Improve the key validation in secret identifier.

[mashhurs]

Release notes

• The keystore has improved validation, and will no longer allow the creation of secrets that cannot be accessed with config replacement parameters (${ ... }).

What does this PR do?

Before this change, key-value can be added to keystore but it might impossible to reference the key because ConfigVariableExpander ignores if key name doesn't align with SUBSTITUTION_PLACEHOLDER_REGEX
Improves user experience with the secret store CLI that when providing key name, LS validates to accept a value which can be used in pipeline (aligns with ConfigVariableExpander#SUBSTITUTION_PLACEHOLDER_REGEX).
If already invalid key(s) were added, it warns to remove/replace the keys.

Why is it important/What is the impact to the user?

No user impact. Keystore CLI restricts adding meaningless keys to keystore.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• [] I have made corresponding changes to the documentation
• [] I have made corresponding change to the default configuration files (and/or docker env variables)
• I have added tests that prove my fix is effective or that my feature works

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

[mergify]

This pull request does not have a backport label. Could you fix it @mashhurs? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit.
• backport-8.x is the label to automatically backport to the 8.x branch.
• If no backport is necessary, please add the backport-skip label

[yaauie]

No users should be impacted unless they are using restricted symbols (["?", "..", "/", "\", "'", """, "$", "*", "|", "<", ">", " "]) in the key.

This sounds like a breaking change.

• What was the prior experience when using a key that includes now-restricted characters?
• What determined that these specific characters are restricted (while allowing a bunch of non-printing characters in the lower-ascii plane and the gamut of unicode characters above the lower-ascii plane)?

[github-actions]

📃 DOCS PREVIEW ✨ https://logstash_bk_17351.docs-preview.app.elstc.co/diff

[mashhurs]

No users should be impacted unless they are using restricted symbols (["?", "..", "/", "", "'", """, "$", "*", "|", "<", ">", " "]) in the key.

This sounds like a breaking change.

• What was the prior experience when using a key that includes now-restricted characters?
• What determined that these specific characters are restricted (while allowing a bunch of non-printing characters in the lower-ascii plane and the gamut of unicode characters above the lower-ascii plane)?

Yeah, didn't think of the case if keystore had invalid keys already included.
a3372c5 commit changes the approach:

• to restrict adding invalid keys to keystore with CLI. Invalid means here outside of ConfigVariableExpander#SUBSTITUTION_PLACEHOLDER_REGEX ;
• warns/guides users if their keystore already contains invalid keys;

[yaauie]

Mechanically, this works, and safely guards against adding keys that cannot be referenced in the pipelines without breaking users whose keystores include offending keys.

I've left suggestions about DRY-ing it up a bit, and improving the admitedly-difficult description of the effective key pattern requirement.

[github-actions]

📃 DOCS PREVIEW ✨ https://logstash_bk_17351.docs-preview.app.elstc.co/diff

[github-actions]

📃 DOCS PREVIEW ✨ https://logstash_bk_17351.docs-preview.app.elstc.co/diff

[github-actions]

📃 DOCS PREVIEW ✨ https://logstash_bk_17351.docs-preview.app.elstc.co/diff

[mashhurs]

Rebased against main as we were having CI issues, fixed by #17531

[github-actions]

📃 DOCS PREVIEW ✨ https://logstash_bk_17351.docs-preview.app.elstc.co/diff

[yaauie]

👍🏼 looking on-track.

I've left a comment about message format, and suggested more useful random key generation for tests.

[github-actions]

📃 DOCS PREVIEW ✨ https://logstash_bk_17351.docs-preview.app.elstc.co/diff

[github-actions]

📃 DOCS PREVIEW ✨ https://logstash_bk_17351.docs-preview.app.elstc.co/diff

[yaauie]

Works as advertised.

I've left one nit-pick about making the validation step more cohesive, but you're free to decide whether to resolve it or not.

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 700e596

History

• 💚 Build #2845 succeeded 6e816bc
• 💔 Build #2840 failed 8e0136a
• 💚 Build #2823 succeeded bfea29d
• 💔 Build #2820 failed 6ac79ce
• 💔 Build #2819 failed 9139460
• 💔 Build #2818 failed 0d9c5af

cc @mashhurs

[github-actions]

@Mergifyio backport 8.17 8.18 8.19 9.0

[mergify]

backport 8.17 8.18 8.19 9.0

✅ Backports have been created

• #17585 [8.17] (backport #17351) Improve the key validation in secret identifier. has been created for branch 8.17 but encountered conflicts
• #17586 [8.18] (backport #17351) Improve the key validation in secret identifier. has been created for branch 8.18 but encountered conflicts
• #17587 [8.19] (backport #17351) Improve the key validation in secret identifier. has been created for branch 8.19 but encountered conflicts
• #17588 [9.0] (backport #17351) Improve the key validation in secret identifier. has been created for branch 9.0