cli: add local secrets override functionality

wilfriedago · Nov 4, 2022 · 6d81be4 · 6d81be4
1 parent d172ad9
commit 6d81be4
Show file tree

Hide file tree

Showing 6 changed files with 122 additions and 17 deletions.
diff --git a/cli/daemon/run/run.go b/cli/daemon/run/run.go
@@ -337,7 +337,7 @@ func (r *Run) buildAndStart(ctx context.Context, tracker *optracker.OpTracker) e
 			if r.App.PlatformID() == "" {
 				return fmt.Errorf("the app defines secrets, but is not yet linked to encore.dev; link it with `encore app link` to use secrets")
 			}
-			data, err := r.mgr.Secret.Get(ctx, r.App.PlatformID())
+			data, err := r.mgr.Secret.Get(ctx, r.App, expSet)
 			if err != nil {
 				return err
 			}

diff --git a/cli/daemon/run/tests.go b/cli/daemon/run/tests.go
@@ -100,14 +100,16 @@ type TestParams struct {
 
 // Test runs the tests.
 func (mgr *Manager) Test(ctx context.Context, params TestParams) (err error) {
-	var secrets map[string]string
-	if pid := params.App.PlatformID(); pid != "" {
-		data, err := mgr.Secret.Get(ctx, pid)
-		if err != nil {
-			return err
-		}
-		secrets = data.Values
+	expSet, err := params.App.Experiments(params.Environ)
+	if err != nil {
+		return err
+	}
+
+	secretData, err := mgr.Secret.Get(ctx, params.App, expSet)
+	if err != nil {
+		return err
 	}
+	secrets := secretData.Values
 
 	var (
 		sqlServers []*config.SQLServer
@@ -159,11 +161,6 @@ func (mgr *Manager) Test(ctx context.Context, params TestParams) (err error) {
 		return err
 	}
 
-	experiments, err := params.App.Experiments(params.Environ)
-	if err != nil {
-		return err
-	}
-
 	cfg := &compiler.Config{
 		Parse:                 params.Parse,
 		Revision:              params.Parse.Meta.AppRevision,
@@ -174,7 +171,7 @@ func (mgr *Manager) Test(ctx context.Context, params TestParams) (err error) {
 		EncoreRuntimePath:     env.EncoreRuntimePath(),
 		EncoreGoRoot:          env.EncoreGoRoot(),
 		BuildTags:             []string{"encore_local", "encore_no_gcp", "encore_no_aws", "encore_no_azure"},
-		Experiments:           experiments,
+		Experiments:           expSet,
 		Meta: &cueutil.Meta{
 			APIBaseURL: apiBaseURL,
 			EnvName:    "local",

diff --git a/cli/daemon/secret/secret.go b/cli/daemon/secret/secret.go
@@ -2,6 +2,7 @@
 package secret
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -10,10 +11,15 @@ import (
 	"sync"
 	"time"
 
+	"cuelang.org/go/cue"
+	"cuelang.org/go/cue/cuecontext"
+	"cuelang.org/go/cue/load"
 	"github.com/rs/zerolog/log"
 	"golang.org/x/sync/singleflight"
 
+	"encr.dev/cli/daemon/apps"
 	"encr.dev/cli/internal/platform"
+	"encr.dev/internal/experiments"
 )
 
 // New returns a new manager.
@@ -32,16 +38,29 @@ type Manager struct {
 
 // Data is a snapshot of an Encore app's development secret values.
 type Data struct {
-	// Synced is when the values were last synced.
+	// Synced is when the values were last synced,
+	// or the zero value if no sync has taken place.
 	Synced time.Time
 	// Values is a key-value map of defined secrets.
 	Values map[string]string
 }
 
 // Get gets the secrets for the given app.
-func (f *Manager) Get(ctx context.Context, appSlug string) (*Data, error) {
+func (f *Manager) Get(ctx context.Context, app *apps.Instance, expSet *experiments.Set) (data *Data, err error) {
 	f.pollOnce.Do(f.startPolling)
 
