Allow Base64 characters in variable path regex (#180)

#179

Author: gergelyurbancsik

src/Confix.Tool/src/Confix.Library/Variables/VariablePath.cs

@@ -36,8 +36,14 @@ public static bool TryParse(string variable, [NotNullWhen(true)] out VariablePat
     private const string VariableProviderCaptureGroup = "VariableProvider";
     private const string VariableNameCaptureGroup = "VariableName";
 
+    // The variable name (path) part is allowed to contain the standard and url-safe Base64
+    // alphabet characters (`+`, `/`, `=`, `-`) in addition to word characters and dots.
+    // This is required by providers such as the secret provider, where the variable's path
+    // is the Base64-encoded ciphertext (e.g. `$secret:K2b8F2zG9HpJxMI+...==`).
+    private const string VariableNameCharacterClass = @"[\w\.+/=\-]";
+
     [GeneratedRegex(
-        $$"""^\$(?<{{VariableProviderCaptureGroup}}>[\w\.]+):(?<{{VariableNameCaptureGroup}}>[\w\.]+)$""")]
+        $$"""^\$(?<{{VariableProviderCaptureGroup}}>[\w\.]+):(?<{{VariableNameCaptureGroup}}>{{VariableNameCharacterClass}}+)$""")]
     private static partial Regex VariableNameRegex();
 }
 
@@ -59,6 +65,6 @@ public static string ReplaceVariables(this string value, Func<VariablePath, stri
 
     private const string VariableCaptureGroup = "variable";
 
-    [GeneratedRegex($$"""(\{\{)?(?<{{VariableCaptureGroup}}>\$(?:[\w\.]+):(?:[\w\.]+))(\}\})?""")]
+    [GeneratedRegex($$"""(\{\{)?(?<{{VariableCaptureGroup}}>\$(?:[\w\.]+):(?:[\w\.+/=\-]+))(\}\})?""")]
     private static partial Regex MultipleInterpolatedVariablesRegex();
 }

src/Confix.Tool/test/Confix.Tool.Tests/Variables/SecretVariableProviderTests.cs

@@ -179,4 +179,36 @@ public async Task ResolveAsync__WrongPassword_Should_Exit()
         // assert
         ex.Message.Should().Be("Invalid password for private key");
     }
+
+    [Theory]
+    [InlineData(EncryptionPadding.OaepSHA256)]
+    [InlineData(EncryptionPadding.Pkcs1)]
+    public async Task SetAsync_Result_Is_A_Parseable_VariablePath(EncryptionPadding padding)
+    {
+        // arrange
+        SecretVariableProvider provider = new(new SecretVariableProviderDefinition(
+            SecretVariableProviderAlgorithm.RSA,
+            padding,
+            PUBLIC_KEY,
+            null,
+            PRIVATE_KEY,
+            null,
+            null)
+        );
+
+        var initialSecret = JsonValue.Create("I'm super secret string")!;
+
+        // act
+        var encryptedPath = await provider.SetAsync("not relevant here", initialSecret, default);
+
+        // assert
+        // The Base64-encoded ciphertext returned by SetAsync must round-trip through the
+        // `$secret:<ciphertext>` syntax used in configuration files (see VariablePath regex).
+        bool parsed = VariablePath.TryParse($"$secret:{encryptedPath}", out VariablePath? variablePath);
+        parsed.Should().BeTrue("the encrypted ciphertext must be a valid VariablePath");
+        variablePath!.Value.Path.Should().Be(encryptedPath);
+
+        var decrypted = await provider.ResolveAsync(variablePath.Value.Path, default);
+        decrypted.IsEquivalentTo(initialSecret).Should().BeTrue();
+    }
 }

src/Confix.Tool/test/Confix.Tool.Tests/Variables/VariablePathTests.cs

@@ -8,6 +8,10 @@ public class VariablePathTests
     [InlineData("$foo:bar", "foo", "bar")]
     [InlineData("$foo.bar:baz.x", "foo.bar", "baz.x")]
     [InlineData("$foo_bar:baz_x", "foo_bar", "baz_x")]
+    [InlineData("$secret:K2b8F2zG9HpJxMI", "secret", "K2b8F2zG9HpJxMI")]
+    [InlineData("$secret:abc+def/ghi==", "secret", "abc+def/ghi==")]
+    [InlineData("$secret:abc/def+ghi=", "secret", "abc/def+ghi=")]
+    [InlineData("$secret:abc-def_ghi", "secret", "abc-def_ghi")]
     public void Parse_ValidVariableName_CorrectResult(string variableName, string providerName, string path)
     {
         // arrange & act
@@ -31,6 +35,22 @@ public void TryParse_ValidVariableName_CorrectResult()
         path!.Value.Path.Should().Be("baz.x");
     }
 
+    [Fact]
+    public void TryParse_Base64EncodedPath_CorrectResult()
+    {
+        // arrange
+        const string base64 = "K2b8F2zG9HpJxMImaYwlf0ByzArc+abc/def==";
+
+        // act
+        bool success = VariablePath.TryParse($"$secret:{base64}", out VariablePath? path);
+
+        // assert
+        success.Should().BeTrue();
+        path.HasValue.Should().BeTrue();
+        path!.Value.ProviderName.Should().Be("secret");
+        path.Value.Path.Should().Be(base64);
+    }
+
     [Theory]
     [InlineData("bar")]
     [InlineData("$foo.bar")]
@@ -44,4 +64,50 @@ public void TryParse_Invalid_SuccessFalse(string variableName)
         success.Should().BeFalse();
         path.HasValue.Should().BeFalse();
     }
+
+    [Fact]
+    public void GetVariables_Base64EncodedPath_ReturnsFullVariable()
+    {
+        // arrange
+        const string base64 = "K2b8F2zG9HpJxMImaYwlf0ByzArc+abc/def==";
+        string value = $"$secret:{base64}";
+
+        // act
+        var variables = value.GetVariables().ToArray();
+
+        // assert
+        variables.Should().HaveCount(1);
+        variables[0].ProviderName.Should().Be("secret");
+        variables[0].Path.Should().Be(base64);
+    }
+
+    [Fact]
+    public void GetVariables_InterpolatedBase64EncodedPath_ReturnsFullVariable()
+    {
+        // arrange
+        const string base64 = "K2b8F2zG9HpJxMImaYwlf0ByzArc+abc/def==";
+        string value = $"prefix-{{{{$secret:{base64}}}}}-suffix";
+
+        // act
+        var variables = value.GetVariables().ToArray();
+
+        // assert
+        variables.Should().HaveCount(1);
+        variables[0].ProviderName.Should().Be("secret");
+        variables[0].Path.Should().Be(base64);
+    }
+
+    [Fact]
+    public void ReplaceVariables_Base64EncodedPath_ReplacesFullVariable()
+    {
+        // arrange
+        const string base64 = "K2b8F2zG9HpJxMImaYwlf0ByzArc+abc/def==";
+        string value = $"$secret:{base64}";
+
+        // act
+        string result = value.ReplaceVariables(_ => "REPLACED");
+
+        // assert
+        result.Should().Be("REPLACED");
+    }
 }