feat: allow dynamic paths for roles

Author: danilobuerger

README.md

@@ -90,10 +90,10 @@ you may or may not be able to access certain paths.
 There are some flags we can specify to enable/disable some functionality in the vault plugin.
 
 
-|            Flag            | Default value | Description                                                                            |
-|:--------------------------:|:-------------:|:---------------------------------------------------------------------------------------|
-|     show-config-token      |     false     | Display the token value when reading a config on it's endpoint like `/config/default`. |
-| allow-runtime-flags-change |     false     | Allows you to change the flags at runtime                                              |
+|               Flag                | Default value | Changable during runtime if `allow-runtime-flags-change` is set to `true` | Description                                                                            |
+|:---------------------------------:|:-------------:|:-------------------------------------------------------------------------:|----------------------------------------------------------------------------------------|
+|         show-config-token         |     false     |                                   true                                    | Display the token value when reading a config on it's endpoint like `/config/default`. |
+|    allow-runtime-flags-change     |     false     |                                   false                                   | Allows you to change the flags at runtime                                              |
 
 ## Security Model
 
@@ -113,16 +113,17 @@ The current authentication model requires providing Vault with a Gitlab Token.
 
 ### Role
 
-|       Property       | Required | Default value | Sensitive | Description                                                                                                          |
-|:--------------------:|:--------:|:-------------:|:---------:|:---------------------------------------------------------------------------------------------------------------------|
-|         path         |   yes    |      n/a      |    no     | Project/Group path to create an access token for. If the token type is set to personal then write the username here. |
-|         name         |   yes    |      n/a      |    no     | The name of the access token                                                                                         |
-|         ttl          |   yes    |      n/a      |    no     | The TTL of the token                                                                                                 |
-|     access_level     |  no/yes  |      n/a      |    no     | Access level of access token (only required for Group and Project access tokens)                                     |
-|        scopes        |    no    |      []       |    no     | List of scopes                                                                                                       |
-|      token_type      |   yes    |      n/a      |    no     | Access token type                                                                                                    |
-| gitlab_revokes_token |    no    |      no       |    no     | Gitlab revokes the token when it's time. Vault will not revoke the token when the lease expires                      |
-|     config_name      |    no    |    default    |    no     | The configuration to use for the role                                                                                |
+|       Property       | Required | Default value | Sensitive | Description                                                                                                                                                                                                         |
+|:--------------------:|:--------:|:-------------:|:---------:|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|         path         |   yes    |      n/a      |    no     | Project/Group path to create an access token for. If the token type is set to personal then write the username here. If `dynamic_path` is set to true this needs to be a regex.                                     |
+|         name         |   yes    |      n/a      |    no     | The name of the access token                                                                                                                                                                                        |
+|         ttl          |   yes    |      n/a      |    no     | The TTL of the token                                                                                                                                                                                                |
+|     access_level     |  no/yes  |      n/a      |    no     | Access level of access token (only required for Group and Project access tokens)                                                                                                                                    |
+|        scopes        |    no    |      []       |    no     | List of scopes                                                                                                                                                                                                      |
+|      token_type      |   yes    |      n/a      |    no     | Access token type                                                                                                                                                                                                   |
+| gitlab_revokes_token |    no    |      no       |    no     | Gitlab revokes the token when it's time. Vault will not revoke the token when the lease expires                                                                                                                     |
+|     config_name      |    no    |    default    |    no     | The configuration to use for the role                                                                                                                                                                               |
+|     dynamic_path     |    no    |     false     |    no     | If set to true, you will be able to use the regex pattern to match the path from the role path                                                                                                                      |
 
 #### path
 
@@ -173,7 +174,7 @@ Here are some examples of effective token name templates:
 
 The following data points can be used within your token name template. These are derived from the role for which the token is being generated:
 
