2020-08-11 17:50:07 +02:00
|
|
|
package statefile
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"sort"
|
Store sensitive attribute paths in state (#26338)
* Add creation test and simplify in-place test
* Add deletion test
* Start adding marking from state
Start storing paths that should be marked
when pulled out of state. Implements deep
copy for attr paths. This commit also includes some
comment noise from investigations, and fixing the diff test
* Fix apply stripping marks
* Expand diff tests
* Basic apply test
* Update comments on equality checks to clarify current understanding
* Add JSON serialization for sensitive paths
We need to serialize a slice of cty.Path values to be used to re-mark
the sensitive values of a resource instance when loading the state file.
Paths consist of a list of steps, each of which may be either getting an
attribute value by name, or indexing into a collection by string or
number.
To serialize these without building a complex parser for a compact
string form, we render a nested array of small objects, like so:
[
[
{ type: "get_attr", value: "foo" },
{ type: "index", value: { "type": "number", "value": 2 } }
]
]
The above example is equivalent to a path `foo[2]`.
* Format diffs with map types
Comparisons need unmarked values to operate on,
so create unmarked values for those operations. Additionally,
change diff to cover map types
* Remove debugging printing
* Fix bug with marking non-sensitive values
When pulling a sensitive value from state,
we were previously using those marks to remark
the planned new value, but that new value
might *not* be sensitive, so let's not do that
* Fix apply test
Apply was not passing the second state
through to the third pass at apply
* Consistency in checking for length of paths vs inspecting into value
* In apply, don't mark with before paths
* AttrPaths test coverage for DeepCopy
* Revert format changes
Reverts format changes in format/diff for this
branch so those changes can be discussed on a separate PR
* Refactor name of AttrPaths to AttrSensitivePaths
* Rename AttributePaths/attributePaths for naming consistency
Co-authored-by: Alisdair McDiarmid <alisdair@users.noreply.github.com>
2020-09-24 18:40:17 +02:00
|
|
|
"strings"
|
2020-08-11 17:50:07 +02:00
|
|
|
"testing"
|
Store sensitive attribute paths in state (#26338)
* Add creation test and simplify in-place test
* Add deletion test
* Start adding marking from state
Start storing paths that should be marked
when pulled out of state. Implements deep
copy for attr paths. This commit also includes some
comment noise from investigations, and fixing the diff test
* Fix apply stripping marks
* Expand diff tests
* Basic apply test
* Update comments on equality checks to clarify current understanding
* Add JSON serialization for sensitive paths
We need to serialize a slice of cty.Path values to be used to re-mark
the sensitive values of a resource instance when loading the state file.
Paths consist of a list of steps, each of which may be either getting an
attribute value by name, or indexing into a collection by string or
number.
To serialize these without building a complex parser for a compact
string form, we render a nested array of small objects, like so:
[
[
{ type: "get_attr", value: "foo" },
{ type: "index", value: { "type": "number", "value": 2 } }
]
]
The above example is equivalent to a path `foo[2]`.
* Format diffs with map types
Comparisons need unmarked values to operate on,
so create unmarked values for those operations. Additionally,
change diff to cover map types
* Remove debugging printing
* Fix bug with marking non-sensitive values
When pulling a sensitive value from state,
we were previously using those marks to remark
the planned new value, but that new value
might *not* be sensitive, so let's not do that
* Fix apply test
Apply was not passing the second state
through to the third pass at apply
* Consistency in checking for length of paths vs inspecting into value
* In apply, don't mark with before paths
* AttrPaths test coverage for DeepCopy
* Revert format changes
Reverts format changes in format/diff for this
branch so those changes can be discussed on a separate PR
* Refactor name of AttrPaths to AttrSensitivePaths
* Rename AttributePaths/attributePaths for naming consistency
Co-authored-by: Alisdair McDiarmid <alisdair@users.noreply.github.com>
2020-09-24 18:40:17 +02:00
|
|
|
|
2021-05-17 19:11:06 +02:00
|
|
|
"github.com/hashicorp/terraform/internal/tfdiags"
|
Store sensitive attribute paths in state (#26338)
* Add creation test and simplify in-place test
* Add deletion test
* Start adding marking from state
Start storing paths that should be marked
when pulled out of state. Implements deep
copy for attr paths. This commit also includes some
comment noise from investigations, and fixing the diff test
* Fix apply stripping marks
* Expand diff tests
* Basic apply test
* Update comments on equality checks to clarify current understanding
* Add JSON serialization for sensitive paths
We need to serialize a slice of cty.Path values to be used to re-mark
the sensitive values of a resource instance when loading the state file.
Paths consist of a list of steps, each of which may be either getting an
attribute value by name, or indexing into a collection by string or
number.
To serialize these without building a complex parser for a compact
string form, we render a nested array of small objects, like so:
[
[
{ type: "get_attr", value: "foo" },
{ type: "index", value: { "type": "number", "value": 2 } }
]
]
The above example is equivalent to a path `foo[2]`.
* Format diffs with map types
Comparisons need unmarked values to operate on,
so create unmarked values for those operations. Additionally,
change diff to cover map types
* Remove debugging printing
* Fix bug with marking non-sensitive values
When pulling a sensitive value from state,
we were previously using those marks to remark
the planned new value, but that new value
might *not* be sensitive, so let's not do that
* Fix apply test
Apply was not passing the second state
through to the third pass at apply
* Consistency in checking for length of paths vs inspecting into value
* In apply, don't mark with before paths
* AttrPaths test coverage for DeepCopy
* Revert format changes
Reverts format changes in format/diff for this
branch so those changes can be discussed on a separate PR
* Refactor name of AttrPaths to AttrSensitivePaths
* Rename AttributePaths/attributePaths for naming consistency
Co-authored-by: Alisdair McDiarmid <alisdair@users.noreply.github.com>
2020-09-24 18:40:17 +02:00
|
|
|
"github.com/zclconf/go-cty/cty"
|
2020-08-11 17:50:07 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// This test verifies that modules are sorted before resources:
|
|
|
|
|
// https://github.com/hashicorp/terraform/issues/21552
|
|
|
|
|
func TestVersion4_sort(t *testing.T) {
|
|
|
|
|
resources := sortResourcesV4{
|
|
|
|
|
{
|
|
|
|
|
Module: "module.child",
|
|
|
|
|
Type: "test_instance",
|
|
|
|
|
Name: "foo",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Type: "test_instance",
|
|
|
|
|
Name: "foo",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Module: "module.kinder",
|
|
|
|
|
Type: "test_instance",
|
|
|
|
|
Name: "foo",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Module: "module.child.grandchild",
|
|
|
|
|
Type: "test_instance",
|
|
|
|
|
Name: "foo",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
sort.Stable(resources)
|
|
|
|
|
|
|
|
|
|
moduleOrder := []string{"", "module.child", "module.child.grandchild", "module.kinder"}
|
|
|
|
|
|
|
|
|
|
for i, resource := range resources {
|
|
|
|
|
if resource.Module != moduleOrder[i] {
|
|
|
|
|
t.Errorf("wrong sort order: expected %q, got %q\n", moduleOrder[i], resource.Module)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
Store sensitive attribute paths in state (#26338)
* Add creation test and simplify in-place test
* Add deletion test
* Start adding marking from state
Start storing paths that should be marked
when pulled out of state. Implements deep
copy for attr paths. This commit also includes some
comment noise from investigations, and fixing the diff test
* Fix apply stripping marks
* Expand diff tests
* Basic apply test
* Update comments on equality checks to clarify current understanding
* Add JSON serialization for sensitive paths
We need to serialize a slice of cty.Path values to be used to re-mark
the sensitive values of a resource instance when loading the state file.
Paths consist of a list of steps, each of which may be either getting an
attribute value by name, or indexing into a collection by string or
number.
To serialize these without building a complex parser for a compact
string form, we render a nested array of small objects, like so:
[
[
{ type: "get_attr", value: "foo" },
{ type: "index", value: { "type": "number", "value": 2 } }
]
]
The above example is equivalent to a path `foo[2]`.
* Format diffs with map types
Comparisons need unmarked values to operate on,
so create unmarked values for those operations. Additionally,
change diff to cover map types
* Remove debugging printing
* Fix bug with marking non-sensitive values
When pulling a sensitive value from state,
we were previously using those marks to remark
the planned new value, but that new value
might *not* be sensitive, so let's not do that
* Fix apply test
Apply was not passing the second state
through to the third pass at apply
* Consistency in checking for length of paths vs inspecting into value
* In apply, don't mark with before paths
* AttrPaths test coverage for DeepCopy
* Revert format changes
Reverts format changes in format/diff for this
branch so those changes can be discussed on a separate PR
* Refactor name of AttrPaths to AttrSensitivePaths
* Rename AttributePaths/attributePaths for naming consistency
Co-authored-by: Alisdair McDiarmid <alisdair@users.noreply.github.com>
2020-09-24 18:40:17 +02:00
|
|
|
|
|
|
|
|
func TestVersion4_unmarshalPaths(t *testing.T) {
|
|
|
|
|
testCases := map[string]struct {
|
|
|
|
|
json string
|
|
|
|
|
paths []cty.Path
|
|
|
|
|
diags []string
|
|
|
|
|
}{
|
|
|
|
|
"no paths": {
|
|
|
|
|
json: `[]`,
|
|
|
|
|
paths: []cty.Path{},
|
|
|
|
|
},
|
|
|
|
|
"attribute path": {
|
|
|
|
|
json: `[
|
|
|
|
|
[
|
|
|
|
|
{
|
|
|
|
|
"type": "get_attr",
|
|
|
|
|
"value": "password"
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
]`,
|
|
|
|
|
paths: []cty.Path{cty.GetAttrPath("password")},
|
|
|
|
|
},
|
|
|
|
|
"attribute and string index": {
|
|
|
|
|
json: `[
|
|
|
|
|
[
|
|
|
|
|
{
|
|
|
|
|
"type": "get_attr",
|
|
|
|
|
"value": "triggers"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"type": "index",
|
|
|
|
|
"value": {
|
|
|
|
|
"value": "secret",
|
|
|
|
|
"type": "string"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
]`,
|
|
|
|
|
paths: []cty.Path{cty.GetAttrPath("triggers").IndexString("secret")},
|
|
|
|
|
},
|
|
|
|
|
"attribute, number index, attribute": {
|
|
|
|
|
json: `[
|
|
|
|
|
[
|
|
|
|
|
{
|
|
|
|
|
"type": "get_attr",
|
|
|
|
|
"value": "identities"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"type": "index",
|
|
|
|
|
"value": {
|
|
|
|
|
"value": 2,
|
|
|
|
|
"type": "number"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"type": "get_attr",
|
|
|
|
|
"value": "private_key"
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
]`,
|
|
|
|
|
paths: []cty.Path{cty.GetAttrPath("identities").IndexInt(2).GetAttr("private_key")},
|
|
|
|
|
},
|
|
|
|
|
"multiple paths": {
|
|
|
|
|
json: `[
|
|
|
|
|
[
|
|
|
|
|
{
|
|
|
|
|
"type": "get_attr",
|
|
|
|
|
"value": "alpha"
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
[
|
|
|
|
|
{
|
|
|
|
|
"type": "get_attr",
|
|
|
|
|
"value": "beta"
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
[
|
|
|
|
|
{
|
|
|
|
|
"type": "get_attr",
|
|
|
|
|
"value": "gamma"
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
]`,
|
|
|
|
|
paths: []cty.Path{cty.GetAttrPath("alpha"), cty.GetAttrPath("beta"), cty.GetAttrPath("gamma")},
|
|
|
|
|
},
|
|
|
|
|
"errors": {
|
|
|
|
|
json: `[
|
|
|
|
|
[
|
|
|
|
|
{
|
|
|
|
|
"type": "get_attr",
|
|
|
|
|
"value": 5
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
[
|
|
|
|
|
{
|
|
|
|
|
"type": "index",
|
|
|
|
|
"value": "test"
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
[
|
|
|
|
|
{
|
|
|
|
|
"type": "invalid_type",
|
|
|
|
|
"value": ["this is invalid too"]
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
]`,
|
|
|
|
|
paths: []cty.Path{},
