Error parsing HashiCorp Vault policies
We have recently discovered that some of our users have been deploying Vault policies formatted like below, where the opening curly bracket is placed below the line:
path "secretspath/*"
{
capabilities = ["create", "read", "update", "delete", "list"]
}
However, Vault accepts that as valid HCL whether you use the CLI, UI or Terraform for the deployment. When parsing this with hcl2, it throws the following error:
lark.exceptions.UnexpectedToken: Unexpected token Token('__ANON_0', '\n') at line 1, column 20.
Expected one of:
* LBRACE
* __ANON_3
* STRING_LIT
We are using python-hcl2 to create a policy object and then look up its capabilities. This works very well for most of the policies, but there are some formatted like the above that can't be properly parsed. Is there a way to fix this, or an easy workaround other than manipulating the policy with some regex before pushing it to hcl2?
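A pragmatic workaround while the grammar is unfixed, added here as example code that is neither part of this issue nor of python-hcl2: a conservative line-based normalizer that joins a line consisting only of `{` (optionally followed by a comment) back onto the preceding block header, and a flattener that turns python-hcl2's output into a `{path_glob: [capabilities]}` map. The function names are mine; `parse_policy()` assumes python-hcl2 is installed and that `hcl2.loads()` returns `path` blocks as a list of `{label: body}` dicts, which is how the library represents labelled blocks. Braces inside string literals are never touched because only whole-line braces are joined, and a header line that already carries a comment is deliberately left alone so the parser still fails loudly instead of the brace being swallowed into the comment.

```python
"""Normalize brace placement in Vault policies before handing them to python-hcl2.

Added example for this issue, not code from python-hcl2 or HashiCorp Vault.
"""
from typing import Dict, List

# Constructed sample: the exact shape reported in the issue (brace on its own line).
SAMPLE_POLICY = (
    'path "secretspath/*"\n'
    "{\n"
    '  capabilities = ["create", "read", "update", "delete", "list"]\n'
    "}\n"
    'path "sys/auth" {\n'
    '  capabilities = ["read"]\n'
    "}\n"
)


def _is_lone_brace(stripped: str) -> bool:
    """True for a line that is just '{', or '{' followed only by a comment."""
    if not stripped.startswith("{"):
        return False
    rest = stripped[1:].lstrip()
    return rest == "" or rest.startswith("#") or rest.startswith("//")


def normalize_brace_placement(policy_text: str) -> str:
    """Join a lone '{' line onto the preceding block header line.

    Only joins when the previous line is non-empty, does not already end with
    '{', and carries no comment (joining a brace after '# ...' would hide it).
    Everything else is passed through unchanged.
    """
    out: List[str] = []
    for line in policy_text.splitlines():
        stripped = line.strip()
        if out and _is_lone_brace(stripped):
            prev = out[-1].rstrip()
            if prev and not prev.endswith("{") and "#" not in prev and "//" not in prev:
                out[-1] = prev + " " + stripped
                continue
        out.append(line)
    joined = "\n".join(out)
    return joined + ("\n" if policy_text.endswith("\n") else "")


def capabilities_by_path(policy: dict) -> Dict[str, List[str]]:
    """Flatten python-hcl2's {'path': [{label: body}, ...]} into {label: caps}."""
    result: Dict[str, List[str]] = {}
    for block in policy.get("path", []):
        for path_glob, body in block.items():
            result[path_glob] = list(body.get("capabilities", []))
    return result


def parse_policy(policy_text: str) -> Dict[str, List[str]]:
    """Normalize, parse with python-hcl2, and return {path_glob: [capabilities]}."""
    import hcl2  # python-hcl2; imported lazily so the normalizer works without it

    return capabilities_by_path(hcl2.loads(normalize_brace_placement(policy_text)))


if __name__ == "__main__":
    print(normalize_brace_placement(SAMPLE_POLICY))
    print(parse_policy(SAMPLE_POLICY))
```

Run stand-alone it prints the normalized policy and the capability map; in a deployment gate you would call `parse_policy()` on each policy file and then check, for example, that no path glob grants `sudo` or `delete` outside an allow-list.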
I can duplicate this, though I currently see a slightly different exception.
path "sys/auth" {
capabilities = ["read"]
}
parses;
path "sys/auth"
{
capabilities = ["read"]
}
generates an exception.
raise UnexpectedCharacters(lex_state.text, line_ctr.char_pos, line_ctr.line, line_ctr.column,
lark.exceptions.UnexpectedCharacters: <exception str() failed>
This appears to fix the problem:
--- a/hcl2/hcl2.lark
+++ b/hcl2/hcl2.lark
@@ -1,7 +1,7 @@
start : body
body : (new_line_or_comment? (attribute | block))* new_line_or_comment?
attribute : identifier "=" expression
-block : identifier (identifier | STRING_LIT)* "{" body "}"
+block : identifier (identifier | STRING_LIT)* new_line_or_comment? "{" body "}"
new_line_and_or_comma: new_line_or_comment | "," | "," new_line_or_comment
new_line_or_comment: ( /\n/ | /#.*\n/ | /\/\/.*\n/ )+
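Review bot: the `new_line_or_comment?` inserted before `"{"` in the `block` rule accepts more than the input reported in this issue. Because `new_line_or_comment` is `( /\n/ | /#.*\n/ | /\/\/.*\n/ )+`, the grammar now also admits any number of blank lines and `#` or `//` comment lines between the block labels and the brace, e.g. `path "sys/auth" # note` followed by `{` on the next line. That is likely acceptable for Vault policies, but the hunk only touches hcl2.lark; add a parser test fixture with the brace-on-next-line policy from this issue (and the comment variant, if it is meant to be supported) so the behaviour is pinned and does not regress the next time the `block` or `body` rules are reworked.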