
Keyvault references break if the secret value contains two percent symbols #4

Open
joshschmitter opened this issue Dec 12, 2019 · 4 comments

Comments

@joshschmitter

In teamcity, variables are denoted by an opening and closing percent symbol: %my_var%

If a keyvault secret value contains two percent symbols (e.g., my%keyvault%secretValue), the plugin fails to evaluate the secret value and returns the name of the parameter instead. It seems that the secret value is somehow being interpolated by teamcity as containing a variable name.

Moreover, the variable interpolation seems to happen twice before being returned. Variables can be escaped by being duplicated %%. So I tried setting my secret value as my%%keyvault%%secretValue, but this still failed. When I quadrupled each % symbol, it evaluated correctly. my%%%%keyvault%%%%secretValue evaluates to my desired result of my%keyvault%secretValue.

To reproduce:

  1. create a keyvault secret with value of my%keyvault%secretValue

  2. add a parameter myparameter in a teamcity build referencing the keyvault secret.
    Value should look like: %keyvault:my-kv/my-secret-name%

  3. create a teamcity build step with a powershell (or other cli) runner to echo the parameter: echo '%myparameter%'

  4. the build log will contain a line showing the parameter name where there should be a mask for the secret value:

    [20:58:12] [Step 1/1] %myparameter%

  5. change the keyvault secret value to my%%%%keyvault%%%%secretValue.

  6. run the build step again. Output should look something like this:

    [20:58:12] [Step 1/1] ***********

The mask shows that the secret is being retrieved and evaluated successfully.
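The behaviour reported above (a secret containing "%...%" being re-read as a parameter reference, doubled escapes surviving one pass and quadrupled escapes surviving two) can be reproduced with a small resolver model. The code below is an added example, not TeamCity's or the plugin's code: the resolution rules ("%%" is a literal "%", "%name%" is a reference, a parameter whose value cannot be fully resolved is left as "%name%" in the log), the `keyvault:` lookup hook, the sample vault contents and the `escape_secret` mitigation (the plugin doubling every "%" before handing the value back) are all assumptions made for the illustration. Nested references such as the one discussed later in the thread are not modelled.

```python
# Added model of TeamCity-style "%ref%" resolution for the issue above.
# It is NOT TeamCity's or the plugin's code; the rules are assumed from the
# thread: "%%" is a literal "%", "%name%" is a reference, and a parameter whose
# value cannot be fully resolved shows up in the build log as "%name%".

# Constructed sample vault (secret name -> secret value).
VAULT = {"my-kv/my-secret-name": "my%keyvault%secretValue"}


class UnresolvedReference(Exception):
    """Raised when "%name%" names nothing the resolver knows."""


def lookup(name, params, vault, escape_secret):
    """Hypothetical resolver hook: "%keyvault:<vault>/<secret>%" is served
    from the vault, anything else is an ordinary build parameter."""
    if name.startswith("keyvault:"):
        secret = vault.get(name[len("keyvault:"):])
        if secret is None:
            raise UnresolvedReference(name)
        # Hardened variant (assumed mitigation): double every "%" so the next
        # resolution pass turns it back into a literal instead of a reference.
        return secret.replace("%", "%%") if escape_secret else secret
    if name not in params:
        raise UnresolvedReference(name)
    return params[name]


def resolve_once(text, params, vault=VAULT, escape_secret=False):
    """One resolution pass over `text`."""
    out, i = [], 0
    while i < len(text):
        if text[i] != "%":
            out.append(text[i])
            i += 1
        elif text.startswith("%%", i):
            out.append("%")  # escaped percent sign
            i += 2
        else:
            j = text.find("%", i + 1)
            if j == -1:
                raise UnresolvedReference(text[i:])  # dangling "%"
            out.append(lookup(text[i + 1:j], params, vault, escape_secret))
            i = j + 1
    return "".join(out)


def render(name, params, extra_passes=1, vault=VAULT, escape_secret=False):
    """What the build log shows for "%name%": the plugin expands the keyvault
    reference once, then TeamCity (plus any feature such as File Content
    Replacer) re-resolves the result `extra_passes` more times."""
    try:
        value = resolve_once(params[name], params, vault, escape_secret)
        for _ in range(extra_passes):
            value = resolve_once(value, params, vault)
        return value
    except (KeyError, UnresolvedReference):
        return f"%{name}%"


def escape_for_passes(value, passes):
    """Manual workaround from the issue: each pass halves a run of "%", so a
    literal "%" that must survive `passes` passes is written 2**passes times."""
    return value.replace("%", "%" * (2 ** passes))


if __name__ == "__main__":
    params = {"myparameter": "%keyvault:my-kv/my-secret-name%"}
    # Raw secret: "%keyvault%" is re-read as a reference, so the log shows
    # the parameter name instead of the masked value.
    print(render("myparameter", params))  # %myparameter%
    # Quadrupled "%" survives two passes, as observed in the issue.
    quad = {"my-kv/my-secret-name": escape_for_passes("my%keyvault%secretValue", 2)}
    print(render("myparameter", params, extra_passes=2, vault=quad))  # my%keyvault%secretValue
    # Plugin-side escaping makes the raw secret survive one pass.
    print(render("myparameter", params, escape_secret=True))  # my%keyvault%secretValue
```

The model makes the escaping arithmetic explicit: a value written with 2**n percent signs survives n resolution passes, which is why "%%" worked only when the File Content Replacer pass was absent and "%%%%" was needed when it was present. It also shows that the plugin can remove the burden from the user by doubling "%" itself, but only for the single TeamCity pass it knows about; any further interpolation downstream would still need its own escaping.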

joshschmitter added a commit to joshschmitter/teamcity-azure-keyvault-plugin that referenced this issue Dec 13, 2019
@vyadh (Owner) commented Dec 23, 2019

Great, thanks for this. I did try to take a crack at this a while ago, but I had some trouble doing something similar. I'll take this change out for a spin and see if I can reproduce the issue I had escaping it. It may very well be the double-interpolation as you mentioned - I think TeamCity resolves references once before the plugin sees them (which is actually helpful, as you can use environment-specific key vaults or keys by embedding an environment parameter).

@joshschmitter (Author)

Cool, thanks! After further testing, I think the second round of interpolation I mentioned was actually due to my use of the File Content Replacer build feature. So I think only one round of interpolation is relevant to this plugin.

@joshschmitter (Author)

@vyadh, any chance you could take a look at testing this PR or give an update?

@vyadh (Owner) commented Apr 2, 2020

Apologies, been meaning to merge this in for a while. What I need to do is write some tests and then go through some scenarios we use, such as where we use nested parameters (e.g. %keyvault:%kvname%-%kvregion%/secret%). It will be easier to find time for this once my new team comes on board, but unfortunately that's been paused for the moment because of recent events in the world.
