fix error on reading deleted secret

When reading a deleted secret from vault, vault would return meta-data and no data. The code wasn't setup to handle that and would error out in the template with an "nil pointer evaluating interface {}" error. This checks for that and returns the normal "no secret exists" error that triggers the standard retrying behavior instead of exiting. Fixes hashicorp#1198
theolleg · Aug 19, 2019 · f52ffb8 · f52ffb8
1 parent 4ebf9ec
commit f52ffb8
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 7 deletions.
diff --git a/dependency/dependency_test.go b/dependency/dependency_test.go
@@ -151,8 +151,7 @@ func (v *vaultServer) CreateSecret(path string, data map[string]interface{},
 
 // deleteSecret lets us delete keys as needed for tests
 func (v *vaultServer) deleteSecret(path string) error {
-	path = v.secretsPath + "/" + path
-	_, err := testClients.Vault().Logical().Delete(path)
+	_, err := testClients.Vault().Logical().Delete(v.secretsPath + "/" + path)
 	if err != nil {
 		fmt.Println(err)
 	}

diff --git a/dependency/vault_read.go b/dependency/vault_read.go
@@ -147,7 +147,8 @@ func (d *VaultReadQuery) readSecret(clients *ClientSet, opts *QueryOptions) (*ap
 	if d.isKVv2 == nil {
 		mountPath, isKVv2, err := isKVv2(vaultClient, d.rawPath)
 		if err != nil {
-			log.Printf("[WARN] %s: failed to check if %s is KVv2, assume not: %s", d, d.rawPath, err)
+			log.Printf("[WARN] %s: failed to check if %s is KVv2, "+
+				"assume not: %s", d, d.rawPath, err)
 			isKVv2 = false
 			d.secretPath = d.rawPath
 		} else if isKVv2 {
@@ -163,12 +164,22 @@ func (d *VaultReadQuery) readSecret(clients *ClientSet, opts *QueryOptions) (*ap
 		Path:     "/v1/" + d.secretPath,
 		RawQuery: queryString,
 	})
-	vaultSecret, err := vaultClient.Logical().ReadWithData(d.secretPath, d.queryValues)
+	vaultSecret, err := vaultClient.Logical().ReadWithData(d.secretPath,
+		d.queryValues)
+
 	if err != nil {
 		return nil, errors.Wrap(err, d.String())
 	}
-	if vaultSecret == nil {
+	if vaultSecret == nil || deletedKVv2(vaultSecret) {
 		return nil, fmt.Errorf("no secret exists at %s", d.secretPath)
 	}
 	return vaultSecret, nil
 }
+
+func deletedKVv2(s *api.Secret) bool {
+	switch md := s.Data["metadata"].(type) {
+	case map[string]interface{}:
+		return md["deletion_time"] != ""
+	}
+	return false
+}
diff --git a/dependency/vault_read_test.go b/dependency/vault_read_test.go
@@ -350,8 +350,11 @@ func TestVaultReadQuery_Fetch_KVv2(t *testing.T) {
 		if err == nil {
 			t.Fatal("Nil received when error expected")
 		}
-		exp_err := fmt.Errorf("no secret exists at %s", path)
-		assert.Equal(t, exp_err, errors.Cause(err))
+		exp_err := fmt.Sprintf("no secret exists at %s", path)
+		if errors.Cause(err).Error() != exp_err {
+			t.Fatalf("Unexpected error received.\nexpected '%s'\ngot: '%s'",
+				exp_err, errors.Cause(err))
+		}
 	})
 
 	t.Run("stops", func(t *testing.T) {