feat: Add support for sensitive parameters

kevinwang5658 · kevinwang5658 · commit 98de98616ca1 · 2025-12-13T19:36:49.000-05:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -16,7 +16,7 @@
   "dependencies": {
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",
-    "codify-schemas": "1.0.77",
+    "codify-schemas": "1.0.83",
     "@npmcli/promise-spawn": "^7.0.1",
     "@homebridge/node-pty-prebuilt-multiarch": "^0.12.0-beta.5",
     "uuid": "^10.0.0",
diff --git a/src/plan/change-set.test.ts b/src/plan/change-set.test.ts
@@ -87,7 +87,7 @@ describe('Change set tests', () => {
   it('Correctly diffs two resource configs (destory)', () => {
     const cs = ChangeSet.destroy({
       propA: 'prop',
-      propB: 'propB'
+      propB: 'propB',
     });
 
     expect(cs.parameterChanges.length).to.eq(2);
diff --git a/src/plan/change-set.ts b/src/plan/change-set.ts
@@ -1,6 +1,7 @@
 import { ParameterOperation, ResourceOperation, StringIndexedObject } from 'codify-schemas';
 
 import { ParsedParameterSetting } from '../resource/parsed-resource-settings.js';
+import { ResourceSettings } from '../resource/resource-settings.js';
 
 /**
  * A parameter change describes a parameter level change to a resource.
@@ -25,6 +26,11 @@ export interface ParameterChange<T extends StringIndexedObject> {
    * The new value of the resource (the desired value)
    */
   newValue: any | null;
+
+  /**
+   * Whether the parameter is sensitive
+   */
+  isSensitive: boolean;
 }
 
 // Change set will coerce undefined values to null because undefined is not valid JSON
@@ -60,37 +66,40 @@ export class ChangeSet<T extends StringIndexedObject> {
     return new ChangeSet<T>(ResourceOperation.NOOP, []);
   }
 
-  static create<T extends StringIndexedObject>(desired: Partial<T>): ChangeSet<T> {
+  static create<T extends StringIndexedObject>(desired: Partial<T>, settings?: ResourceSettings<T>): ChangeSet<T> {
     const parameterChanges = Object.entries(desired)
       .map(([k, v]) => ({
         name: k,
         operation: ParameterOperation.ADD,
         previousValue: null,
         newValue: v ?? null,
+        isSensitive: settings?.parameterSettings?.[k]?.isSensitive ?? false,
       }))
 
     return new ChangeSet(ResourceOperation.CREATE, parameterChanges);
   }
 
-  static noop<T extends StringIndexedObject>(parameters: Partial<T>): ChangeSet<T> {
+  static noop<T extends StringIndexedObject>(parameters: Partial<T>, settings?: ResourceSettings<T>): ChangeSet<T> {
     const parameterChanges = Object.entries(parameters)
       .map(([k, v]) => ({
         name: k,
         operation: ParameterOperation.NOOP,
         previousValue: v ?? null,
         newValue: v ?? null,
+        isSensitive: settings?.parameterSettings?.[k]?.isSensitive ?? false,
       }))
 
     return new ChangeSet(ResourceOperation.NOOP, parameterChanges);
   }
 
-  static destroy<T extends StringIndexedObject>(current: Partial<T>): ChangeSet<T> {
+  static destroy<T extends StringIndexedObject>(current: Partial<T>, settings?: ResourceSettings<T>): ChangeSet<T> {
     const parameterChanges = Object.entries(current)
       .map(([k, v]) => ({
         name: k,
         operation: ParameterOperation.REMOVE,
         previousValue: v ?? null,
         newValue: null,
+        isSensitive: settings?.parameterSettings?.[k]?.isSensitive ?? false,
       }))
 
     return new ChangeSet(ResourceOperation.DESTROY, parameterChanges);
@@ -160,6 +169,7 @@ export class ChangeSet<T extends StringIndexedObject> {
           previousValue: current[k] ?? null,
           newValue: desired[k] ?? null,
           operation: ParameterOperation.NOOP,
+          isSensitive: parameterOptions?.[k]?.isSensitive ?? false,
         })
 
