Pre-resolve secrets within runtime using secret resolvers

Author: VShingala

lib/runner/extensions/item.command.js

@@ -198,7 +198,8 @@ module.exports = {
                         _variables: ctxTemplate._variables,
                         data: ctxTemplate.data,
                         coords: coords,
-                        source: 'collection'
+                        source: 'collection',
+                        secretResolver: this.state.secretResolver
                     }).done(function (result, requestError) {
                         !result && (result = {});
 

lib/runner/extensions/request.command.js

@@ -1,6 +1,7 @@
 var _ = require('lodash'),
     createItemContext = require('../create-item-context'),
-    { resolveVariables } = require('../util');
+    { resolveVariables } = require('../util'),
+    { resolveSecrets } = require('../resolve-secrets');
 
 
 module.exports = {
@@ -12,38 +13,57 @@ module.exports = {
 
     process: {
         request (payload, next) {
-            var abortOnError = _.has(payload, 'abortOnError') ? payload.abortOnError : this.options.abortOnError,
+            var self = this,
+                abortOnError = _.has(payload, 'abortOnError') ? payload.abortOnError : this.options.abortOnError,
+                secretResolver = payload.secretResolver,
 
-                // helper function to trigger `response` callback anc complete the command
+                // helper function to trigger `response` callback and complete the command
                 complete = function (err, nextPayload) {
                     // nextPayload will be empty for unhandled errors
                     // trigger `response` callback
                     // nextPayload.response will be empty for error flows
                     // the `item` argument is resolved and mutated here
-                    nextPayload && this.triggers.response(err, nextPayload.coords, nextPayload.response,
+                    nextPayload && self.triggers.response(err, nextPayload.coords, nextPayload.response,
                         nextPayload.request, nextPayload.item, nextPayload.cookies, nextPayload.history);
 
                     // the error is passed twice to allow control between aborting the error vs just
                     // bubbling it up
                     return next(err && abortOnError ? err : null, nextPayload, err);
-                }.bind(this),
-                context = createItemContext(payload);
-
-            // resolve variables in item and auth
-            resolveVariables(context, payload);
-
-            // add context for use, after resolution
-            payload.context = context;
-
-            // we do not queue `httprequest` instruction here,
-            // queueing will unblock the item command to prepare for the next `event` instruction
-            // at this moment request is not fulfilled, and we want to block it
-            this.immediate('httprequest', payload)
-                .done(function (nextPayload, err) {
-                    // change signature to error first
-                    complete(err, nextPayload);
-                })
-                .catch(complete);
+                },
+
+                continueWithRequest = function () {
+                    var context = createItemContext(payload);
+
+                    // resolve variables in item and auth
+                    resolveVariables(context, payload);
+
+                    // add context for use, after resolution
+                    payload.context = context;
+
+                    // we do not queue `httprequest` instruction here,
+                    // queueing will unblock the item command to prepare for the next `event` instruction
+                    // at this moment request is not fulfilled, and we want to block it
+                    self.immediate('httprequest', payload)
+                        .done(function (nextPayload, err) {
+                            // change signature to error first
+                            complete(err, nextPayload);
+                        })
+                        .catch(complete);
+                };
+
+            // resolve secrets first before variable substitution
+            if (secretResolver) {
+                resolveSecrets(payload, secretResolver, function (err) {
+                    if (err) {
+                        console.warn('Secret resolution failed with an error:', err.message);
+                    }
+
+                    continueWithRequest();
+                });
+            }
+            else {
+                continueWithRequest();
+            }
         }
     }
 };

