Merge pull request #778 from ystia/feature/GH-777_nested_tosca_functi…

…ons_in_get_secret Support nested tosca functions in get_secret
ystia · Feb 3, 2022 · 5fc4019 · 5fc4019
2 parents d64fcd8 + 57d8eef
commit 5fc4019
Show file tree

Hide file tree

Showing 17 changed files with 46 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 
 ### FEATURES
 
+* Support nested TOSCA functions in get_secret (added a get_vault_secret function) ([GH-777](https://github.com/ystia/yorc/issues/777))
 * Allow to replay workflow steps even if they are not in error ([GH-771](https://github.com/ystia/yorc/issues/771))
 * Workflows steps replays on error ([GH-753](https://github.com/ystia/yorc/issues/753))
 

diff --git a/commands/bootstrap/tosca_resources.go b/commands/bootstrap/tosca_resources.go
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+//go:build !testing
 // +build !testing
 
 package bootstrap

diff --git a/commands/bootstrap/tosca_resources_testing.go b/commands/bootstrap/tosca_resources_testing.go
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+//go:build testing
 // +build testing
 
 package bootstrap

diff --git a/deployments/resolver_test.go b/deployments/resolver_test.go
@@ -278,6 +278,15 @@ func testResolveSecret(t *testing.T) {
 		{"ResolvePropWithVault", data{"JDK", "", ""}, &vaultClientMock{"/secrets/myapp/javahome", "mysupersecret", []string{"java_opt1=1", "java_opt2=2"}}, func(data data) (*TOSCAValue, error) {
 			return GetNodePropertyValue(ctx, deploymentID, data.nodeName, "java_home")
 		}, false, true, "mysupersecret"},
+		{"ResolvePropWithVaultAndNestedFn1", data{"JDK", "", ""}, &vaultClientMock{"/secrets/myapp/javahome", "mysupersecret", []string{"java_opt1=1", "java_opt2=2"}}, func(data data) (*TOSCAValue, error) {
+			return GetNodePropertyValue(ctx, deploymentID, data.nodeName, "java_home2")
+		}, false, true, "mysupersecret"},
+		{"ResolvePropWithVaultAndNestedFn2", data{"JDK", "", ""}, &vaultClientMock{"/secrets/myapp/javahome", "mysupersecret", []string{"java_opt1=1", "java_opt2=2"}}, func(data data) (*TOSCAValue, error) {
+			return GetNodePropertyValue(ctx, deploymentID, data.nodeName, "java_home3")
+		}, false, true, "mysupersecret"},
+		{"ResolvePropWithVaultAndNestedFn3", data{"JDK", "", ""}, &vaultClientMock{"/secrets/myapp/javahome", "mysupersecret", []string{"java_opt1=1", "java_opt2=2"}}, func(data data) (*TOSCAValue, error) {
+			return GetNodePropertyValue(ctx, deploymentID, data.nodeName, "java_home4")
+		}, false, true, "mysupersecret"},
 		{"ResolveCapabilityPropWithoutVault", data{"Tomcat", "", ""}, &vaultClientMock{"/secrets/myapp/tomcatport", "443", []string{"tom_opt1=1", "tom_opt2=2"}}, func(data data) (*TOSCAValue, error) {
 			return GetCapabilityPropertyValue(ctx, deploymentID, data.nodeName, "data_endpoint", "port")
 		}, false, true, "443"},

diff --git a/deployments/testdata/get_secrets.yaml b/deployments/testdata/get_secrets.yaml
@@ -15,6 +15,13 @@ topology_template:
       properties:
         java_url: "https://edelivery.oracle.com/otn-pub/java/jdk/8u131-b11/d54c1d3a095b4ff2b6607d096fa80163/jdk-8u131-linux-x64.tar.gz"
         java_home: { get_secret: ["/secrets/myapp/javahome", java_opt1=1, java_opt2=2]}
+        java_home2: { get_vault_secret: [ concat: ["/secrets", "/myapp", "/javahome"], java_opt1=1, java_opt2=2]}
+        java_home3: { get_secret: [ concat: ["/secrets", "/myapp", "/javahome"], java_opt1=1, java_opt2=2]}
+        java_home4:
+          get_vault_secret:
+            - concat: ["/secrets", "/myapp", "/javahome"]
+            - java_opt1=1
+            - java_opt2=2
         component_version: "8.101"
       requirements:
         - host:

diff --git a/deployments/update_store_oss_test.go b/deployments/update_store_oss_test.go
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+//go:build !premium
 // +build !premium
 
 package deployments

diff --git a/helper/executil/cmd_kill_group.go b/helper/executil/cmd_kill_group.go
@@ -12,7 +12,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-//+build !windows
+//go:build !windows
+// +build !windows
 
 package executil
 

diff --git a/helper/executil/cmd_standard.go b/helper/executil/cmd_standard.go
@@ -1,4 +1,5 @@
-//+build windows
+//go:build windows
+// +build windows
 
