DEVHIDE
Login Or Sign up

How to serialize and deserialize Vault Policies (HCL) using the same structs in GoLang?

110 Views Asked by At

I've found a struct configuration which allows me to serialize Vault Policies from GoLang structs to bytes, and another struct configuration which allows me to deserialize from bytes into the struct. However, the two appear to be incompatible:

package minimalRepro

import (
  "fmt"
  "log"
  "os"
  "testing"

  "github.com/hashicorp/hcl"
  "github.com/hashicorp/hcl/v2/gohcl"
  "github.com/hashicorp/hcl/v2/hclwrite"
  "github.com/stretchr/testify/assert"
)

// --------------
// Deserialization Test: this passes.
// --------------

type DeserializableVaultPolicyBlock struct {
  Path         string   `hcl:"path,key"`
  Capabilities []string `hcl:"capabilities"`
}

type DeserializableVaultPolicy struct {
  DeserializableVaultPolicyBlocks []DeserializableVaultPolicyBlock `hcl:"path"`
}

func TestDeserializationMinimalRepro(t *testing.T) {
  exampleHclText := `path "foo/bar/baz" {capabilities=["read"]}

path "qux/qui/quo" {
  capabilities = ["read", "update"]
}
`
  var policy DeserializableVaultPolicy
  err := hcl.Decode(&policy, exampleHclText)
  if err != nil {
    log.Fatal("Error!")
    os.Exit(1)
  }
  assert.Equal(t, "foo/bar/baz", policy.DeserializableVaultPolicyBlocks[0].Path)
  assert.Equal(t, []string{"read"}, policy.DeserializableVaultPolicyBlocks[0].Capabilities)
  assert.Equal(t, "qux/qui/quo", policy.DeserializableVaultPolicyBlocks[1].Path)
  assert.Equal(t, []string{"read", "update"}, policy.DeserializableVaultPolicyBlocks[1].Capabilities)
}

// --------------
// Serialization Test: this passes
//
// Structure taken from
// https://pkg.go.dev/github.com/hashicorp/hcl/v2/gohcl#example-EncodeIntoBody
// --------------

type SerializableVaultPolicyBlock struct {
  Path         string   `hcl:"path,label"`
  Capabilities []string `hcl:"capabilities"`
}

type SerializableVaultPolicy struct {
  SerializableVaultPolicyBlocks []SerializableVaultPolicyBlock `hcl:"path,block"`
}

func TestSerialization(t *testing.T) {
  policy := SerializableVaultPolicy{
    SerializableVaultPolicyBlocks: []SerializableVaultPolicyBlock{
      {
        Path:         "serialized/foo/bar",
        Capabilities: []string{"update", "delete"},
      },
      {
        Path:         "serialized/baz/qux",
        Capabilities: []string{"list", "patch"},
      },
    },
  }

  f := hclwrite.NewEmptyFile()
  gohcl.EncodeIntoBody(&policy, f.Body())
  fmt.Printf("%s", f.Bytes())
  assert.Equal(t, `
path "serialized/foo/bar" {
  capabilities = ["update", "delete"]
}
path "serialized/baz/qux" {
  capabilities = ["list", "patch"]
}
`, string(f.Bytes()[:]))
}

// --------------
// Tests demonstrating Incompatibility of structs
//
// Note the differences above:
// * Path annotation:
//   - The DeserializableVaultPolicyBlock annotates `Path` with `hcl:"path,key"`
//   - The SerializableVaultPolicyBlock annotates `Path` with `hcl:"path,label"`
//
// * Block annotation:
//   - The DeserializableVaultPolicy annotates the blocks with `hcl:"path"`
//   - The SerializableVaultPolicy annotates the blocks with `hcl:"path,block"`
//
// --------------
func TestShowSerializableStructsAreNotDeserializable(t *testing.T) {
  exampleHclText := `path "foo/bar/baz" {capabilities=["read"]}

