Better handling of key_provider references (#1921)

Signed-off-by: Christian Mesh <christianmesh1@gmail.com>
2025-02-25 18:45:20 -06:00 · 2024-08-29 10:32:01 -04:00 · 2024-08-29 10:32:01 -04:00 · ffeded20a4
commit ffeded20a4
parent 2e4f76452b
2 changed files with 50 additions and 4 deletions
--- a/internal/encryption/keyprovider.go
+++ b/internal/encryption/keyprovider.go
@ -127,15 +127,27 @@ func (e *targetBuilder) setupKeyProvider(cfg config.KeyProviderConfig, stack []c
 			continue
 		}

-		// TODO this should be more defensive
+		// This will always be a TraverseRoot, panic is OK if that's not the case
 		depRoot := (dep[0].(hcl.TraverseRoot)).Name
-		depType := (dep[1].(hcl.TraverseAttr)).Name
-		depName := (dep[2].(hcl.TraverseAttr)).Name
-
 		if depRoot != "key_provider" {
 			nonKeyProviderDeps = append(nonKeyProviderDeps, dep)
 			continue
 		}
+		depTypeAttr, typeOk := dep[1].(hcl.TraverseAttr)
+		depNameAttr, nameOk := dep[2].(hcl.TraverseAttr)
+
+		if !typeOk || !nameOk {
+			diags = append(diags, &hcl.Diagnostic{
+				Severity: hcl.DiagError,
+				Summary:  "Invalid Key Provider expression format",
+				Detail:   "Expected key_provider.<type>.<name>",
+				Subject:  dep.SourceRange().Ptr(),
+			})
+			continue
+		}
+
+		depType := depTypeAttr.Name
+		depName := depNameAttr.Name

 		kpc, ok := e.cfg.GetKeyProvider(depType, depName)
 		if !ok {
--- a/internal/encryption/targets_test.go
+++ b/internal/encryption/targets_test.go
@ -131,6 +131,22 @@ func TestBaseEncryption_buildTargetMethods(t *testing.T) {
 				aesgcm.Is,
 			},
 		},
+		"key-from-complex-vars": {
+			rawConfig: `
+				key_provider "static" "basic" {
+					key = var.obj[0].key
+				}
+				method "aes_gcm" "example" {
+					keys = key_provider.static.basic
+				}
+				state {
+					method = method.aes_gcm.example
+				}
+			`,
+			wantMethods: []func(method.Method) bool{
+				aesgcm.Is,
+			},
+		},
 		"undefined-key-from-vars": {
 			rawConfig: `
 				key_provider "static" "basic" {
@ -145,6 +161,20 @@ func TestBaseEncryption_buildTargetMethods(t *testing.T) {
 			`,
 			wantErr: "Test Config Source:3,12-28: Undefined variable; Undefined variable var.undefinedkey",
 		},
+		"bad-keyprovider-format": {
+			rawConfig: `
+				key_provider "static" "basic" {
+					key = key_provider.static[0]
+				}
+				method "aes_gcm" "example" {
+					keys = key_provider.static.basic
+				}
+				state {
+					method = method.aes_gcm.example
+				}
+			`,
+			wantErr: "Test Config Source:3,12-34: Invalid Key Provider expression format; Expected key_provider.<type>.<name>",
+		},
 	}

 	reg := lockingencryptionregistry.New()
@ -165,6 +195,10 @@ func TestBaseEncryption_buildTargetMethods(t *testing.T) {
 				Default: cty.StringVal("6f6f706830656f67686f6834616872756f3751756165686565796f6f72653169"),
 				Type:    cty.String,
 			},
+			"obj": {
+				Name:    "obj",
+				Default: cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"key": cty.StringVal("6f6f706830656f67686f6834616872756f3751756165686565796f6f72653169")})}),
+			},
 		},
 	}