fix: passing secret as sensitive config (#6006)

pkg/expressions/generic.go

@@ -212,11 +212,6 @@ func resolve(v reflect.Value, t tagData, m []Machine, force bool, finalize bool)
 				vv, _ = expr2.Static().StringValue()
 			} else {
 				vv = expr.Template()
-				if t.value == "template" && !IsTemplateStringWithoutExpressions(str) {
-					if IsTemplateStringWithInternalFnCall(vv) {
-						vv = CleanTemplateStringInternalFnCall(vv)
-					}
-				}
 			}
 			changed = vv != str
 			if ptr.Kind() == reflect.String {

pkg/expressions/parse.go

@@ -255,11 +255,3 @@ func CompileAndResolveTemplate(tpl string, m ...Machine) (Expression, error) {
 func IsTemplateStringWithoutExpressions(tpl string) bool {
 	return !strings.Contains(tpl, "{{")
 }
-
-func IsTemplateStringWithInternalFnCall(tpl string) bool {
-	return strings.Contains(tpl, "{{\"{{\"}}"+InternalFnCall)
-}
-
-func CleanTemplateStringInternalFnCall(tpl string) string {
-	return strings.ReplaceAll(tpl, "{{\"{{\"}}"+InternalFnCall, "{{")
-}

pkg/expressions/stdlib.go

@@ -17,8 +17,7 @@ import (
 )
 
 const (
-	RFC3339Millis  = "2006-01-02T15:04:05.000Z07:00"
-	InternalFnCall = "__internal__fn__call__"
+	RFC3339Millis = "2006-01-02T15:04:05.000Z07:00"
 )
 
 type StdFunction struct {

pkg/testworkflows/testworkflowprocessor/processor.go

@@ -166,7 +166,7 @@ func (p *processor) Bundle(ctx context.Context, workflow *testworkflowsv1.TestWo
 	secrets := append(layer.Secrets(), options.Secrets...)
 	for i := range secrets {
 		AnnotateControlledBy(&secrets[i], options.Config.Resource.RootId, options.Config.Resource.Id)
-		err = expressions.FinalizeForce(&secrets[i], machines...)
+		err = expressions.SimplifyForce(&secrets[i], machines...)
 		if err != nil {
 			return nil, errors.Wrap(err, "finalizing Secret")
 		}

pkg/testworkflows/testworkflowprocessor/secretmachine.go

@@ -48,8 +48,8 @@ func createSecretMachine(mapEnvs map[string]corev1.EnvVarSource) expressions.Mac
 					Key: keyName,
 				},
 			}
-
-			return expressions.NewValue(fmt.Sprintf("{{%senv.%s}}", expressions.InternalFnCall, envName)), true, nil
+			v, err := expressions.Compile("env." + envName)
+			return v, true, err
 		})
 
 }

pkg/testworkflows/testworkflowprocessor/secretmachine_test.go

@@ -12,7 +12,9 @@ import (
 func TestSecret(t *testing.T) {
 	mapEnvs := make(map[string]corev1.EnvVarSource)
 	machine := createSecretMachine(mapEnvs)
-	assert.Equal(t, "{{"+expressions.InternalFnCall+"env.name_0_one_1_two_K_key_0_three_1_four}}", expressions.MustCall(machine, "secret", "name-one.two", "key-three.four"))
+	call, err := expressions.CompileAndResolve(`secret("name-one.two", "key-three.four")`, machine)
+	assert.NoError(t, err)
+	assert.Equal(t, "env.name_0_one_1_two_K_key_0_three_1_four", call.String())
 	assert.EqualValues(t, map[string]corev1.EnvVarSource{
 		"_02S_name_0_one_1_two_K_key_0_three_1_four": {
 			SecretKeyRef: &corev1.SecretKeySelector{
@@ -28,7 +30,9 @@ func TestSecret(t *testing.T) {
 func TestSecretComputed(t *testing.T) {
 	mapEnvs := make(map[string]corev1.EnvVarSource)
 	machine := createSecretMachine(mapEnvs)
-	assert.Equal(t, "{{"+expressions.InternalFnCall+"env.name_0_one_1_two_K_key_0_three_1_four}}", expressions.MustCall(machine, "secret", "name-one.two", "key-three.four", true))
+	call, err := expressions.CompileAndResolve(`secret("name-one.two", "key-three.four", true)`, machine)
+	assert.NoError(t, err)
+	assert.Equal(t, "env.name_0_one_1_two_K_key_0_three_1_four", call.String())
 	assert.EqualValues(t, map[string]corev1.EnvVarSource{
 		"_02CS_name_0_one_1_two_K_key_0_three_1_four": {
 			SecretKeyRef: &corev1.SecretKeySelector{

pkg/testworkflows/testworkflowresolver/config.go

@@ -83,7 +83,7 @@ func getSecretCallExpression(expr expressions.Expression, k string, externalize
 		return nil, errors.Wrap(err, "config."+k)
 	}
 	if envVar.SecretKeyRef != nil {
-		expr = expressions.NewValue(fmt.Sprintf("{{%ssecret(\"%s\", \"%s\", true)}}", expressions.InternalFnCall,
+		return expressions.Compile(fmt.Sprintf("secret(\"%s\", \"%s\", true)",
 			envVar.SecretKeyRef.Name, envVar.SecretKeyRef.Key))
 	}