feat: added schema compositionality and tests

aryanjassal · aryanjassal · commit e9abc7870bcb · 2025-07-02T16:39:26.000+10:00
[ci skip]
diff --git a/src/errors.ts b/src/errors.ts
@@ -166,6 +166,11 @@ class ErrorPolykeyCLIDuplicateEnvName<T> extends ErrorPolykeyCLI<T> {
   exitCode = sysexits.USAGE;
 }
 
+class ErrorPolykeyCLIMissingRequiredEnvName<T> extends ErrorPolykeyCLI<T> {
+  static description = 'A required environment variable is not present';
+  exitCode = sysexits.USAGE;
+}
+
 class ErrorPolykeyCLIMakeDirectory<T> extends ErrorPolykeyCLI<T> {
   static description = 'Failed to create one or more directories';
   exitCode = 1;
@@ -223,6 +228,7 @@ export {
   ErrorPolykeyCLINodePingFailed,
   ErrorPolykeyCLIInvalidEnvName,
   ErrorPolykeyCLIDuplicateEnvName,
+  ErrorPolykeyCLIMissingRequiredEnvName,
   ErrorPolykeyCLIMakeDirectory,
   ErrorPolykeyCLIRenameSecret,
   ErrorPolykeyCLIRemoveSecret,
diff --git a/src/secrets/CommandEnv.ts b/src/secrets/CommandEnv.ts
@@ -172,7 +172,7 @@ class CommandEnv extends CommandPolykey {
                 if (allKeys.includes(name)) {
                   await writer.write({
                     nameOrId: nameOrId,
-                    secretName: name,
+                    secretName: secretName!,
                     metadata: first ? auth : undefined,
                   });
                 }
@@ -201,25 +201,18 @@ class CommandEnv extends CommandPolykey {
             if (value.type === 'ErrorMessage') {
               switch (value.code) {
                 case 'EINVAL':
-                  // It is expected for the data to be populated with the offending
-                  // vault name if the vault was not found.
+                  // It is expected for the data to be populated with the
+                  // offending vault name if the vault was not found.
                   throw new Error(
                     `TMP Vault "${value.data?.nameOrId}" does not exist`,
                   );
                 case 'ENOENT':
-                  // If we have a default for this key, then don't bother
-                  // reporting the missing key.
-                  if (
-                    unwrappedSchema != null &&
-                    Object.keys(unwrappedSchema.defaults).includes(
-                      value.data!.secretName!.toString(),
-                    )
-                  ) {
-                    break;
-                  }
+                  // If we are working with schemas, then missing keys will be
+                  // validated later.
+                  if (unwrappedSchema != null) break;
 
-                  // It is expected for the data to be populated with the offending
-                  // secret and vault name if a secret was not found.
+                  // It is expected for the data to be populated with the
+                  // offending secret and vault name if a secret was not found.
                   throw new Error(
                     `TMP Secret "${value.data?.secretName}" does not exist in vault "${value.data?.nameOrId}"`,
                   );
@@ -310,7 +303,7 @@ class CommandEnv extends CommandPolykey {
 
           // Apply defaults using the schema
           const filteredEnvp: Record<string, string> = {};
-          if (unwrappedSchema != null) {
+          if (schema != null && unwrappedSchema != null) {
             // Parse the schema for manual filtering
             const { requiredKeys, allKeys, defaults } = unwrappedSchema;
 
