vault kv get fails with trailing whitespace #14990

Closed
paalbra opened this issue Apr 11, 2022 · 4 comments
Labels
bug Used to indicate a potential bug devex Developer Experience secret/kv


paalbra commented Apr 11, 2022

Describe the bug
vault kv get fails to get secrets with trailing whitespace, e.g. "secret/fail "

To Reproduce
Steps to reproduce the behavior:

  1. Create secret: curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"data":{"foo":"bar"},"options":{}}' http://127.0.0.1:8200/v1/secret/data/fail%20
  2. Observe trailing whitespace: vault kv list -format=json secret (you will see that it's stored like: "fail ")
  3. vault kv get "secret/fail " responds with: No value found at secret/data/fail

Expected behavior
The secret should be returned.

Environment:

I've tested with a plain container:

podman run -it --rm -e VAULT_DEV_ROOT_TOKEN_ID=myroot -p 8200:8200 --name vault docker.io/library/vault:1.10.0

I also use vault/curl from inside the container:

podman exec -it vault sh
apk add curl
...

Additional context
This works: curl -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" http://127.0.0.1:8200/v1/secret/data/fail%20

You won't be able to create the secret with vault kv put. The command seems to trim the trailing whitespace.

This looks similar to #6213

Trailing whitespace is also mentioned here #6714

@hsimon-hashicorp hsimon-hashicorp added the bug Used to indicate a potential bug label Apr 13, 2022
@hghaf099 hghaf099 added the devex Developer Experience label Apr 14, 2022
@hsimon-hashicorp
Contributor

Hi there, @paalbra - is there a specific use case that you'd like to talk about with this issue? I suspect, having spent a chunk of time as a devops/SRE person, that it's an "... oh no" that made it into production, but I wanted to check and see if there was another that I hadn't thought of. Thanks! :)

Author

paalbra commented Apr 20, 2022

@hsimon-hashicorp Personally I think that trailing and leading whitespace should be considered invalid (which is kind of the topic in #6714 ?). I have no use case for it. This CLI behavior is just an observation after some users, in an instance I manage, have (by mistake, I assume) created secrets with trailing whitespace. That said: If this whitespace isn't considered invalid and it's possible to create them in the web-UI, the CLI should also behave the same/work.

Contributor

AnPucel commented Apr 21, 2022

Hi @paalbra , we discussed this request in our engineering team sync today. While the request is reasonable, we'd like to take some time to dig into the implementation details and validate that there won't be the potential for unintended consequences. In this case, we also have concerns around maintaining backwards compatibility, while making sure we prevent folks from unintentionally having trailing spaces in their secret paths. As a result, it may take longer for a final decision to be made. We'll keep this issue thread updated with any decisions we make along the way. Thanks in advance for your patience!

Contributor

AnPucel commented May 10, 2022

Hello! Thank you for bringing this issue to our attention. I was able to reproduce the behavior you mentioned and fixed it in the PR linked above. We now honor trailing spaces in the vault kv get command.

@AnPucel AnPucel closed this as completed May 10, 2022
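
An added example, not part of the thread or of Vault's code: it audits the JSON output of vault kv list -format=json for keys with leading or trailing whitespace, such as the "fail " key in the report and the mistakenly created secrets mentioned in the Apr 20 comment, and builds the percent-encoded KV v2 path that the report's curl request shows working. The function names and the sample list are assumptions constructed for illustration.

```python
import json
from urllib.parse import quote

# Constructed sample: what `vault kv list -format=json secret` could print
# on a mount that holds the issue's "fail " key next to ordinary entries.
SAMPLE_LIST_JSON = '["app/", "fail ", " lead", "ok", "team /"]'


def kv2_data_path(mount, key):
    """Percent-encode each path segment so whitespace survives the request."""
    segments = [quote(seg, safe="") for seg in key.split("/")]
    return "/v1/" + quote(mount, safe="/") + "/data/" + "/".join(segments)


def whitespace_keys(list_json, mount="secret"):
    """Return (key, api_path) for keys with leading or trailing whitespace.

    Folder entries end in "/"; the check applies to the name before the slash,
    and api_path is None for them because folders are listed, not read.
    """
    findings = []
    for key in json.loads(list_json):
        is_folder = key.endswith("/")
        name = key[:-1] if is_folder else key
        if name != name.strip():
            path = None if is_folder else kv2_data_path(mount, name)
            findings.append((key, path))
    return findings


if __name__ == "__main__":
    for key, path in whitespace_keys(SAMPLE_LIST_JSON):
        # repr() makes the otherwise invisible whitespace visible in the report.
        print(f"{key!r:12} -> {path or '(folder: list it to inspect children)'}")
```

The list call covers one level only, so folder entries need to be listed in turn to audit nested paths.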