func HandleReqRespSecrets()

in internal/fleet/integration_policy/secrets.go [119:180]


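// HandleReqRespSecrets reconciles secret references in a package policy
// response with the values that were sent in the request.
//
// Every variable in resp (policy level, then per input, then per stream) is
// normalised in place:
//   - a map carrying a "value" key is replaced by that wrapped value;
//   - a map flagged "isSecretRef": true is replaced by the request's value for
//     the same key, and that value is recorded in the secret store under the
//     reference's "id";
//   - any other map is removed from the response.
//
// Only inputs and streams that are present in req are visited. The collected
// secrets are handed to secrets.Save together with private. All problems are
// reported through the returned diagnostics; a secret reference whose "id" is
// missing or not a string is reported as an error instead of panicking.
func HandleReqRespSecrets(ctx context.Context, req kbapi.PackagePolicyRequest, resp *kbapi.PackagePolicy, private privateData) (diags diag.Diagnostics) {
	secrets, nd := newSecretStore(ctx, resp, private)
	diags.Append(nd...)
	if diags.HasError() {
		return diags
	}

	// isSecretRef reports whether m is flagged as a secret reference.
	isSecretRef := func(m map[string]any) bool {
		flag, ok := m["isSecretRef"]
		return ok && flag == true
	}

	// handleVar swaps one secret reference in respVars for the request's value
	// and remembers that value under the reference ID.
	handleVar := func(key string, mval map[string]any, reqVars map[string]any, respVars map[string]any) {
		if !isSecretRef(mval) {
			return
		}

		original := reqVars[key]
		respVars[key] = original

		// Is the original also a secret ref?
		// This should only show up during importing and pre 0.11.7 migration.
		// In that case there is no plaintext value to record.
		if moriginal, ok := original.(map[string]any); ok && isSecretRef(moriginal) {
			return
		}

		// The response body comes from a remote API, so the shape of "id" is
		// validated rather than asserted: an unchecked assertion would panic
		// on a malformed reference.
		refID, ok := mval["id"].(string)
		if !ok {
			// Only the variable name is reported; the secret value itself must
			// never be placed in a diagnostic.
			diags.AddError(
				"Invalid secret reference in package policy response",
				"The secret reference for variable \""+key+"\" has a missing or non-string \"id\"; its value was not recorded.",
			)
			return
		}
		secrets[refID] = original
	}

	// handleVars normalises every map-valued entry of respVars in place.
	// Overwriting and deleting existing keys while ranging over a map is safe.
	handleVars := func(reqVars map[string]any, respVars map[string]any) {
		for key, val := range respVars {
			mval, ok := val.(map[string]any)
			if !ok {
				continue
			}

			if wrapped, ok := mval["value"]; ok {
				// Unwrap, then resolve the wrapped value if it is itself a
				// secret reference.
				respVars[key] = wrapped
				if inner, ok := wrapped.(map[string]any); ok {
					handleVar(key, inner, reqVars, respVars)
				}
				continue
			}

			if isSecretRef(mval) {
				// Resolved exactly once, so a malformed reference yields a
				// single diagnostic.
				handleVar(key, mval, reqVars, respVars)
				continue
			}

			// Don't keep null (missing) values
			delete(respVars, key)
		}
	}

	handleVars(utils.Deref(req.Vars), utils.Deref(resp.Vars))
	for inputID, inputReq := range utils.Deref(req.Inputs) {
		inputResp := resp.Inputs[inputID]
		handleVars(utils.Deref(inputReq.Vars), utils.Deref(inputResp.Vars))

		streamsResp := utils.Deref(inputResp.Streams)
		for streamID, streamReq := range utils.Deref(inputReq.Streams) {
			streamResp := streamsResp[streamID]
			handleVars(utils.Deref(streamReq.Vars), utils.Deref(streamResp.Vars))
		}
	}

	// NOTE(review): this hands the request-supplied secret values to
	// secrets.Save along with private. Where they end up is not visible here;
	// confirm the backing storage is protected like any other secret material.
	nd = secrets.Save(ctx, private)
	diags.Append(nd...)

	return diags
}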