fix: allow null setting for sensitive string (#5402)

ndr-brt · web-flow · commit 1810922daa4c · 2025-12-09T17:23:21.000+01:00
diff --git a/core/common/participant-context-config-core/src/main/java/org/eclipse/edc/participantcontext/config/ParticipantContextConfigImpl.java b/core/common/participant-context-config-core/src/main/java/org/eclipse/edc/participantcontext/config/ParticipantContextConfigImpl.java
@@ -85,7 +85,10 @@ public Boolean getBoolean(String participantContextId, String key, Boolean defau
 
     @Override
     public String getSensitiveString(String participantContextId, String key) {
-        var encryptedValue = privateConfig(participantContextId).getString(key);
+        var encryptedValue = privateConfig(participantContextId).getString(key, null);
+        if (encryptedValue == null) {
+            return null;
+        }
         return encryptionService.decrypt(encryptedValue)
                 .orElseThrow(f -> new EdcException(format("Failed to decrypt sensitive config value for key %s and participant context %s", key, participantContextId)));
     }
diff --git a/core/common/participant-context-config-core/src/test/java/org/eclipse/edc/participantcontext/config/ParticipantContextConfigImplTest.java b/core/common/participant-context-config-core/src/test/java/org/eclipse/edc/participantcontext/config/ParticipantContextConfigImplTest.java
@@ -21,6 +21,7 @@
 import org.eclipse.edc.spi.EdcException;
 import org.eclipse.edc.spi.result.Result;
 import org.eclipse.edc.transaction.spi.NoopTransactionContext;
+import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtensionContext;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -31,9 +32,11 @@
 import java.util.Map;
 import java.util.stream.Stream;
 
+import static java.util.Collections.emptyMap;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.when;
 
 public class ParticipantContextConfigImplTest {
@@ -85,23 +88,38 @@ void notFound(SettingCall setting, String key, String value, Object expectedValu
 
     }
 
-    @Test
-    void shouldGetPrivateSetting() {
+    @Nested
+    class GetSensitiveString {
 
-        var cfg = ParticipantContextConfiguration.Builder.newInstance().participantContextId(PARTICIPANT_CONTEXT_ID)
-                .entries(Map.of("key", "value"))
-                .privateEntries(Map.of("private.key", "encryptedValue"))
-                .build();
+        @Test
+        void shouldGetPrivateSetting() {
+            var cfg = ParticipantContextConfiguration.Builder.newInstance().participantContextId(PARTICIPANT_CONTEXT_ID)
+                    .entries(Map.of("key", "value"))
+                    .privateEntries(Map.of("private.key", "encryptedValue"))
+                    .build();
 
-        when(encryptionService.decrypt("encryptedValue")).thenReturn(Result.success("decryptedValue"));
-        when(store.get(PARTICIPANT_CONTEXT_ID)).thenReturn(cfg);
+            when(encryptionService.decrypt("encryptedValue")).thenReturn(Result.success("decryptedValue"));
+            when(store.get(PARTICIPANT_CONTEXT_ID)).thenReturn(cfg);
 
-        var result = contextConfig.getSensitiveString(PARTICIPANT_CONTEXT_ID, "private.key");
+            var result = contextConfig.getSensitiveString(PARTICIPANT_CONTEXT_ID, "private.key");
 
+            assertThat(result).isNotNull()
+                    .isEqualTo("decryptedValue");
+        }
 
-        assertThat(result).isNotNull()
-                .isEqualTo("decryptedValue");
+        @Test
+        void shouldReturnNull_whenNoSettingFound() {
+            var cfg = ParticipantContextConfiguration.Builder.newInstance().participantContextId(PARTICIPANT_CONTEXT_ID)
+                    .entries(emptyMap())
+                    .privateEntries(emptyMap())
+                    .build();
+            when(store.get(PARTICIPANT_CONTEXT_ID)).thenReturn(cfg);
+
+            var result = contextConfig.getSensitiveString(PARTICIPANT_CONTEXT_ID, "any");
 
+            assertThat(result).isNull();
+            verifyNoInteractions(encryptionService);
+        }
     }
 
     @FunctionalInterface
diff --git a/extensions/common/vault/vault-hashicorp/src/main/java/org/eclipse/edc/vault/hashicorp/HashicorpVault.java b/extensions/common/vault/vault-hashicorp/src/main/java/org/eclipse/edc/vault/hashicorp/HashicorpVault.java
@@ -88,30 +88,24 @@ public Result<Void> deleteSecret(String vaultPartition, String key) {
                 .deleteSecret(key);
     }
 
+    /**
+     * creates a new HashicorpVaultClient specific configuration / auth settings for the given vault partition.
+     * If no vault config is found for the given partition, the default is returned.
+     */
     private @NotNull HashicorpVaultClient getVaultClient(String vaultPartition) {
         if (vaultPartition == null) {
             return createDefault();
         }
-        var client = createForPartition(vaultPartition);
-        if (client == null) {
-            if (vaultConfig.isAllowFallback()) {
-                return createDefault();
-            }
-            throw new IllegalArgumentException("No vault config found for partition '%s' and falling back to the default vault is not allowed".formatted(vaultPartition));
-        }
-        return client;
-    }
 
-    /**
-     * creates a new HashicorpVaultClient specific configuration / auth settings for the given vault partition.
-     * If no vault config is found for the given partition, null is returned.
-     */
-    private @Nullable HashicorpVaultClient createForPartition(String vaultPartition) {
         var settings = forParticipant(vaultPartition, participantContextConfig);
-        if (settings == null) {
-            return null;
+        if (settings != null) {
+            return new HashicorpVaultClient(monitor, settings.config(), edcHttpClient, mapper, settings.tokenProvider(edcHttpClient));
+        }
+
+        if (vaultConfig.isAllowFallback()) {
+            return createDefault();
         }
-        return new HashicorpVaultClient(monitor, settings.config(), edcHttpClient, mapper, settings.tokenProvider(edcHttpClient));
+        throw new IllegalArgumentException("No vault config found for partition '%s' and falling back to the default vault is not allowed".formatted(vaultPartition));
     }
 
     /**
diff --git a/spi/common/participant-context-config-spi/src/main/java/org/eclipse/edc/participantcontext/spi/config/ParticipantContextConfig.java b/spi/common/participant-context-config-spi/src/main/java/org/eclipse/edc/participantcontext/spi/config/ParticipantContextConfig.java
@@ -106,8 +106,8 @@ public interface ParticipantContextConfig {
      *
      * @param participantContextId the participant context identifier
      * @param key                  of the setting
-     * @return a String representation of the setting
-     * @throws EdcException if no setting is found
+     * @return a String representation of the setting, null if the setting does not exist
+     * @throws EdcException if the setting cannot be decrypted
      */
     String getSensitiveString(String participantContextId, String key);
 }

Original file line number	Diff line number	Diff line change
`@@ -106,8 +106,8 @@ public interface ParticipantContextConfig {`
`106`	`106`	`*`
`107`	`107`	`* @param participantContextId the participant context identifier`
`108`	`108`	`* @param key of the setting`
`109`		`- * @return a String representation of the setting`
`110`		`- * @throws EdcException if no setting is found`
	`109`	`+ * @return a String representation of the setting, null if the setting does not exist`
	`110`	`+ * @throws EdcException if the setting cannot be decrypted`
`111`	`111`	`*/`
`112`	`112`	`String getSensitiveString(String participantContextId, String key);`
`113`	`113`	`}`