nic-6443 opened a new pull request, #13519: URL: https://github.com/apache/apisix/pull/13519
### Description

AWS Secrets Manager allows slashes in secret names, but `apisix/secret/aws.lua` splits the key at the **first** slash. For `$secret://aws/1/john/secret/john-key-auth` where the secret is actually named `john/secret`, APISIX sends `SecretId=john` and treats `secret/john-key-auth` as the JSON field name, so the lookup fails with `ResourceNotFoundException` (`vault.lua`, by contrast, splits at the last slash).

The reference URI is inherently ambiguous — there is no way to know upfront where the secret name ends and the JSON field begins. This PR resolves it with a longest-name-first fallback: first try the whole remaining key as the `SecretId` with no field, and on `ResourceNotFoundException` progressively move path segments from the right into the field position, e.g. for `john/secret/john-key-auth`:

1. `SecretId=john/secret/john-key-auth` (no field)
2. `SecretId=john/secret`, field `john-key-auth`
3. `SecretId=john`, field `secret/john-key-auth`

The first successful lookup wins. A definitive non-NotFound error (e.g. auth failure, connection error) aborts immediately instead of trying more splits. Keys without slashes behave exactly as before, and since `apisix/secret.lua` caches resolved values by URI in an lrucache, the extra requests only happen on cache miss.

Precedence note: the old behavior always split at the first slash. If both interpretations exist (a secret literally named `john` containing the field `secret/john-key-auth` **and** a secret named `john/secret`), the longest matching secret name now takes precedence. This rule is documented in the secret terminology doc (en + zh).

#11655 attempted to fix this earlier but went stale; this PR picks the issue up with the fallback-resolution approach and adds regression tests (slash-named secret with field lookup, full key as secret name, end-to-end `$secret://` URI resolution), with the corresponding secrets seeded into the localstack used by CI.
#### Which issue(s) this PR fixes:

Fixes #11647

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [x] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible (see the precedence note above for the only behavioral edge case)
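
The longest-name-first fallback described in the pull request above, as an added sketch that is not the code in `apisix/secret/aws.lua` or from the PR. `store`, `fetch`, `candidates` and `resolve` are hypothetical names, the in-memory table stands in for Secrets Manager, and ending the search when a found secret lacks the field is an assumption the description does not settle.

```lua
-- Constructed stand-in for Secrets Manager: secret name -> decoded value.
local store = {
    ["john/secret"]    = { ["john-key-auth"] = "key-A" },
    ["john"]           = { ["secret/john-key-auth"] = "key-B" },
    ["team/api/token"] = "raw-token",
}

-- Hypothetical fetch(): returns the value, or nil plus an error code.
local function fetch(secret_id)
    if secret_id:sub(1, 6) == "denied" then return nil, "AccessDeniedException" end
    if store[secret_id] == nil then return nil, "ResourceNotFoundException" end
    return store[secret_id]
end

-- Whole key first (no field), then move segments from the right into the field.
local function candidates(key)
    local out = { { id = key } }
    local cut = #key
    while cut > 0 do
        while cut > 0 and key:sub(cut, cut) ~= "/" do cut = cut - 1 end
        if cut > 1 and cut < #key then -- skip empty names and empty fields
            out[#out + 1] = { id = key:sub(1, cut - 1), field = key:sub(cut + 1) }
        end
        cut = cut - 1
    end
    return out
end

local function resolve(key)
    local tried = {}
    for _, c in ipairs(candidates(key)) do
        tried[#tried + 1] = c.id
        local value, err = fetch(c.id)
        if value ~= nil then
            if not c.field then return value, nil, tried end
            -- Assumption: a found secret that lacks the field ends the search.
            local v = type(value) == "table" and value[c.field] or nil
            if v == nil then return nil, "field not found: " .. c.field, tried end
            return v, nil, tried
        elseif err ~= "ResourceNotFoundException" then
            return nil, err, tried -- definitive error: no more splits
        end
    end
    return nil, "ResourceNotFoundException", tried
end

for _, key in ipairs({ "john/secret/john-key-auth", "team/api/token", "denied/a/b" }) do
    local v, err, tried = resolve(key)
    print(key, v, err, "tried: " .. table.concat(tried, " | "))
end
```

The `tried` list makes the cost visible: each cache miss can issue one request per path segment, and a secret named `john/secret` shadows the field `secret/john-key-auth` of a secret named `john`.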
