package stack
import (
"context"
"encoding/json"
"errors"
"fmt"
"os"
"strings"
"testing"
"github.com/pulumi/pulumi/pkg/v3/secrets"
"github.com/pulumi/pulumi/pkg/v3/secrets/b64"
"github.com/pulumi/pulumi/sdk/v3/go/common/encoding"
"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
"github.com/pulumi/pulumi/sdk/v3/go/common/resource/config"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// testSecretsManager is a test double that serves as its own encrypter and
// decrypter and records how many times each operation runs. The values it
// produces embed the plaintext verbatim, so it provides no confidentiality
// and is only suitable for counting calls in tests.
type testSecretsManager struct {
	// encryptCalls is bumped by every EncryptValue call; decryptCalls is
	// bumped by every DecryptValue call.
	encryptCalls, decryptCalls int
}
// Type reports the fixed type name of this test manager.
func (t *testSecretsManager) Type() string {
	const name = "test"
	return name
}
// State returns nil: this test manager carries no serializable state.
func (t *testSecretsManager) State() json.RawMessage {
	var none json.RawMessage
	return none
}
// Encrypter returns the manager itself as the encrypter, so every encryption
// goes through EncryptValue on this same instance and is counted there.
func (t *testSecretsManager) Encrypter() (config.Encrypter, error) {
	var enc config.Encrypter = t
	return enc, nil
}
// Decrypter returns the manager itself as the decrypter, so every decryption
// goes through DecryptValue on this same instance and is counted there.
func (t *testSecretsManager) Decrypter() (config.Decrypter, error) {
	var dec config.Decrypter = t
	return dec, nil
}
// EncryptValue increments the encrypt counter and returns
// "<counter>:<plaintext>". The counter prefix makes two encryptions of the
// same plaintext produce different outputs. The plaintext is carried in the
// clear, so this is a call-counting stand-in, not real encryption.
//
// ctx is accepted to satisfy the encrypter interface and is not used.
func (t *testSecretsManager) EncryptValue(
	ctx context.Context, plaintext string,
) (string, error) {
	t.encryptCalls++
	seq := t.encryptCalls
	return fmt.Sprintf("%v:%v", seq, plaintext), nil
}
// DecryptValue increments the decrypt counter and returns everything after
// the first ':' in ciphertext, which undoes the "<counter>:<plaintext>"
// framing written by EncryptValue. A ciphertext with no ':' is rejected with
// an error. The counter is incremented before the format check, so malformed
// input is counted as a call too.
//
// ctx is accepted to satisfy the decrypter interface and is not used.
func (t *testSecretsManager) DecryptValue(
	ctx context.Context, ciphertext string,
) (string, error) {
	t.decryptCalls++

	sep := strings.IndexByte(ciphertext, ':')
	if sep < 0 {
		return "", errors.New("invalid ciphertext format")
	}

	// Split at the first ':' only, so colons inside the plaintext survive.
	return ciphertext[sep+1:], nil
}
// BulkDecrypt hands the whole batch to config.DefaultBulkDecrypt with this
// manager as the decrypter.
// NOTE(review): presumably DefaultBulkDecrypt calls DecryptValue once per
// ciphertext, which would bump decryptCalls for each; confirm.
func (t *testSecretsManager) BulkDecrypt(
	ctx context.Context, ciphertexts []string,
) (map[string]string, error) {
	plaintexts, err := config.DefaultBulkDecrypt(ctx, t, ciphertexts)
	return plaintexts, err
}
// deserializeProperty round-trips v through encoding/json and passes the
// re-decoded value to DeserializePropertyValue with dec as the decrypter.
//
// The third argument is config.NewPanicCrypter().
// NOTE(review): presumably that makes any use of that crypter on this path
// panic instead of silently succeeding; confirm.
//
// On a marshal or unmarshal failure the zero resource.PropertyValue is
// returned together with the error.
func deserializeProperty(v interface{}, dec config.Decrypter) (resource.PropertyValue, error) {
	var zero resource.PropertyValue

	raw, err := json.Marshal(v)
	if err != nil {
		return zero, err
	}

	// Decode back into v itself so the value handed on has the shape produced
	// by JSON decoding rather than the original Go value.
	err = json.Unmarshal(raw, &v)
	if err != nil {
		return zero, err
	}

	return DeserializePropertyValue(v, dec, config.NewPanicCrypter())
}
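// TestCachingCrypter checks that the caching secrets manager reuses ciphertext
// per secret instance: serializing a secret that was already serialized must
// not call the underlying encrypter again, while a different secret holding the
// same plaintext is encrypted separately and gets its own ciphertext. It also
// checks that values decrypted through a fresh caching manager can be
// serialized back to their original ciphertext without another encryption.
//
// Error checks use require rather than assert, so a failed step stops the test
// instead of passing a nil encrypter/decrypter or an empty result to the steps
// that follow.
func TestCachingCrypter(t *testing.T) {
	t.Parallel()

	ctx := context.Background()
	sm := &testSecretsManager{}
	csm := NewCachingSecretsManager(sm)

	// foo1 and foo2 hold the same plaintext but are distinct secret instances.
	foo1 := resource.MakeSecret(resource.NewStringProperty("foo"))
	foo2 := resource.MakeSecret(resource.NewStringProperty("foo"))
	bar := resource.MakeSecret(resource.NewStringProperty("bar"))

	enc, err := csm.Encrypter()
	require.NoError(t, err)

	// Serialize the first copy of "foo". Encrypt should be called once, as this value has not yet been encrypted.
	foo1Ser, err := SerializePropertyValue(ctx, foo1, enc, false /* showSecrets */)
	require.NoError(t, err)
	assert.Equal(t, 1, sm.encryptCalls)

	// Serialize the second copy of "foo". Because this is a different secret instance, Encrypt should be called
	// a second time even though the plaintext is the same as the last value we encrypted.
	foo2Ser, err := SerializePropertyValue(ctx, foo2, enc, false /* showSecrets */)
	require.NoError(t, err)
	assert.Equal(t, 2, sm.encryptCalls)
	assert.NotEqual(t, foo1Ser, foo2Ser)

	// Serialize "bar". Encrypt should be called once, as this value has not yet been encrypted.
	barSer, err := SerializePropertyValue(ctx, bar, enc, false /* showSecrets */)
	require.NoError(t, err)
	assert.Equal(t, 3, sm.encryptCalls)

	// Serialize the first copy of "foo" again. Encrypt should not be called, as this value has already been
	// encrypted.
	foo1Ser2, err := SerializePropertyValue(ctx, foo1, enc, false /* showSecrets */)
	require.NoError(t, err)
	assert.Equal(t, 3, sm.encryptCalls)
	assert.Equal(t, foo1Ser, foo1Ser2)

	// Serialize the second copy of "foo" again. Encrypt should not be called, as this value has already been
	// encrypted.
	foo2Ser2, err := SerializePropertyValue(ctx, foo2, enc, false /* showSecrets */)
	require.NoError(t, err)
	assert.Equal(t, 3, sm.encryptCalls)
	assert.Equal(t, foo2Ser, foo2Ser2)

	// Serialize "bar" again. Encrypt should not be called, as this value has already been encrypted.
	barSer2, err := SerializePropertyValue(ctx, bar, enc, false /* showSecrets */)
	require.NoError(t, err)
	assert.Equal(t, 3, sm.encryptCalls)
	assert.Equal(t, barSer, barSer2)

	dec, err := csm.Decrypter()
	require.NoError(t, err)

	// Decrypt foo1Ser. Decrypt should be called.
	foo1Dec, err := deserializeProperty(foo1Ser, dec)
	require.NoError(t, err)
	assert.True(t, foo1.DeepEquals(foo1Dec))
	assert.Equal(t, 1, sm.decryptCalls)

	// Decrypt foo2Ser. Decrypt should be called.
	foo2Dec, err := deserializeProperty(foo2Ser, dec)
	require.NoError(t, err)
	assert.True(t, foo2.DeepEquals(foo2Dec))
	assert.Equal(t, 2, sm.decryptCalls)

	// Decrypt barSer. Decrypt should be called.
	barDec, err := deserializeProperty(barSer, dec)
	require.NoError(t, err)
	assert.True(t, bar.DeepEquals(barDec))
	assert.Equal(t, 3, sm.decryptCalls)

	// Create a new CachingSecretsManager and re-run the decrypts. Each decrypt should insert the plain- and
	// ciphertext into the cache with the associated secret.
	csm = NewCachingSecretsManager(sm)

	dec, err = csm.Decrypter()
	require.NoError(t, err)

	// Decrypt foo1Ser. Decrypt should be called.
	foo1Dec, err = deserializeProperty(foo1Ser, dec)
	require.NoError(t, err)
	assert.True(t, foo1.DeepEquals(foo1Dec))
	assert.Equal(t, 4, sm.decryptCalls)

	// Decrypt foo2Ser. Decrypt should be called.
	foo2Dec, err = deserializeProperty(foo2Ser, dec)
	require.NoError(t, err)
	assert.True(t, foo2.DeepEquals(foo2Dec))
	assert.Equal(t, 5, sm.decryptCalls)

	// Decrypt barSer. Decrypt should be called.
	barDec, err = deserializeProperty(barSer, dec)
	require.NoError(t, err)
	assert.True(t, bar.DeepEquals(barDec))
	assert.Equal(t, 6, sm.decryptCalls)

	enc, err = csm.Encrypter()
	require.NoError(t, err)

	// Serialize the first copy of "foo" again. Encrypt should not be called, as this value has already been
	// cached by the earlier calls to Decrypt.
	foo1Ser2, err = SerializePropertyValue(ctx, foo1Dec, enc, false /* showSecrets */)
	require.NoError(t, err)
	assert.Equal(t, 3, sm.encryptCalls)
	assert.Equal(t, foo1Ser, foo1Ser2)

	// Serialize the second copy of "foo" again. Encrypt should not be called, as this value has already been
	// cached by the earlier calls to Decrypt.
	foo2Ser2, err = SerializePropertyValue(ctx, foo2Dec, enc, false /* showSecrets */)
	require.NoError(t, err)
	assert.Equal(t, 3, sm.encryptCalls)
	assert.Equal(t, foo2Ser, foo2Ser2)

	// Serialize "bar" again. Encrypt should not be called, as this value has already been cached by the
	// earlier calls to Decrypt.
	barSer2, err = SerializePropertyValue(ctx, barDec, enc, false /* showSecrets */)
	require.NoError(t, err)
	assert.Equal(t, 3, sm.encryptCalls)
	assert.Equal(t, barSer, barSer2)
}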
// mapTestSecretsProvider is a secrets provider for tests. It keeps a handle
// on the manager it creates so a test can inspect that manager's decrypter
// after deserialization has run.
type mapTestSecretsProvider struct {
	// m is set by each successful OfType call to the manager it returned.
	m *mapTestSecretsManager
}
// OfType asks b64.Base64SecretsProvider for a manager of the given type and
// state, wraps it in a mapTestSecretsManager, stores the wrapper on p, and
// returns it. If the b64 provider fails, its error is returned and p.m is left
// unchanged.
// NOTE(review): the b64 provider's name suggests base64 encoding rather than
// real encryption, i.e. test-only secrecy; confirm.
func (p *mapTestSecretsProvider) OfType(ty string, state json.RawMessage) (secrets.Manager, error) {
	inner, err := b64.Base64SecretsProvider.OfType(ty, state)
	if err != nil {
		return nil, err
	}

	wrapped := &mapTestSecretsManager{sm: inner}
	p.m = wrapped
	return wrapped, nil
}
// mapTestSecretsManager wraps another secrets manager and instruments its
// decrypter so tests can see how decryption was requested.
type mapTestSecretsManager struct {
	// sm is the wrapped manager that does the real work.
	sm secrets.Manager

	// d is the counting decrypter created by the most recent successful
	// Decrypter call; it is nil until then.
	d *mapTestDecrypter
}
// Type forwards to the wrapped manager's Type.
func (t *mapTestSecretsManager) Type() string {
	return t.sm.Type()
}
// State forwards to the wrapped manager's State.
func (t *mapTestSecretsManager) State() json.RawMessage {
	return t.sm.State()
}
// Encrypter returns the wrapped manager's encrypter unchanged. Only the
// decryption side of this wrapper is instrumented.
func (t *mapTestSecretsManager) Encrypter() (config.Encrypter, error) {
	enc, err := t.sm.Encrypter()
	return enc, err
}
// Decrypter gets the wrapped manager's decrypter, wraps it in a fresh
// mapTestDecrypter with zeroed counters, stores that wrapper on t, and returns
// it. If the wrapped manager fails, its error is returned and t.d is left
// unchanged.
func (t *mapTestSecretsManager) Decrypter() (config.Decrypter, error) {
	inner, err := t.sm.Decrypter()
	if err != nil {
		return nil, err
	}

	counting := &mapTestDecrypter{d: inner}
	t.d = counting
	return counting, nil
}
// mapTestDecrypter wraps a decrypter and counts single-value and bulk decrypt
// requests separately.
type mapTestDecrypter struct {
	// d is the wrapped decrypter that performs the actual decryption.
	d config.Decrypter

	// decryptCalls counts DecryptValue calls on this wrapper;
	// bulkDecryptCalls counts BulkDecrypt calls on this wrapper.
	decryptCalls, bulkDecryptCalls int
}
// DecryptValue counts the call and then forwards ctx and ciphertext to the
// wrapped decrypter, returning its result unchanged.
func (t *mapTestDecrypter) DecryptValue(
	ctx context.Context, ciphertext string,
) (string, error) {
	t.decryptCalls++
	plaintext, err := t.d.DecryptValue(ctx, ciphertext)
	return plaintext, err
}
// BulkDecrypt counts the call and then runs config.DefaultBulkDecrypt against
// the wrapped decrypter.
//
// The wrapped decrypter t.d is passed rather than t itself, so whatever
// per-value decryption DefaultBulkDecrypt performs does not go through this
// wrapper's DecryptValue and leaves decryptCalls untouched.
func (t *mapTestDecrypter) BulkDecrypt(
	ctx context.Context, ciphertexts []string,
) (map[string]string, error) {
	t.bulkDecryptCalls++
	plaintexts, err := config.DefaultBulkDecrypt(ctx, t.d, ciphertexts)
	return plaintexts, err
}
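// TestMapCrypter loads a checkpoint fixture that contains secrets,
// deserializes its latest deployment through an instrumented secrets provider,
// and checks that decryption went through exactly one BulkDecrypt call and no
// DecryptValue calls on the instrumented decrypter.
//
// The chk.Latest pointer and the provider's manager and decrypter are checked
// for nil before use. If the fixture has no deployment, or deserialization
// never asked the provider for a manager or decrypter, the test then fails
// with a clear message instead of a nil-pointer panic.
func TestMapCrypter(t *testing.T) {
	t.Parallel()

	ctx := context.Background()

	data, err := os.ReadFile("testdata/checkpoint-secrets.json")
	require.NoError(t, err)

	chk, err := UnmarshalVersionedCheckpointToLatestCheckpoint(encoding.JSON, data)
	require.NoError(t, err)
	require.NotNil(t, chk.Latest, "checkpoint fixture has no deployment")

	var prov mapTestSecretsProvider

	_, err = DeserializeDeploymentV3(ctx, *chk.Latest, &prov)
	require.NoError(t, err)

	// prov.m is only set by OfType and prov.m.d only by Decrypter.
	require.NotNil(t, prov.m, "secrets provider was never asked for a manager")
	require.NotNil(t, prov.m.d, "secrets manager was never asked for a decrypter")

	d := prov.m.d
	assert.Equal(t, 1, d.bulkDecryptCalls)
	assert.Equal(t, 0, d.decryptCalls)
}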