-* path
+* path (using this with `dynamic_path` can lead to unexpected results)
 * ttl
 * access_level
 * scopes (csv string ex: api, sudo, read_api)
@@ -330,6 +331,7 @@ $ vault write gitlab/roles/project name='{{ .role_name }}-{{ .token_type }}-{{ r
 $ vault write gitlab/roles/group name='{{ .role_name }}-{{ .token_type }}-{{ randHexString 4 }}' path=group/subgroup scopes="read_api" access_level=developer token_type=group ttl=48h
 $ vault write gitlab/roles/sa name='{{ .role_name }}-{{ .token_type }}-{{ randHexString 4 }}' path=service_account_00b069cb73a15d0a7ba8cd67a653599c scopes="read_api" token_type=user-service-account ttl=24h
 $ vault write gitlab/roles/ga name='{{ .role_name }}-{{ .token_type }}-{{ randHexString 4 }}' path=345/service_account_00b069cb73a15d0a7ba8cd67a653599c scopes="read_api" token_type=group-service-account ttl=24h
+$ vault write gitlab/roles/personal-dynamic-path name='{{ .role_name }}-{{ .token_type }}-{{ randHexString 4 }}' path='ilija-.*' dynamic_path=true scopes="read_api" token_type=personal ttl=48h
 ```
 
 #### User service accounts

internal/model/role/role.go

@@ -21,6 +21,7 @@ type Role struct {
 	AccessLevel         token.AccessLevel `json:"access_level" structs:"access_level" mapstructure:"access_level,omitempty"`
 	TokenType           token.Type        `json:"token_type" structs:"token_type" mapstructure:"token_type"`
 	GitlabRevokesTokens bool              `json:"gitlab_revokes_token" structs:"gitlab_revokes_token" mapstructure:"gitlab_revokes_token"`
+	DynamicPath         bool              `json:"dynamic_path" structs:"dynamic_path" mapstructure:"dynamic_path"`
 	ConfigName          string            `json:"config_name" structs:"config_name" mapstructure:"config_name"`
 }
 
@@ -39,6 +40,7 @@ func (e Role) LogicalResponseData() map[string]any {
 		"access_level":         e.AccessLevel.String(),
 		"ttl":                  int64(e.TTL / time.Second),
 		"token_type":           e.TokenType.String(),
+		"dynamic_path":         e.DynamicPath,
 		"gitlab_revokes_token": e.GitlabRevokesTokens,
 		"config_name":          e.ConfigName,
 	}

internal/token/validate_path.go

@@ -0,0 +1,79 @@
+package token
+
+import (
+	"regexp"
+	"strings"
+
+	"github.com/ilijamt/vault-plugin-secrets-gitlab/internal/utils"
+)
+
+var (
+	allowedSegment      = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)
+	invalidPathPrefixes = []string{"-", "_", "."}
+	invalidPathSuffixes = []string{"-", "_", ".", ".git", ".atom"}
+	invalidSegmentEdges = []string{"-", "_", "."}
+)
+
+/*
+IsValidPath validates a path string for a specified tokenType.
+
+Validation rules:
+  - Each segment can contain only ASCII letters, digits, '_', '-', '.'.
+  - Path must not start with '-', '_', or '.'.
+  - Path must not end with '-', '_', '.', '.git' or '.atom'.
+  - Segment count rules per token type:
+    -- TypePersonal, TypeUserServiceAccount: exactly 1 segment.
+    -- TypeGroupServiceAccount: exactly 2 segments.
+    -- TypeProject, TypeGroup, TypeProjectDeploy, TypeGroupDeploy, TypePipelineProjectTrigger: 1 or more segments.
+
+Returns true if valid, else false.
+*/
+func IsValidPath(path string, tokenType Type) (valid bool) {
+	if strings.TrimSpace(path) == "" {
+		return false
+	}
+
+	if utils.HasAny(path, invalidPathPrefixes, strings.HasPrefix) ||
+		utils.HasAny(path, invalidPathSuffixes, strings.HasSuffix) {
+		return false
+	}
+
+	segments := strings.Split(path, "/")
+	for _, s := range segments {
+		if s == "" {
+			return false
+		}
+
+		if !allowedSegment.MatchString(s) ||