@@ -326,12 +319,20 @@ class CommandEnv extends CommandPolykey {
                 requiredKeys.includes(key) &&
                 (value == null || value === '')
               ) {
-                throw new Error('TMP missing required variable');
+                throw new binErrors.ErrorPolykeyCLIMissingRequiredEnvName(
+                  `Expected definition for ${key}`,
+                );
               }
               if (value != null) {
                 filteredEnvp[key] = value.toString();
               }
             }
+
+            // Validate the schema using ajv. All defaults have already been
+            // applied. This is now the final state of the exported variables.
+            const ajv = new Ajv({ allErrors: true });
+            const validate = ajv.compile(schema);
+            validate(envp);
           }
 
           return [
diff --git a/src/utils/utils.ts b/src/utils/utils.ts
@@ -457,7 +457,9 @@ function outputFormatterError(err: any): string {
           output += '\n';
         }
       }
-      output += `${indent}cause: `;
+      if (err.cause) {
+        output += `${indent}cause: `;
+      }
       err = err.cause;
     } else if (err instanceof ErrorPolykey) {
       output += `${err.name}: ${err.description}`;
diff --git a/tests/secrets/env.test.ts b/tests/secrets/env.test.ts
@@ -953,4 +953,290 @@ describe('commandEnv', () => {
       expect(result.stdout).toEqual(formatResult[format]);
     },
   );
+
+  describe('should apply json schema to control secrets egress', () => {
+    test('should filter secrets based on a schema', async () => {
+      // Write secrets to vault
+      const vaultName = 'vault';
+      const vaultId = await polykeyAgent.vaultManager.createVault(vaultName);
+      const secretName1 = 'SECRET1';
+      const secretName2 = 'SECRET2';
+      const secretName3 = 'SECRET3';
+      await polykeyAgent.vaultManager.withVaults([vaultId], async (vault) => {
+        await vaultOps.addSecret(vault, secretName1, secretName1);
+        await vaultOps.addSecret(vault, secretName2, secretName2);
+        await vaultOps.addSecret(vault, secretName3, secretName3);
+      });
+
+      // Write schema to file
+      const schema = {
+        type: 'object',
+        properties: {
+          SECRET1: { type: 'string' },
+          SECRET2: { type: 'string' },
+        },
+        required: ['SECRET1', 'SECRET2'],
+      };
+      const schemaPath = path.join(dataDir, 'egress.schema.json');
+      await fs.promises.writeFile(schemaPath, JSON.stringify(schema, null, 2));
+
+      // Run command with the schema
+      const command = [
+        'secrets',
+        'env',
+        '-np',
+        dataDir,
+        '--env-format',
+        'unix',
+        '--egress-schema',
+        schemaPath,
+        vaultName,
+      ];
+      const result = await testUtils.pkExec(command, {
+        env: { PK_PASSWORD: password },
+      });
+      expect(result.exitCode).toBe(0);
+
+      // Confirm only the specified secrets were exported
+      expect(result.stdout).toContain("SECRET1='SECRET1'");
+      expect(result.stdout).toContain("SECRET2='SECRET2'");
+      expect(result.stdout).not.toContain("SECRET3='SECRET3'");
+    });
+
+    test('should apply schema to secrets from multiple vaults', async () => {
+      // Write secrets to vault
+      const vaultName1 = 'vault1';
+      const vaultName2 = 'vault2';
+      const vaultId1 = await polykeyAgent.vaultManager.createVault(vaultName1);
+      const vaultId2 = await polykeyAgent.vaultManager.createVault(vaultName2);
+      const secretName1 = 'SECRET1';
+      const secretName2 = 'SECRET2';
+      const secretName3 = 'SECRET3';
+      await polykeyAgent.vaultManager.withVaults(
+        [vaultId1, vaultId2],
+        async (vault1, vault2) => {
+          await vaultOps.addSecret(vault1, secretName1, secretName1);
+          await vaultOps.addSecret(vault2, secretName2, secretName2);
