add more tests for nested arrays and maps

Author: strantalis

service/pkg/config/complex_decode_test.go

@@ -0,0 +1,105 @@
+package config
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+// A nested service configuration with multiple tenants and lists of credentials.
+type tenantCfg struct {
+	Credential Secret   `mapstructure:"credential"`
+	Passwords  []Secret `mapstructure:"passwords"`
+}
+
+type svcCfgComplex struct {
+	ClientSecret Secret               `mapstructure:"client_secret"`
+	Tenants      map[string]tenantCfg `mapstructure:"tenants"`
+}
+
+func TestBindServiceConfig_NestedTenants_SecretsAndLists(t *testing.T) {
+	// Prepare env vars and a temp file for fromFile
+	t.Setenv("OPENTDF_TEST_CLIENT_SECRET", "client-secret")
+	t.Setenv("OPENTDF_TENANT_A_CRED", "tenant-a-cred")
+	t.Setenv("OPENTDF_PASS1", "p1")
+
+	dir := t.TempDir()
+	filePath := filepath.Join(dir, "pass.txt")
+	if err := os.WriteFile(filePath, []byte("from-file\n"), 0o600); err != nil {
+		t.Fatalf("write temp file: %v", err)
+	}
+
+	in := ServiceConfig{
+		"client_secret": "env:OPENTDF_TEST_CLIENT_SECRET",
+		"tenants": map[string]any{
+			"tenantA": map[string]any{
+				"credential": "env:OPENTDF_TENANT_A_CRED",
+				"passwords": []any{
+					"env:OPENTDF_PASS1",
+					"literal:abc",
+					map[string]any{"fromFile": filePath},
+				},
+			},
+			"tenantB": map[string]any{
+				"credential": "literal:credB",
+			},
+		},
+	}
+
+	var out svcCfgComplex
+	// Eagerly resolve to validate that nested secrets are materialized
+	if err := BindServiceConfig(context.Background(), in, &out, WithEagerSecretResolution()); err != nil {
+		t.Fatalf("bind: %v", err)
+	}
+
+	// Assert top-level secret
+	v, err := out.ClientSecret.Resolve(context.Background())
+	if err != nil || v != "client-secret" {
+		t.Fatalf("client_secret resolve: %v %q", err, v)
+	}
+
+	// Assert tenant map
+	tenantA, ok := out.Tenants["tenantA"]
+	if !ok {
+		t.Fatalf("expected tenant 'tenantA' present")
+	}
+	credA, err := tenantA.Credential.Resolve(context.Background())
+	if err != nil || credA != "tenant-a-cred" {
+		t.Fatalf("credential resolve: %v %q", err, credA)
+	}
+	if len(tenantA.Passwords) != 3 {
+		t.Fatalf("expected 3 passwords, got %d", len(tenantA.Passwords))
+	}
+	p0, _ := tenantA.Passwords[0].Resolve(context.Background())
+	p1, _ := tenantA.Passwords[1].Resolve(context.Background())
+	p2, _ := tenantA.Passwords[2].Resolve(context.Background())
+	if p0 != "p1" || p1 != "abc" || p2 != "from-file" {
+		t.Fatalf("passwords mismatch: %q, %q, %q", p0, p1, p2)
+	}
+
+	// Second tenant literal credential
+	tenantB, ok := out.Tenants["tenantB"]
+	if !ok {
+		t.Fatalf("expected tenant 'tenantB' present")
+	}
+	credB, err := tenantB.Credential.Resolve(context.Background())
+	if err != nil || credB != "credB" {
+		t.Fatalf("credential resolve (tenantB): %v %q", err, credB)
+	}
+}
+
+func TestBindServiceConfig_NestedTenants_EagerFailureOnMissingEnv(t *testing.T) {
+	in := ServiceConfig{
+		"tenants": map[string]any{
+			"tenantA": map[string]any{
+				// Missing env value should cause eager resolution to fail
+				"credential": "env:OPENTDF_TEST_MISSING_ENV_ABC123",
+			},
+		},
+	}
+	var out svcCfgComplex
+	if err := BindServiceConfig(context.Background(), in, &out, WithEagerSecretResolution()); err == nil {
+		t.Fatalf("expected bind failure on missing env in eager resolution")
+	}
+}

service/pkg/config/decode.go

@@ -42,15 +42,20 @@ func secretDecodeHook(from, to reflect.Type, data any) (any, error) {
 			return NewLiteralSecret(s), nil
 		}
 	case reflect.Map:
-		// Must be map[string]any
+		// Must be map[string]any (case-insensitive key handling)
 		m, okm := data.(map[string]any)
 		if !okm {
 			return nil, fmt.Errorf("invalid secret map type: %T", data)
 		}
-		if env, ok := m["fromEnv"].(string); ok && env != "" {
+		// Normalize keys to lowercase for robust matching (Viper may lowercase keys)
+		lower := make(map[string]any, len(m))
+		for k, v := range m {
+			lower[strings.ToLower(k)] = v
+		}
+		if env, ok := lower["fromenv"].(string); ok && env != "" {
 			return NewEnvSecret(env), nil
 		}
-		if file, ok2 := m["fromFile"].(string); ok2 && file != "" {
+		if file, ok2 := lower["fromfile"].(string); ok2 && file != "" {
 			return NewFileSecret(file), nil
 		}
 		// Future: support {"fromURI":"aws-secretsmanager://..."}

service/pkg/config/walk.go

@@ -25,17 +25,21 @@ func walkValue(rv reflect.Value, fn func(*Secret) error) error {
 		rv = rv.Elem()
 	}
 