+			utils.HasAny(s, invalidSegmentEdges, strings.HasPrefix) ||
+			utils.HasAny(s, invalidSegmentEdges, strings.HasSuffix) {
+			return false
+		}
+	}
+
+	switch tokenType {
+	case TypePersonal, TypeUserServiceAccount:
+		/*
+			Format of the paths:
+				- {username}
+		*/
+		return len(segments) == 1
+
+	case TypeGroupServiceAccount:
+		/*
+			Format of the paths:
+				- {groupId}/{serviceAccountName}
+		*/
+		return len(segments) == 2
+
+	case TypeProject, TypeGroup, TypeProjectDeploy, TypeGroupDeploy, TypePipelineProjectTrigger:
+		/*
+			Format of the paths:
+				- group/project or group/subgroup/project
+				- group or group/subgroup
+		*/
+		return len(segments) >= 1
+	}
+
+	return true
+}

internal/token/validate_path_test.go

@@ -0,0 +1,70 @@
+package token_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/ilijamt/vault-plugin-secrets-gitlab/internal/token"
+)
+
+func TestIsValidPath(t *testing.T) {
+	tests := []struct {
+		name      string
+		path      string
+		tokenType token.Type
+		valid     bool
+	}{
+		// Test cases
+		{"personal access token - dynamic path", "admin-user", token.TypePersonal, true},
+		{"project access token - dynamic path", "example/example", token.TypeProject, true},
+		{"group access token - dynamic path", "example", token.TypeGroup, true},
+
+		// TypePersonal and TypeUserServiceAccount: single segment
+		{"single valid - letters", "userone", token.TypePersonal, true},
+		{"single valid - underscore", "user_one", token.TypeUserServiceAccount, true},
+		{"single valid - hyphen+dot", "user.one-two", token.TypePersonal, true},
+		{"single valid - digits", "user2024", token.TypePersonal, true},
+		{"starts with invalid prefix '-'", "-user", token.TypePersonal, false},
+		{"starts with invalid prefix '_'", "_user", token.TypeUserServiceAccount, false},
+		{"starts with invalid prefix '.'", ".user", token.TypePersonal, false},
+		{"ends with invalid suffix '-'", "user-", token.TypePersonal, false},
+		{"ends with invalid suffix '_'", "user_", token.TypeUserServiceAccount, false},
+		{"ends with invalid suffix '.'", "user.", token.TypePersonal, false},
+		{"ends with invalid suffix '.git'", "user.git", token.TypeUserServiceAccount, false},
+		{"ends with invalid suffix '.atom'", "user.atom", token.TypePersonal, false},
+		{"ends with invalid suffix (mixed case)", "user.Atom", token.TypePersonal, true}, // Only lower ".atom" is invalid
+		{"too many segments", "user/one", token.TypePersonal, false},
+		{"empty path", "", token.TypePersonal, false},
+		{"whitespace path", "   ", token.TypeUserServiceAccount, false},
+
+		// TypeGroupServiceAccount: two segments
+		{"group SA valid", "group1/account2", token.TypeGroupServiceAccount, true},
+		{"group SA valid underscore", "group1/_account", token.TypeGroupServiceAccount, false},
+		{"group SA valid, dot middle", "team.service/acct-2", token.TypeGroupServiceAccount, true},
+		{"group SA too few segments", "group1", token.TypeGroupServiceAccount, false},
+		{"group SA too many segments", "g/a/too/many", token.TypeGroupServiceAccount, false},
+		{"group SA segment starts with invalid", "-group/acct", token.TypeGroupServiceAccount, false},
+		{"group SA segment ends with invalid", "group/acct-", token.TypeGroupServiceAccount, false},
+
+		// TypeProject, TypeGroup, TypeProjectDeploy, TypeGroupDeploy, TypePipelineProjectTrigger types
+		{"one segment", "myproj", token.TypeProject, true},
+		{"two segments", "group/proj", token.TypeGroup, true},
+		{"segments invalid", "grp-1/pro.j2/_b", token.TypeProjectDeploy, false},
