feat: check user config for redacted creds

aiven · Sep 12, 2024 · 5c226fd · 5c226fd
1 parent 934ab19
commit 5c226fd
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 0 deletions.
diff --git a/internal/schemautil/service.go b/internal/schemautil/service.go
@@ -1,7 +1,9 @@
 package schemautil
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"strconv"
@@ -334,6 +336,12 @@ func ResourceServiceRead(ctx context.Context, d *schema.ResourceData, m interfac
 		return nil
 	}
 
+	// The GET with include_secrets=true must not return redacted creds
+	err = ContainsRedactedCreds(s.UserConfig)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
 	servicePlanParams, err := GetServicePlanParametersFromServiceResponse(ctx, client, projectName, s)
 	if err != nil {
 		return diag.Errorf("unable to get service plan parameters: %s", err)
@@ -964,3 +972,20 @@ func ExpandService(name string, d *schema.ResourceData) (map[string]any, error)
 func FlattenService(name string, d *schema.ResourceData, dto map[string]any) error {
 	return converters.Flatten(converters.ServiceUserConfig, name, d, dto)
 }
+
+const redactedSubstr = `\u003credacted\u003e`
+
+var errContainsRedactedCreds = fmt.Errorf("unexpected redacted credentials")
+
+// ContainsRedactedCreds looks for redactedSubstr in the given config
+func ContainsRedactedCreds(config map[string]any) error {
+	b, err := json.Marshal(&config)
+	if err != nil {
+		return err
+	}
+
+	if bytes.Contains(b, []byte(redactedSubstr)) {
+		return errContainsRedactedCreds
+	}
+	return nil
+}
diff --git a/internal/schemautil/service_test.go b/internal/schemautil/service_test.go
@@ -0,0 +1,38 @@
+package schemautil
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestContainsRedactedCreds(t *testing.T) {
+	cases := []struct {
+		name     string
+		hash     map[string]any
+		expected error
+	}{
+		{
+			name:     "contains redacted",
+			hash:     map[string]any{"password": "<redacted>"},
+			expected: errContainsRedactedCreds,
+		},
+		{
+			name:     "contains invalid redacted",
+			hash:     map[string]any{"password": "<REDACTED>"},
+			expected: nil,
+		},
+		{
+			name:     "does not contain redacted",
+			hash:     map[string]any{"password": "123"},
+			expected: nil,
+		},
+	}
+
+	for _, opt := range cases {
+		t.Run(opt.name, func(t *testing.T) {
+			err := ContainsRedactedCreds(opt.hash)
+			assert.Equal(t, err, opt.expected)
+		})
+	}
+}
diff --git a/internal/sdkprovider/service/serviceintegration/service_integration_endpoint.go b/internal/sdkprovider/service/serviceintegration/service_integration_endpoint.go
@@ -116,6 +116,11 @@ func resourceServiceIntegrationEndpointRead(ctx context.Context, d *schema.Resou
 		return schemautil.ResourceReadHandleNotFound(err, d)
 	}
 
+	err = schemautil.ContainsRedactedCreds(endpoint.EndpointConfig)
+	if err != nil {
+		return err
+	}
+
 	err = copyServiceIntegrationEndpointPropertiesFromAPIResponseToTerraform(d, endpoint, projectName)
 	if err != nil {
 		return err