         continue;
@@ -171,6 +181,7 @@ export class ChangeSet<T extends StringIndexedObject> {
           previousValue: current[k] ?? null,
           newValue: null,
           operation: ParameterOperation.REMOVE,
+          isSensitive: parameterOptions?.[k]?.isSensitive ?? false,
         })
 
         continue;
@@ -182,6 +193,7 @@ export class ChangeSet<T extends StringIndexedObject> {
           previousValue: null,
           newValue: desired[k] ?? null,
           operation: ParameterOperation.ADD,
+          isSensitive: parameterOptions?.[k]?.isSensitive ?? false,
         })
 
         continue;
@@ -192,6 +204,7 @@ export class ChangeSet<T extends StringIndexedObject> {
         previousValue: current[k] ?? null,
         newValue: desired[k] ?? null,
         operation: ParameterOperation.MODIFY,
+        isSensitive: parameterOptions?.[k]?.isSensitive ?? false,
       })
     }
 
diff --git a/src/plan/plan.ts b/src/plan/plan.ts
@@ -118,7 +118,7 @@ export class Plan<T extends StringIndexedObject> {
     if (!filteredCurrentParameters && desired) {
       return new Plan(
         uuidV4(),
-        ChangeSet.create(desired),
+        ChangeSet.create(desired, settings),
         core,
         isStateful,
       )
@@ -130,15 +130,15 @@ export class Plan<T extends StringIndexedObject> {
       if (!settings.canDestroy) {
         return new Plan(
           uuidV4(),
-          ChangeSet.noop(filteredCurrentParameters),
+          ChangeSet.noop(filteredCurrentParameters, settings),
           core,
           isStateful,
         )
       }
 
       return new Plan(
         uuidV4(),
-        ChangeSet.destroy(filteredCurrentParameters),
+        ChangeSet.destroy(filteredCurrentParameters, settings),
         core,
         isStateful,
       )
@@ -171,7 +171,10 @@ export class Plan<T extends StringIndexedObject> {
       uuidV4(),
       new ChangeSet<T>(
         data.operation,
-        data.parameters
+        data.parameters.map((p) => ({
+          ...p,
+          isSensitive: p.isSensitive ?? false,
+        })),
       ),
       {
         type: data.resourceType,
diff --git a/src/plugin/plugin.ts b/src/plugin/plugin.ts
@@ -62,11 +62,14 @@ export class Plugin {
         .map((r) => ({
           dependencies: r.dependencies,
           type: r.typeId,
+          sensitiveParameters: Object.entries(r.settings.parameterSettings ?? {})
+            .filter(([, v]) => v?.isSensitive)
+            .map(([k]) => k),
         }))
     }
   }
 
-  async getResourceInfo(data: GetResourceInfoRequestData): Promise<GetResourceInfoResponseData> {
+  getResourceInfo(data: GetResourceInfoRequestData): GetResourceInfoResponseData {
     if (!this.resourceControllers.has(data.type)) {
       throw new Error(`Cannot get info for resource ${data.type}, resource doesn't exist`);
     }
@@ -84,6 +87,10 @@ export class Plugin {
     const allowMultiple = resource.settings.allowMultiple !== undefined
       && resource.settings.allowMultiple !== false;
 
