"$env": "X" mechanism now works with nested lists, closes #837

tests/fixtures.py

@@ -408,6 +408,7 @@ METADATA = {
     "plugins": {
         "name-of-plugin": {"depth": "root"},
         "env-plugin": {"foo": {"$env": "FOO_ENV"}},
+        "env-plugin-list": [{"in_a_list": {"$env": "FOO_ENV"}}],
         "file-plugin": {"foo": {"$file": TEMP_PLUGIN_SECRET_FILE}},
     },
     "databases": {

tests/test_plugins.py

@@ -173,6 +173,19 @@ def test_plugin_config_env(app_client):
     del os.environ["FOO_ENV"]
 
 
+def test_plugin_config_env_from_list(app_client):
+    os.environ["FOO_ENV"] = "FROM_ENVIRONMENT"
+    assert [{"in_a_list": "FROM_ENVIRONMENT"}] == app_client.ds.plugin_config(
+        "env-plugin-list"
+    )
+    # Ensure secrets aren't visible in /-/metadata.json
+    metadata = app_client.get("/-/metadata.json")
+    assert [{"in_a_list": {"$env": "FOO_ENV"}}] == metadata.json["plugins"][
+        "env-plugin-list"
+    ]
+    del os.environ["FOO_ENV"]
+
+
 def test_plugin_config_file(app_client):
     open(TEMP_PLUGIN_SECRET_FILE, "w").write("FROM_FILE")
     assert {"foo": "FROM_FILE"} == app_client.ds.plugin_config("file-plugin")

tests/test_utils.py

@@ -503,3 +503,17 @@ def test_multi_params(data, should_raise):
 )
 def test_actor_matches_allow(actor, allow, expected):
     assert expected == utils.actor_matches_allow(actor, allow)
+
+
+@pytest.mark.parametrize(
+    "config,expected",
+    [
+        ({"foo": "bar"}, {"foo": "bar"}),
+        ({"$env": "FOO"}, "x"),
+        ({"k": {"$env": "FOO"}}, {"k": "x"}),
+        ([{"k": {"$env": "FOO"}}, {"z": {"$env": "FOO"}}], [{"k": "x"}, {"z": "x"}]),
+        ({"k": [{"in_a_list": {"$env": "FOO"}}]}, {"k": [{"in_a_list": "x"}]}),
+    ],
+)
+def test_resolve_env_secrets(config, expected):
+    assert expected == utils.resolve_env_secrets(config, {"FOO": "x"})