+          await vaultOps.addSecret(vault1, secretName3, secretName3);
+        },
+      );
+
+      // Write schema to file
+      const schema = {
+        type: 'object',
+        properties: {
+          SECRET1: { type: 'string' },
+          SECRET2: { type: 'string' },
+        },
+        required: ['SECRET1', 'SECRET2'],
+      };
+      const schemaPath = path.join(dataDir, 'egress.schema.json');
+      await fs.promises.writeFile(schemaPath, JSON.stringify(schema, null, 2));
+
+      // Run command with the schema
+      const command = [
+        'secrets',
+        'env',
+        '-np',
+        dataDir,
+        '--env-format',
+        'unix',
+        '--egress-schema',
+        schemaPath,
+        vaultName1,
+        vaultName2,
+      ];
+      const result = await testUtils.pkExec(command, {
+        env: { PK_PASSWORD: password },
+      });
+      expect(result.exitCode).toBe(0);
+
+      // Confirm only the specified secrets were exported
+      expect(result.stdout).toContain("SECRET1='SECRET1'");
+      expect(result.stdout).toContain("SECRET2='SECRET2'");
+      expect(result.stdout).not.toContain("SECRET3='SECRET3'");
+    });
+
+    test('should handle secret renames', async () => {
+      // Write secrets to vault
+      const vaultName = 'vault';
+      const vaultId = await polykeyAgent.vaultManager.createVault(vaultName);
+      const secretName1 = 'SECRET1';
+      const secretName2 = 'SECRET2';
+      const secretName3 = 'SECRET3';
+      const secretRename = 'RENAMED';
+      await polykeyAgent.vaultManager.withVaults([vaultId], async (vault) => {
+        await vaultOps.addSecret(vault, secretName1, secretName1);
+        await vaultOps.addSecret(vault, secretName2, secretName2);
+        await vaultOps.addSecret(vault, secretName3, secretName3);
+      });
+
+      // Write schema to file
+      const schema = {
+        type: 'object',
+        properties: {
+          SECRET1: { type: 'string' },
+          RENAMED: { type: 'string' },
+        },
+        required: ['SECRET1', 'RENAMED'],
+      };
+      const schemaPath = path.join(dataDir, 'egress.schema.json');
+      await fs.promises.writeFile(schemaPath, JSON.stringify(schema, null, 2));
+
+      // Run command with the schema. Should first export all relevant secrets
+      // from the vault, then process the renamed secret.
+      const command = [
+        'secrets',
+        'env',
+        '-np',
+        dataDir,
+        '--env-format',
+        'unix',
+        '--egress-schema',
+        schemaPath,
+        vaultName,
+        `${vaultName}:${secretName2}=${secretRename}`,
+      ];
+      const result = await testUtils.pkExec(command, {
+        env: { PK_PASSWORD: password },
+      });
+      expect(result.exitCode).toBe(0);
+
+      // Confirm only the specified secrets were exported
+      expect(result.stdout).toContain("SECRET1='SECRET1'");
+      expect(result.stdout).toContain("RENAMED='SECRET2'");
+      expect(result.stdout).not.toContain("SECRET2='SECRET2'");
+      expect(result.stdout).not.toContain("SECRET3='SECRET3'");
+    });
+
+    test('should not fail when missing non-required secret', async () => {
+      // Write secrets to vault
+      const vaultName = 'vault';
+      const vaultId = await polykeyAgent.vaultManager.createVault(vaultName);
+      const secretName1 = 'SECRET1';
+      await polykeyAgent.vaultManager.withVaults([vaultId], async (vault) => {
+        await vaultOps.addSecret(vault, secretName1, secretName1);
+      });
+
+      // Write schema to file
+      const schema = {
+        type: 'object',
+        properties: {
+          SECRET1: { type: 'string' },
+          SECRET2: { type: 'string' },
+        },
+        required: ['SECRET1'],
+      };
+      const schemaPath = path.join(dataDir, 'egress.schema.json');
+      await fs.promises.writeFile(schemaPath, JSON.stringify(schema, null, 2));
+
