The latest secret version is not fetched from GCP Secret Manager when version number is greater than 9 and there are multiple enabled secret versions

[nh250082]

In our setup, we have multiple secret versions enabled in GCP. Hence a "list secret versions" returns multiple versions with different version id. The greatest version id is considered as the latest.

However in GoogleSecretComparatorByVersion.class, the comparator does an String lexical comparison. So a secret version id 9 takes priority over greater version id (e.g. 11, 30, ...) and this results in spring config server returning version id 9 always as the latest

I think the GoogleSecretComparatorByVersion.class must be fixed to do a proper numeric comparison.

[ryanjbaxter]

Thanks for reporting this!

Not being familiar with Google Secret Manager are versions always an integer?

Would you be interested in submitting a PR?

[spring-cloud-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

[nh250082]

Hi. Apologies for the delay.

The official GCP codebase does seem to define the field as String but they also say that the value will be incremented when a new secret version is added. So i think the comparator should prioritise integer numbers . I think the field is defined as a String so that the user can populate "latest" in a request and GCP Secret Manager returns only the latest secret version. It does not seem to be applicable when a list of secret versions is fetched as done in GoogleSecretManagerV1AccessStrategy.getSecretVersions()

Also if you refer to java document for com.google.cloud.secretmanager.v1.SecretVersion.getName(), it does clearly state that "[SecretVersion][google.cloud.secretmanager.v1.SecretVersion] IDs in a [Secret][google.cloud.secretmanager.v1.Secret] start at 1 and are incremented for each subsequent version of the secret."

This is my first time of reporting a bug. I would be interested in submitting a PR. Can you please let me know how to do it?

Thank

[nh250082]

A workaround is to always disable previous secret versions in GCP Secret Manager and ensure that only one secret version is enabled. Thus Spring Config Server can filter out the disabled ones and return the single enabled version. This code is present in GoogleSecretManagerV1AccessStrategy.getSecretValue() as seen below,

public String getSecretValue(Secret secret, Comparator<SecretVersion> comparator) {
	String result = null;
	List<SecretVersion> versions = getSecretVersions(secret);
	SecretVersion winner = null;
	for (SecretVersion secretVersion : versions) {
		if ((secretVersion.getState().getNumber() == SecretVersion.State.ENABLED_VALUE)
				&& comparator.compare(secretVersion, winner) > 0) {
			winner = secretVersion;
		}
	}

[ryanjbaxter]

@nh250082 makes sense. You can submit a PR following these instructions https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests