postman-runtime 7.52.0-beta.3 → 7.52.0

package/lib/runner/extensions/event.command.js

@@ -39,18 +39,18 @@ var _ = require('lodash'),
     getCookieDomain, // fn
     postProcessContext, // fn
     sanitizeFiles, // fn
-    maskUnsafeSecrets; // fn
+    maskForbiddenSecrets; // fn
 
 /**
- * Clones variable scopes and masks variables in unsafeSecretKeys (Set of "scopeName:variableKey").
- * Used to hide non-safe secret values from scripts while keeping them available for request substitution.
+ * Clones variable scopes and masks variables in forbiddenSecretKeys (Set of "scopeName:variableKey").
+ * Used to hide secrets not allowed in scripts while keeping them available for request substitution.
  *
  * @param {Object} context - Context with environment, globals, collectionVariables
- * @param {Set} unsafeSecretKeys - Set of "scopeName:variableKey" for secrets with safe=false
+ * @param {Set} forbiddenSecretKeys - Set of "scopeName:variableKey" for secrets with allowedInScript=false
  * @returns {Object} - Context with cloned, masked scopes
  */
-maskUnsafeSecrets = function (context, unsafeSecretKeys) {
-    if (!unsafeSecretKeys || unsafeSecretKeys.size === 0) {
+maskForbiddenSecrets = function (context, forbiddenSecretKeys) {
+    if (!forbiddenSecretKeys || forbiddenSecretKeys.size === 0) {
         return context;
     }
 
@@ -68,7 +68,7 @@ maskUnsafeSecrets = function (context, unsafeSecretKeys) {
         maskedScope = new sdk.VariableScope(scope.toJSON ? scope.toJSON() : scope);
 
         maskedScope.values.each(function (variable) {
-            if (variable && unsafeSecretKeys.has(scopeName + ':' + variable.key)) {
+            if (variable && forbiddenSecretKeys.has(scopeName + ':' + variable.key)) {
                 variable.set(undefined);
             }
         });
@@ -555,8 +555,8 @@ module.exports = {
                     executeScript = ({ resolvedPackages }, done) => {
                         var contextToUse = _.pick(payload.context, SAFE_CONTEXT_VARIABLES);
 
-                        if (payload.context._unsafeSecretKeys) {
-                            contextToUse = maskUnsafeSecrets(contextToUse, payload.context._unsafeSecretKeys);
+                        if (payload.context._forbiddenSecretKeys) {
+                            contextToUse = maskForbiddenSecrets(contextToUse, payload.context._forbiddenSecretKeys);
                         }
 
                         // finally execute the script

package/lib/runner/extensions/item.command.js

@@ -3,6 +3,7 @@ var _ = require('lodash'),
     Response = require('postman-collection').Response,
     visualizer = require('../../visualizer'),
     resolveSecrets = require('../resolve-secrets').resolveSecrets,
+    { resolveUrlString } = require('../util'),
 
     /**
      * List of request properties which can be mutated via pre-request
@@ -140,21 +141,26 @@ module.exports = {
             this.triggers.beforeItem(null, coords, item);
 
             // Build payload for secret resolution
-            // Only scan environment, globals, and collectionVariables for secrets
             secretResolutionPayload = {
                 item,
                 environment,
                 globals,
-                collectionVariables
+                collectionVariables,
+                vaultSecrets,
+                _variables,
+                data
             };
 
             /**
              * Execute the main item flow (delay, prerequest, request, test)
              *
              * @param {Array} [secretResolutionErrors] - Errors from partial secret resolution
-             * @param {Set} [unsafeSecretKeys] - Set of scopeName:variableKey for secrets with safe=false
+             * @param {Set} [forbiddenSecretKeys] - Set of scopeName:variableKey for secrets with allowedInScript=false
              */
-            executeItemFlow = function (secretResolutionErrors, unsafeSecretKeys) {
+            executeItemFlow = function (secretResolutionErrors, forbiddenSecretKeys) {
+                var baselineUrl = secretResolver ?
+                    resolveUrlString(item, secretResolutionPayload) : '';
+
                 self.queueDelay(function () {
                 // create the context object for scripts to run
                     ctxTemplate = {
@@ -165,7 +171,7 @@ module.exports = {
                         environment: environment,
                         data: data,
                         request: item.request,
-                        _unsafeSecretKeys: unsafeSecretKeys
+                        _forbiddenSecretKeys: forbiddenSecretKeys
                     };
 