|
|
|
|
|
diags: []string{
|
|
|
|
|
"Failed to unmarshal get attr step name",
|
|
|
|
|
"Failed to unmarshal index step key",
|
|
|
|
|
"Unsupported path step",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
"one invalid path, others valid": {
|
|
|
|
|
json: `[
|
|
|
|
|
[
|
|
|
|
|
{
|
|
|
|
|
"type": "get_attr",
|
|
|
|
|
"value": "alpha"
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
[
|
|
|
|
|
{
|
|
|
|
|
"type": "invalid_type",
|
|
|
|
|
"value": ["this is invalid too"]
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
[
|
|
|
|
|
{
|
|
|
|
|
"type": "get_attr",
|
|
|
|
|
"value": "gamma"
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
]`,
|
|
|
|
|
paths: []cty.Path{cty.GetAttrPath("alpha"), cty.GetAttrPath("gamma")},
|
|
|
|
|
diags: []string{"Unsupported path step"},
|
|
|
|
|
},
|
|
|
|
|
"invalid structure": {
|
|
|
|
|
json: `{}`,
|
|
|
|
|
paths: []cty.Path{},
|
|
|
|
|
diags: []string{"Error unmarshaling path steps"},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for name, tc := range testCases {
|
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
|
paths, diags := unmarshalPaths([]byte(tc.json))
|
|
|
|
|
|
|
|
|
|
if len(tc.diags) == 0 {
|
|
|
|
|
if len(diags) != 0 {
|
|
|
|
|
t.Errorf("expected no diags, got: %#v", diags)
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if got, want := len(diags), len(tc.diags); got != want {
|
|
|
|
|
t.Fatalf("got %d diags, want %d\n%s", got, want, diags.Err())
|
|
|
|
|
}
|
|
|
|
|
for i := range tc.diags {
|
|
|
|
|
got := tfdiags.Diagnostics{diags[i]}.Err().Error()
|
|
|
|
|
if !strings.Contains(got, tc.diags[i]) {
|
|
|
|
|
t.Errorf("expected diag %d to contain %q, but was:\n%s", i, tc.diags[i], got)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(paths) != len(tc.paths) {
|
|
|
|
|
t.Fatalf("got %d paths, want %d", len(paths), len(tc.paths))
|
|
|
|
|
}
|
|
|
|
|
for i, path := range paths {
|
|
|
|
|
if !path.Equals(tc.paths[i]) {
|
|
|
|
|
t.Errorf("wrong paths\n got: %#v\nwant: %#v", path, tc.paths[i])
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestVersion4_marshalPaths(t *testing.T) {
|
|
|
|
|
testCases := map[string]struct {
|
|
|
|
|
paths []cty.Path
|
|
|
|
|
json string
|
|
|
|
|
}{
|
|
|
|
|
"no paths": {
|
|
|
|
|
paths: []cty.Path{},
|
|
|
|
|
json: `[]`,
|
|
|
|
|
},
|
|
|
|
|
"attribute path": {
|
|
|
|
|
paths: []cty.Path{cty.GetAttrPath("password")},
|
|
|
|
|
json: `[[{"type":"get_attr","value":"password"}]]`,
|
|
|
|
|
},
|
|
|
|
|
"attribute, number index, attribute": {
|
|
|
|
|
paths: []cty.Path{cty.GetAttrPath("identities").IndexInt(2).GetAttr("private_key")},
|
|
|
|
|
json: `[[{"type":"get_attr","value":"identities"},{"type":"index","value":{"value":2,"type":"number"}},{"type":"get_attr","value":"private_key"}]]`,
|
|
|
|
|
},
|
|
|
|
|
"multiple paths": {
|
|
|
|
|
paths: []cty.Path{cty.GetAttrPath("a"), cty.GetAttrPath("b"), cty.GetAttrPath("c")},
|
|
|
|
|
json: `[[{"type":"get_attr","value":"a"}],[{"type":"get_attr","value":"b"}],[{"type":"get_attr","value":"c"}]]`,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for name, tc := range testCases {
|
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
|
json, diags := marshalPaths(tc.paths)
|
|
|
|
|
|
|
|
|
|
if len(diags) != 0 {
|
|
|
|
|
t.Fatalf("expected no diags, got: %#v", diags)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if got, want := string(json), tc.json; got != want {
|
|
|
|
|
t.Fatalf("wrong JSON output\n got: %s\nwant: %s\n", got, want)
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|