Merge pull request #440 from hashicorp/pselle/mark-objs

Mark objects with keys that are sensitive
2021-01-05 16:11:54 -05:00 · 2021-01-05 16:11:54 -05:00 · e0dbad0dba
commit e0dbad0dba
parent 29a3c5edf7 b6fc34e719
2 changed files with 44 additions and 34 deletions
--- a/hclsyntax/expression.go
+++ b/hclsyntax/expression.go
@ -788,6 +788,7 @@ func (e *ObjectConsExpr) walkChildNodes(w internalWalkFunc) {
 func (e *ObjectConsExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics) {
 	var vals map[string]cty.Value
 	var diags hcl.Diagnostics
 	var marks []cty.ValueMarks
 	// This will get set to true if we fail to produce any of our keys,
 	// either because they are actually unknown or if the evaluation produces
@ -825,18 +826,8 @@ func (e *ObjectConsExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics
 			continue
 		}
-		if key.IsMarked() {
+		key, keyMarks := key.Unmark()
-			diags = append(diags, &hcl.Diagnostic{
+		marks = append(marks, keyMarks)
 				Severity:    hcl.DiagError,
 				Summary:     "Marked value as key",
 				Detail:      "Can't use a marked value as a key.",
 				Subject:     item.ValueExpr.Range().Ptr(),
 				Expression:  item.KeyExpr,
 				EvalContext: ctx,
 			})
 			known = false
 			continue
 		}
 		var err error
 		key, err = convert.Convert(key, cty.String)
@ -867,7 +858,7 @@ func (e *ObjectConsExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics
 		return cty.DynamicVal, diags
 	}
-	return cty.ObjectVal(vals), diags
+	return cty.ObjectVal(vals).WithMarks(marks...), diags
 }
 func (e *ObjectConsExpr) Range() hcl.Range {
@ -997,6 +988,7 @@ type ForExpr struct {
 func (e *ForExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics) {
 	var diags hcl.Diagnostics
 	var marks []cty.ValueMarks
 	collVal, collDiags := e.CollExpr.Value(ctx)
 	diags = append(diags, collDiags...)
@ -1018,7 +1010,8 @@ func (e *ForExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics) {
 	}
 	// Unmark collection before checking for iterability, because marked
 	// values cannot be iterated
-	collVal, marks := collVal.Unmark()
+	collVal, collMarks := collVal.Unmark()
 	marks = append(marks, collMarks)
 	if !collVal.CanIterateElements() {
 		diags = append(diags, &hcl.Diagnostic{
 			Severity: hcl.DiagError,
@ -1198,18 +1191,8 @@ func (e *ForExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics) {
 				continue
 			}
-			if key.IsMarked() {
+			key, keyMarks := key.Unmark()
-				diags = append(diags, &hcl.Diagnostic{
+			marks = append(marks, keyMarks)
 					Severity:    hcl.DiagError,
 					Summary:     "Invalid object key",
 					Detail:      "Marked values cannot be used as object keys.",
 					Subject:     e.KeyExpr.Range().Ptr(),
 					Context:     &e.SrcRange,
 					Expression:  e.KeyExpr,
 					EvalContext: childCtx,
 				})
 				continue
 			}
 			val, valDiags := e.ValExpr.Value(childCtx)
 			diags = append(diags, valDiags...)
@ -1249,7 +1232,7 @@ func (e *ForExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics) {
 			}
 		}
-		return cty.ObjectVal(vals).WithMarks(marks), diags
+		return cty.ObjectVal(vals).WithMarks(marks...), diags
 	} else {
 		// Producing a tuple
@ -1335,7 +1318,7 @@ func (e *ForExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics) {
 			return cty.DynamicVal, diags
 		}
-		return cty.TupleVal(vals).WithMarks(marks), diags
+		return cty.TupleVal(vals).WithMarks(marks...), diags
 	}
 }
--- a/hclsyntax/expression_test.go
+++ b/hclsyntax/expression_test.go
@ -516,8 +516,11 @@ upper(
 					}),
 				},
 			},
-			cty.DynamicVal,
+			cty.ObjectVal(map[string]cty.Value{
-			1,
+				"hello":   cty.StringVal("world"),
 				"goodbye": cty.StringVal("earth"),
 			}).Mark("marked"),
 			0,
 		},
 		{
 			`{"${var.greeting}" = "world"}`,
@ -918,20 +921,44 @@ upper(
 			}),
 			0,
 		},
-		{ // Error when using marked value as object key
+		{
 			// Mark object if keys include marked values, members retain
 			// their original marks in their values
 			`{for v in things: v => "${v}-friend"}`,
 			&hcl.EvalContext{
 				Variables: map[string]cty.Value{
 					"things": cty.MapVal(map[string]cty.Value{
-						"a": cty.StringVal("rosie").Mark("sensitive"),
+						"a": cty.StringVal("rosie").Mark("marked"),
 						"b": cty.StringVal("robin"),
 						// Check for double-marking when a key val has a duplicate mark
 						"c": cty.StringVal("rowan").Mark("marked"),
 						"d": cty.StringVal("ruben").Mark("also-marked"),
 					}),
 				},
 			},
 			cty.ObjectVal(map[string]cty.Value{
 				"rosie": cty.StringVal("rosie-friend").Mark("marked"),
 				"robin": cty.StringVal("robin-friend"),
-			}),
+				"rowan": cty.StringVal("rowan-friend").Mark("marked"),
-			1,
+				"ruben": cty.StringVal("ruben-friend").Mark("also-marked"),
 			}).WithMarks(cty.NewValueMarks("marked", "also-marked")),
 			0,
 		},
 		{ // object itself is marked, contains marked value
 			`{for v in things: v => "${v}-friend"}`,
 			&hcl.EvalContext{
 				Variables: map[string]cty.Value{
 					"things": cty.MapVal(map[string]cty.Value{
 						"a": cty.StringVal("rosie").Mark("marked"),
 						"b": cty.StringVal("robin"),
 					}).Mark("marks"),
 				},
 			},
 			cty.ObjectVal(map[string]cty.Value{
 				"rosie": cty.StringVal("rosie-friend").Mark("marked"),
 				"robin": cty.StringVal("robin-friend"),
 			}).WithMarks(cty.NewValueMarks("marked", "marks")),
 			0,
 		},
 		{ // Sequence for loop with marked conditional expression
 			`[for x in things: x if x != secret]`,