-	//nolint:exhaustive // Only handling relevant kinds for Secret traversal
+	//nolint:exhaustive // We only need to traverse struct, map, slice, and array kinds for secrets
 	switch rv.Kind() {
 	case reflect.Struct:
 		rt := rv.Type()
 		// Handle Secret itself
 		if rt == reflect.TypeOf(Secret{}) {
 			if rv.CanAddr() {
-				s, ok := rv.Addr().Interface().(*Secret)
-				if ok {
+				if s, ok := rv.Addr().Interface().(*Secret); ok {
 					return fn(s)
 				}
+				return nil
+			}
+			// For non-addressable Secret values (e.g., map index), operate on a copy.
+			if s, ok := rv.Interface().(Secret); ok {
+				return fn(&s)
 			}
 			return nil
 		}

service/pkg/config/yaml_array_test.go

@@ -0,0 +1,98 @@
+package config
+
+import (
+	"bytes"
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/spf13/viper"
+)
+
+type arrayCfg struct {
+	Secrets []Secret `mapstructure:"secrets"`
+}
+
+type provider struct {
+	Name     string `mapstructure:"name"`
+	Password Secret `mapstructure:"password"`
+}
+
+type providersCfg struct {
+	Providers []provider `mapstructure:"providers"`
+}
+
+func TestBind_FromYAMLArray_SecretsSlice(t *testing.T) {
+	t.Setenv("OPENTDF_YAML_ARR", "arr-env")
+	dir := t.TempDir()
+	fp := filepath.Join(dir, "s.txt")
+	if err := os.WriteFile(fp, []byte("from-file\n"), 0o600); err != nil {
+		t.Fatalf("write: %v", err)
+	}
+
+	yaml := "" +
+		"secrets:\n" +
+		"  - \"env:OPENTDF_YAML_ARR\"\n" +
+		"  - { fromFile: \"" + fp + "\" }\n" +
+		"  - \"literal:abc\"\n"
+
+	v := viper.New()
+	v.SetConfigType("yaml")
+	if err := v.ReadConfig(bytes.NewBufferString(yaml)); err != nil {
+		t.Fatalf("read yaml: %v", err)
+	}
+
+	in := ServiceConfig{
+		"secrets": v.Get("secrets"),
+	}
+	var out arrayCfg
+	if err := BindServiceConfig(context.Background(), in, &out, WithEagerSecretResolution()); err != nil {
+		t.Fatalf("bind: %v", err)
+	}
+	if len(out.Secrets) != 3 {
+		t.Fatalf("expected 3 secrets, got %d", len(out.Secrets))
+	}
+	s0, _ := out.Secrets[0].Resolve(context.Background())
+	s1, _ := out.Secrets[1].Resolve(context.Background())
+	s2, _ := out.Secrets[2].Resolve(context.Background())
+	if s0 != "arr-env" || s1 != "from-file" || s2 != "abc" {
+		t.Fatalf("values mismatch: %q %q %q", s0, s1, s2)
+	}
+}
+
+func TestBind_FromYAMLArray_StructsWithSecretFields(t *testing.T) {
+	t.Setenv("OPENTDF_PROVIDER_B_PASS", "b-pass")
+
+	yaml := "" +
+		"providers:\n" +
+		"  - name: a\n" +
+		"    password: \"literal:alpha\"\n" +
+		"  - name: b\n" +
+		"    password: \"env:OPENTDF_PROVIDER_B_PASS\"\n"
+
+	v := viper.New()
+	v.SetConfigType("yaml")
+	if err := v.ReadConfig(bytes.NewBufferString(yaml)); err != nil {
+		t.Fatalf("read yaml: %v", err)
+	}
+
+	in := ServiceConfig{
+		"providers": v.Get("providers"),
+	}
+	var out providersCfg
+	if err := BindServiceConfig(context.Background(), in, &out, WithEagerSecretResolution()); err != nil {
+		t.Fatalf("bind: %v", err)
+	}
+	if len(out.Providers) != 2 {
+		t.Fatalf("expected 2 providers, got %d", len(out.Providers))
+	}
+	if out.Providers[0].Name != "a" || out.Providers[1].Name != "b" {
+		t.Fatalf("names mismatch: %q %q", out.Providers[0].Name, out.Providers[1].Name)
+	}
+	p0, _ := out.Providers[0].Password.Resolve(context.Background())
+	p1, _ := out.Providers[1].Password.Resolve(context.Background())
+	if p0 != "alpha" || p1 != "b-pass" {
+		t.Fatalf("passwords mismatch: %q %q", p0, p1)
+	}
+}