awspring / spring-cloud-aws

The New Home for Spring Cloud AWS
http://awspring.io
Apache License 2.0
892 stars 303 forks source link

SecretsManager Validation problem on startup of Spring Boot 2.6.6 microservice #302

Closed andyrozman closed 2 years ago

andyrozman commented 2 years ago

Type: Bug

Component: "Secrets Manager"

Describe the bug So because of Spring Vulnerability I have to upgrade my Spring Boot from 2.2 to 2.6.6. This changes also include Cloud upgrade (2021.0.1) and of course switching to io.awspring.cloud (2.4.0).

I was trying to get this working (I created small boot application for testing after loosing whole day), and my small application started working correctly just after I included spring-cloud-starter-bootstrap (3.1.1) (as per documentation). When I tried to apply the same solution to my production microservice (running on AWS in ECS cluster), I started getting validation errors on parameter aws.secretsmanager.prefix (The prefix must have pattern of: (/)?([a-zA-Z0-9.-]+)(?:/[a-zA-Z0-9]+)*).

Error log I get 2022-04-08 17:09:06.097 WARN [zumzum,,] 1 --- [ main] s.c.a.AnnotationConfigApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'awsSecretsManagerPropertySourceLocator' defined in class path resource [io/awspring/cloud/autoconfigure/secretsmanager/AwsSecretsManagerBootstrapConfiguration.class]: Unsatisfied dependency expressed through method 'awsSecretsManagerPropertySourceLocator' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'smClient' defined in class path resource [io/awspring/cloud/autoconfigure/secretsmanager/AwsSecretsManagerBootstrapConfiguration.class]: Unsatisfied dependency expressed through method 'smClient' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'aws.secretsmanager-io.awspring.cloud.secretsmanager.AwsSecretsManagerProperties': Invocation of init method failed; nested exception is io.awspring.cloud.secretsmanager.ValidationException: The prefix must have pattern of: (/)?([a-zA-Z0-9.-]+)(?:/[a-zA-Z0-9]+)*

2022-04-08 17:09:06.097 WARN [zumzum,,] 1 --- [ main] s.c.a.AnnotationConfigApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'awsSecretsManagerPropertySourceLocator' defined in class path resource [io/awspring/cloud/autoconfigure/secretsmanager/AwsSecretsManagerBootstrapConfiguration.class]: Unsatisfied dependency expressed through method 'awsSecretsManagerPropertySourceLocator' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'smClient' defined in class path resource [io/awspring/cloud/autoconfigure/secretsmanager/AwsSecretsManagerBootstrapConfiguration.class]: Unsatisfied dependency expressed through method 'smClient' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'aws.secretsmanager-io.awspring.cloud.secretsmanager.AwsSecretsManagerProperties': Invocation of init method failed; nested exception is io.awspring.cloud.secretsmanager.ValidationException: The prefix must have pattern of: (/)?([a-zA-Z0-9.-]+)(?:/[a-zA-Z0-9]+)*

2022-04-08 17:09:06.493 ERROR [zumzum,,] 1 --- [ main] o.s.b.d.LoggingFailureAnalysisReporter :


APPLICATION FAILED TO START


Description:

Validation failed for field: aws.secretsmanager.prefix

Action:

The prefix must have pattern of: (/)?([a-zA-Z0-9.-]+)(?:/[a-zA-Z0-9]+)*

2022-04-08 17:09:06.496 ERROR [zumzum,,] 1 --- [ main] o.s.b.d.LoggingFailureAnalysisReporter :


APPLICATION FAILED TO START


Description:

Validation failed for field: aws.secretsmanager.prefix

Action:

The prefix must have pattern of: (/)?([a-zA-Z0-9.-]+)(?:/[a-zA-Z0-9]+)*

Sample bootstrap.yml

aws: paramstore: prefix: /${spring.profiles.active} secretsmanager: prefix: /secret/${spring.profiles.active}

maciejwalkowiak commented 2 years ago

What's the value of ${spring.profiles.active}? Has this setup worked before with Spring Cloud AWS 2.3.4?

andyrozman commented 2 years ago

So the value is zumzum-dev04 (zumzum is replacement from company name). This worked with with Spring Boot 2.2.1-RELEASE and Spring Cloud Hoxton.SR1. We haven't updated Spring since the project started (which was in 2019).

andyrozman commented 2 years ago

I think I found the problem... So in file io.awspring.cloud.secretsmanager.AwsSecretsManagerProperties you have defined: private static final Pattern PREFIX_PATTERN = Pattern.compile("(/)?([a-zA-Z0-9.\-]+)(?:/[a-zA-Z0-9]+)"); in old code (before split), this is defined as this: private static final Pattern PREFIXPATTERN = Pattern.compile("(/[a-zA-Z0-9.\-]+)");

I checked. My secret-manager prefix: "/secret/zumzum-dev04" works with old implementation, but not with new.

If I change implementation, few parts of your tests stop working. The ones that have prefix "secret".

If you change it into this, then it would work for your case and mine: private static final Pattern PREFIX_PATTERN = Pattern.compile("(/)?([a-zA-Z0-9.\-]+)(?:/[a-zA-Z0-9.\-]+)*");

Would it be possible to fix this and make new 2.4 release with this change? I think that in next few weeks you might get few more users (that will try to upgrade to newest boot and some might have similar problem).

Also if I might suggest, when Exception is thrown, it would be nice to see what the input string was.

So something like this: if (StringUtils.hasLength(prefix) && !PREFIX_PATTERN.matcher(prefix).matches()) { throw new ValidationException(CONFIG_PREFIX + ".prefix", "The prefix must have pattern of: " + PREFIX_PATTERN.toString() + ", input prefix was: \"" + prefix + "\""); }

maciejwalkowiak commented 2 years ago

Would it be possible to fix this and make new 2.4 release with this change? I think that in next few weeks you might get few more users (that will try to upgrade to newest boot and some might have similar problem).

Yes, will be fixed and released.

andyrozman commented 2 years ago

What is release timeline for this?

maciejwalkowiak commented 2 years ago

Once we get #303 right meaning today/tomorrow/Monday 2.4.1 should be released.

andyrozman commented 2 years ago

Great. Thank you for all your great work...

maciejwalkowiak commented 2 years ago

Fixed in https://github.com/awspring/spring-cloud-aws/commit/f034d798f9a0dae4bb1c3256b3a36592cc89dd71