fix wildcard handling when field contains dot (#542)

* fix wildcard handling when field contains dot

* changelog

CHANGELOG.md

@@ -1,5 +1,9 @@
 ## Unreleased
 
+Improvements:
+
+* fix wildcard handling when field contains dot [GH-542](https://github.com/hashicorp/vault-action/pull/542)
+
 Features:
 
 * `secretId` is no longer required for approle to support advanced use cases like machine login when `bind_secret_id` is false. [GH-522](https://github.com/hashicorp/vault-action/pull/522)

dist/index.js

@@ -19012,8 +19012,7 @@ async function getSecrets(secretRequests, client, ignoreNotFound) {
                 if (secretRequest.selector === secretRequest.outputVarName) {
                     newRequest.outputVarName = key;
                     newRequest.envVarName = key;
-                }
-                else {
+                } else {
                     newRequest.outputVarName = secretRequest.outputVarName+key;
                     newRequest.envVarName = secretRequest.envVarName+key;
                 }
@@ -19021,6 +19020,13 @@ async function getSecrets(secretRequests, client, ignoreNotFound) {
                 newRequest.outputVarName = normalizeOutputKey(newRequest.outputVarName);
                 newRequest.envVarName = normalizeOutputKey(newRequest.envVarName,true);
 
+                // JSONata field references containing reserved tokens should
+                // be enclosed in backticks
+                // https://docs.jsonata.org/simple#examples
+                if (key.includes(".")) {
+                    const backtick = '`';
+                    key = backtick.concat(key, backtick);
+                }
                 selector = key;
 
                 results = await selectAndAppendResults(

integrationTests/basic/integration.test.js

@@ -31,6 +31,14 @@ describe('integration', () => {
             },
         });
 
+        await got(`${vaultUrl}/v1/secret/data/test-with-dot-char`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': vaultToken,
+            },
+            body: `{"data":{"secret.foo":"SUPERSECRET"}}`
+        });
+
         await got(`${vaultUrl}/v1/secret/data/nested/test`, {
             method: 'POST',
             headers: {
@@ -193,6 +201,16 @@ describe('integration', () => {
         expect(core.exportVariable).toBeCalledWith('OTHERSECRETDASH', 'OTHERSUPERSECRET');
     });
 
+    it('get wildcard secrets with dot char', async () => {
+        mockInput(`secret/data/test-with-dot-char * ;`);
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledTimes(1);
+
+        expect(core.exportVariable).toBeCalledWith('SECRET__FOO', 'SUPERSECRET');
+    });
+
     it('get wildcard secrets', async () => {
         mockInput(`secret/data/test * ;`);
 

src/secrets.js

@@ -72,8 +72,7 @@ async function getSecrets(secretRequests, client, ignoreNotFound) {
                 if (secretRequest.selector === secretRequest.outputVarName) {
                     newRequest.outputVarName = key;
                     newRequest.envVarName = key;
-                }
-                else {
+                } else {
                     newRequest.outputVarName = secretRequest.outputVarName+key;
                     newRequest.envVarName = secretRequest.envVarName+key;
                 }
@@ -81,6 +80,13 @@ async function getSecrets(secretRequests, client, ignoreNotFound) {
                 newRequest.outputVarName = normalizeOutputKey(newRequest.outputVarName);
                 newRequest.envVarName = normalizeOutputKey(newRequest.envVarName,true);
 
+                // JSONata field references containing reserved tokens should
+                // be enclosed in backticks
+                // https://docs.jsonata.org/simple#examples
+                if (key.includes(".")) {
+                    const backtick = '`';
+                    key = backtick.concat(key, backtick);
+                }
                 selector = key;
 
                 results = await selectAndAppendResults(