fix(config): resolve secrets only from selected context

Signed-off-by: Sergio <c@rct.ai>

Author: SergioChan

pkg/config/loader.go

@@ -15,6 +15,7 @@ import (
 	"github.com/osteele/liquid/render"
 	"github.com/spf13/viper"
 	"go.opentelemetry.io/otel/attribute"
+	"gopkg.in/yaml.v3"
 )
 
 var _ DataStoreLoaderFunc = NoopDataLoader
@@ -175,6 +176,10 @@ func LoadFromViper(viperCfg func(v *viper.Viper), cobraCfg func(v *viper.Viper))
 				return log.Error(err)
 			}
 
+			// Scope template variables to the selected context only so that
+			// `${secret.*}` from other contexts are not resolved.
+			cfg.templateVariables = listTemplateVariablesForContext(contextConfigMap)
+
 			ctxViper := viper.New()
 			ctxViper.SetFs(cfg.FileSystem)
 			if err := setDefaultsFrom(ctxViper, cfg.Data); err != nil {
@@ -275,6 +280,26 @@ func listTemplateVariables(tmpl *liquid.Template) []string {
 	return results
 }
 
+func listTemplateVariablesForContext(contextConfigMap map[string]interface{}) []string {
+	if len(contextConfigMap) == 0 {
+		return nil
+	}
+
+	cfgContents, err := yaml.Marshal(contextConfigMap)
+	if err != nil {
+		return nil
+	}
+
+	engine := liquid.NewEngine()
+	engine.Delims("${", "}", "${%", "%}")
+	tmpl, err := engine.ParseTemplate(cfgContents)
+	if err != nil {
+		return nil
+	}
+
+	return listTemplateVariables(tmpl)
+}
+
 // findTemplateVariables looks at the template's abstract syntax tree (AST)
 // and identifies which variables were used
 func findTemplateVariables(curNode render.Node, vars map[string]struct{}) {

pkg/config/loader_test.go

@@ -165,6 +165,39 @@ current-context: default
 	require.ErrorContains(t, err, "missing required 'contexts' key")
 }
 
+func TestLoadMultiContext_OnlyResolvesSelectedContextSecrets(t *testing.T) {
+	t.Parallel()
+
+	c := NewTestConfig(t)
+	c.SetHomeDir("/home/myuser/.porter")
+
+	cfg := `schemaVersion: "` + ConfigSchemaVersion + `"
+current-context: local
+contexts:
+  - name: local
+    config:
+      default-secrets-plugin: filesystem
+  - name: prod
+    config:
+      default-storage: proddb
+      storage:
+        - name: proddb
+          plugin: mongodb
+          config:
+            url: "${secret.prodMongoConnectionString}"
+`
+	require.NoError(t, c.TestContext.FileSystem.WriteFile(
+		"/home/myuser/.porter/config.yaml", []byte(cfg), 0600))
+
+	c.DataLoader = LoadFromFilesystem()
+	_, err := c.Load(context.Background(), func(ctx context.Context, secretKey string) (string, error) {
+		t.Fatalf("unexpected secret resolution: %s", secretKey)
+		return "", nil
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "filesystem", c.Data.DefaultSecretsPlugin)
+}
+
 func TestListTemplateVariables(t *testing.T) {
 	eng := liquid.NewEngine()
 	tmpl, err := eng.ParseString(`not a variable {{secrets.foo}} more non variable junk{{env.var}}{{env.var}}`)