Lowkey Vault Docker does not support dynamic host ports (#1321)

- Adds better URI validation to filter out invalid host names - Updates tests - Updates documentation Updates #1319 {patch} Signed-off-by: Esta Nagy <[email protected]>
nagyesta · Jan 18, 2025 · 039093e · 039093e
1 parent 23c7b26
commit 039093e
Show file tree

Hide file tree

Showing 8 changed files with 52 additions and 7 deletions.
diff --git a/lowkey-vault-app/README.md b/lowkey-vault-app/README.md
@@ -78,6 +78,9 @@ argument.
 java -jar lowkey-vault-app-<version>.jar --LOWKEY_VAULT_NAMES="name1" --LOWKEY_VAULT_ALIASES="name1.localhost=alias.localhost,localhost=example:<port>"
 ```
 
+> [!TIP]
+> If your alias does not contain the `<port>` placeholder, then you shouldn't use quotes (`"`) around the alias values. The example uses the quotes only because the `<` and `>` characters have special meaning in the shell.
+
 This command will result in the following aliases as seen in the logs:
 
 ```

diff --git a/lowkey-vault-app/src/main/java/com/github/nagyesta/lowkeyvault/AppConfiguration.java b/lowkey-vault-app/src/main/java/com/github/nagyesta/lowkeyvault/AppConfiguration.java
@@ -49,6 +49,11 @@ public VaultService vaultService() throws IOException {
 
     @Bean
     public Function<URI, URI> portMapper() {
+        if (useRelaxedPorts) {
+            log.info("Using relaxed vault URI matching (ignoring ports).");
+        } else {
+            log.info("Using strict vault URI matching (expecting exact match).");
+        }
         return Optional.of(useRelaxedPorts)
                 .filter(BooleanUtils::isTrue)
                 .map(use -> (Function<URI, URI>) uri -> replacePortWith(uri, port))

diff --git a/...ey-vault-app/src/main/java/com/github/nagyesta/lowkeyvault/context/util/VaultUriUtil.java b/...ey-vault-app/src/main/java/com/github/nagyesta/lowkeyvault/context/util/VaultUriUtil.java
@@ -24,7 +24,11 @@ public static URI vaultUri(@NonNull final String hostname, final int optionalPor
         if (optionalPort != DEFAULT_HTTPS_PORT) {
             builder.append(COLON).append(optionalPort);
         }
-        return URI.create(builder.toString());
+        final URI result = URI.create(builder.toString());
+        if (result.getHost() == null) {
+            throw new IllegalArgumentException("URI couldn't be parsed: " + builder);
+        }
+        return result;
     }
 
     public static URI aliasUri(@NonNull final String vaultAuthority, final int serverPort) {

diff --git a/...t-app/src/main/java/com/github/nagyesta/lowkeyvault/service/vault/impl/VaultFakeImpl.java b/...t-app/src/main/java/com/github/nagyesta/lowkeyvault/service/vault/impl/VaultFakeImpl.java
@@ -53,7 +53,7 @@ public VaultFakeImpl(@NonNull final URI vaultUri, @NonNull final RecoveryLevel r
     }
 
     @Override
-    public boolean matches(@NonNull final URI vaultUri, final Function<URI, URI> uriMapper) {
+    public boolean matches(@NonNull final URI vaultUri, @NonNull final Function<URI, URI> uriMapper) {
         final URI lookupUri = uriMapper.apply(vaultUri);
         return uriMapper.apply(this.vaultUri).equals(lookupUri) || this.aliases.stream()
                 .map(uriMapper)

diff --git a/...ault-app/src/test/java/com/github/nagyesta/lowkeyvault/context/util/VaultUriUtilTest.java b/...ault-app/src/test/java/com/github/nagyesta/lowkeyvault/context/util/VaultUriUtilTest.java
@@ -12,6 +12,8 @@
 import java.net.URI;
 import java.util.stream.Stream;
 
+import static com.github.nagyesta.lowkeyvault.TestConstants.TOMCAT_SECURE_PORT;
+
 class VaultUriUtilTest {
 
     @SuppressWarnings("checkstyle:MagicNumber")
@@ -46,6 +48,13 @@ public static Stream<Arguments> authorityProvider() {
                 .build();
     }
 
+    public static Stream<Arguments> invalidUriPartsProvider() {
+        return Stream.<Arguments>builder()
+                .add(Arguments.of("localhost", -1))
+                .add(Arguments.of("demo.127.0.0.1", TOMCAT_SECURE_PORT))
+                .build();
+    }
+
     @Test
     void testConstructorShouldThrowExceptionWhenCalled() throws NoSuchMethodException {
         //given
@@ -81,6 +90,18 @@ void testVaultUriShouldThrowExceptionWhenCalledWithNull() {
         //then + exception
     }
 
