In our setup, we have multiple secret versions enabled in GCP. Hence a "list secret versions" call returns multiple versions with different version ids. The greatest version id is considered the latest.
However, in GoogleSecretComparatorByVersion.class the comparator does a String lexical comparison. So a secret version id 9 takes priority over greater version ids (e.g. 11, 30, ...), and this results in Spring Config Server always returning version id 9 as the latest.
I think the GoogleSecretComparatorByVersion.class must be fixed to do a proper numeric comparison.
Comment From: ryanjbaxter
Thanks for reporting this!
Not being familiar with Google Secret Manager, are versions always an integer?
Would you be interested in submitting a PR?
Comment From: spring-cloud-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: nh250082
Hi. Apologies for the delay.
The official GCP codebase does seem to define the field as String, but they also say that the value will be incremented when a new secret version is added. So I think the comparator should prioritise integer numbers. I think the field is defined as a String so that the user can populate "latest" in a request and GCP Secret Manager returns only the latest secret version. It does not seem to be applicable when a list of secret versions is fetched, as done in GoogleSecretManagerV1AccessStrategy.getSecretVersions().
Also, if you refer to the Javadoc for com.google.cloud.secretmanager.v1.SecretVersion.getName(), it does clearly state that "[SecretVersion][google.cloud.secretmanager.v1.SecretVersion] IDs in a [Secret][google.cloud.secretmanager.v1.Secret] start at 1 and are incremented for each subsequent version of the secret."
This is my first time reporting a bug. I would be interested in submitting a PR. Can you please let me know how to do it?
Thanks
Comment From: nh250082
A workaround is to always disable previous secret versions in GCP Secret Manager and ensure that only one secret version is enabled. Thus Spring Config Server can filter out the disabled ones and return the single enabled version. This code is present in GoogleSecretManagerV1AccessStrategy.getSecretValue(), as seen below:
```java
public String getSecretValue(Secret secret, Comparator<SecretVersion> comparator) {
	String result = null;
	List<SecretVersion> versions = getSecretVersions(secret);
	SecretVersion winner = null;
	for (SecretVersion secretVersion : versions) {
		// Only ENABLED versions compete; the comparator decides which of them is "latest".
		if ((secretVersion.getState().getNumber() == SecretVersion.State.ENABLED_VALUE)
				&& comparator.compare(secretVersion, winner) > 0) {
			winner = secretVersion;
		}
	}
	// ... the remainder of the method (reading the winner's payload into result) is not quoted here
	return result;
}
```
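To make the bug in the opening post and the selection loop quoted above concrete, here is an added, self-contained example (not spring-cloud-config or Google client code). It uses a small stand-in `Version` record instead of `com.google.cloud.secretmanager.v1.SecretVersion`, a constructed list of version resource names, and the same "highest enabled version wins" loop, run once with the lexical comparator and once with a numeric one that compares only the trailing `versions/N` segment. Project, secret and version names are constructed for the demo.

```java
import java.util.Comparator;
import java.util.List;

// Added example: a minimal stand-in for SecretVersion carrying only the resource name
// and an enabled/disabled state, which is all the selection logic needs.
public class SecretVersionSelection {

    enum State { ENABLED, DISABLED }

    record Version(String name, State state) { }

    // Mirrors the lexical comparison the issue describes: the resource names are compared
    // as strings, so ".../versions/9" sorts after ".../versions/11" and ".../versions/30".
    static final Comparator<Version> LEXICAL = (left, right) -> {
        if (right == null) return 1;
        if (left == null) return -1;
        return left.name().compareTo(right.name());
    };

    // Numeric comparison on the version id, as proposed in the thread. Resource names have the
    // form projects/*/secrets/*/versions/N, so only the segment after the last '/' is parsed.
    static long versionId(Version version) {
        String name = version.name();
        return Long.parseLong(name.substring(name.lastIndexOf('/') + 1));
    }

    static final Comparator<Version> NUMERIC = (left, right) -> {
        if (right == null) return 1;
        if (left == null) return -1;
        return Long.compare(versionId(left), versionId(right));
    };

    // Same loop as getSecretValue(): among ENABLED versions keep the one the comparator ranks
    // highest. Returns null when no version is enabled.
    static Version pickLatest(List<Version> versions, Comparator<Version> comparator) {
        Version winner = null;
        for (Version version : versions) {
            if (version.state() == State.ENABLED && comparator.compare(version, winner) > 0) {
                winner = version;
            }
        }
        return winner;
    }

    public static void main(String[] args) {
        // Constructed resource names; the project and secret ids are placeholders.
        String base = "projects/demo-project/secrets/db-password/versions/";
        List<Version> versions = List.of(
                new Version(base + "9", State.ENABLED),
                new Version(base + "11", State.ENABLED),
                new Version(base + "30", State.ENABLED),
                new Version(base + "31", State.DISABLED));

        System.out.println("lexical winner : " + pickLatest(versions, LEXICAL).name());
        System.out.println("numeric winner : " + pickLatest(versions, NUMERIC).name());

        // The workaround from this comment: with a single ENABLED version both comparators agree.
        List<Version> oneEnabled = List.of(
                new Version(base + "9", State.DISABLED),
                new Version(base + "11", State.DISABLED),
                new Version(base + "30", State.ENABLED));
        System.out.println("workaround     : " + pickLatest(oneEnabled, LEXICAL).name());
    }
}
```

With the constructed input, the lexical comparator selects version 9 (because '9' sorts after '1' and '3'), the numeric comparator selects version 30 (31 is skipped as DISABLED), and in the workaround list both select 30 because it is the only enabled version. Parsing the trailing segment rather than the whole name matters because `SecretVersion.getName()` returns the full resource path, not the bare id.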
Comment From: ryanjbaxter
@nh250082 makes sense. You can submit a PR following these instructions https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests
Comment From: amit88265
can I work on this bug?
Comment From: ryanjbaxter
@amit88265 Absolutely!
Comment From: amit88265
Thanks, @ryanjbaxter. How do I get assigned to it? Also, I am contributing first time to spring projects. Are there any prerequisites I should know before starting apart from https://github.com/spring-cloud/spring-cloud-config#readme contributing guide?
Comment From: ryanjbaxter
Just start a PR, no formal processes to assign the issue. Everything you should need to know is in the README. If you have any questions just let me know!
Comment From: amit88265
Thanks. I am working on it. Will raise a PR shortly.
Comment From: amit88265
I face the below error while building the project.
```
[ERROR] Non-resolvable import POM: Failure to find io.awspring.cloud:spring-cloud-aws-dependencies:pom:3.0.0-SNAPSHOT in https://repo.spring.io/snapshot was cached in the local repository, resolution will not be reattempted until the update interval of spring-snapshots has elapsed or updates are forced @ line 113, column 16
@
[ERROR] The build could not read 1 project -> [Help 1]
[ERROR]
[ERROR] The project org.springframework.cloud:spring-cloud-config:4.0.2-SNAPSHOT (/Users/amitkumar/Documents/MyWork/openSource/spring/spring-cloud-config/pom.xml) has 1 error
[ERROR] Non-resolvable import POM: Failure to find io.awspring.cloud:spring-cloud-aws-dependencies:pom:3.0.0-SNAPSHOT in https://repo.spring.io/snapshot was cached in the local repository, resolution will not be reattempted until the update interval of spring-snapshots has elapsed or updates are forced @ line 113, column 16 -> [Help 2]
[ERROR]
```
I tried running with the Maven spring profile as well, but it does not help. Please help me fix this.
Comment From: ryanjbaxter
Pull the latest changes from main now, I was doing some work and unfortunately we can't reliably pull snapshot releases of spring cloud AWS at the moment.
Comment From: amit88265
Hi, I was thinking that, as secrets have versions starting from 1 and increasing by one subsequently, it would be better to compare versions after converting the string version to an int. The code will have the following changes and the issue should be fixed. Please let me know what you think.
```java
@Override
public int compare(SecretVersion leftVersion, SecretVersion rightVersion) {
	if (rightVersion == null) {
		return 1;
	}
	if (leftVersion == null) {
		return -1;
	}
	// getName() returns the full resource name projects/*/secrets/*/versions/N,
	// so only the trailing numeric segment is parsed and compared.
	return Integer.compare(Integer.parseInt(versionId(leftVersion)), Integer.parseInt(versionId(rightVersion)));
}

private static String versionId(SecretVersion version) {
	String name = version.getName();
	return name.substring(name.lastIndexOf('/') + 1);
}
```
Comment From: ryanjbaxter
Submit a PR so I can see the code in context, along with some tests
Comment From: amit88265
@ryanjbaxter please have a look at the PR.