exceptionfactory commented on code in PR #10962:
URL: https://github.com/apache/nifi/pull/10962#discussion_r2912076528
##########
nifi-extension-bundles/nifi-aws-bundle/nifi-aws-parameter-providers/src/test/java/org/apache/nifi/parameter/aws/TestAwsSecretsManagerParameterProvider.java:
##########
@@ -310,6 +310,87 @@ public void
testFetchParametersWithMultipleSecretsAndTags() throws Initializatio
}
}
+ @Test
+ public void testFetchPlainTextSecretEnumeration() throws
InitializationException {
+ final String pemContent = "-----BEGIN ENCRYPTED PRIVATE
KEY-----\nMIIE6TAbBgkqhkiG9w0BBQ0wDjANBgkqhkiG\n-----END ENCRYPTED PRIVATE
KEY-----";
+
+ final SecretsManagerClient secretsManager =
mock(SecretsManagerClient.class);
+
+ final GetSecretValueResponse response =
GetSecretValueResponse.builder()
+ .name("my-pem-key")
+ .secretString(pemContent)
+ .build();
+
when(secretsManager.getSecretValue(argThat(matchesGetSecretValueRequest("my-pem-key")))).thenReturn(response);
+
+ final DescribeSecretResponse describeResponse =
DescribeSecretResponse.builder()
+ .name("my-pem-key")
+ .build();
+
when(secretsManager.describeSecret(argThat(matchesDescribeSecretRequest("my-pem-key")))).thenReturn(describeResponse);
+
+ final List<ParameterGroup> parameterGroups =
runProviderTest(secretsManager, 1,
+ ConfigVerificationResult.Outcome.SUCCESSFUL, "ENUMERATION",
"my-pem-key");
+
+ assertEquals(1, parameterGroups.size());
+ final ParameterGroup group = parameterGroups.get(0);
+ assertEquals("my-pem-key", group.getGroupName());
+ assertEquals(1, group.getParameters().size());
+
+ final Parameter parameter = group.getParameters().get(0);
+ assertEquals("my-pem-key", parameter.getDescriptor().getName());
+ assertEquals(pemContent, parameter.getValue());
+ }
+
+ @Test
+ public void testFetchMixedJsonAndPlainTextSecretsPattern() throws
InitializationException {
+ final String pemContent = "-----BEGIN RSA PRIVATE
KEY-----\nMIIBog==\n-----END RSA PRIVATE KEY-----";
+ final String jsonContent = "{ \"dbUser\": \"admin\", \"dbPassword\":
\"secret\" }";
Review Comment:
Similar to the PEM, I recommend avoiding the word `dbPassword` and
using some other word instead.
##########
nifi-extension-bundles/nifi-aws-bundle/nifi-aws-parameter-providers/src/test/java/org/apache/nifi/parameter/aws/TestAwsSecretsManagerParameterProvider.java:
##########
@@ -310,6 +310,87 @@ public void
testFetchParametersWithMultipleSecretsAndTags() throws Initializatio
}
}
+ @Test
+ public void testFetchPlainTextSecretEnumeration() throws
InitializationException {
+ final String pemContent = "-----BEGIN ENCRYPTED PRIVATE
KEY-----\nMIIE6TAbBgkqhkiG9w0BBQ0wDjANBgkqhkiG\n-----END ENCRYPTED PRIVATE
KEY-----";
+
+ final SecretsManagerClient secretsManager =
mock(SecretsManagerClient.class);
+
+ final GetSecretValueResponse response =
GetSecretValueResponse.builder()
+ .name("my-pem-key")
Review Comment:
Recommend declaring the `my-pem-key` secret name once and reusing it across
this method.
##########
nifi-extension-bundles/nifi-aws-bundle/nifi-aws-parameter-providers/src/test/java/org/apache/nifi/parameter/aws/TestAwsSecretsManagerParameterProvider.java:
##########
@@ -310,6 +310,87 @@ public void
testFetchParametersWithMultipleSecretsAndTags() throws Initializatio
}
}
+ @Test
+ public void testFetchPlainTextSecretEnumeration() throws
InitializationException {
+ final String pemContent = "-----BEGIN ENCRYPTED PRIVATE
KEY-----\nMIIE6TAbBgkqhkiG9w0BBQ0wDjANBgkqhkiG\n-----END ENCRYPTED PRIVATE
KEY-----";
+
+ final SecretsManagerClient secretsManager =
mock(SecretsManagerClient.class);
+
+ final GetSecretValueResponse response =
GetSecretValueResponse.builder()
+ .name("my-pem-key")
+ .secretString(pemContent)
+ .build();
+
when(secretsManager.getSecretValue(argThat(matchesGetSecretValueRequest("my-pem-key")))).thenReturn(response);
+
+ final DescribeSecretResponse describeResponse =
DescribeSecretResponse.builder()
+ .name("my-pem-key")
+ .build();
+
when(secretsManager.describeSecret(argThat(matchesDescribeSecretRequest("my-pem-key")))).thenReturn(describeResponse);
+
+ final List<ParameterGroup> parameterGroups =
runProviderTest(secretsManager, 1,
+ ConfigVerificationResult.Outcome.SUCCESSFUL, "ENUMERATION",
"my-pem-key");
+
+ assertEquals(1, parameterGroups.size());
+ final ParameterGroup group = parameterGroups.get(0);
+ assertEquals("my-pem-key", group.getGroupName());
+ assertEquals(1, group.getParameters().size());
+
+ final Parameter parameter = group.getParameters().get(0);
+ assertEquals("my-pem-key", parameter.getDescriptor().getName());
+ assertEquals(pemContent, parameter.getValue());
+ }
+
+ @Test
+ public void testFetchMixedJsonAndPlainTextSecretsPattern() throws
InitializationException {
+ final String pemContent = "-----BEGIN RSA PRIVATE
KEY-----\nMIIBog==\n-----END RSA PRIVATE KEY-----";
+ final String jsonContent = "{ \"dbUser\": \"admin\", \"dbPassword\":
\"secret\" }";
+
+ final SecretsManagerClient secretsManager =
mock(SecretsManagerClient.class);
+
+ final SecretListEntry pemEntry =
SecretListEntry.builder().name("pem-secret").build();
+ final SecretListEntry jsonEntry =
SecretListEntry.builder().name("json-secret").build();
Review Comment:
As in the other method, I recommend declaring the secret names and reusing
the variable references.
##########
nifi-extension-bundles/nifi-aws-bundle/nifi-aws-parameter-providers/src/test/java/org/apache/nifi/parameter/aws/TestAwsSecretsManagerParameterProvider.java:
##########
@@ -310,6 +310,87 @@ public void
testFetchParametersWithMultipleSecretsAndTags() throws Initializatio
}
}
+ @Test
+ public void testFetchPlainTextSecretEnumeration() throws
InitializationException {
+ final String pemContent = "-----BEGIN ENCRYPTED PRIVATE
KEY-----\nMIIE6TAbBgkqhkiG9w0BBQ0wDjANBgkqhkiG\n-----END ENCRYPTED PRIVATE
KEY-----";
Review Comment:
Some simplistic secret scanners may flag this string, even as a test value.
To avoid confusion, I recommend replacing this and the other reference with a
simple [Lorem ipsum](loremipsum.io/generator/) sentence.