
ppl: handle unknown state (#28)
If the PPL block referenced values that were unknown, the provider still
tried to parse the PPL. Instead, it should return an unknown state as
well.
Similarly for null values.

Fixes https://linear.app/pomerium/issue/ENG-1936
wasaga authored Jan 24, 2025

1 parent 53f0835 commit 59e119d
Showing 3 changed files with 36 additions and 14 deletions.
28 changes: 18 additions & 10 deletions example/main.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
pomerium = {
source = "pomerium/pomerium"
version = "0.0.2"
version = "0.0.5"
}
}
}
@@ -50,22 +50,30 @@ resource "pomerium_settings" "settings" {

log_level = "info"
proxy_log_level = "info"
# tracing_provider = "jaeger"
# tracing_sample_rate = 1
# tracing_jaeger_collector_endpoint = "http://localhost:14268/api/traces"
# tracing_jaeger_agent_endpoint = "localhost:6831"

timeout_idle = "5m"
}

resource "pomerium_service_account" "test_sa" {
namespace_id = pomerium_namespace.test_namespace.id
name = "test-service-account"
}

resource "pomerium_policy" "test_policy" {
depends_on = [pomerium_service_account.test_sa]
name = "test-policy"
namespace_id = pomerium_namespace.test_namespace.id
ppl = <<EOF
- allow:
and:
- authenticated_user: true
EOF
ppl = yamlencode({
allow = {
and = [
{
user = {
is = pomerium_service_account.test_sa.id
}
}
]
}
})
}

resource "pomerium_route" "test_route" {
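Review bot: `depends_on = [pomerium_service_account.test_sa]` in the test_policy resource is now redundant, because the new `ppl` expression references `pomerium_service_account.test_sa.id` directly and Terraform derives the create-after ordering from that reference. Dropping the `depends_on` line leaves the dependency graph unchanged and keeps the example minimal, which matters since this file is what users copy. Whether the `depends_on` line is new in this commit or pre-existing cannot be told from the rendered hunk, but it is on the new side either way.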
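--- a/internal/provider/policy_types.go
+++ b/internal/provider/policy_types.go
@@ -11,6 +11,7 @@ import (
 "github.com/hashicorp/terraform-plugin-framework/diag"
 "github.com/hashicorp/terraform-plugin-framework/types/basetypes"
 "github.com/hashicorp/terraform-plugin-go/tftypes"
+"github.com/hashicorp/terraform-plugin-log/tflog"
 
 "github.com/pomerium/pomerium/pkg/policy/parser"
 )
@@ -42,7 +43,14 @@ func (p PolicyLanguageType) Equal(o attr.Type) bool {
 
 func (PolicyLanguageType) Parse(src basetypes.StringValue) (PolicyLanguage, error) {
 if src.IsNull() {
-return PolicyLanguage{}, nil
+return PolicyLanguage{
+StringValue: basetypes.NewStringNull(),
+}, nil
 }
+if src.IsUnknown() {
+return PolicyLanguage{
+StringValue: basetypes.NewStringUnknown(),
+}, nil
+}
 
 ppl, err := parser.New().ParseYAML(strings.NewReader(src.ValueString()))
@@ -61,13 +69,14 @@ func (PolicyLanguageType) Parse(src basetypes.StringValue) (PolicyLanguage, erro
 }
 
 func (PolicyLanguageType) ValueFromString(
-_ context.Context,
+ctx context.Context,
 in basetypes.StringValue,
 ) (basetypes.StringValuable, diag.Diagnostics) {
+tflog.Info(ctx, "PPL.ValueFromString", map[string]any{"in": in})
 var diag diag.Diagnostics
 v, err := PolicyLanguageType{}.Parse(in)
 if err != nil {
-diag.AddError("failed to parse PPL", err.Error()+">>"+in.ValueString()+"<<")
+diag.AddError("failed to parse PPL", err.Error())
 return nil, diag
 }
 return v, nil
@@ -77,6 +86,7 @@ func (p PolicyLanguageType) ValueFromTerraform(
 ctx context.Context,
 in tftypes.Value,
 ) (attr.Value, error) {
+tflog.Info(ctx, "PPL.ValueFromTerraform", map[string]any{"in": in})
 attrValue, err := p.StringType.ValueFromTerraform(ctx, in)
 if err != nil {
 return nil, err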
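Review bot: The `tflog.Info` calls added at the top of ValueFromString and ValueFromTerraform log the complete input value on every conversion, so ordinary plan and apply runs will write each policy's full PPL text into the provider log at Info level. If these are troubleshooting aids, `tflog.Debug(ctx, "PPL.ValueFromString", map[string]any{"in": in})` (and the same change for the ValueFromTerraform call) keeps them behind the debug log level, consistent with the hunk's own removal of the `>>"+in.ValueString()+"<<` suffix that used to copy the raw input into the error diagnostic. The new null and unknown guards in Parse correctly run before `ParseYAML`, which is the substantive fix. Both ValueFromString and ValueFromTerraform continue past the end of their hunks.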
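--- a/internal/provider/policy_types_test.go
+++ b/internal/provider/policy_types_test.go
@@ -35,7 +35,11 @@ func TestPolicyTypes(t *testing.T) {
 },
 "null": {
 in: tftypes.NewValue(tftypes.String, nil),
-expected: provider.PolicyLanguage{},
+expected: provider.PolicyLanguage{StringValue: basetypes.NewStringNull()},
 },
+"unknown": {
+in: tftypes.NewValue(tftypes.String, tftypes.UnknownValue),
+expected: provider.PolicyLanguage{StringValue: basetypes.NewStringUnknown()},
+},
 }
 for name, testCase := range testCases {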
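Review bot: The new "unknown" case pins the success path for an unknown input, but this hunk shows no table entry for a string that is not valid PPL, the branch where ValueFromString reports "failed to parse PPL". If no such case exists in the part of the table above this hunk, adding one alongside "null" and "unknown" would keep the error path covered by the same table-driven test. TestPolicyTypes continues outside the hunk, so the comparison the loop performs cannot be checked here.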