                     // @todo make it less nested by coding Instruction.thenQueue
@@ -211,104 +217,165 @@ module.exports = {
                             }
                         });
 
-                        this.queue('request', {
-                            item: item,
-                            vaultSecrets: ctxTemplate.vaultSecrets,
-                            globals: ctxTemplate.globals,
-                            environment: ctxTemplate.environment,
-                            collectionVariables: ctxTemplate.collectionVariables,
-                            _variables: ctxTemplate._variables,
-                            data: ctxTemplate.data,
-                            coords: coords,
-                            source: 'collection'
-                        }).done(function (result, requestError) {
-                            !result && (result = {});
-
-                            var request = result.request,
-                                response = result.response,
-                                cookies = result.cookies;
-
-                            if ((stopOnError || stopOnFailure) && requestError) {
-                                this.triggers.item(null, coords, item); // @todo - should this trigger receive error?
-
-                                return callback && callback.call(this, requestError, {
-                                    request
-                                });
-                            }
-
-                            // also the test object requires the updated request object
-                            // (since auth helpers may modify it)
-                            request && (ctxTemplate.request = request);
-
-                            // @note convert response instance to plain object.
-                            // we want to avoid calling Response.toJSON() which triggers
-                            // toJSON on Response.stream buffer.
-                            // Because that increases the size of stringified object by 3 times.
-                            // Also, that increases the total number of tokens (buffer.data) whereas Buffer.toString
-                            // generates a single string that is easier to stringify and sent over the UVM bridge.
-                            response && (ctxTemplate.response = getResponseJSON(response));
-
-                            // set cookies for this transaction
-                            cookies && (ctxTemplate.cookies = cookies);
-
-                            // the context template also has a test object to store assertions
-                            ctxTemplate.tests = {}; // @todo remove
-
-                            this.queue('event', {
-                                name: 'test',
-                                item: item,
-                                coords: coords,
-                                context: ctxTemplate,
-                                // No need to include vaultSecrets here as runtime takes care of tracking internally
-                                trackContext: ['tests', 'globals', 'environment', 'collectionVariables'],
-                                stopOnScriptError: stopOnError,
-                                abortOnFailure: abortOnFailure,
-                                stopOnFailure: stopOnFailure
-                            }).done(function (testExecutions, testExecutionError) {
-                                var visualizerData = extractVisualizerData(prereqExecutions, testExecutions),
-                                    visualizerResult;
-
-                                if (visualizerData) {
-                                    visualizer.processTemplate(visualizerData.template,
-                                        visualizerData.data,
-                                        visualizerData.options,
-                                        function (err, processedTemplate) {
-                                            visualizerResult = {
-                                            // bubble up the errors while processing template through visualizer result
-                                                error: err,
-
-                                                // add processed template and data to visualizer result
-                                                processedTemplate: processedTemplate,
-                                                data: visualizerData.data
-                                            };
-
-                                            // trigger an event saying that item has been processed
-                                            this.triggers.item(null, coords, item, visualizerResult,
+                        var postPreReqPayload,
+                            postPreReqUrl,
+                            proceedWithRequest = function () {
+                                this.queue('request', {
+                                    item: item,
+                                    vaultSecrets: ctxTemplate.vaultSecrets,
+                                    globals: ctxTemplate.globals,
+                                    environment: ctxTemplate.environment,
+                                    collectionVariables: ctxTemplate.collectionVariables,
+                                    _variables: ctxTemplate._variables,
+                                    data: ctxTemplate.data,
+                                    coords: coords,
+                                    source: 'collection'
+                                }).done(function (result, requestError) {
+                                    !result && (result = {});
+
+                                    var request = result.request,
+                                        response = result.response,
+                                        cookies = result.cookies;
+
+                                    if ((stopOnError || stopOnFailure) && requestError) {
+                                        // @todo - should this trigger receive error?
+                                        this.triggers.item(null, coords, item);
+
+                                        return callback && callback.call(this, requestError, {
+                                            request
+                                        });
+                                    }
+
+                                    // also the test object requires the updated request object
+                                    // (since auth helpers may modify it)
+                                    request && (ctxTemplate.request = request);
+
+                                    // @note convert response instance to plain object.
+                                    // we want to avoid calling Response.toJSON() which triggers
+                                    // toJSON on Response.stream buffer.
+                                    // Because that increases the size of stringified object by 3 times.
+                                    // Also, that increases the total number of tokens
+                                    // (buffer.data) whereas Buffer.toString generates a single
+                                    // string that is easier to stringify and sent over the
+                                    // UVM bridge.
+                                    response && (ctxTemplate.response = getResponseJSON(response));
+
+                                    // set cookies for this transaction
+                                    cookies && (ctxTemplate.cookies = cookies);
+
+                                    // the context template also has a test object to store assertions
+                                    ctxTemplate.tests = {}; // @todo remove
+
+                                    this.queue('event', {
+                                        name: 'test',
+                                        item: item,
+                                        coords: coords,
+                                        context: ctxTemplate,