lib/runner/index.js

@@ -97,6 +97,7 @@ _.assign(Runner.prototype, {
      * @param {String} [options.entrypoint.lookupStrategy=idOrName] strategy to lookup the entrypoint [idOrName, path]
      * @param {Array<String>} [options.entrypoint.path] path to lookup
      * @param {Object} [options.run] Run-specific options, such as options related to the host
+     * @param {Function} [options.secretResolver] - Async function to resolve variables with `ref` property.
      *
      * @param {Function} callback -
      */
@@ -147,7 +148,8 @@ _.assign(Runner.prototype, {
                 collectionVariables: collection.variables,
                 localVariables: options.localVariables,
                 certificates: options.certificates,
-                proxies: options.proxies
+                proxies: options.proxies,
+                secretResolver: options.secretResolver
             }, runOptions)));
         });
     }

lib/runner/resolve-secrets.js

@@ -0,0 +1,136 @@
+var _ = require('lodash'),
+    async = require('async');
+
+/**
+ * Extract all variables that have a `ref` property from a variable scope.
+ *
+ * @param {VariableScope|Object} scope - scope
+ * @returns {Array} - variables
+ */
+function extractRefVariables (scope) {
+    if (!scope) {
+        return [];
+    }
+
+    var values = _.get(scope, 'values'),
+        refVariables = [];
+
+    if (!values) {
+        return [];
+    }
+
+    if (values.members && Array.isArray(values.members)) {
+        values.members.forEach(function (variable) {
+            if (variable && variable.ref && variable.type === 'secret') {
+                refVariables.push(variable);
+            }
+        });
+    }
+    else if (Array.isArray(values)) {
+        values.forEach(function (variable) {
+            if (variable && variable.ref && variable.type === 'secret') {
+                refVariables.push(variable);
+            }
+        });
+    }
+
+    return refVariables;
+}
+
+/**
+ * Scans variable scopes for `ref` property and resolves them using resolver.
+ *
+ * @param {Object} payload - Request payload
+ * @param {Function} secretResolver - Async resolver func
+ * @param {Function} callback - callback
+ */
+function resolveSecrets (payload, secretResolver, callback) {
+    if (!secretResolver || typeof secretResolver !== 'function') {
+        return callback();
+    }
+
+    var scopesToScan = [
+            { name: 'environment', scope: payload.environment },
+            { name: 'globals', scope: payload.globals },
+            { name: 'collectionVariables', scope: payload.collectionVariables },
+            { name: '_variables', scope: payload._variables }
+        ],
+        variablesToResolve = [];
+
+    scopesToScan.forEach(function (scopeInfo) {
+        var refVars = extractRefVariables(scopeInfo.scope);
+
+        refVars.forEach(function (variable) {
+            variablesToResolve.push({
+                scopeName: scopeInfo.name,
+                scope: scopeInfo.scope,
+                variable: variable
+            });
+        });
+    });
+
+    if (variablesToResolve.length === 0) {
+        return callback();
+    }
+
+    async.each(variablesToResolve, function (item, next) {
+        var variable = item.variable,
+            ref = variable.ref,
+            resolved = false,
+            result;
+
+        /**
+         * Handle the resolved value and call next accordingly
+         *
+         * @param {Error} err - error
+         * @param {*} resolvedValue - resolved secret value
+         */
+        function handleResolution (err, resolvedValue) {
+            if (resolved) {
+                return;
+            }
+            resolved = true;
+
+            if (err) {
+                console.warn('Secret resolution failed for variable:', variable.key, err.message);
+
+                return next();
+            }
+
+            if (!_.isNil(resolvedValue)) {
+                if (typeof variable.set === 'function') {
+                    variable.set(resolvedValue);
+                }
+                else {
+                    variable.value = resolvedValue;
+                }
+            }
+
+            return next();
+        }
+
+        try {
+            result = secretResolver(ref, handleResolution);
+
+            if (result && typeof result.then === 'function') {
+                result
+                    .then(function (resolvedValue) {
+                        handleResolution(null, resolvedValue);
+                    })
+                    .catch(function (err) {
+                        handleResolution(err);
+                    });
+            }
+        }
+        catch (err) {
+            handleResolution(err);
+        }
+    }, function (err) {
+        callback(err);
+    });
+}
+
+module.exports = {
+    resolveSecrets,
+    extractRefVariables
+};