Fix update of sensitive variables (#345)

Author: leg100

e2e/variables_test.go

@@ -131,6 +131,19 @@ output "foo" {
 			screenshot(t),
 			// confirm value is hidden (because it is sensitive)
 			matchText(t, `//table[@class='variables']/tbody/tr/td[2]`, "hidden"),
+			// edit variable again
+			chromedp.Click(`//a[text()='foo']`, chromedp.NodeVisible),
+			screenshot(t),
+			// update value
+			chromedp.Focus("textarea#value", chromedp.NodeVisible),
+			input.InsertText("topsecret"),
+			screenshot(t),
+			// submit form
+			chromedp.Click(`//button[text()='Save variable']`, chromedp.NodeVisible),
+			screenshot(t),
+			// confirm variable updated
+			matchText(t, ".flash-success", "updated variable: foo"),
+			screenshot(t),
 			// delete variable
 			chromedp.Click(`//button[text()='Delete']`, chromedp.NodeVisible),
 			screenshot(t),

variable/test_helpers.go

@@ -19,6 +19,10 @@ type fakeService struct {
 	Service
 }
 
+func (f *fakeService) GetVariable(ctx context.Context, variableID string) (*Variable, error) {
+	return f.variable, nil
+}
+
 func (f *fakeService) UpdateVariable(ctx context.Context, variableID string, opts UpdateVariableOptions) (*Variable, error) {
 	if err := f.variable.Update(opts); err != nil {
 		return nil, err

variable/variable.go

@@ -154,7 +154,7 @@ func (v *Variable) Update(opts UpdateVariableOptions) error {
 	}
 	if opts.HCL != nil {
 		if v.Sensitive {
-			return errors.New("toggling HCL mode on a sensitive variable is not allowed")
+			return errors.New("changing HCL mode on a sensitive variable is not allowed")
 		}
 		v.HCL = *opts.HCL
 	}

variable/variable_test.go

@@ -10,6 +10,111 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func TestUpdateVariable(t *testing.T) {
+	tests := []struct {
+		name   string
+		opts   UpdateVariableOptions
+		before Variable
+		after  Variable
+		err    bool // want error
+	}{
+		{
+			name: "no change",
+			opts: UpdateVariableOptions{},
+			before: Variable{
+				Key:      "foo",
+				Value:    "bar",
+				Category: CategoryTerraform,
+			},
+			after: Variable{
+				Key:      "foo",
+				Value:    "bar",
+				Category: CategoryTerraform,
+			},
+		},
+		{
+			name: "key",
+			opts: UpdateVariableOptions{Key: otf.String("teddy")},
+			before: Variable{
+				Key:      "foo",
+				Value:    "bar",
+				Category: CategoryTerraform,
+			},
+			after: Variable{
+				Key:      "teddy",
+				Value:    "bar",
+				Category: CategoryTerraform,
+			},
+		},
+		{
+			name: "value",
+			opts: UpdateVariableOptions{Value: otf.String("baz")},
+			before: Variable{
+				Key:      "foo",
+				Value:    "bar",
+				Category: CategoryTerraform,
+			},
+			after: Variable{
+				Key:      "foo",
+				Value:    "baz",
+				Category: CategoryTerraform,
+			},
+		},
+		{
+			name: "non-sensitive to sensitive",
+			opts: UpdateVariableOptions{Sensitive: otf.Bool(true)},
+			before: Variable{
+				Key:      "foo",
+				Value:    "bar",
+				Category: CategoryTerraform,
+			},
+			after: Variable{
+				Key:       "foo",
+				Value:     "bar",
+				Category:  CategoryTerraform,
+				Sensitive: true,
+			},
+		},
+		{
+			name: "non-hcl to hcl",
+			opts: UpdateVariableOptions{HCL: otf.Bool(true)},
+			before: Variable{
+				Key:      "foo",
+				Value:    "bar",
+				Category: CategoryTerraform,
+			},
+			after: Variable{
+				Key:      "foo",
+				Value:    "bar",
+				Category: CategoryTerraform,
+				HCL:      true,
+			},
+		},
+		{
+			name: "sensitive to non-sensitive",
+			opts: UpdateVariableOptions{Sensitive: otf.Bool(false)},
+			before: Variable{
+				Key:       "foo",
+				Value:     "bar",
+				Category:  CategoryTerraform,
+				Sensitive: true,
+			},
+			err: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.before
+			err := got.Update(tt.opts)
+			if tt.err {
+				assert.Error(t, err)
+			} else {
+				assert.Equal(t, tt.after, got)
+			}
+		})
+	}
+}
+
 func TestWriteTerraformVariables(t *testing.T) {
 	dir := t.TempDir()
 

