From b2f0826cbde00a39d410631bea94f4e5654d2367 Mon Sep 17 00:00:00 2001
From: Somtochi Onyekwere <somtochionyekwere@gmail.com>
Date: Wed, 29 Jun 2022 14:42:54 +0100
Subject: [PATCH] Only add query values not already present in the token

Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
---
 docs/spec/v1beta2/buckets.md |  3 +++
 pkg/azure/blob.go            |  6 ++++--
 pkg/azure/blob_test.go       | 10 ++++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/docs/spec/v1beta2/buckets.md b/docs/spec/v1beta2/buckets.md
index c2af9e116..72cb343e9 100644
--- a/docs/spec/v1beta2/buckets.md
+++ b/docs/spec/v1beta2/buckets.md
@@ -532,6 +532,9 @@ data:
   sasKey: <base64>
 ```
 
+The query values from the `sasKey` data field in the Secrets gets merged with the `spec.endpoint` of the `Bucket`.
+If there are the same key is present in the both of them, The token takes precedence.
+
 Note that the Azure SAS Token has an expiry date and it should be updated before it expires so that Flux can
 continue to access Azure Storage.
 
diff --git a/pkg/azure/blob.go b/pkg/azure/blob.go
index d2921769f..d7651cf1d 100644
--- a/pkg/azure/blob.go
+++ b/pkg/azure/blob.go
@@ -378,8 +378,10 @@ func sasTokenFromSecret(ep string, secret *corev1.Secret) (string, error) {
 		//merge the query values in the endpoint wuth the token
 		epValues := epURL.Query()
 		for key, val := range epValues {
-			for _, str := range val {
-				values.Set(key, str)
+			if !values.Has(key) {
+				for _, str := range val {
+					values.Add(key, str)
+				}
 			}
 		}
 
diff --git a/pkg/azure/blob_test.go b/pkg/azure/blob_test.go
index 03f55d075..36f5b5b56 100644
--- a/pkg/azure/blob_test.go
+++ b/pkg/azure/blob_test.go
@@ -339,6 +339,16 @@ func Test_sasTokenFromSecret(t *testing.T) {
 			},
 			want: "https://accountName.blob.windows.net?sv=2020-08-04&ss=bfqt&srt=co&sp=rwdl&se=2022-05-26T21:55:35Z&st=2022-05-26&spr=https&sig=JlHT",
 		},
+		{
+			name:     "conflicting query values in token",
+			endpoint: "https://accountName.blob.windows.net?sv=2020-08-04&ss=abcde",
+			secret: &corev1.Secret{
+				Data: map[string][]byte{
+					sasKeyField: []byte("sv=2019-07-06&ss=bfqt&srt=co&sp=rwdl&se=2022-05-26T21:55:35Z&st=2022-05-26&spr=https&sig=JlHT"),
+				},
+			},
+			want: "https://accountName.blob.windows.net?sv=2019-07-06&ss=bfqt&srt=co&sp=rwdl&se=2022-05-26T21:55:35Z&st=2022-05-26&spr=https&sig=JlHT",
+		},
 		{
 			name: "invalid sas token",
 			secret: &corev1.Secret{