+
+    @ParameterizedTest
+    @MethodSource("invalidUriPartsProvider")
+    void testVaultUriShouldThrowExceptionWhenCalledWithInvalidUriParts(final String hostname, final int port) {
+        //given
+
+        //when
+        Assertions.assertThrows(IllegalArgumentException.class, () -> VaultUriUtil.vaultUri(hostname, port));
+
+        //then + exception
+    }
+
     @ParameterizedTest
     @MethodSource("aliasSource")
     void testAliasUriShouldReplacePortNumberWhenInputContainsPlaceholder(

diff --git a/...p/src/test/java/com/github/nagyesta/lowkeyvault/service/vault/impl/VaultFakeImplTest.java b/...p/src/test/java/com/github/nagyesta/lowkeyvault/service/vault/impl/VaultFakeImplTest.java
@@ -102,7 +102,7 @@ void testMatchesShouldUseFullMatchWithAnyOfTheAliasesWhenCalled(final URI self,
 
     @SuppressWarnings("ConstantConditions")
     @Test
-    void testMatchesShouldThrowExceptionWhenCalledWithNull() {
+    void testMatchesShouldThrowExceptionWhenCalledWithNullUri() {
         //given
         final VaultFakeImpl underTest = new VaultFakeImpl(HTTPS_LOCALHOST);
 
@@ -112,6 +112,18 @@ void testMatchesShouldThrowExceptionWhenCalledWithNull() {
         //then + exception
     }
 
+    @SuppressWarnings("ConstantConditions")
+    @Test
+    void testMatchesShouldThrowExceptionWhenCalledWithNullMapper() {
+        //given
+        final VaultFakeImpl underTest = new VaultFakeImpl(HTTPS_LOCALHOST);
+
+        //when
+        Assertions.assertThrows(IllegalArgumentException.class, () -> underTest.matches(HTTPS_LOCALHOST, null));
+
+        //then + exception
+    }
+
     @SuppressWarnings("ConstantConditions")
     @Test
     void testSetAliasesShouldThrowExceptionWhenCalledWithNull() {

diff --git a/...rc/test/java/com/github/nagyesta/lowkeyvault/service/vault/impl/VaultServiceImplTest.java b/...rc/test/java/com/github/nagyesta/lowkeyvault/service/vault/impl/VaultServiceImplTest.java
@@ -370,8 +370,7 @@ void testUpdateAliasShouldThrowExceptionWhenCalledWithInvalidInput(
             final URI baseUri, final Set<URI> aliases, final URI add, final URI remove, final Class<Exception> expectedException) {
         //given
         final VaultServiceImpl underTest = new VaultServiceImpl(Function.identity());
-        final VaultFake vaultFake = underTest.create(
-                baseUri, RecoveryLevel.CUSTOMIZED_RECOVERABLE, RecoveryLevel.MAX_RECOVERABLE_DAYS_INCLUSIVE, aliases);
+        underTest.create(baseUri, RecoveryLevel.CUSTOMIZED_RECOVERABLE, RecoveryLevel.MAX_RECOVERABLE_DAYS_INCLUSIVE, aliases);
 
         //when
         Assertions.assertThrows(expectedException, () -> underTest.updateAlias(baseUri, add, remove));
@@ -398,7 +397,7 @@ void testUpdateAliasShouldAddAndRemoveAliasesWhenCalledWithValidInput(
     void testUpdateAliasShouldThrowExceptionWhenVaultNotFound() {
         //given
         final VaultServiceImpl underTest = new VaultServiceImpl(Function.identity());
-        final VaultFake vaultFake = underTest.create(HTTPS_DEFAULT_LOWKEY_VAULT_8443);
+        underTest.create(HTTPS_DEFAULT_LOWKEY_VAULT_8443);
 
         //when
         Assertions.assertThrows(NotFoundException.class, () -> underTest.updateAlias(HTTPS_LOCALHOST, HTTPS_LOCALHOST_80, null));

diff --git a/lowkey-vault-docker/README.md b/lowkey-vault-docker/README.md
@@ -72,4 +72,5 @@ container) using a volume.
 
 ## ARM builds
 
-Lowkey Vault offers a multi-arch variant using Buildx. You can find the relevant project [here](https://github.com/nagyesta/lowkey-vault-docker-buildx).
+> [!TIP]
+> Lowkey Vault offers a multi-arch variant using Buildx. You can find the relevant project [here](https://github.com/nagyesta/lowkey-vault-docker-buildx).