Merge branch 'release/7.43.0'

postmanlabs · Oct 30, 2024 · b4f8101 · b4f8101
2 parents 90a805b + f21b654
commit b4f8101
Show file tree

Hide file tree

Showing 7 changed files with 289 additions and 20 deletions.
diff --git a/CHANGELOG.yaml b/CHANGELOG.yaml
@@ -1,3 +1,12 @@
+7.43.0:
+  date: 2024-10-30
+  new features:
+    - GH-1478 Added support for lazily fetching vault access status
+  fixed bugs:
+    - >-
+      GH-1480 Fixed a bug where vault domain matching did not work with port in
+      URL
+
 7.42.0:
   date: 2024-09-04
   new features:

diff --git a/lib/runner/extensions/event.command.js b/lib/runner/extensions/event.command.js
@@ -243,16 +243,12 @@ module.exports = {
                 packageResolver = _.get(this, 'options.script.packageResolver'),
 
                 vaultSecrets = payload.context.vaultSecrets,
-                allowVaultAccess = _.get(vaultSecrets, '_.allowScriptAccess'),
+                // Do not assign any initial value here as it will be used
+                // to determine if the vault access check was done or not
+                hasVaultAccess,
 
                 events;
 
-            // Explicitly enable tracking for vault secrets here as this will
-            // not be sent to sandbox who otherwise takes care of mutation tracking
-            if (allowVaultAccess) {
-                vaultSecrets.enableTracking({ autoCompact: true });
-            }
-
             // @todo: find a better place to code this so that event is not aware of such options
             if (abortOnFailure) {
                 abortOnError = true;
@@ -398,19 +394,34 @@ module.exports = {
                         }
                     }.bind(this));
 
-                this.host.on(EXECUTION_VAULT_BASE + executionId, function (id, cmd, ...args) {
+                this.host.on(EXECUTION_VAULT_BASE + executionId, async function (id, cmd, ...args) {
+                    if (hasVaultAccess === undefined) {
+                        try {
+                            // eslint-disable-next-line require-atomic-updates
+                            hasVaultAccess = Boolean(await vaultSecrets?._?.allowScriptAccess(item.id));
+                        }
+                        catch (_) {
+                            // eslint-disable-next-line require-atomic-updates
+                            hasVaultAccess = false;
+                        }
+                    }
+
                     // Ensure error is string
                     // TODO identify why error objects are not being serialized correctly
                     const dispatch = (e, r) => { this.host.dispatch(EXECUTION_VAULT_BASE + executionId, id, e, r); };
 
-                    if (!allowVaultAccess) {
+                    if (!hasVaultAccess) {
                         return dispatch('Vault access denied');
                     }
 
                     if (!['get', 'set', 'unset'].includes(cmd)) {
                         return dispatch(`Invalid vault command: ${cmd}`);
                     }
 
+                    // Explicitly enable tracking for vault secrets here as this will
+                    // not be sent to sandbox who otherwise takes care of mutation tracking
+                    vaultSecrets.enableTracking({ autoCompact: true });
+
                     dispatch(null, vaultSecrets[cmd](...args));
                 }.bind(this));
 
@@ -556,7 +567,7 @@ module.exports = {
                             result && result.request && (result.request = new sdk.Request(result.request));
 
                             // vault secrets are not sent to sandbox, thus using the scope from run context.
-                            if (allowVaultAccess && vaultSecrets) {
+                            if (hasVaultAccess && vaultSecrets) {
                                 result.vaultSecrets = vaultSecrets;
 
                                 // Prevent mutations from being carry-forwarded to subsequent events

diff --git a/lib/runner/util.js b/lib/runner/util.js
@@ -201,7 +201,7 @@ module.exports = {
                 const url = new Url(domain);
 
                 // @note URL path is ignored
-                return `${url.protocol || 'https'}://${url.getRemote()}/*`;
+                return `${url.protocol || 'https'}://${url.getRemote()}:*/*`;
             }));
         });
 

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "postman-runtime",
-  "version": "7.42.0",
+  "version": "7.43.0",
   "description": "Underlying library of executing Postman Collections",
   "author": "Postman Inc.",
   "license": "Apache-2.0",

diff --git a/test/integration/sanity/variable-changes.test.js b/test/integration/sanity/variable-changes.test.js
@@ -9,7 +9,7 @@ describe('variable changes', function () {
             requester: { followRedirects: false },
             vaultSecrets: {
                 id: 'vault',
-                _allowScriptAccess: true,
+                _allowScriptAccess: function () { return true; },
                 values: [
                     { key: 'vault:key5', value: 'vault-value-5', enabled: true },
                     { key: 'vault:key6', value: 'vault-value-6', enabled: true }