+	defer func() {
+		if err == nil && experiments.LocalSecretsOverride.Enabled(expSet) {
+			// Return a new data object so we don't write the overrides to the cache.
+			data, err = f.applyLocalOverrides(app, data)
+		}
+	}()
+
+	appSlug := app.PlatformID()
+	if appSlug == "" {
+		return &Data{}, nil
+	}
+
 	// Do we have the secrets in our cache?
 	f.mu.Lock()
 	data, ok := f.cache[appSlug]
@@ -201,3 +220,55 @@ func (f *Manager) secretsPath(appSlug string) (string, error) {
 	}
 	return filepath.Join(dir, "encore", "secrets", appSlug+".json"), nil
 }
+
+// applyLocalOverrides parses the local secrets override file, if any,
+// and returns a new Data object with the overrides applied.
+//
+// If there are no overrides src is returned directly.
+// The original src data object is never modified.
+func (f *Manager) applyLocalOverrides(app *apps.Instance, src *Data) (*Data, error) {
+	const name = ".secrets.local.cue"
+	data, err := os.ReadFile(filepath.Join(app.Root(), name))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return src, nil
+		}
+		return nil, err
+	}
+
+	updated := &Data{
+		Synced: src.Synced,
+		Values: make(map[string]string, len(src.Values)),
+	}
+	for k, v := range src.Values {
+		updated.Values[k] = v
+	}
+
+	ctx := cuecontext.New()
+	loadCfg := &load.Config{
+		Stdin: bytes.NewReader(data),
+	}
+
+	inst := load.Instances([]string{"-"}, loadCfg)[0]
+	if inst.Err != nil {
+		return nil, fmt.Errorf("parse local secrets: %v", inst.Err)
+	}
+	secrets := ctx.BuildInstance(inst)
+	if err := secrets.Err(); err != nil {
+		return nil, fmt.Errorf("parse local secrets: %v", err)
+	}
+
+	it, err := secrets.Fields(cue.Hidden(false), cue.Concrete(true))
+	if err != nil {
+		return nil, fmt.Errorf("parse local secrets: %v", err)
+	}
+	for it.Next() {
+		key := it.Selector().String()
+		val, err := it.Value().String()
+		if err != nil {
+			return nil, fmt.Errorf("parse local secrets: secret key %s is not a string", key)
+		}
+		updated.Values[key] = val
+	}
+	return updated, nil
+}
diff --git a/e2e-tests/app_test.go b/e2e-tests/app_test.go
@@ -74,6 +74,10 @@ func RunApp(c testing.TB, appRoot string, logger RunLogger, env []string) *RunAp
 	expSet, err := experiments.NewSet(nil, env)
 	assertNil(err)
 
+	secrets := secret.New()
+	secretData, err := secrets.Get(ctx, app, expSet)
+	assertNil(err)
+
 	p, err := run.StartProc(&StartProcParams{
 		Ctx:            ctx,
 		BuildDir:       build.Dir,
@@ -87,6 +91,7 @@ func RunApp(c testing.TB, appRoot string, logger RunLogger, env []string) *RunAp
 		Redis:          redisSrv,
 		ServiceConfigs: build.Configs,
 		Experiments:    expSet,
+		Secrets:        secretData.Values,
 	})
 	assertNil(err)
 	c.Cleanup(p.Close)

diff --git a/e2e-tests/testdata/testscript/experiment_local_secrets_override.txtar b/e2e-tests/testdata/testscript/experiment_local_secrets_override.txtar
@@ -0,0 +1,25 @@
+env ENCORE_EXPERIMENT=local-secrets-override
+run
+call GET /svc.GetFoo
+checkresp '{"Data": "bar"}'
+
+-- svc/svc.go --
+package svc
+
+import "context"
+
+type Resp struct {
+	Data string
+}
+
+var secrets struct {
+	Foo string
+}
+
+//encore:api public
+func GetFoo(ctx context.Context) (*Resp, error) {
+	return &Resp{Data: secrets.Foo}, nil
+}
+
+-- .secrets.local.cue --
+Foo: "bar"
diff --git a/internal/experiments/experiment.go b/internal/experiments/experiment.go
@@ -12,11 +12,18 @@ const envName = "ENCORE_EXPERIMENT"
 type Name string
 
 const (
-/* Current experiments are listed here */
+	/* Current experiments are listed here */
+
+	// LocalSecretsOverride is an experiment to allow for secrets
+	// to be overridden with values from a ".secrets.local" file.
+	LocalSecretsOverride Name = "local-secrets-override"
 )
 
+// Valid reports whether the given name is a known experiment.
 func (x Name) Valid() bool {
 	switch x {
+	case LocalSecretsOverride:
+		return true
 	default:
 		return false
 	}