From 60146bd58597cbf53c6f32fe1a6494f8ac6c479f Mon Sep 17 00:00:00 2001 From: Kazuma Watanabe Date: Sun, 19 Mar 2023 08:29:50 +0000 Subject: [PATCH] Handle sensitive values on the plugin side --- docs/developer-guide/api_compatibility.md | 5 +++ go.mod | 2 +- go.sum | 4 +-- plugin/server.go | 10 +++--- plugin/server_test.go | 17 +++++++++-- terraform/evaluator.go | 2 +- terraform/evaluator_test.go | 2 +- terraform/lang/funcs/collection_test.go | 2 +- terraform/lang/funcs/conversion.go | 2 +- terraform/lang/funcs/conversion_test.go | 2 +- terraform/lang/funcs/encoding_test.go | 2 +- terraform/lang/funcs/filesystem_test.go | 2 +- terraform/lang/funcs/number_test.go | 2 +- terraform/lang/funcs/redact.go | 2 +- terraform/lang/funcs/redact_test.go | 2 +- terraform/lang/funcs/sensitive.go | 2 +- terraform/lang/funcs/sensitive_test.go | 2 +- terraform/lang/functions_test.go | 2 +- terraform/lang/marks/marks.go | 37 ----------------------- 19 files changed, 40 insertions(+), 61 deletions(-) delete mode 100644 terraform/lang/marks/marks.go diff --git a/docs/developer-guide/api_compatibility.md b/docs/developer-guide/api_compatibility.md index ba85db67f..5711e65ac 100644 --- a/docs/developer-guide/api_compatibility.md +++ b/docs/developer-guide/api_compatibility.md @@ -23,3 +23,8 @@ TFLint version: v0.40.0+ - Expand mode is only supported by SDK v0.14.0+ and TFLint v0.42.0+. - https://github.com/terraform-linters/tflint/pull/1537 - https://github.com/terraform-linters/tflint-plugin-sdk/pull/208 +- Client-side value handling is introduced in SDK v0.16.0 and TFLint v0.46.0. TFLint v0.45.0 returns an error instead of a value. + - https://github.com/terraform-linters/tflint/pull/1700 + - https://github.com/terraform-linters/tflint/pull/1722 + - https://github.com/terraform-linters/tflint-plugin-sdk/pull/235 + - https://github.com/terraform-linters/tflint-plugin-sdk/pull/239 diff --git a/go.mod b/go.mod index e522e6303..82fda8d9d 100644 --- a/go.mod +++ b/go.mod 
@@ -24,7 +24,7 @@ require ( github.com/sourcegraph/go-lsp v0.0.0-20200429204803-219e11d77f5d github.com/sourcegraph/jsonrpc2 v0.1.0 github.com/spf13/afero v1.9.5 - github.com/terraform-linters/tflint-plugin-sdk v0.15.1-0.20230225141907-dd804b3671af + github.com/terraform-linters/tflint-plugin-sdk v0.15.1-0.20230319075009-18f94f9e79ff github.com/terraform-linters/tflint-ruleset-terraform v0.2.2 github.com/xeipuuv/gojsonschema v1.2.0 github.com/zclconf/go-cty v1.12.1 diff --git a/go.sum b/go.sum index 2d2d8cfe4..e58270160 100644 --- a/go.sum +++ b/go.sum @@ -457,8 +457,8 @@ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1F github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/terraform-linters/tflint-plugin-sdk v0.15.1-0.20230225141907-dd804b3671af h1:TAsqOUKu3DXg6ZmV3igB8ksKkHkaQrdSdZfCE3Ff7nc= -github.com/terraform-linters/tflint-plugin-sdk v0.15.1-0.20230225141907-dd804b3671af/go.mod h1:g5UIXcskejxp38JWqvYqEb/HkvIX6X6luEdS60yimTw= +github.com/terraform-linters/tflint-plugin-sdk v0.15.1-0.20230319075009-18f94f9e79ff h1:ptMeRR1hlGiQmmkzhv250LF3rCo0H8sZf4W+AMeeHUk= +github.com/terraform-linters/tflint-plugin-sdk v0.15.1-0.20230319075009-18f94f9e79ff/go.mod h1:g5UIXcskejxp38JWqvYqEb/HkvIX6X6luEdS60yimTw= github.com/terraform-linters/tflint-ruleset-terraform v0.2.2 h1:iTE09KkaZ0DE29xvp6IIM1/gmas9V0h8CER28SyBmQ8= github.com/terraform-linters/tflint-ruleset-terraform v0.2.2/go.mod h1:bCkvH8Vqzr16bWEE3e6Q3hvdZlmSAOR8i6G3M5y+M+k= github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8= diff --git a/plugin/server.go b/plugin/server.go index 7793a74b0..c491bb016 100644 --- a/plugin/server.go +++ b/plugin/server.go 
@@ -127,6 +127,11 @@ func (s *GRPCServer) EvaluateExpr(expr hcl.Expression, opts sdk.EvaluateExprOpti return val, diags } + // SDK v0.16+ introduces client-side handling of unknown/NULL/sensitive values. + if s.clientSDKVersion != nil && s.clientSDKVersion.GreaterThanOrEqual(version.Must(version.NewVersion("0.16.0"))) { + return val, nil + } + if val.ContainsMarked() { err := fmt.Errorf( "sensitive value found in %s:%d%w", @@ -138,11 +143,6 @@ func (s *GRPCServer) EvaluateExpr(expr hcl.Expression, opts sdk.EvaluateExprOpti return cty.NullVal(cty.NilType), err } - // SDK v0.16+ introduces client-side handling of unknown and NULL values. - if s.clientSDKVersion != nil && s.clientSDKVersion.GreaterThanOrEqual(version.Must(version.NewVersion("0.16.0"))) { - return val, nil - } - if *opts.WantType == cty.DynamicPseudoType { return val, nil } diff --git a/plugin/server_test.go b/plugin/server_test.go index 8220df444..44ae7b820 100644 --- a/plugin/server_test.go +++ b/plugin/server_test.go @@ -14,6 +14,7 @@ import ( "github.com/spf13/afero" "github.com/terraform-linters/tflint-plugin-sdk/hclext" "github.com/terraform-linters/tflint-plugin-sdk/plugin/host2plugin" + "github.com/terraform-linters/tflint-plugin-sdk/terraform/lang/marks" sdk "github.com/terraform-linters/tflint-plugin-sdk/tflint" "github.com/terraform-linters/tflint/tflint" "github.com/zclconf/go-cty/cty" 
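Review bot: In the first plugin/server.go hunk the `clientSDKVersion` early return now runs before the `val.ContainsMarked()` guard, so for any client reporting SDK 0.16.0 or later the host no longer refuses to hand marked values to the plugin, and the one-line comment does not say what replaces that guarantee. Protection of the value then depends on the marks surviving the gRPC encoding and on the plugin side honouring them, neither of which is visible in this hunk; I would state that in the comment, e.g. `// SDK v0.16+ handles unknown/NULL/sensitive values itself: marked values are returned as-is, so marks must survive serialization to the plugin.` A nil `clientSDKVersion` still falls through to the legacy `ErrSensitive` path, which is the fail-closed default and worth keeping that way. As a smaller style point, `version.Must(version.NewVersion("0.16.0"))` is re-parsed on every call and could be a package-level variable. EvaluateExpr begins and ends outside the hunk.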
@@ -543,18 +544,28 @@ variable "foo" { Args: func() (hcl.Expression, sdk.EvaluateExprOption) { return hclExpr(`var.sensitive`), sdk.EvaluateExprOption{WantType: &cty.String, ModuleCtx: sdk.SelfModuleCtxType} }, - Want: cty.NullVal(cty.NilType), + Want: cty.StringVal("foo").Mark(marks.Sensitive), + ErrCheck: neverHappend, + }, + { + Name: "sensitive value (SDK v0.15)", + Args: func() (hcl.Expression, sdk.EvaluateExprOption) { + return hclExpr(`var.sensitive`), sdk.EvaluateExprOption{WantType: &cty.String, ModuleCtx: sdk.SelfModuleCtxType} + }, + Want: cty.NullVal(cty.NilType), + SDKVersion: sdkv15, ErrCheck: func(err error) bool { return err == nil || !errors.Is(err, sdk.ErrSensitive) }, }, { - Name: "sensitive value in object", + Name: "sensitive value in object (SDK v0.15)", Args: func() (hcl.Expression, sdk.EvaluateExprOption) { ty := cty.Object(map[string]cty.Type{"value": cty.String}) return hclExpr(`{ value = var.sensitive }`), sdk.EvaluateExprOption{WantType: &ty, ModuleCtx: sdk.SelfModuleCtxType} }, - Want: cty.NullVal(cty.NilType), + Want: cty.NullVal(cty.NilType), + SDKVersion: sdkv15, ErrCheck: func(err error) bool { return err == nil || !errors.Is(err, sdk.ErrSensitive) }, diff --git a/terraform/evaluator.go b/terraform/evaluator.go index d076d1a5c..e46f0dafc 100644 --- a/terraform/evaluator.go +++ b/terraform/evaluator.go @@ -9,9 +9,9 @@ import ( "github.com/agext/levenshtein" "github.com/hashicorp/hcl/v2" "github.com/terraform-linters/tflint-plugin-sdk/hclext" + "github.com/terraform-linters/tflint-plugin-sdk/terraform/lang/marks" "github.com/terraform-linters/tflint/terraform/addrs" "github.com/terraform-linters/tflint/terraform/lang" - "github.com/terraform-linters/tflint/terraform/lang/marks" "github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty/convert" ) diff --git a/terraform/evaluator_test.go b/terraform/evaluator_test.go index 03fa6c4ba..f5ae47ff8 100644 --- a/terraform/evaluator_test.go +++ b/terraform/evaluator_test.go 
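Review bot: The only case this hunk adds for the new default path is the plain string `var.sensitive`; the object case `{ value = var.sensitive }` is now pinned to `SDKVersion: sdkv15`, so nothing checks that a nested sensitive mark is preserved when the server returns the value without an error. A companion case for the default SDK version would cover that. The expected value below is inferred from the string case and should be confirmed against how the table compares marked values. The test table itself starts and ends outside the hunk.

```go
// … unchanged: "sensitive value" case for the default SDK version …
{
	Name: "sensitive value in object",
	Args: func() (hcl.Expression, sdk.EvaluateExprOption) {
		ty := cty.Object(map[string]cty.Type{"value": cty.String})
		return hclExpr(`{ value = var.sensitive }`), sdk.EvaluateExprOption{WantType: &ty, ModuleCtx: sdk.SelfModuleCtxType}
	},
	Want:     cty.ObjectVal(map[string]cty.Value{"value": cty.StringVal("foo").Mark(marks.Sensitive)}),
	ErrCheck: neverHappend,
},
// … unchanged: "(SDK v0.15)" cases …
```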
@@ -13,7 +13,7 @@ import ( "github.com/hashicorp/hcl/v2/hclsyntax" "github.com/spf13/afero" "github.com/terraform-linters/tflint-plugin-sdk/hclext" - "github.com/terraform-linters/tflint/terraform/lang/marks" + "github.com/terraform-linters/tflint-plugin-sdk/terraform/lang/marks" "github.com/zclconf/go-cty/cty" ) diff --git a/terraform/lang/funcs/collection_test.go b/terraform/lang/funcs/collection_test.go index 26ff74a51..4de28b1f2 100644 --- a/terraform/lang/funcs/collection_test.go +++ b/terraform/lang/funcs/collection_test.go @@ -5,7 +5,7 @@ import ( "math" "testing" - "github.com/terraform-linters/tflint/terraform/lang/marks" + "github.com/terraform-linters/tflint-plugin-sdk/terraform/lang/marks" "github.com/zclconf/go-cty/cty" ) diff --git a/terraform/lang/funcs/conversion.go b/terraform/lang/funcs/conversion.go index 8783a5932..c65849d1b 100644 --- a/terraform/lang/funcs/conversion.go +++ b/terraform/lang/funcs/conversion.go @@ -3,7 +3,7 @@ package funcs import ( "strconv" - "github.com/terraform-linters/tflint/terraform/lang/marks" + "github.com/terraform-linters/tflint-plugin-sdk/terraform/lang/marks" "github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty/convert" "github.com/zclconf/go-cty/cty/function" diff --git a/terraform/lang/funcs/conversion_test.go b/terraform/lang/funcs/conversion_test.go index 985d4f698..0727f48c7 100644 --- a/terraform/lang/funcs/conversion_test.go +++ b/terraform/lang/funcs/conversion_test.go @@ -4,7 +4,7 @@ import ( "fmt" "testing" - "github.com/terraform-linters/tflint/terraform/lang/marks" + "github.com/terraform-linters/tflint-plugin-sdk/terraform/lang/marks" "github.com/zclconf/go-cty/cty" ) diff --git a/terraform/lang/funcs/encoding_test.go b/terraform/lang/funcs/encoding_test.go index b3aa7217f..625eb8c8a 100644 --- a/terraform/lang/funcs/encoding_test.go +++ b/terraform/lang/funcs/encoding_test.go 
@@ -4,7 +4,7 @@ import ( "fmt" "testing" - "github.com/terraform-linters/tflint/terraform/lang/marks" + "github.com/terraform-linters/tflint-plugin-sdk/terraform/lang/marks" "github.com/zclconf/go-cty/cty" ) diff --git a/terraform/lang/funcs/filesystem_test.go b/terraform/lang/funcs/filesystem_test.go index 624066fa9..ec694be80 100644 --- a/terraform/lang/funcs/filesystem_test.go +++ b/terraform/lang/funcs/filesystem_test.go @@ -8,7 +8,7 @@ import ( "testing" homedir "github.com/mitchellh/go-homedir" - "github.com/terraform-linters/tflint/terraform/lang/marks" + "github.com/terraform-linters/tflint-plugin-sdk/terraform/lang/marks" "github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty/function" "github.com/zclconf/go-cty/cty/function/stdlib" diff --git a/terraform/lang/funcs/number_test.go b/terraform/lang/funcs/number_test.go index ff784fd9a..5ebe6304f 100644 --- a/terraform/lang/funcs/number_test.go +++ b/terraform/lang/funcs/number_test.go @@ -4,7 +4,7 @@ import ( "fmt" "testing" - "github.com/terraform-linters/tflint/terraform/lang/marks" + "github.com/terraform-linters/tflint-plugin-sdk/terraform/lang/marks" "github.com/zclconf/go-cty/cty" ) diff --git a/terraform/lang/funcs/redact.go b/terraform/lang/funcs/redact.go index 5a5bf0eb7..9ba809dd0 100644 --- a/terraform/lang/funcs/redact.go +++ b/terraform/lang/funcs/redact.go @@ -3,7 +3,7 @@ package funcs import ( "fmt" - "github.com/terraform-linters/tflint/terraform/lang/marks" + "github.com/terraform-linters/tflint-plugin-sdk/terraform/lang/marks" "github.com/zclconf/go-cty/cty" ) diff --git a/terraform/lang/funcs/redact_test.go b/terraform/lang/funcs/redact_test.go index f63a2c312..54d4eafa4 100644 --- a/terraform/lang/funcs/redact_test.go +++ b/terraform/lang/funcs/redact_test.go @@ -3,7 +3,7 @@ package funcs import ( "testing" - "github.com/terraform-linters/tflint/terraform/lang/marks" + "github.com/terraform-linters/tflint-plugin-sdk/terraform/lang/marks" "github.com/zclconf/go-cty/cty" ) 
diff --git a/terraform/lang/funcs/sensitive.go b/terraform/lang/funcs/sensitive.go index 0e25b4a8d..ec01c442e 100644 --- a/terraform/lang/funcs/sensitive.go +++ b/terraform/lang/funcs/sensitive.go @@ -1,7 +1,7 @@ package funcs import ( - "github.com/terraform-linters/tflint/terraform/lang/marks" + "github.com/terraform-linters/tflint-plugin-sdk/terraform/lang/marks" "github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty/function" ) diff --git a/terraform/lang/funcs/sensitive_test.go b/terraform/lang/funcs/sensitive_test.go index 530b73ba3..b047b48b9 100644 --- a/terraform/lang/funcs/sensitive_test.go +++ b/terraform/lang/funcs/sensitive_test.go @@ -4,7 +4,7 @@ import ( "fmt" "testing" - "github.com/terraform-linters/tflint/terraform/lang/marks" + "github.com/terraform-linters/tflint-plugin-sdk/terraform/lang/marks" "github.com/zclconf/go-cty/cty" ) diff --git a/terraform/lang/functions_test.go b/terraform/lang/functions_test.go index 7af6bf34d..726f747f1 100644 --- a/terraform/lang/functions_test.go +++ b/terraform/lang/functions_test.go @@ -9,7 +9,7 @@ import ( "github.com/hashicorp/hcl/v2" "github.com/hashicorp/hcl/v2/hclsyntax" homedir "github.com/mitchellh/go-homedir" - "github.com/terraform-linters/tflint/terraform/lang/marks" + "github.com/terraform-linters/tflint-plugin-sdk/terraform/lang/marks" "github.com/zclconf/go-cty/cty" ) diff --git a/terraform/lang/marks/marks.go b/terraform/lang/marks/marks.go deleted file mode 100644 index bc253463f..000000000 --- a/terraform/lang/marks/marks.go +++ /dev/null 
@@ -1,37 +0,0 @@ -package marks - -import ( - "github.com/zclconf/go-cty/cty" -) - -// valueMarks allow creating strictly typed values for use as cty.Value marks. -// Each distinct mark value must be a constant in this package whose value -// is a valueMark whose underlying string matches the name of the variable. -type valueMark string - -func (m valueMark) GoString() string { - return "marks." + string(m) -} - -// Has returns true if and only if the cty.Value has the given mark. -func Has(val cty.Value, mark valueMark) bool { - return val.HasMark(mark) -} - -// Contains returns true if the cty.Value or any any value within it contains -// the given mark. -func Contains(val cty.Value, mark valueMark) bool { - ret := false - cty.Walk(val, func(_ cty.Path, v cty.Value) (bool, error) { - if v.HasMark(mark) { - ret = true - return false, nil - } - return true, nil - }) - return ret -} - -// Sensitive indicates that this value is marked as sensitive in the context of -// Terraform. -const Sensitive = valueMark("Sensitive")