+                                        // No need to include vaultSecrets here as runtime
+                                        // takes care of tracking internally
+                                        trackContext: ['tests', 'globals', 'environment', 'collectionVariables'],
+                                        stopOnScriptError: stopOnError,
+                                        abortOnFailure: abortOnFailure,
+                                        stopOnFailure: stopOnFailure
+                                    }).done(function (testExecutions, testExecutionError) {
+                                        var visualizerData = extractVisualizerData(prereqExecutions, testExecutions),
+                                            visualizerResult;
+
+                                        if (visualizerData) {
+                                            visualizer.processTemplate(visualizerData.template,
+                                                visualizerData.data,
+                                                visualizerData.options,
+                                                function (err, processedTemplate) {
+                                                    visualizerResult = {
+                                                        // bubble up the errors while processing
+                                                        // template through visualizer result
+                                                        error: err,
+
+                                                        // add processed template and data to visualizer result
+                                                        processedTemplate: processedTemplate,
+                                                        data: visualizerData.data
+                                                    };
+
+                                                    // trigger an event saying that item has been processed
+                                                    this.triggers.item(null, coords, item, visualizerResult,
+                                                        secretResolutionErrors && secretResolutionErrors.length ?
+                                                            { secretResolutionErrors } : undefined);
+                                                }.bind(this));
+                                        }
+                                        else {
+                                        // trigger an event saying that item has been processed
+                                        // @todo - should this trigger receive error?
+                                            this.triggers.item(null, coords, item, null,
                                                 secretResolutionErrors && secretResolutionErrors.length ?
                                                     { secretResolutionErrors } : undefined);
-                                        }.bind(this));
-                                }
-                                else {
-                                // trigger an event saying that item has been processed
-                                // @todo - should this trigger receive error?
-                                    this.triggers.item(null, coords, item, null,
-                                        secretResolutionErrors && secretResolutionErrors.length ?
-                                            { secretResolutionErrors } : undefined);
-                                }
-
-                                // reset mutated request with original request instance
-                                // @note request mutations are not persisted across iterations
-                                item.request = originalRequest;
-
-                                callback && callback.call(this, ((stopOnError || stopOnFailure) && testExecutionError) ?
-                                    testExecutionError : null, {
-                                    prerequest: prereqExecutions,
-                                    request: request,
-                                    response: response,
-                                    test: testExecutions
+                                        }
+
+                                        // reset mutated request with original request instance
+                                        // @note request mutations are not persisted across iterations
+                                        item.request = originalRequest;
+
+                                        callback && callback.call(this, ((stopOnError || stopOnFailure) &&
+                                        testExecutionError) ?
+                                            testExecutionError : null, {
+                                            prerequest: prereqExecutions,
+                                            request: request,
+                                            response: response,
+                                            test: testExecutions
+                                        });
+                                    });
                                 });
-                            });
-                        });
+                            }.bind(this);
+
+                        if (secretResolver) {
+                            postPreReqPayload = {
+                                item: item,
+                                environment: ctxTemplate.environment,
+                                globals: ctxTemplate.globals,
+                                collectionVariables: ctxTemplate.collectionVariables,
+                                vaultSecrets: ctxTemplate.vaultSecrets,
+                                _variables: ctxTemplate._variables,
+                                data: ctxTemplate.data
+                            };
+                            postPreReqUrl = resolveUrlString(item, postPreReqPayload);
+
+                            if (postPreReqUrl !== baselineUrl) {
+                                return resolveSecrets(postPreReqPayload, secretResolver,
+                                    function (err, secErrors, newForbiddenKeys) {
+                                        if (err) {
+                                            self.triggers.item(err, coords, item, null,
+                                                { hasSecretResolutionFailed: true });
+
+                                            callback && callback.call(self, err, {
+                                                request: null
+                                            });
+
+                                            return;
+                                        }
+
+                                        if (secErrors && secErrors.length) {
+                                            secretResolutionErrors = (secretResolutionErrors || [])
+                                                .concat(secErrors);
+                                        }
+
+                                        if (newForbiddenKeys && newForbiddenKeys.size > 0) {
+                                            if (!forbiddenSecretKeys) {
+                                                forbiddenSecretKeys = newForbiddenKeys;
+                                            }
+                                            else {
+                                                newForbiddenKeys.forEach(function (key) {
+                                                    forbiddenSecretKeys.add(key);
+                                                });
+                                            }
+
+                                            ctxTemplate._forbiddenSecretKeys = forbiddenSecretKeys;
+                                        }
+
+                                        proceedWithRequest();
+                                    });
+                            }
+                        }
+
+                        proceedWithRequest();
                     });
                 }.bind(self), {
                     time: delay,
@@ -319,20 +386,21 @@ module.exports = {
 
