wantError: true,
+			errorMsg:  "either secretRef or secretIDPath must be specified",
+		},
+		{
+			name: "invalid-missing-roleid",
+			appRole: &VaultAuthConfigAppRole{
+				SecretRef: "test-secret",
+			},
+			wantError: true,
+			errorMsg:  "empty roleID",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.appRole.Validate()
+			if tt.wantError {
+				assert.Error(t, err)
+				if tt.errorMsg != "" {
+					assert.Contains(t, err.Error(), tt.errorMsg)
+				}
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestVaultAuthConfigAppRole_Merge(t *testing.T) {
+	tests := []struct {
+		name      string
+		base      *VaultAuthConfigAppRole
+		other     *VaultAuthConfigAppRole
+		want      *VaultAuthConfigAppRole
+		wantError bool
+	}{
+		{
+			name: "merge-empty-fields",
+			base: &VaultAuthConfigAppRole{
+				RoleID: "base-role",
+			},
+			other: &VaultAuthConfigAppRole{
+				RoleID:    "other-role",
+				SecretRef: "other-secret",
+			},
+			want: &VaultAuthConfigAppRole{
+				RoleID:    "base-role",
+				SecretRef: "other-secret",
+			},
+			wantError: false,
+		},
+		{
+			name: "merge-preserves-base-values",
+			base: &VaultAuthConfigAppRole{
+				RoleID:    "base-role",
+				SecretRef: "base-secret",
+			},
+			other: &VaultAuthConfigAppRole{
+				RoleID:    "other-role",
+				SecretRef: "other-secret",
+			},
+			want: &VaultAuthConfigAppRole{
+				RoleID:    "base-role",
+				SecretRef: "base-secret",
+			},
+			wantError: false,
+		},
+		{
+			name: "merge-creates-invalid-config",
+			base: &VaultAuthConfigAppRole{
+				RoleID: "base-role",
+			},
+			other: &VaultAuthConfigAppRole{
+				RoleID: "other-role",
+			},
+			wantError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := tt.base.Merge(tt.other)
+			if tt.wantError {
+				assert.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				assert.Equal(t, tt.want.RoleID, got.RoleID)
+				assert.Equal(t, tt.want.SecretRef, got.SecretRef)
+				assert.Equal(t, tt.want.SecretIDPath, got.SecretIDPath)
+			}
+		})
+	}
+}

chart/crds/secrets.hashicorp.com_vaultauthglobals.yaml

@@ -79,16 +79,18 @@ spec:
                     description: RoleID of the AppRole Role to use for authenticating
                       to Vault.
                     type: string
-                  secretID:
+                  secretIDPath:
                     description: |-
-                      SecretID of the AppRole Role to use for authenticating to Vault.
-                      If both SecretID and SecretRef are specified, SecretID takes precedence.
+                      SecretIDPath is a file system path pointing to a file containing the plaintext Secret ID for the
+                      AppRole Role to use for authenticating to Vault.
+                      SecretIDPath and SecretRef are mutually exclusive, and only one should be specified.
                     type: string
                   secretRef:
                     description: |-
                       SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which
                       provides the AppRole Role's SecretID. The secret must have a key named `id` which holds the
                       AppRole Role's secretID.
+                      SecretIDPath and SecretRef are mutually exclusive, and only one should be specified.
                     type: string
                 type: object
               aws: