fix: replace unsafe dictionary indexers in ValidateCAConnectionInfo and ValidateProductInfo

spbsoluble · spbsoluble · commit 8f5df3b86f94 · 2026-04-28T14:11:41.000-07:00
Direct Dictionary.get_Item calls throw KeyNotFoundException when the
gateway does not populate all parameter keys before calling validation
(observed on PUT/POST config/configuration). Replace with TryGetValue
throughout.

Also relaxes the ValidateProductInfo RoleName check: RoleName is
optional since the Enroll path already falls back to ProductID when
RoleName is absent, so the validator no longer rejects configs that
omit it.
diff --git a/hashicorp-vault-cagateway/HashicorpVaultCAConnector.cs b/hashicorp-vault-cagateway/HashicorpVaultCAConnector.cs
@@ -340,19 +340,23 @@ public async Task ValidateCAConnectionInfo(Dictionary<string, object> connection
             List<string> errors = new List<string>();
 
             // then, we make sure required fields are defined..
-            if (string.IsNullOrEmpty(connectionInfo[Constants.CAConfig.HOST] as string))
+            connectionInfo.TryGetValue(Constants.CAConfig.HOST, out var hostVal);
+            if (string.IsNullOrEmpty(hostVal as string))
             {
                 errors.Add($"The '{Constants.CAConfig.HOST}' is required.");
             }
 
-            if (string.IsNullOrEmpty(connectionInfo[Constants.CAConfig.MOUNTPOINT] as string))
+            connectionInfo.TryGetValue(Constants.CAConfig.MOUNTPOINT, out var mountVal);
+            if (string.IsNullOrEmpty(mountVal as string))
             {
                 errors.Add($"The '{Constants.CAConfig.MOUNTPOINT}' is required.");
             }
 
             // make sure an authentication mechanism is defined (either certificate or token)
-            var token = connectionInfo[Constants.CAConfig.TOKEN] as string;
-            var cert = connectionInfo[Constants.CAConfig.CLIENTCERT] as string;
+            connectionInfo.TryGetValue(Constants.CAConfig.TOKEN, out var tokenVal);
+            connectionInfo.TryGetValue(Constants.CAConfig.CLIENTCERT, out var certVal);
+            var token = tokenVal as string;
+            var cert = certVal as string;
 
             if (string.IsNullOrEmpty(token) && string.IsNullOrEmpty(cert))
             {
@@ -439,10 +443,11 @@ public Task ValidateProductInfo(EnrollmentProductInfo productInfo, Dictionary<st
                 logger.LogError(LogHandler.FlattenException(ex));
                 throw;
             }
-            // make sure Role Name is present in the template config
-            if (string.IsNullOrEmpty(productInfo.ProductParameters[Constants.TemplateConfig.ROLENAME] as string))
+            // RoleName is optional — if absent or empty, ProductID is used as the role name (see Enroll).
+            productInfo.ProductParameters.TryGetValue(Constants.TemplateConfig.ROLENAME, out var roleNameVal);
+            if (roleNameVal != null && string.IsNullOrEmpty(roleNameVal as string))
             {
-                errors.Add($"The '{Constants.TemplateConfig.ROLENAME}' is required.");
+                errors.Add($"The '{Constants.TemplateConfig.ROLENAME}' must not be empty if provided.");
             }
 
             // if any errors, throw

Original file line number	Diff line number	Diff line change
`@@ -340,19 +340,23 @@ public async Task ValidateCAConnectionInfo(Dictionary<string, object> connection`
`340`	`340`	`List<string> errors = new List<string>();`
`341`	`341`
`342`	`342`	`// then, we make sure required fields are defined..`
`343`		`- if (string.IsNullOrEmpty(connectionInfo[Constants.CAConfig.HOST] as string))`
	`343`	`+ connectionInfo.TryGetValue(Constants.CAConfig.HOST, out var hostVal);`
	`344`	`+ if (string.IsNullOrEmpty(hostVal as string))`
`344`	`345`	`{`
`345`	`346`	`errors.Add($"The '{Constants.CAConfig.HOST}' is required.");`
`346`	`347`	`}`
`347`	`348`
`348`		`- if (string.IsNullOrEmpty(connectionInfo[Constants.CAConfig.MOUNTPOINT] as string))`
	`349`	`+ connectionInfo.TryGetValue(Constants.CAConfig.MOUNTPOINT, out var mountVal);`
	`350`	`+ if (string.IsNullOrEmpty(mountVal as string))`
`349`	`351`	`{`
`350`	`352`	`errors.Add($"The '{Constants.CAConfig.MOUNTPOINT}' is required.");`
`351`	`353`	`}`
`352`	`354`
`353`	`355`	`// make sure an authentication mechanism is defined (either certificate or token)`
`354`		`- var token = connectionInfo[Constants.CAConfig.TOKEN] as string;`
`355`		`- var cert = connectionInfo[Constants.CAConfig.CLIENTCERT] as string;`
	`356`	`+ connectionInfo.TryGetValue(Constants.CAConfig.TOKEN, out var tokenVal);`
	`357`	`+ connectionInfo.TryGetValue(Constants.CAConfig.CLIENTCERT, out var certVal);`
	`358`	`+ var token = tokenVal as string;`
	`359`	`+ var cert = certVal as string;`
`356`	`360`
`357`	`361`	`if (string.IsNullOrEmpty(token) && string.IsNullOrEmpty(cert))`
`358`	`362`	`{`
`@@ -439,10 +443,11 @@ public Task ValidateProductInfo(EnrollmentProductInfo productInfo, Dictionary<st`
`439`	`443`	`logger.LogError(LogHandler.FlattenException(ex));`
`440`	`444`	`throw;`
`441`	`445`	`}`
`442`		`- // make sure Role Name is present in the template config`
`443`		`- if (string.IsNullOrEmpty(productInfo.ProductParameters[Constants.TemplateConfig.ROLENAME] as string))`
	`446`	`+ // RoleName is optional — if absent or empty, ProductID is used as the role name (see Enroll).`
	`447`	`+ productInfo.ProductParameters.TryGetValue(Constants.TemplateConfig.ROLENAME, out var roleNameVal);`
	`448`	`+ if (roleNameVal != null && string.IsNullOrEmpty(roleNameVal as string))`
`444`	`449`	`{`
`445`		`- errors.Add($"The '{Constants.TemplateConfig.ROLENAME}' is required.");`
	`450`	`+ errors.Add($"The '{Constants.TemplateConfig.ROLENAME}' must not be empty if provided.");`
`446`	`451`	`}`
`447`	`452`
`448`	`453`	`// if any errors, throw`