             // Resolve secrets before pre-request scripts so scripts can access resolved values via related pm APIs
             if (secretResolver) {
-                resolveSecrets(secretResolutionPayload, secretResolver, function (err, secErrors, unsafeKeys) {
-                    if (err) {
-                        // Fatal: stop immediately, request is never executed
-                        self.triggers.item(err, coords, item, null, { hasSecretResolutionFailed: true });
-
-                        callback && callback.call(self, err, {
-                            request: null
-                        });
+                resolveSecrets(secretResolutionPayload, secretResolver,
+                    function (err, secErrors, forbiddenSecretKeys) {
+                        if (err) {
+                            // Fatal: stop immediately, request is never executed
+                            self.triggers.item(err, coords, item, null, { hasSecretResolutionFailed: true });
+
+                            callback && callback.call(self, err, {
+                                request: null
+                            });
 
-                        return next();
-                    }
+                            return next();
+                        }
 
-                    executeItemFlow(secErrors, unsafeKeys);
-                });
+                        executeItemFlow(secErrors, forbiddenSecretKeys);
+                    });
             }
             else {
                 executeItemFlow();

package/lib/runner/index.js

@@ -97,16 +97,16 @@ _.assign(Runner.prototype, {
      * @param {String} [options.entrypoint.lookupStrategy=idOrName] strategy to lookup the entrypoint [idOrName, path]
      * @param {Array<String>} [options.entrypoint.path] path to lookup
      * @param {Object} [options.run] Run-specific options, such as options related to the host
-     * @param {Function} [options.secretResolver] - Function({ secrets, payload }, callback) that resolves secrets.
-     * Receives: secrets (array of { scopeName, scope, variable, context }), payload ({ item, environment,
-     * globals, collectionVariables }). Callback is (err, result).
+     * @param {Function} [options.secretResolver] - Function({ secrets, url }, callback) that resolves secrets.
+     * Receives: secrets (array of { scopeName, scope, variable, context }), url (request URL without query).
+     * Callback is (err, result).
      * On fatal error: callback(err) — request execution stops.
      * On success: callback(null, result) where result is Array<{ resolvedValue?: string,
-     *  error?: Error, safe?: boolean }>;
+     *  error?: Error, allowedInScript?: boolean }>;
      * result[i] corresponds to secrets[i].
      * resolvedValue: resolved string (undefined if failed/skipped).
      * error: Error when resolution failed for particular secret.
-     * safe: if true, value is exposed to scripts via pm.environment/pm.variables;
+     * allowedInScript: if true, value is exposed to scripts via pm.environment/pm.variables;
      *       if false/undefined, masked from scripts. Runtime applies values.
      *
      * @param {Function} callback -