path "qux/qui/quo" {
  capabilities = ["read", "update"]
}
`

  var policy SerializableVaultPolicy
  err := hcl.Decode(&policy, exampleHclText)
  if err != nil {
    log.Fatal(err)
    os.Exit(1)
  }
  assert.Equal(t, "foo/bar/baz", policy.SerializableVaultPolicyBlocks[0].Path)
  // The assertion above fails - the actual string is `""`
  assert.Equal(t, []string{"read"}, policy.SerializableVaultPolicyBlocks[0].Capabilities)
  assert.Equal(t, "qux/qui/quo", policy.SerializableVaultPolicyBlocks[1].Path)
  assert.Equal(t, []string{"read", "update"}, policy.SerializableVaultPolicyBlocks[1].Capabilities)
}

func TestShowDeserializableStructsAreNotSerializable(t *testing.T) {
  policy := DeserializableVaultPolicy{
    DeserializableVaultPolicyBlocks: []DeserializableVaultPolicyBlock{
      {
        Path:         "serialized/foo/bar",
        Capabilities: []string{"update", "delete"},
      },
      {
        Path:         "serialized/baz/qux",
        Capabilities: []string{"list", "patch"},
      },
    },
  }

  f := hclwrite.NewEmptyFile()
  // The line below panics with:
  // `cannot encode []minimalRepro.DeserializableVaultPolicyBlock as HCL expression: no cty.Type for minimalRepro.DeserializableVaultPolicyBlock (no cty field tags)`
  gohcl.EncodeIntoBody(&policy, f.Body())
  assert.Equal(t, `
path "serialized/foo/bar" {
  capabilities = ["update", "delete"]
}
path "serialized/baz/qux" {
  capabilities = ["list", "patch"]
}
`, string(f.Bytes()[:]))
}

Is there a single struct configuration which can be used for both Serialization and Deserialization of Vault Policy HCL documents?

I note this related question, which is not relevant - my fields are exported (by virtue of being in Title Case).

EDIT: Technically a different problem, though close enough that I think it's worth including here as well - I've also found that the Serialization implementation here will still serialize null fields, which results in errors when trying to then call vaultClient.Sys().PutPolicy() with the updated string. Any tips on how to suppress null fields from being serialized would also be appreciated!

EDIT2: In fact this serialization approach has a further problem, for nested objects. Observe the following:

# In shell
$ vault read policy my-made-up-policy
path "path/to/some/secret" {
  capabilities = ["read"]
  required_parameters = ["foo"]
  allowed_parameters = {
    "foo" = ["bar", "baz"]
  }
}

// GoLang code
...
type AllowedParameters struct {
  OrgName      []string `hcl:"org_name"`
  Repositories []string `hcl:"repositories"`
}

type SerializableVaultPolicyBlock struct {
  Path               string            `hcl:"path,label"`
  Capabilities       []string          `hcl:"capabilities"`
  RequiredParameters []string          `hcl:"required_parameters"`
  AllowedParameters  AllowedParameters `hcl:"allowed_parameters,block"`
}

# Output of serialization of a different policy
path "path/to/a/different/secret" {
  capabilities = ["update", "delete"]
  required_parameters = ["paramName"]
  allowed_parameters {
    paramName = ["paramValue"]
  }
}

That is - there is no = after allowed_parameters, and the contents do not have their keys quoted. I guess this is consistent (since it is tagged/serialized in the same way as Path), but it is an error by Vault syntax.

If I change the type of AllowedParameters in SerializableVaultPolicyBlock to map[string]interface{}, an attempt to serialize gives panic: value is map, not struct. If I change the type to map[string][]string, then the serialization is closer, but still not correct:

# Output of serialization
path "path/to/a/different/secret" {
  capabilities = ["update", "delete"]
  required_parameters = ["paramName"]
  allowed_parameters = {
    paramName = ["paramValue"]
  }
}

that is, there is a = after allowed_parameters, but paramName is still not quoted.

go struct hcl
Original Q&A
0

There are 0 best solutions below

Related Questions in GO

Related Questions in STRUCT

Related Questions in HCL

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.