tink-crypto / tink

Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
https://developers.google.com/tink
Apache License 2.0

Rewrite Vault transit mount parsing #699

Closed theory closed 1 year ago

theory commented 1 year ago

At work our Vault instance is set up to add Transit to sub-paths (mounts), so something like /teams/billing/my-service/transit/keys/foo (mount: /teams/billing/my-service/transit) is perfectly valid. In fact, the transit mount can be named anything, and doesn't have to end in /transit!

The Tink Vault path parser did not support this flexibility, however, assuming that paths are always /transit/keys/foo. That's only true for the root /transit mount.

So rewrite the Vault transit URL path parser to support any URL ending in {mount}/keys/{keyName}. The key name cannot contain any unescaped slashes, so remove that support, too.

The result is one new method, getEndpointPaths(), which replaces getEncryptionPath(), getDecryptionPath(), and extractKey(), parses the key URL just once, and returns both the encrypt and decrypt endpoints. Also replace TestExtractKey() with TestGetPaths() to test all the variations.
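As an added illustration of the parsing rule the PR describes (not Tink's code and not the author's patch): a hypothetical Go `getEndpointPaths` that takes the path part of an `hcvault://` key URI ending in `{mount}/keys/{keyName}`, accepts any mount depth and name, rejects key names with an unescaped slash, and returns both the transit encrypt and decrypt endpoint paths. The `endpointsFromURI` wrapper, the scheme check and the sample URIs are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// getEndpointPaths is a hypothetical reimplementation of the parser described
// in the PR, not Tink's own code. keyPath is the path component of an hcvault
// key URI and must have the form {mount}/keys/{keyName}, where the mount can be
// nested arbitrarily deep and need not be named "transit". It returns the Vault
// transit encrypt and decrypt endpoint paths for that mount and key.
func getEndpointPaths(keyPath string) (encPath, decPath string, err error) {
	parts := strings.Split(keyPath, "/")
	n := len(parts)
	// Expected split: "" (from the leading "/"), one or more mount segments,
	// "keys", keyName. That is at least four elements.
	if n < 4 || parts[0] != "" || parts[n-2] != "keys" || parts[n-1] == "" {
		return "", "", fmt.Errorf("malformed key path %q: want {mount}/keys/{keyName}", keyPath)
	}
	// Every mount segment must be non-empty; "//" is not a valid mount.
	for _, seg := range parts[1 : n-2] {
		if seg == "" {
			return "", "", fmt.Errorf("malformed key path %q: empty mount segment", keyPath)
		}
	}
	mount := strings.Join(parts[:n-2], "/") // keeps the leading "/"
	keyName := parts[n-1]                   // a key name with an unescaped "/" never reaches here
	return mount + "/encrypt/" + keyName, mount + "/decrypt/" + keyName, nil
}

// endpointsFromURI (assumed helper) parses a full key URI such as
// hcvault://vault.example.com/teams/billing/my-service/transit/keys/foo and
// feeds its escaped path to getEndpointPaths, so a percent-encoded "/" in the
// key name stays one segment instead of splitting the path.
func endpointsFromURI(keyURI string) (encPath, decPath string, err error) {
	u, err := url.Parse(keyURI)
	if err != nil {
		return "", "", err
	}
	if u.Scheme != "hcvault" { // Tink's key URI prefix for Vault is hcvault://
		return "", "", fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	return getEndpointPaths(u.EscapedPath())
}

func main() {
	// Constructed sample URIs: the nested mount from the PR, the root mount,
	// and two malformed paths the parser must reject.
	for _, uri := range []string{
		"hcvault://vault.example.com/teams/billing/my-service/transit/keys/foo",
		"hcvault://vault.example.com/transit/keys/foo",
		"hcvault://vault.example.com/keys/foo",             // no mount at all
		"hcvault://vault.example.com/transit/keys/foo/bar", // unescaped "/" in key name
	} {
		enc, dec, err := endpointsFromURI(uri)
		if err != nil {
			fmt.Println(uri, "->", err)
			continue
		}
		fmt.Println(uri, "->", enc, dec)
	}
}
```

Splitting on "/" and checking only the last two segments is what makes the mount name and depth irrelevant; the one thing the parser still insists on is that `keys` sits exactly second to last, which is also what forbids an unescaped slash in the key name.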

theory commented 1 year ago

Can confirm that, with this change, I am able to use the longer Vault URL successfully.