[
https://issues.apache.org/jira/browse/CAMEL-23814?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Claus Ibsen updated CAMEL-23814:
--------------------------------
Reporter: Claus Ibsen (was: Nikita Awasthi)
> Optional secret property placeholders in YAML DSL parameters not stripped due
> to RAW() wrapping
> -----------------------------------------------------------------------------------------------
>
> Key: CAMEL-23814
> URL: https://issues.apache.org/jira/browse/CAMEL-23814
> Project: Camel
> Issue Type: Bug
> Components: camel-yaml-dsl
> Reporter: Claus Ibsen
> Priority: Major
> Labels: easyfix
>
> When a Kamelet (or any YAML DSL route) uses optional property placeholders
> {{?xxx}} in the to endpoint parameters section, and the parameter is a secret
> (format: password), the optional placeholder is not stripped when the
> property is not provided.
> The root cause is in the interaction between YamlSupport.createEndpointUri()
> and EndpointHelper.extractParamsToKeep():
> 1. YamlSupport.createEndpointUri() wraps secret parameter values in RAW()
> *before* property placeholder resolution. An unprovided optional param like
> {{?accessKey}} becomes RAW({{?accessKey}}).
> 2. EndpointHelper.extractParamsToKeep() checks if parameter values start with
> {{? to identify unresolved optional placeholders that should be removed. But
> RAW-wrapped values start with RAW( instead of {{?, so they survive the filter.
> 3. The endpoint URI ends up containing invalid parameters like
> accessKey=RAW({{?accessKey}}), which causes endpoint creation to fail.
> *Non-secret* optional params (e.g. log components showHeaders, showStreams)
> are stripped correctly because they are never RAW-wrapped.
> This affects all Kamelets with optional secret parameters, including
> kafka-sink (saslPassword, oauthClientSecret, SSL passwords), aws-s3-source
> (accessKey, secretKey, sessionToken), and many others.
> h3. Steps to reproduce
> Use the my-aws-s3-source kamelet (which has optional secret params accessKey,
> secretKey, sessionToken in its template parameters section) without providing
> the secret parameters:
> {code:java}
> from("kamelet:my-aws-s3-source?bucketNameOrArn=mybucket&region=eu-south-2&autoCreateBucket=false&useDefaultCredentialsProvider=true")
> .to("mock:result");
> {code}
> The resulting endpoint URI contains:
> {code}
> aws2-s3://mybucket?accessKey=RAW(%7B%7B?accessKey%7D%7D)&secretKey=RAW(%7B%7B?cheeseKey%7D%7D)&sessionToken=RAW(%7B%7B?sessionToken%7D%7D)&...
> {code}
> The optional secret params should have been stripped entirely from the URI.
> A reproducing unit test has been written in
> KameletOptionalParameterTest.testAwsOptionalSecretParamsNotProvided
> (currently @Disabled).
> h3. Affected code
> * dsl/camel-yaml-dsl/camel-yaml-dsl-common/.../YamlSupport.java -
> createEndpointUri() wraps secrets in RAW() before resolution
> * core/camel-support/.../EndpointHelper.java - extractParamsToKeep() does not
> detect RAW({{?xxx}}) pattern
> h3. Possible fix
> Either:
> * EndpointHelper.extractParamsToKeep() should also detect RAW({{?xxx}})
> patterns (unwrap RAW before checking for {{?), or
> * YamlSupport.createEndpointUri() should defer RAW() wrapping until after
> optional placeholder resolution
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
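
The filter mismatch described in steps 1 to 3 of the issue, as an added example that is not part of the original message and is not Camel's own code: a simplified stand-alone model in which `isOptionalNaive`, `isOptionalRawAware` and `paramsToKeep` are hypothetical names and the parameter map is constructed sample input. It also accepts the `RAW{...}` form of the wrapper, which the issue does not mention.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class OptionalRawPlaceholderDemo {

    // Model of the check in step 2: only a bare {{?name}} counts as an
    // unresolved optional placeholder.
    static boolean isOptionalNaive(String value) {
        return value.startsWith("{{?");
    }

    // Model of the first "Possible fix": unwrap RAW(...) or RAW{...} first,
    // then apply the same {{? check to the inner value.
    static boolean isOptionalRawAware(String value) {
        String v = value.trim();
        boolean raw = (v.startsWith("RAW(") && v.endsWith(")"))
                || (v.startsWith("RAW{") && v.endsWith("}"));
        if (raw) {
            v = v.substring(4, v.length() - 1);
        }
        return v.startsWith("{{?");
    }

    // Keep every parameter whose value is not an unresolved optional placeholder.
    static Map<String, String> paramsToKeep(Map<String, String> params, boolean rawAware) {
        Map<String, String> kept = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String value = e.getValue();
            boolean optional = rawAware ? isOptionalRawAware(value) : isOptionalNaive(value);
            if (!optional) {
                kept.put(e.getKey(), value);
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        // Constructed sample: parameters as they look after secret wrapping.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("region", "eu-south-2");
        params.put("showHeaders", "{{?showHeaders}}");      // non-secret, not provided
        params.put("accessKey", "RAW({{?accessKey}})");     // secret, not provided
        params.put("secretKey", "RAW(constructed-secret)"); // secret, provided
        // Print parameter names only, so secret values never reach the console.
        System.out.println("naive:     " + paramsToKeep(params, false).keySet());
        System.out.println("raw-aware: " + paramsToKeep(params, true).keySet());
    }
}
```

A provided secret stays RAW-wrapped in both variants; only the unresolved `RAW({{?accessKey}})` entry is treated differently.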