Update Secret API: If different secret name int passed in the PUT 'Request Path Parameter' and 'Request Body', then secret name present in the path is considered for the update operation, but returns the request body parameter.
The Update Secret API has the secret name in the request path as well as the request body. The secret name that is used for update in the Key Vault is the path variable, but the secret name that is passed in the body is returned as is without any validations. Thus having a conflict when Path and Body names differ.
To the azure Key Vault, the secret name from the path is modified with the value from the Secret object passed in the body.
Example of issue:
curl --location --request PUT 'https://osdu-glab.msft-osdu-test.org/api/secret/v1/secrets/my-super-name' \
--header 'Authorization: Bearer ${BearerToken}\
--header 'data-partition-id: ${datapartition}' \
--header 'Content-Type: application/json' \
--header 'Cookie: JSESSIONID=5864B7D927F808490829212BB7EB3659' \
--data '{
"id": 1212,
"key": "my.name",
"value": "babyshark",
"createdAt": "2023-03-17T07:00:33.579Z",
"enabled": true
}'response recieved:
{
"id": "1212",
"key": "my.name",
"value": "babyshark",
"createdAt": "2023-03-17T07:00:33.579Z",
"enabled": true
}Proposed Solution:
Validate the body and path variable name for name match, report exception if not matched.
Edited by Deepa Kumari