+    const sensitiveParameters = Object.entries(resource.settings.parameterSettings ?? {})
+      .filter(([, v]) => v?.isSensitive)
+      .map(([k]) => k);
+
     return {
       plugin: this.name,
       type: data.type,
@@ -96,6 +103,7 @@ export class Plugin {
       import: {
         requiredParameters: requiredPropertyNames,
       },
+      sensitiveParameters,
       allowMultiple
     }
   }
diff --git a/src/resource/resource-controller-stateful-mode.test.ts b/src/resource/resource-controller-stateful-mode.test.ts
@@ -142,19 +142,23 @@ describe('Resource tests for stateful plans', () => {
             name: "propA",
             newValue: "propA",
             previousValue: "propA",
-            operation: ParameterOperation.NOOP
+            operation: ParameterOperation.NOOP,
+            isSensitive: false,
+
           },
           {
             name: "propB",
             newValue: 10,
             previousValue: null,
-            operation: ParameterOperation.ADD
+            operation: ParameterOperation.ADD,
+            isSensitive: false,
           },
           {
             name: "propC",
             newValue: 'propC',
             previousValue: 'propC',
-            operation: ParameterOperation.NOOP
+            operation: ParameterOperation.NOOP,
+            isSensitive: false,
           },
         ])
       },
@@ -214,25 +218,29 @@ describe('Resource tests for stateful plans', () => {
             name: "propA",
             newValue: "propA",
             previousValue: "propA",
-            operation: ParameterOperation.NOOP
+            operation: ParameterOperation.NOOP,
+            isSensitive: false,
           },
           {
             name: "propB",
             newValue: 10,
             previousValue: null,
-            operation: ParameterOperation.ADD
+            operation: ParameterOperation.ADD,
+            isSensitive: false,
           },
           {
             name: "propC",
             newValue: 'propC',
             previousValue: 'propC',
-            operation: ParameterOperation.NOOP
+            operation: ParameterOperation.NOOP,
+            isSensitive: false,
           },
           {
             name: "propD",
             newValue: 'propD',
             previousValue: null,
-            operation: ParameterOperation.ADD
+            operation: ParameterOperation.ADD,
+            isSensitive: false,
           },
         ])
       },
diff --git a/src/resource/resource-controller.test.ts b/src/resource/resource-controller.test.ts
@@ -80,13 +80,15 @@ describe('Resource tests', () => {
       name: 'propA',
       previousValue: 'propABefore',
       newValue: 'propA',
-      operation: 'modify'
+      operation: 'modify',
+      isSensitive: false,
     })
     expect(result.changeSet.parameterChanges[1]).to.deep.eq({
       name: 'propB',
       previousValue: 10,
       newValue: 10,
-      operation: 'noop'
+      operation: 'noop',
+      isSensitive: false,
     })
   })
 
diff --git a/src/resource/resource-settings.test.ts b/src/resource/resource-settings.test.ts
@@ -717,12 +717,14 @@ describe('Resource parameter tests', () => {
           operation: ParameterOperation.NOOP,
           previousValue: null,
           newValue: 'setting',
+          isSensitive: false,
         },
         {
           name: 'propB',
           operation: ParameterOperation.NOOP,
           previousValue: 64,
           newValue: 64,
+          isSensitive: false,
         }
       ])
     )
diff --git a/src/resource/resource-settings.ts b/src/resource/resource-settings.ts
@@ -163,7 +163,7 @@ export interface ResourceSettings<T extends StringIndexedObject> {
      * @param input
      * @param context
      */
-    refreshMapper?: (input: Partial<T>, context: RefreshContext<T>) => Partial<T>
+    refreshMapper?: (input: Partial<T>, context: RefreshContext<T>) => Partial<T>;
   }
 }
 
@@ -207,6 +207,13 @@ export interface DefaultParameterSetting {
    */
   type?: ParameterSettingType;
 
+  /**
+   * Mark the field as sensitive. Defaults to false. This has two side effects:
+   * 1. When displaying this field in the plan, it will be replaced with asterisks
+   * 2. When importing, resources with sensitive fields will be skipped unless the user explicitly allows it.
+   */
+  isSensitive?: boolean;
+
   /**
    * Default value for the parameter. If a value is not provided in the config, then this value will be used.
    */

Original file line number	Diff line number	Diff line change
`@@ -717,12 +717,14 @@ describe('Resource parameter tests', () => {`
`717`	`717`	`operation: ParameterOperation.NOOP,`
`718`	`718`	`previousValue: null,`
`719`	`719`	`newValue: 'setting',`
	`720`	`+ isSensitive: false,`
`720`	`721`	`},`
`721`	`722`	`{`
`722`	`723`	`name: 'propB',`
`723`	`724`	`operation: ParameterOperation.NOOP,`
`724`	`725`	`previousValue: 64,`
`725`	`726`	`newValue: 64,`
	`727`	`+ isSensitive: false,`
`726`	`728`	`}`
`727`	`729`	`])`
`728`	`730`	`)`