From a1e9af892938cce15fa562c129335e58f37f00ab Mon Sep 17 00:00:00 2001
From: John Eikenberry
Date: Fri, 5 Nov 2021 14:07:57 -0700
Subject: [PATCH] support secret write queries w/ an empty write
Vault uses the write API for create+read and the create call doesn't always take write key/value pairs (requires no fields to be provided) but these cases would error out on absense of k/v pair. This change simply skips the k/v check if the parameter string field is empty.
---
 template/funcs.go | 7 +++++--
 template/template_test.go | 21 +++++++++++++++++++++
 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/template/funcs.go b/template/funcs.go
index bfccb6544..00f4a2393 100644
--- a/template/funcs.go
+++ b/template/funcs.go
@@ -342,10 +342,12 @@ func secretFunc(b *Brain, used, missing *dep.Set) func(...string) (*dep.Secret,
 return result, nil
 }
- // TODO: Refactor into separate template functions
 path, rest := s[0], s[1:]
 data := make(map[string]interface{})
 for _, str := range rest {
+ if len(str) == 0 {
+ continue
+ }
 parts := strings.SplitN(str, "=", 2)
 if len(parts) != 2 {
 return result, fmt.Errorf("not k=v pair %q", str)
@@ -358,7 +360,8 @@ func secretFunc(b *Brain, used, missing *dep.Set) func(...string) (*dep.Secret,
 var d dep.Dependency
 var err error
- if len(rest) == 0 {
+ isReadQuery := len(rest) == 0
+ if isReadQuery {
 d, err = dep.NewVaultReadQuery(path)
 } else {
 d, err = dep.NewVaultWriteQuery(path, data)
diff --git a/template/template_test.go b/template/template_test.go
index 72aae972e..591a2e111 100644
--- a/template/template_test.go
+++ b/template/template_test.go
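Review bot: In template/funcs.go, the `len(str) == 0` skip added to the k=v loop of secretFunc (hunk `@@ -342,10 +342,12 @@`) accepts an empty argument in any position, and nothing in the hunk says that doing so is meant to select a write. Because the following hunk still decides with `isReadQuery := len(rest) == 0`, a call whose only extra argument is empty now reaches `dep.NewVaultWriteQuery` with an empty `data` map where it used to stop at `not k=v pair`; that includes an argument that is empty by accident, such as a template variable that resolved to nothing, and a create call against Vault may have side effects that a failed render does not. I would narrow the guard to the explicit form, `if len(str) == 0 && len(rest) == 1 {`, so an empty string mixed in with real pairs still reaches the existing error, and add a comment above it: `// A lone "" argument requests a write with no fields; it is not treated as a read.` secretFunc starts and ends outside both hunks, so how `data` is filled between them is not visible here.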
@@ -555,6 +555,27 @@ func TestTemplate_Execute(t *testing.T) {
 "encrypted",
 false,
 },
+ {
+ "func_secret_write_empty",
+ &NewTemplateInput{
+ Contents: `{{ with secret "transit/encrypt/foo" "" }}{{ .Data.ciphertext }}{{ end }}`,
+ },
+ &ExecuteInput{
+ Brain: func() *Brain {
+ b := NewBrain()
+ d, err := dep.NewVaultWriteQuery("transit/encrypt/foo", nil)
+ if err != nil {
+ t.Fatal(err)
+ }
+ b.Remember(d, &dep.Secret{
+ Data: map[string]interface{}{"ciphertext": "encrypted"},
+ })
+ return b
+ }(),
+ },
+ "encrypted",
+ false,
+ },
 {
 "func_secret_write_no_exist",
 &NewTemplateInput{
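Review bot: The new `func_secret_write_empty` case stores its dependency with `dep.NewVaultWriteQuery("transit/encrypt/foo", nil)`, while the template path in secretFunc builds the query from an empty, non-nil `map[string]interface{}`; the case only passes if the Brain lookup treats the two as the same dependency, which is not visible in this hunk. Constructing it with `map[string]interface{}{}` would mirror the production call, or a comment such as `// nil and empty data must yield the same write query` would make the reliance explicit. It would also help to add a case where `""` appears next to a real `k=v` argument, so the behaviour of the skip in that position is pinned by a test. TestTemplate_Execute starts and ends outside the hunk.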