Add support for lazily fetching vault access status

postmanlabs · Oct 23, 2024 · a42c65b · a42c65b
1 parent fa9bad0
commit a42c65b
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 22 deletions.
diff --git a/CHANGELOG.yaml b/CHANGELOG.yaml
@@ -1,3 +1,7 @@
+unreleased:
+  new features:
+    - GH-1478 Added support for lazily fetching vault access status
+
 7.42.0:
   date: 2024-09-04
   new features:

diff --git a/lib/runner/extensions/event.command.js b/lib/runner/extensions/event.command.js
@@ -239,12 +239,15 @@ module.exports = {
                 // @todo: find a better home for this option processing
                 abortOnFailure = payload.abortOnFailure,
                 stopOnFailure = payload.stopOnFailure,
-                vaultSecrets = payload.context.vaultSecrets,
-                isVaultAccessInScriptsAllowed = _.get(vaultSecrets, '_.allowScriptAccess'),
+
                 packageResolver = _.get(this, 'options.script.packageResolver'),
-                events,
-                isVaultAccessAllowed;
 
+                vaultSecrets = payload.context.vaultSecrets,
+                // Do not assign any initial value here as it will be used
+                // to determine if the vault access check was done or not
+                hasVaultAccess,
+
+                events;
 
             // @todo: find a better place to code this so that event is not aware of such options
             if (abortOnFailure) {
@@ -392,39 +395,33 @@ module.exports = {
                     }.bind(this));
 
                 this.host.on(EXECUTION_VAULT_BASE + executionId, async function (id, cmd, ...args) {
-                    let currentIsVaultAccessAllowed = false;
-
-                    if (isVaultAccessAllowed === undefined) {
+                    if (hasVaultAccess === undefined) {
                         try {
-                            currentIsVaultAccessAllowed = Boolean(await isVaultAccessInScriptsAllowed(item.id));
+                            // eslint-disable-next-line require-atomic-updates
+                            hasVaultAccess = Boolean(await vaultSecrets?._?.allowScriptAccess(item.id));
                         }
-                        catch (error) {
-                            currentIsVaultAccessAllowed = false;
+                        catch (_) {
+                            // eslint-disable-next-line require-atomic-updates
+                            hasVaultAccess = false;
                         }
-                        // eslint-disable-next-line require-atomic-updates
-                        isVaultAccessAllowed = currentIsVaultAccessAllowed;
-                    }
-                    else {
-                        currentIsVaultAccessAllowed = isVaultAccessAllowed;
                     }
 
-                    // Explicitly enable tracking for vault secrets here as this will
-                    // not be sent to sandbox who otherwise takes care of mutation tracking
-                    if (currentIsVaultAccessAllowed) {
-                        vaultSecrets.enableTracking({ autoCompact: true });
-                    }
                     // Ensure error is string
                     // TODO identify why error objects are not being serialized correctly
                     const dispatch = (e, r) => { this.host.dispatch(EXECUTION_VAULT_BASE + executionId, id, e, r); };
 
-                    if (!currentIsVaultAccessAllowed) {
+                    if (!hasVaultAccess) {
                         return dispatch('Vault access denied');
                     }
 
                     if (!['get', 'set', 'unset'].includes(cmd)) {
                         return dispatch(`Invalid vault command: ${cmd}`);
                     }
 
+                    // Explicitly enable tracking for vault secrets here as this will
+                    // not be sent to sandbox who otherwise takes care of mutation tracking
+                    vaultSecrets.enableTracking({ autoCompact: true });
+
                     dispatch(null, vaultSecrets[cmd](...args));
                 }.bind(this));
 
@@ -570,7 +567,7 @@ module.exports = {
                             result && result.request && (result.request = new sdk.Request(result.request));
 
                             // vault secrets are not sent to sandbox, thus using the scope from run context.
-                            if (isVaultAccessAllowed && vaultSecrets) {
+                            if (hasVaultAccess && vaultSecrets) {
                                 result.vaultSecrets = vaultSecrets;
 
                                 // Prevent mutations from being carry-forwarded to subsequent events