Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Strip secret values from Configure #2437

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

iwahbe
Copy link
Member

@iwahbe iwahbe commented Sep 24, 2024

@iwahbe iwahbe self-assigned this Sep 24, 2024
@iwahbe iwahbe force-pushed the iwahbe/2405/strip-configure-secrets branch from 276ac8e to 90e406e Compare September 24, 2024 09:40
@iwahbe iwahbe marked this pull request as draft September 24, 2024 09:40
Copy link

codecov bot commented Sep 24, 2024

Codecov Report

Attention: Patch coverage is 94.54545% with 3 lines in your changes missing coverage. Please review.

Project coverage is 57.44%. Comparing base (22452e6) to head (4acb843).

Files with missing lines Patch % Lines
pf/internal/plugin/provider_server.go 90.32% 3 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2437      +/-   ##
==========================================
+ Coverage   57.40%   57.44%   +0.03%     
==========================================
  Files         369      369              
  Lines       50250    50299      +49     
==========================================
+ Hits        28848    28894      +46     
- Misses      19822    19825       +3     
  Partials     1580     1580              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@iwahbe iwahbe force-pushed the iwahbe/2405/strip-configure-secrets branch from b18ba93 to 2b3f3c7 Compare September 24, 2024 11:36
@iwahbe iwahbe marked this pull request as ready for review September 24, 2024 11:36
@iwahbe iwahbe requested review from guineveresaenger and a team September 24, 2024 11:36
@iwahbe iwahbe force-pushed the iwahbe/2405/strip-configure-secrets branch 2 times, most recently from 1b2a5ce to 8989436 Compare September 24, 2024 11:53
Copy link
Contributor

@guineveresaenger guineveresaenger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since pulumi/pulumi-gcp#2405 doesn't really have any context on why this happened, can we add some background in the PR description?

pf/internal/plugin/provider_server.go Outdated Show resolved Hide resolved
pf/internal/plugin/provider_server.go Show resolved Hide resolved
pf/internal/plugin/provider_server.go Show resolved Hide resolved
pkg/tfbridge/config_encoding.go Outdated Show resolved Hide resolved
@iwahbe iwahbe force-pushed the iwahbe/2405/strip-configure-secrets branch from 8989436 to da54c20 Compare September 24, 2024 17:50
@iwahbe iwahbe force-pushed the iwahbe/2405/strip-configure-secrets branch from da54c20 to 4acb843 Compare September 24, 2024 17:55
@t0yv0
Copy link
Member

t0yv0 commented Sep 24, 2024

I'm not comfortable here.

Is it the case that Configure started receiving secrets in req.GetArgs() where it didn't do that before? If so was it an unintended change in #2410 ?

@@ -68,19 +68,33 @@ func (*ConfigEncoding) tryUnwrapSecret(encoded any) (any, bool) {
}

func (enc *ConfigEncoding) convertStringToPropertyValue(s string, typ shim.ValueType) (resource.PropertyValue, error) {
// If the schema expects a string, we can just return this as-is.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems rather risky. The former behavior of treating strings plainly was there for a reason, and in my last archaeology round I couldn't fully recover it so I left it as-is. Stringly typed values were not subject to ConfigEncoding, I think. This code was not designed to handle secrets, but the change does more than introduce secret handling.

Now for something of type string that "looks like" JSON without any secrets, the new code will try to parse it and in case of success introduce changes that might be unwanted?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Stringly typed values were not subject to ConfigEncoding, I think.

They weren't, but this means that string values cannot be secret if they are encoded like other values. This seems pretty suspect to me.

This code was not designed to handle secrets, but the change does more than introduce secret handling.

This code does need to handle secrets, with or without #2410.

Now for something of type string that "looks like" JSON without any secrets, the new code will try to parse it and in case of success introduce changes that might be unwanted?

Only if the thing that "looks like" JSON looks like a JSON encoded secret or computed string. If we trust that pulumi signifier keys don't appear in the wild1, then this is safe.

Footnotes

  1. We already make this assumption on the wire.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is suspect in indeed but this is the production behavior. Is your change needed to fix the listed issue? How so? Is this a change that's a refactor for reasons separate from pulumi/pulumi-gcp#2405 ?

return p.GrpcProvider.Configure(ctx, req)
}

func removeSecrets(pMap resource.PropertyMap) resource.PropertyMap {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nope, I didn't see that.

@@ -80,5 +81,41 @@ func (p providerThunk) Configure(
if ctx.Value(setupConfigureKey) != nil {
return plugin.ConfigureResponse{}, nil
}
req.Inputs = removeSecrets(req.Inputs)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm confused here, is the panic we're trying to fix scoped to PF, or SDKv2, or both?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just PF (and muxed providers that use PF).

@iwahbe
Copy link
Member Author

iwahbe commented Sep 25, 2024

This PR relies on unreverting #2410.

iwahbe added a commit that referenced this pull request Sep 26, 2024
This test is borrowed from #2437. It
would have caught prevented #2439.
iwahbe added a commit that referenced this pull request Sep 26, 2024
This test is borrowed from
#2437. These tests
would have prevented
#2439.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

v8.2.0 seeing failed assertions leading to panics in terraform bridge
3 participants