-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Strip secret values from Configure #2437
base: master
Are you sure you want to change the base?
Conversation
276ac8e
to
90e406e
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #2437 +/- ##
==========================================
+ Coverage 57.40% 57.44% +0.03%
==========================================
Files 369 369
Lines 50250 50299 +49
==========================================
+ Hits 28848 28894 +46
- Misses 19822 19825 +3
Partials 1580 1580 ☔ View full report in Codecov by Sentry. |
b18ba93
to
2b3f3c7
Compare
1b2a5ce
to
8989436
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since pulumi/pulumi-gcp#2405 doesn't really have any context on why this happened, can we add some background in the PR description?
8989436
to
da54c20
Compare
da54c20
to
4acb843
Compare
I'm not comfortable here. Is it the case that Configure started receiving secrets in |
@@ -68,19 +68,33 @@ func (*ConfigEncoding) tryUnwrapSecret(encoded any) (any, bool) { | |||
} | |||
|
|||
func (enc *ConfigEncoding) convertStringToPropertyValue(s string, typ shim.ValueType) (resource.PropertyValue, error) { | |||
// If the schema expects a string, we can just return this as-is. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems rather risky. The former behavior of treating strings plainly was there for a reason, and in my last archaeology round I couldn't fully recover it so I left it as-is. Stringly typed values were not subject to ConfigEncoding, I think. This code was not designed to handle secrets, but the change does more than introduce secret handling.
Now for something of type string that "looks like" JSON without any secrets, the new code will try to parse it and in case of success introduce changes that might be unwanted?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Stringly typed values were not subject to ConfigEncoding, I think.
They weren't, but this means that string values cannot be secret if they are encoded like other values. This seems pretty suspect to me.
This code was not designed to handle secrets, but the change does more than introduce secret handling.
This code does need to handle secrets, with or without #2410.
Now for something of type string that "looks like" JSON without any secrets, the new code will try to parse it and in case of success introduce changes that might be unwanted?
Only if the thing that "looks like" JSON looks like a JSON encoded secret or computed string. If we trust that pulumi signifier keys don't appear in the wild1, then this is safe.
Footnotes
-
We already make this assumption on the wire. ↩
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is suspect in indeed but this is the production behavior. Is your change needed to fix the listed issue? How so? Is this a change that's a refactor for reasons separate from pulumi/pulumi-gcp#2405 ?
return p.GrpcProvider.Configure(ctx, req) | ||
} | ||
|
||
func removeSecrets(pMap resource.PropertyMap) resource.PropertyMap { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope, I didn't see that.
@@ -80,5 +81,41 @@ func (p providerThunk) Configure( | |||
if ctx.Value(setupConfigureKey) != nil { | |||
return plugin.ConfigureResponse{}, nil | |||
} | |||
req.Inputs = removeSecrets(req.Inputs) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm confused here, is the panic we're trying to fix scoped to PF, or SDKv2, or both?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just PF (and muxed providers that use PF).
This PR relies on unreverting #2410. |
Fixes pulumi/pulumi-gcp#2405