package/lib/runner/resolve-secrets.js

@@ -1,4 +1,5 @@
-var _ = require('lodash');
+var _ = require('lodash'),
+    { resolveUrlString } = require('./util');
 
 /**
  * Extract all variables with secret === true from a variable scope.
@@ -43,16 +44,20 @@ function buildResolverContext (payload, variableKey) {
 
 /**
  * Scans variable scopes for secrets and invokes the secretResolver with them.
- * Consumer returns array of { resolvedValue, error, safe }; runtime applies values.
+ * Consumer returns array of { resolvedValue, error, allowedInScript }; runtime applies values.
  *
  * @param {Object} payload - Request payload
  * @param {Object} payload.item - The request item
  * @param {Object} payload.environment - Environment scope
  * @param {Object} payload.globals - Globals scope
  * @param {Object} payload.collectionVariables - Collection variables scope
- * @param {Function} secretResolver - Function({ secrets, payload }, callback) that resolves secrets.
- *   Callback is (err, result) where result is Array<{ resolvedValue?: string, error?: Error, safe?: boolean }>.
- * @param {Function} callback - callback(err, secretResolutionErrors, unsafeSecretKeys)
+ * @param {Object} payload.vaultSecrets - Vault secrets scope
+ * @param {Object} payload._variables - Local variables scope
+ * @param {Object} payload.data - Iteration data
+ * @param {Function} secretResolver - Function({ secrets, urlString }, callback) that resolves secrets.
+ *   Callback is (err, result) where result is Array<{ resolvedValue?: string, error?: Error,
+ *   allowedInScript?: boolean }>.
+ * @param {Function} callback - callback(err, secretResolutionErrors, forbiddenSecretKeys)
  */
 function resolveSecrets (payload, secretResolver, callback) {
     if (!secretResolver || typeof secretResolver !== 'function') {
@@ -64,7 +69,9 @@ function resolveSecrets (payload, secretResolver, callback) {
             { name: 'globals', scope: payload.globals },
             { name: 'collectionVariables', scope: payload.collectionVariables }
         ],
-        secrets = [];
+        secrets = [],
+        url = resolveUrlString(payload.item, payload),
+        urlString = typeof url.toString === 'function' ? url.toString() : String(url);
 
     scopesToScan.forEach(function (scopeInfo) {
         var secretVars = extractSecretVariables(scopeInfo.scope);
@@ -83,7 +90,7 @@ function resolveSecrets (payload, secretResolver, callback) {
         return callback();
     }
 
-    secretResolver({ secrets, payload }, function (err, result) {
+    secretResolver({ secrets, urlString }, function (err, result) {
         if (err) {
             return callback(err);
         }
@@ -103,17 +110,17 @@ function resolveSecrets (payload, secretResolver, callback) {
                 result.filter(function (entry) { return entry && entry.error; })
                     .map(function (entry) { return entry.error; }) :
                 [],
-            unsafeSecretKeys = new Set();
+            forbiddenSecretKeys = new Set();
 
         if (result && Array.isArray(result)) {
             result.forEach(function (entry, i) {
-                if (i < secrets.length && entry && entry.safe === false) {
-                    unsafeSecretKeys.add(secrets[i].scopeName + ':' + secrets[i].variable.key);
+                if (i < secrets.length && entry && entry.allowedInScript === false) {
+                    forbiddenSecretKeys.add(secrets[i].scopeName + ':' + secrets[i].variable.key);
                 }
             });
         }
 
-        callback(null, secretResolutionErrors, unsafeSecretKeys);
+        callback(null, secretResolutionErrors, forbiddenSecretKeys);
     });
 }