From b786db7de8c3f6a8a2025499dd099ec0bec71d12 Mon Sep 17 00:00:00 2001
From: Darek <36194577+dd-morphi@users.noreply.github.com>
Date: Thu, 23 Feb 2023 10:42:59 +0100
Subject: [PATCH] Not catching all exceptions during reading. Now "permission denied" is logged. (#30)
Co-authored-by: Dariusz Dobosz
---
 .../VaultConfigurationProvider.cs | 7 +--
 .../IntegrationTests.cs | 43 +++++++++++++++++++
 2 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/Source/VaultSharp.Extensions.Configuration/VaultConfigurationProvider.cs b/Source/VaultSharp.Extensions.Configuration/VaultConfigurationProvider.cs
index 037cddd..18729f5 100644
--- a/Source/VaultSharp.Extensions.Configuration/VaultConfigurationProvider.cs
+++ b/Source/VaultSharp.Extensions.Configuration/VaultConfigurationProvider.cs
@@ -4,6 +4,7 @@ namespace VaultSharp.Extensions.Configuration
 using System.Collections.Generic;
 using System.Globalization;
 using System.Linq;
+ using System.Net;
 using System.Text;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Configuration;
@@ -112,7 +113,7 @@ private async Task LoadVaultDataAsync(IVaultClient vaultClient)
 if (this._versionsCache.TryGetValue(key, out var currentVersion))
 {
 shouldSetValue = secretData.SecretData.Metadata.Version > currentVersion;
- string keyMsg = shouldSetValue ? "has new version" : "is outdated";
+ var keyMsg = shouldSetValue ? "has new version" : "is outdated";
 this._logger?.LogDebug($"VaultConfigurationProvider: Data for key `{secretData.Key}` {keyMsg}");
 }
@@ -224,7 +225,7 @@ private async IAsyncEnumerable ReadKeysAsync(IVaultClient vault
 {
 keys = await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync(folderPath, this._source.MountPoint).ConfigureAwait(false);
 }
- catch (VaultApiException)
+ catch (VaultApiException ex) when (ex.HttpStatusCode == HttpStatusCode.NotFound)
 {
 // this is key, not a folder
 }
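Review bot: With the new `when (ex.HttpStatusCode == HttpStatusCode.NotFound)` filter on the `ReadSecretPathsAsync` call in `ReadKeysAsync`, a 403 from the list request now aborts the whole walk, where the old bare catch let it fall through. Vault answers 403 when the token's policy lacks the `list` capability, so a least-privilege token that holds only `read` on its secrets would, as far as this hunk shows, stop loading configuration after this change. If that setup should keep working, tolerate Forbidden on the list call only and make it visible, e.g. `catch (VaultApiException ex) when (ex.HttpStatusCode == HttpStatusCode.NotFound || ex.HttpStatusCode == HttpStatusCode.Forbidden)` with a `this._logger?.LogWarning(...)` in the body, while keeping the read-side catch in the -254/+255 hunk strict so a denied read of the secret itself still surfaces; otherwise document that the token needs `list` on the base path. `ReadKeysAsync` begins and ends outside the hunk, so the fall-through to the read attempt is inferred from the `// this is key, not a folder` comment.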
@@ -254,7 +255,7 @@ private async IAsyncEnumerable ReadKeysAsync(IVaultClient vault
 .ConfigureAwait(false);
 keyedSecretData = new KeyedSecretData(valuePath, secretData.Data);
 }
- catch (VaultApiException)
+ catch (VaultApiException ex) when (ex.HttpStatusCode == HttpStatusCode.NotFound)
 {
 // this is folder, not a key
 }
diff --git a/Tests/VaultSharp.Extensions.Configuration.Test/IntegrationTests.cs b/Tests/VaultSharp.Extensions.Configuration.Test/IntegrationTests.cs
index 6773faf..9f8d5f1 100644
--- a/Tests/VaultSharp.Extensions.Configuration.Test/IntegrationTests.cs
+++ b/Tests/VaultSharp.Extensions.Configuration.Test/IntegrationTests.cs
@@ -2,15 +2,19 @@ namespace VaultSharp.Extensions.Configuration.Test
 {
 using System;
 using System.Collections.Generic;
+ using System.Net;
 using System.Threading;
 using System.Threading.Tasks;
 using DotNet.Testcontainers.Builders;
 using DotNet.Testcontainers.Containers;
 using FluentAssertions;
 using Microsoft.Extensions.Configuration;
+ using Microsoft.Extensions.Logging;
+ using Moq;
 using Newtonsoft.Json;
 using Serilog;
 using Serilog.Extensions.Logging;
+ using VaultSharp.Core;
 using VaultSharp.V1.AuthMethods.Token;
 using Xunit;
 using ILogger = Microsoft.Extensions.Logging.ILogger;
@@ -391,6 +395,45 @@ public async Task Success_AuthMethod()
 await container.DisposeAsync().ConfigureAwait(false);
 }
 }
+
+
+ [Fact]
+ public async Task Failure_PermissionDenied()
+ {
+ // arrange
+ using var cts = new CancellationTokenSource();
+ var jsonData = @"{""option1"": ""value1"",""subsection"":{""option2"": ""value2""}}";
+ var loggerMock = new Mock>();
+ var container = this.PrepareVaultContainer();
+ try
+ {
+ await container.StartAsync(cts.Token).ConfigureAwait(false);
+ await this.LoadDataAsync("myservice-config", jsonData).ConfigureAwait(false);
+
+ // act
+ var builder = new ConfigurationBuilder();
+ builder.AddVaultConfiguration(
+ () => new VaultOptions("http://localhost:8200", new TokenAuthMethodInfo("NON VALID TOKEN"), reloadOnChange: true, reloadCheckIntervalSeconds: 10, omitVaultKeyName: true),
+ "myservice-config",
+ "secret",
+ loggerMock.Object);
+ var configurationRoot = builder.Build();
+
+ // assert
+ loggerMock.Verify(
+ x => x.Log(
+ It.Is(l => l == LogLevel.Error),
+ It.IsAny(),
+ It.Is((v, t) => v.ToString() == "Cannot load configuration from Vault"),
+ It.Is(exception => exception.HttpStatusCode == HttpStatusCode.Forbidden),
+ It.Is>((v, t) => true)), Times.Once);
+ }
+ finally
+ {
+ cts.Cancel();
+ await container.DisposeAsync().ConfigureAwait(false);
+ }
+ }
 }
 public class TestConfigObject
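Review bot: The assertion in `Failure_PermissionDenied` only proves that an error was logged; `configurationRoot` is assigned and never read, so the test would still pass if a rejected token somehow left values in the configuration. Add a check after `builder.Build()` that nothing was loaded, for example `configurationRoot["option1"].Should().BeNull();`. The only case exercised is an invalid token; a second test using a valid token whose policy grants `read` but not `list` would pin how the `NotFound`-only filters in `ReadKeysAsync` treat a 403 on the list call.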