 package executil
 

diff --git a/prov/ansible/scripts_output_handler_oss.go b/prov/ansible/scripts_output_handler_oss.go
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+//go:build !premium
 // +build !premium
 
 package ansible

diff --git a/rest/deployments_oss_test.go b/rest/deployments_oss_test.go
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+//go:build !premium
 // +build !premium
 
 package rest

diff --git a/rest/updates_oss.go b/rest/updates_oss.go
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+//go:build !premium
 // +build !premium
 
 package rest

diff --git a/server/builtin_types.go b/server/builtin_types.go
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+//go:build !testing
 // +build !testing
 
 package server

diff --git a/server/builtin_types_testing.go b/server/builtin_types_testing.go
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+//go:build testing
 // +build testing
 
 package server

diff --git a/tasks/workflow/worker_oss.go b/tasks/workflow/worker_oss.go
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+//go:build !premium
 // +build !premium
 
 package workflow

diff --git a/tools.go b/tools.go
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+//go:build tools
 // +build tools
 
 package main

diff --git a/tosca/tosca_functions.go b/tosca/tosca_functions.go
@@ -17,10 +17,10 @@ package tosca
 import (
 	"bytes"
 	"fmt"
-	"gopkg.in/yaml.v2"
 	"strconv"
 
 	"github.com/pkg/errors"
+	"gopkg.in/yaml.v2"
 
 	"github.com/ystia/yorc/v4/log"
 )
@@ -47,14 +47,17 @@ const (
 	GetSecretOperator Operator = "get_secret"
 )
 
+const getVaultSecretOperator = "get_vault_secret"
+
 // IsOperator checks if a given token is a known TOSCA function keyword
 func IsOperator(op string) bool {
 	return op == string(GetPropertyOperator) ||
 		op == string(GetAttributeOperator) ||
 		op == string(GetInputOperator) ||
 		op == string(GetOperationOutputOperator) ||
 		op == string(ConcatOperator) ||
-		op == string(GetSecretOperator)
+		op == string(GetSecretOperator) ||
+		op == getVaultSecretOperator
 }
 
 func parseOperator(op string) (Operator, error) {
@@ -69,7 +72,7 @@ func parseOperator(op string) (Operator, error) {
 		return GetOperationOutputOperator, nil
 	case op == string(ConcatOperator):
 		return ConcatOperator, nil
-	case op == string(GetSecretOperator):
+	case op == string(GetSecretOperator), op == getVaultSecretOperator:
 		return GetSecretOperator, nil
 	default:
 		return GetPropertyOperator, errors.Errorf("%q is not a known or supported TOSCA operator", op)
@@ -118,7 +121,7 @@ func (f Function) String() string {
 	var b bytes.Buffer
 	b.WriteString(string(f.Operator))
 	b.WriteString(": ")
-	if len(f.Operands) == 1 {
+	if len(f.Operands) == 1 && f.Operands[0].IsLiteral() {
 		// Shortcut
 		b.WriteString(f.Operands[0].String())
 		return b.String()

diff --git a/tosca/tosca_functions_test.go b/tosca/tosca_functions_test.go
@@ -16,6 +16,7 @@ package tosca
 
 import (
 	"reflect"
+	"strings"
 	"testing"
 
 	yaml "gopkg.in/yaml.v2"
@@ -41,6 +42,8 @@ func TestFunctionParsing(t *testing.T) {
 		{"TestConcatFunction", inputs{yml: "concat: [get_property: [SELF, ip_address], get_attribute: [SELF, port]]"}, false},
 		{"TestGetInputFunction", inputs{yml: "get_input: ip_address"}, false},
 		{"TestConcatFunctionQuoting", inputs{yml: `concat: ["http://", get_property: [SELF, ip_address], get_attribute: [SELF, port], "\"ff\""]`}, false},
+		{"TestComplexNestedFunctions", inputs{yml: `get_secret: [concat: [/secrets/data/credentials/, get_input: user_name]]`}, false},
+		{"TestComplexNestedFunctions2", inputs{yml: `get_vault_secret: [concat: [/secrets/data/credentials/, get_input: user_name]]`}, false},
 	}
 
 	for _, tt := range tests {
@@ -52,8 +55,11 @@ func TestFunctionParsing(t *testing.T) {
 				return
 			}
 			if err == nil {
-				if resultFn.String() != tt.inputs.yml {
-					t.Errorf("Function.Unmarshal() expecting = %v, got %v", tt.inputs.yml, resultFn)
+				expecting := tt.inputs.yml
+				// get_vault_secret is an alias to get_secret
+				expecting = strings.Replace(expecting, "get_vault_secret", "get_secret", -1)
+				if resultFn.String() != expecting {
+					t.Errorf("Function.Unmarshal() expecting = %v, got %v", expecting, resultFn)
 				}
 			}
 		})