+		{"segments valid", "grp1/pro.j2/b_c", token.TypeGroup, true},
+		{"forbidden prefix", "-group/project", token.TypeGroupDeploy, false},
+		{"forbidden suffix", "g1/proj.git", token.TypeProject, false},
+		{"trailing slash", "g1/", token.TypeProject, false},
+		{"leading slash", "/g1", token.TypeProjectDeploy, false},
+		{"double slash (empty segment)", "g1//p2", token.TypeProjectDeploy, false},
+		{"ends with forbidden segment edge", "g1/g2.", token.TypeProject, false},
+		{"dots and hyphens", "g1.part-2/project_3.one", token.TypeGroup, true},
+
+		// Empty segment from double slash
+		{"double slash", "foo//bar", token.TypeProject, false},
+	}
+
+	for _, tt := range tests {
+		assert.Equal(t, tt.valid, token.IsValidPath(tt.path, tt.tokenType))
+	}
+}

internal/utils/has_any.go

@@ -0,0 +1,11 @@
+package utils
+
+// HasAny returns true if pred(s, v) is true for any v in vals.
+func HasAny[T any](s T, vals []T, pred func(T, T) bool) bool {
+	for _, v := range vals {
+		if pred(s, v) {
+			return true
+		}
+	}
+	return false
+}

internal/utils/has_any_test.go

@@ -0,0 +1,72 @@
+package utils_test
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/ilijamt/vault-plugin-secrets-gitlab/internal/utils"
+)
+
+func TestHasAny_String(t *testing.T) {
+	type args struct {
+		s    string
+		vals []string
+		pred func(string, string) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		want bool
+	}{
+		{
+			name: "Has prefix, match",
+			args: args{"foobar", []string{"foo", "bar", "baz"}, strings.HasPrefix},
+			want: true,
+		},
+		{
+			name: "Has prefix, no match",
+			args: args{"foobar", []string{"baz", "qux"}, strings.HasPrefix},
+			want: false,
+		},
+		{
+			name: "Has suffix, match",
+			args: args{"filename.git", []string{".zip", ".git"}, strings.HasSuffix},
+			want: true,
+		},
+		{
+			name: "Has suffix, no match",
+			args: args{"filename.txt", []string{".git", ".zip"}, strings.HasSuffix},
+			want: false,
+		},
+		{
+			name: "Contains, match",
+			args: args{"hello", []string{"e", "z"}, strings.Contains},
+			want: true,
+		},
+		{
+			name: "Empty vals",
+			args: args{"foo", []string{}, strings.HasPrefix},
+			want: false,
+		},
+		{
+			name: "Empty s",
+			args: args{"", []string{"foo"}, strings.HasPrefix},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := utils.HasAny(tt.args.s, tt.args.vals, tt.args.pred)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+// Example for a generic case, e.g. with int slices
+func TestHasAny_Int(t *testing.T) {
+	isMultiple := func(x, y int) bool { return x%y == 0 }
+	assert.True(t, utils.HasAny(12, []int{5, 3, 4}, isMultiple)) // 12 % 3 == 0
+	assert.False(t, utils.HasAny(7, []int{2, 4, 6}, isMultiple))
+}

path_flags_test.go

@@ -25,20 +25,23 @@ func TestPathFlags(t *testing.T) {
 	require.NoError(t, err)
 	require.NotNil(t, resp)
 	require.NoError(t, resp.Error())
+	require.True(t, resp.Data["allow_runtime_flags_change"].(bool))
 	require.False(t, resp.Data["show_config_token"].(bool))
 
 	resp, err = b.HandleRequest(ctx, &logical.Request{
 		Operation: logical.UpdateOperation,
 		Path:      gitlab.PathConfigFlags, Storage: l,
 		Data: map[string]interface{}{
-			"show_config_token": "true",
+			"show_config_token":          "true",
+			"allow_runtime_flags_change": "false",
 		},
 	})
 
 	require.NoError(t, err)
 	require.NotNil(t, resp)
 	require.NoError(t, resp.Error())
 	require.True(t, resp.Data["show_config_token"].(bool))
+	require.True(t, resp.Data["allow_runtime_flags_change"].(bool))
 
 	events.expectEvents(t, []expectedEvent{
 		{eventType: "gitlab/flags-write"},