Integrated async access to vault secrets (#1452)
* Integrate async access to vault secrets

* Add and fix tests for vault secrets

* Fix errors for pm.vault

* Fix mutation tracking for vault secrets

* Update dependencies

---------

Co-authored-by: Pranav Joglekar <[email protected]>
appurva21 and Pranav2612000 authored Sep 4, 2024
1 parent 7c6debc commit 7ddff0f
Showing 8 changed files with 253 additions and 56 deletions.
5 changes: 4 additions & 1 deletion CHANGELOG.yaml
@@ -1,6 +1,9 @@
unreleased:
unreleased:
new features:
- GH-1452 Enabled async access to vault secrets
- GH-1413 Added support for initializing local variables
chores:
- GH-1452 Update dependencies

7.41.2:
date: 2024-08-16
44 changes: 37 additions & 7 deletions lib/runner/extensions/event.command.js
Expand Up @@ -21,6 +21,8 @@ var _ = require('lodash'),
EXECUTION_COOKIES_EVENT_BASE = 'execution.cookies.',
EXECUTION_SKIP_REQUEST_EVENT_BASE = 'execution.skipRequest.',

EXECUTION_VAULT_BASE = 'execution.vault.',

COOKIES_EVENT_STORE_ACTION = 'store',
COOKIE_STORE_PUT_METHOD = 'putCookie',
COOKIE_STORE_UPDATE_METHOD = 'updateCookie',
Expand Down Expand Up @@ -240,8 +242,17 @@ module.exports = {

packageResolver = _.get(this, 'options.script.packageResolver'),

vaultSecrets = payload.context.vaultSecrets,
allowVaultAccess = _.get(vaultSecrets, '_.allowScriptAccess'),

events;

// Explicitly enable tracking for vault secrets here as this will
// not be sent to sandbox who otherwise takes care of mutation tracking
if (allowVaultAccess) {
vaultSecrets.enableTracking({ autoCompact: true });
}

// @todo: find a better place to code this so that event is not aware of such options
if (abortOnFailure) {
abortOnError = true;
Expand Down Expand Up @@ -387,6 +398,22 @@ module.exports = {
}
}.bind(this));

this.host.on(EXECUTION_VAULT_BASE + executionId, function (id, cmd, ...args) {
// Ensure error is string
// TODO identify why error objects are not being serialized correctly
const dispatch = (e, r) => { this.host.dispatch(EXECUTION_VAULT_BASE + executionId, id, e, r); };

if (!allowVaultAccess) {
return dispatch('Vault access denied');
}

if (!['get', 'set', 'unset'].includes(cmd)) {
return dispatch(`Invalid vault command: ${cmd}`);
}

dispatch(null, vaultSecrets[cmd](...args));
}.bind(this));

this.host.on(EXECUTION_REQUEST_EVENT_BASE + executionId,
function (scriptCursor, id, requestId, request) {
// remove files in request body if any
Expand Down Expand Up @@ -458,11 +485,7 @@ module.exports = {
// @todo: Expose this as a property in Collection SDK's Script
timeout: payload.scriptTimeout,
cursor: scriptCursor,
context: {
..._.pick(payload.context, SAFE_CONTEXT_VARIABLES),
vaultSecrets: _.get(payload.context.vaultSecrets, '_.allowScriptAccess') ?
payload.context.vaultSecrets : undefined
},
context: _.pick(payload.context, SAFE_CONTEXT_VARIABLES),
resolvedPackages: resolvedPackages,

// legacy options
Expand All @@ -479,6 +502,7 @@ module.exports = {
this.host.removeAllListeners(EXECUTION_COOKIES_EVENT_BASE + executionId);
this.host.removeAllListeners(EXECUTION_ERROR_EVENT_BASE + executionId);
this.host.removeAllListeners(EXECUTION_SKIP_REQUEST_EVENT_BASE + executionId);
this.host.removeAllListeners(EXECUTION_VAULT_BASE + executionId);

// Handle async errors as well.
// If there was an error running the script itself, that takes precedence
Expand Down Expand Up @@ -529,10 +553,16 @@ module.exports = {
result && result.globals && (result.globals = new sdk.VariableScope(result.globals));
result && result.collectionVariables &&
(result.collectionVariables = new sdk.VariableScope(result.collectionVariables));
result && result.vaultSecrets &&
(result.vaultSecrets = new sdk.VariableScope(result.vaultSecrets));
result && result.request && (result.request = new sdk.Request(result.request));

// vault secrets are not sent to sandbox, thus using the scope from run context.
if (allowVaultAccess && vaultSecrets) {
result.vaultSecrets = vaultSecrets;

// Prevent mutations from being carry-forwarded to subsequent events
vaultSecrets.disableTracking();
}

// @note Since [email protected], response object is not included in the execution
// result.
// Refer: https://github.com/postmanlabs/postman-sandbox/pull/512
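Review bot: `result.vaultSecrets = vaultSecrets;` in the last hunk dereferences `result` unconditionally, while every sibling assignment just above it is guarded with `result &&` (for example `result && result.request && ...`), so an execution that yields no result would throw a TypeError there and skip the `vaultSecrets.disableTracking()` that follows, leaving tracking enabled across the next event. Guard the assignment and keep the tracking reset unconditional: `result && (result.vaultSecrets = vaultSecrets);` followed by `vaultSecrets.disableTracking();`. Separately, the `execution.vault.` handler calls `vaultSecrets[cmd](...args)` outside any try/catch, so if the scope method throws the sandbox side never receives a `dispatch` for that `id`; wrapping the call and dispatching `String(err && err.message || err)` would also keep the error-as-string convention the TODO above it describes. The callbacks these hunks modify start and end outside the visible lines.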
6 changes: 4 additions & 2 deletions lib/runner/extensions/item.command.js
Expand Up @@ -152,7 +152,8 @@ module.exports = {
item: item,
coords: coords,
context: ctxTemplate,
trackContext: ['globals', 'environment', 'collectionVariables', 'vaultSecrets'],
// No need to include vaultSecrets here as runtime takes care of tracking internally
trackContext: ['globals', 'environment', 'collectionVariables'],
stopOnScriptError: stopOnError,
stopOnFailure: stopOnFailure
}).done(function (prereqExecutions, prereqExecutionError, shouldSkipExecution) {
Expand Down Expand Up @@ -234,7 +235,8 @@ module.exports = {
item: item,
coords: coords,
context: ctxTemplate,
trackContext: ['tests', 'globals', 'environment', 'collectionVariables', 'vaultSecrets'],
// No need to include vaultSecrets here as runtime takes care of tracking internally
trackContext: ['tests', 'globals', 'environment', 'collectionVariables'],
stopOnScriptError: stopOnError,
abortOnFailure: abortOnFailure,
stopOnFailure: stopOnFailure
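Review bot: The new comment `// No need to include vaultSecrets here as runtime takes care of tracking internally`, added in both hunks, does not say where that tracking happens, which is exactly what a maintainer tempted to re-add the key to `trackContext` would need to know. Something like `// vaultSecrets is deliberately absent: event.command.js enables mutation tracking on the run-context scope itself and never forwards that scope to the sandbox` ties the omission to the code that owns it. The call expression these option objects belong to starts and ends outside the hunks.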
30 changes: 16 additions & 14 deletions package-lock.json


4 changes: 2 additions & 2 deletions package.json
Expand Up @@ -55,8 +55,8 @@
"node-oauth1": "1.3.0",
"performance-now": "2.1.0",
"postman-collection": "4.5.0",
"postman-request": "2.88.1-postman.39",
"postman-sandbox": "5.1.1",
"postman-request": "2.88.1-postman.40",
"postman-sandbox": "5.1.2",
"postman-url-encoder": "3.0.5",
"serialised-error": "1.1.3",
"strip-json-comments": "3.1.1",
24 changes: 8 additions & 16 deletions test/integration/inherited-entities/pm-variables.test.js
Expand Up @@ -105,9 +105,8 @@ describe('pm.variables', function () {
'key-2': 'coll-value-2',
'key-3': 'env-value-3',
'key-4': 'data-value-4',
'key-7': 'local-value-7',
'vault:key5': 'global-value-5',
'vault:key6': 'vault-value-6'
'key-7': 'local-value-7'
});
});
});
Expand Down Expand Up @@ -241,9 +240,8 @@ describe('pm.variables', function () {
'key-2': 'modified-1',
'key-3': 'env-value-3',
'key-4': 'data-value-4',
'key-7': 'local-value-7',
'vault:key5': 'global-value-5',
'vault:key6': 'vault-value-6'
'key-7': 'local-value-7'
}
]);

Expand All @@ -254,9 +252,8 @@ describe('pm.variables', function () {
'key-2': 'modified-2',
'key-3': 'modified-2',
'key-4': 'data-value-4',
'key-7': 'local-value-7',
'vault:key5': 'global-value-5',
'vault:key6': 'vault-value-6'
'key-7': 'local-value-7'
}
]);

Expand All @@ -267,9 +264,8 @@ describe('pm.variables', function () {
'key-2': 'modified-2',
'key-3': 'modified-3',
'key-4': 'modified-3',
'key-7': 'local-value-7',
'vault:key5': 'global-value-5',
'vault:key6': 'vault-value-6'
'key-7': 'local-value-7'
}
]);

Expand All @@ -280,9 +276,8 @@ describe('pm.variables', function () {
'key-2': 'modified-2',
'key-3': 'modified-3',
'key-4': 'modified-4',
'key-7': 'local-value-7',
'vault:key5': 'global-value-5',
'vault:key6': 'vault-value-6'
'key-7': 'local-value-7'
}
]);

Expand All @@ -293,9 +288,8 @@ describe('pm.variables', function () {
'key-2': 'modified-1',
'key-3': 'modified-3',
'key-4': 'modified-4',
'key-7': 'local-value-7',
'vault:key5': 'global-value-5',
'vault:key6': 'vault-value-6'
'key-7': 'local-value-7'
}
]);

Expand All @@ -306,9 +300,8 @@ describe('pm.variables', function () {
'key-2': 'modified-1',
'key-3': 'modified-3',
'key-4': 'modified-3',
'key-7': 'local-value-7',
'vault:key5': 'global-value-5',
'vault:key6': 'vault-value-6'
'key-7': 'local-value-7'
}
]);
});
Expand Down Expand Up @@ -374,9 +367,8 @@ describe('pm.variables', function () {
'key-2': 'coll-value-2',
'key-3': 'env-value-3',
'key-4': 'data-value-4',
'key-7': 'local-value-7',
'vault:key5': 'global-value-5',
'vault:key6': 'vault-value-6'
'key-7': 'local-value-7'
}
]);
});
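Review bot: Removing `'vault:key5'` and `'vault:key6'` from every expected object encodes a security-relevant property — vault-prefixed entries are no longer reachable through `pm.variables` — only by omission, and only to the extent the comparison used here is a strict deep equality, which is not visible in these hunks. A positive check in one of the scripts, asserting that `pm.variables.get('vault:key6')` is `undefined` while `await pm.vault.get('key6')` still resolves, would document the intended boundary rather than leave it implied by a shorter fixture. The `describe` block these expectations belong to continues outside the hunks.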
4 changes: 2 additions & 2 deletions test/integration/sanity/variable-changes.test.js
Expand Up @@ -26,7 +26,7 @@ describe('variable changes', function () {
pm.environment.set('environment', 'environment value');
pm.globals.set('globals', 'globals value');
pm.collectionVariables.set('collection', 'collection value');
pm.vault.set('secret1', 'vault value');
await pm.vault.set('secret1', 'vault value');
`
}
}, {
Expand All @@ -35,7 +35,7 @@ describe('variable changes', function () {
exec: `
pm.environment.set("environment", "environment updated value");
pm.collectionVariables.set("collection", "collection updated value");
pm.vault.set('secret1', 'vault updated value');
await pm.vault.set('secret1', 'vault updated value');
`
}
}],