mirror of
https://github.com/openclaw/openclaw.git
synced 2026-07-19 07:51:38 +00:00
* Add Vault SecretRef plugin Signed-off-by: sallyom <somalley@redhat.com> * expand Vault setup to registered SecretRef targets Signed-off-by: sallyom <somalley@redhat.com> * fix(vault): use sdk secret target seam * fix(vault): preserve auth profile target paths * docs(vault): document plugin enable step * fix(vault): make status provider-alias aware * fix(vault): reject noncanonical secret ids * fix(vault): separate resolver timeout deadlines * fix(vault): forward private CA trust settings * fix(secrets): preserve plugin policy boundaries --------- Signed-off-by: sallyom <somalley@redhat.com> Co-authored-by: joshavant <830519+joshavant@users.noreply.github.com>
24 lines
826 B
JavaScript
24 lines
826 B
JavaScript
const EXEC_SECRET_REF_ID_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._:/#-]{0,255}$/;
|
|
|
|
export function parseVaultSecretId(id) {
|
|
const parts = id.split("/");
|
|
if (parts.some((part) => part.length === 0)) {
|
|
throw new Error(`Vault SecretRef id "${id}" must not contain empty path segments.`);
|
|
}
|
|
if (!EXEC_SECRET_REF_ID_PATTERN.test(id)) {
|
|
throw new Error(`Vault SecretRef id "${id}" contains unsupported characters.`);
|
|
}
|
|
if (parts.length < 2) {
|
|
throw new Error(
|
|
`Vault SecretRef id "${id}" must use "<path>/<field>", for example "providers/openai/apiKey".`,
|
|
);
|
|
}
|
|
if (parts.some((part) => part === "." || part === "..")) {
|
|
throw new Error(`Vault SecretRef id "${id}" must not contain dot path segments.`);
|
|
}
|
|
return {
|
|
secretPath: parts.slice(0, -1).join("/"),
|
|
field: parts.at(-1),
|
|
};
|
|
}
|