variable/web.go

@@ -56,7 +56,7 @@ func (h *web) new(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *web) create(w http.ResponseWriter, r *http.Request) {
-	type parameters struct {
+	var params struct {
 		Key         *string `schema:"key,required"`
 		Value       *string
 		Description *string
@@ -65,7 +65,6 @@ func (h *web) create(w http.ResponseWriter, r *http.Request) {
 		HCL         bool
 		WorkspaceID string `schema:"workspace_id,required"`
 	}
-	var params parameters
 	if err := decode.All(&params, r); err != nil {
 		html.Error(w, err.Error(), http.StatusUnprocessableEntity)
 		return
@@ -147,36 +146,63 @@ func (h *web) edit(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *web) update(w http.ResponseWriter, r *http.Request) {
-	type parameters struct {
-		Key         *string `schema:"key,required"`
+	variableID, err := decode.Param("variable_id", r)
+	if err != nil {
+		html.Error(w, err.Error(), http.StatusUnprocessableEntity)
+		return
+	}
+
+	variable, err := h.svc.GetVariable(r.Context(), variableID)
+	if err != nil {
+		html.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	// Handle updates to sensitive variables in a separate handler.
+	if variable.Sensitive {
+		h.updateSensitive(w, r, variable)
+		return
+	}
+
+	var params struct {
+		Key         *string
 		Value       *string
 		Description *string
-		Category    *VariableCategory `schema:"category,required"`
-		Sensitive   bool
-		HCL         bool
-		VariableID  string `schema:"variable_id,required"`
+		Category    *VariableCategory
+		Sensitive   *bool // form checkbox can only be true/false, not nil
+		HCL         *bool // form checkbox can only be true/false, not nil
 	}
-	var params parameters
 	if err := decode.All(&params, r); err != nil {
 		html.Error(w, err.Error(), http.StatusUnprocessableEntity)
 		return
 	}
 
-	// sensitive variable's value form field is deliberately empty, so avoid
-	// updating value with empty string (this does mean users cannot set
-	// a sensitive variable's value to an empty string but there unlikely to be
-	// a valid reason to want to do that...)
-	if params.Sensitive && params.Value != nil && *params.Value == "" {
-		params.Value = nil
-	}
-
-	variable, err := h.svc.UpdateVariable(r.Context(), params.VariableID, UpdateVariableOptions{
+	variable, err = h.svc.UpdateVariable(r.Context(), variableID, UpdateVariableOptions{
 		Key:         params.Key,
 		Value:       params.Value,
 		Description: params.Description,
 		Category:    params.Category,
-		Sensitive:   &params.Sensitive,
-		HCL:         &params.HCL,
+		Sensitive:   params.Sensitive,
+		HCL:         params.HCL,
+	})
+	if err != nil {
+		html.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	html.FlashSuccess(w, "updated variable: "+variable.Key)
+	http.Redirect(w, r, paths.Variables(variable.WorkspaceID), http.StatusFound)
+}
+
+func (h *web) updateSensitive(w http.ResponseWriter, r *http.Request, variable *Variable) {
+	value, err := decode.Param("value", r)
+	if err != nil {
+		html.Error(w, err.Error(), http.StatusUnprocessableEntity)
+		return
+	}
+
+	variable, err = h.svc.UpdateVariable(r.Context(), variable.ID, UpdateVariableOptions{
+		Value: otf.String(value),
 	})
 	if err != nil {
 		html.Error(w, err.Error(), http.StatusInternalServerError)

variable/web_test.go

@@ -17,7 +17,7 @@ func TestVariable_Update(t *testing.T) {
 	tests := []struct {
 		name     string
 		existing CreateVariableOptions
-		form     url.Values
+		updated  url.Values
 		want     func(t *testing.T, got *Variable)
 	}{
 		{
@@ -27,7 +27,7 @@ func TestVariable_Update(t *testing.T) {
 				Value:    otf.String("bar"),
 				Category: VariableCategoryPtr(CategoryTerraform),
 			},
-			form: url.Values{
+			updated: url.Values{
 				"key":       {"new-key"},
 				"value":     {"new-value"},
 				"category":  {"env"},
@@ -43,21 +43,18 @@ func TestVariable_Update(t *testing.T) {
 			},
 		},
 		{
-			name: "skip sensitive variable empty value",
+			name: "update sensitive value",
 			existing: CreateVariableOptions{
-				Key:      otf.String("foo"),
-				Value:    otf.String("bar"),
-				Category: VariableCategoryPtr(CategoryTerraform),
+				Key:       otf.String("foo"),
+				Value:     otf.String("topsecret"),
+				Category:  VariableCategoryPtr(CategoryTerraform),
+				Sensitive: otf.Bool(true),
 			},
-			form: url.Values{
-				"key":       {"foo"},
-				"value":     {""},
-				"sensitive": {"on"},
-				"category":  {"terraform"},
+			updated: url.Values{
+				"value": {"evenmoretopsecret"},
 			},
 			want: func(t *testing.T, got *Variable) {
-				// should get original value
-				assert.Equal(t, "bar", got.Value)
+				assert.Equal(t, "evenmoretopsecret", got.Value)
 			},
 		},
 	}
@@ -66,13 +63,13 @@ func TestVariable_Update(t *testing.T) {
 			// create existing variable for test to update
 			v := NewTestVariable(t, "ws-123", tt.existing)
 
-			r := httptest.NewRequest("POST", "/?variable_id="+v.ID, strings.NewReader(tt.form.Encode()))
+			r := httptest.NewRequest("POST", "/?variable_id="+v.ID, strings.NewReader(tt.updated.Encode()))
 			r.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 			w := httptest.NewRecorder()
 
 			fakeHTMLApp(t, v).update(w, r)
 
-			if assert.Equal(t, 302, w.Code) {
+			if assert.Equal(t, 302, w.Code, "got body: %s", w.Body.String()) {
 				redirect, err := w.Result().Location()
 				require.NoError(t, err)
 				assert.Equal(t, paths.Variables(v.WorkspaceID), redirect.Path)