+      // Run command with the schema. Should first export all relevant secrets
+      // from the vault, then process the renamed secret.
+      const command = [
+        'secrets',
+        'env',
+        '-np',
+        dataDir,
+        '--env-format',
+        'unix',
+        '--egress-schema',
+        schemaPath,
+        vaultName,
+      ];
+      const result = await testUtils.pkExec(command, {
+        env: { PK_PASSWORD: password },
+      });
+      expect(result.exitCode).toBe(0);
+
+      // Confirm only the specified secrets were exported
+      expect(result.stdout).toContain("SECRET1='SECRET1'");
+      expect(result.stdout).not.toContain('SECRET2');
+    });
+
+    test('should fail when missing required secret', async () => {
+      // Write secrets to vault
+      const vaultName = 'vault';
+      const vaultId = await polykeyAgent.vaultManager.createVault(vaultName);
+      const secretName1 = 'SECRET1';
+      await polykeyAgent.vaultManager.withVaults([vaultId], async (vault) => {
+        await vaultOps.addSecret(vault, secretName1, secretName1);
+      });
+
+      // Write schema to file
+      const schema = {
+        type: 'object',
+        properties: {
+          SECRET1: { type: 'string' },
+          SECRET2: { type: 'string' },
+        },
+        required: ['SECRET1', 'SECRET2'],
+      };
+      const schemaPath = path.join(dataDir, 'egress.schema.json');
+      await fs.promises.writeFile(schemaPath, JSON.stringify(schema, null, 2));
+
+      // Run command with the schema
+      const command = [
+        'secrets',
+        'env',
+        '-np',
+        dataDir,
+        '--env-format',
+        'unix',
+        '--egress-schema',
+        schemaPath,
+        vaultName,
+      ];
+      const result = await testUtils.pkExec(command, {
+        env: { PK_PASSWORD: password },
+      });
+      expect(result.exitCode).toBe(64);
+
+      // Confirm the validity of the error
+      expect(result.stderr).toInclude('ErrorPolykeyCLIMissingRequiredEnvName');
+      expect(result.stderr).toInclude('SECRET2');
+    });
+
+    test('should replace variable with default if present', async () => {
+      // Write secrets to vault
+      const vaultName = 'vault';
+      const vaultId = await polykeyAgent.vaultManager.createVault(vaultName);
+      const secretName1 = 'SECRET1';
+      await polykeyAgent.vaultManager.withVaults([vaultId], async (vault) => {
+        await vaultOps.addSecret(vault, secretName1, secretName1);
+      });
+
+      // Write schema to file
+      const schema = {
+        type: 'object',
+        properties: {
+          SECRET1: { type: 'string' },
+          SECRET2: { type: 'string', default: 'abc' },
+        },
+        required: ['SECRET1', 'SECRET2'],
+      };
+      const schemaPath = path.join(dataDir, 'egress.schema.json');
+      await fs.promises.writeFile(schemaPath, JSON.stringify(schema, null, 2));
+
+      // Run command with the schema
+      const command = [
+        'secrets',
+        'env',
+        '-np',
+        dataDir,
+        '--env-format',
+        'unix',
+        '--egress-schema',
+        schemaPath,
+        vaultName,
+      ];
+      const result = await testUtils.pkExec(command, {
+        env: { PK_PASSWORD: password },
+      });
+      expect(result.exitCode).toBe(0);
+
+      // Confirm only the specified secrets were exported
+      expect(result.stdout).toInclude("SECRET1='SECRET1'");
+      expect(result.stdout).toInclude("SECRET2='abc");
+    });
+  });
 });

Original file line number	Diff line number	Diff line change
`@@ -457,7 +457,9 @@ function outputFormatterError(err: any): string {`
`457`	`457`	`output += '\n';`
`458`	`458`	`}`
`459`	`459`	`}`
`460`		- output += `${indent}cause: `;
	`460`	`+ if (err.cause) {`
	`461`	+ output += `${indent}cause: `;
	`462`	`+ }`
`461`	`463`	`err = err.cause;`
`462`	`464`	`} else if (err instanceof ErrorPolykey) {`
`463`	`465`	output += `${err.name}: ${err.description}`;