[Infisical] dataFrom.find.path should filter by secret folder path, not secret name prefix

[k3dom]

Problem

When using dataFrom.find.path with the Infisical provider, the path parameter filters secrets by their name prefix rather than their folder path in Infisical.

For example, with secrets structured like this in Infisical:

/GITHUB_USER
/GITHUB_PAT
/gastrovisor/JWT_SECRET
/gastrovisor/SMTP_HOST

Using dataFrom.find.path: /gastrovisor or path: gastrovisor does not filter to only secrets in the /gastrovisor folder. Instead, it seems to filter by name prefix, which doesn't work since the returned secret keys don't include the folder path.

Current Behavior

The find.path parameter acts as a name prefix filter on the secret key. However, when secrets are returned from Infisical, they come back with just the secret name (e.g., JWT_SECRET) rather than the full path (gastrovisor/JWT_SECRET), making the path filter ineffective.

Expected Behavior

The find.path parameter should filter secrets based on their folder location in Infisical, similar to how secretsScope.secretsPath works in the SecretStore configuration. This would allow users to fetch all secrets from a specific folder without needing to enumerate them explicitly.

Workaround

Currently, the only workarounds are:

1. Use secretsScope.secretsPath in the SecretStore to scope to a specific folder (but this requires a separate SecretStore per folder)
2. Use explicit data entries with full paths for each secret
3. Use dataFrom.find.name.regexp but this can only filter by name patterns, not folder location

Use Case

In a multi-tenant or multi-application setup, it's common to organize secrets by application folder:

/global-secrets/...
/app1/...
/app2/...

Being able to use dataFrom.find.path: /app1 to fetch all secrets from that folder would be very useful and align with how other providers handle path-based filtering.

Environment

• External Secrets Operator version: latest
• Infisical provider
• Using ClusterSecretStore with secretsScope.secretsPath: / and recursive: true

[evrardjp]

Can any @external-secrets/provider-infisical-reviewers have a look and give an opinion?

[philipp-holler]

This would be very useful.

I assume it would only require a small change in providers/v1/infisical/client.go#L177, changing secret.SecretKey to secret.SecretPath in the path condition. As far as I understand, the path field is meant to be recursive, so HasPrefix should still be the correct way to go (although some additional logic may be necessary to have /foo also match /foo/bar but not /foobar).

But I guess this would constitute breaking behavior, even though one could argue the previous behavior was incorrect.
Would this be an issue that prevents a fix being delivered as a simple release?

[gusfcarvalho]

I assume it would only require a small change in providers/v1/infisical/client.go#L177, changing secret.SecretKey to secret.SecretPath in the path condition. As far as I understand, the path field is meant to be recursive, so HasPrefix should still be the correct way to go (although some additional logic may be necessary to have /foo also match /foo/bar but not /foobar).

The behavior I would expect (and implemented across a few providers) is that a path either changes the API calls to call that specific path only ( e.g. if path: foo/bar, the API calls would try to GET foo/bar/*, then look for name /tag matching), or changes the authentication scopes when doing a token exchange for that path only.

This serves as a way for users to scope down the permissions they need to give to ESO to perform a dataFrom.find. Any client side filtering, I agree with you, it is a bit the same.

So, to me - the ideal behavior is that when specifying path: /gastrovisor we only GET the following secrets from the API itself (i.e. there is no return for any other secrets:

/gastrovisor/JWT_SECRET
/gastrovisor/SMTP_HOST

Implementing the behavior above, I wouldn't mind the breaking behavioral change (as the current one, I agree, is weird :P ). I'd argue this is a bug fixed as opposed to a broken feature.