fix(gcpsm): Improve SecretExists method in GCP secret manager provider

[tosih]

Problem Statement

This issue is related to a recent change that addressed this issue: #5584. The PR: #5593 does address the issue but does not cover the case where the latest secret version returned by GCP secret manager could be disabled.

Related Issue

Relates to: #5584
Addresses: #5609

Proposed Changes

SecretExists should check for latest enabled secret version. It does not need to call GetSecret, as looking for just the version should suffice. Instead we can use the already available private function getLatestEnabledVersion().

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

Summary by CodeRabbit

• New Features

  • Regional/location-aware secret handling with helpers for constructing secret and parent paths.
  • Test helper to simulate secret-version listing and iteration.

• Bug Fixes

  • Secret existence now requires an accessible enabled version; NotFound and API errors propagate correctly.
  • Added observability around secret access calls.

• Tests

  • Expanded regional tests, context-aware patterns, and per-test mock injection for version flows.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[tosih]

/ok-to-test sha=17ed6fbb41c17747b64da40b8065d0aba565fc56

[tosih]

/ok-to-test-managed sha=17ed6fbb41c17747b64da40b8065d0aba565fc56 provider=gcp

[gusfcarvalho]

/ok-to-test sha=17ed6fbb41c17747b64da40b8065d0aba565fc56

[eso-service-account-app]

[Bot] - ✅ e2e for 17ed6fbb41c17747b64da40b8065d0aba565fc56 passed

[tosih]

disclaimer: I used Claude to help me generate this SecretVersionIterator mock

[tosih]

@gusfcarvalho could you fire another e2e? I ended up making a few extra changes.

I was trying to avoid the SecretVersionIterator mock that needed to use reflection, but it seemed to be the only way to properly unit test my usage of getLatestEnabledVersion

[tosih]

/ok-to-test sha=ad4acc7463f54be2a09a92cb79396617c01aa531

[tosih]

/ok-to-test-managed sha=ad4acc7463f54be2a09a92cb79396617c01aa531

[Skarlso]

@tosih I'm afraid you aren't allowed to fire the e2e test. :) Only maintainers ccan.

Also, please take care of the sonar issues before proceeding. :) Thanks!

[Skarlso]

/ok-to-test sha=ad4acc7463f54be2a09a92cb79396617c01aa531

[eso-service-account-app]

[Bot] - ✅ e2e for ad4acc7463f54be2a09a92cb79396617c01aa531 passed

[coderabbitai]

Walkthrough

SecretExists now obtains the latest enabled secret version via ListSecretVersions and AccessSecretVersion (using new helpers getName/getParentName/getLatestEnabledVersion) instead of GetSecret. Tests were made location-aware and use per-test contexts. Fake client gained a mock SecretVersionIterator generator for tests.

Changes

Cohort / File(s)	Summary
Core client refactor providers/v1/gcp/secretmanager/client.go	SecretExists now delegates to getLatestEnabledVersion and uses getName/getParentName. Added helpers: getName, getParentName, isErrSecretDestroyedOrDisabled, getLatestEnabledVersion which lists versions, picks newest ENABLED by CreateTime, falls back to .../versions/latest, calls AccessSecretVersion, and observes API metrics. Minor stylistic change in PushSecret.
Tests — regional/location-aware providers/v1/gcp/secretmanager/client_test.go	Tests switched test types to v1alpha1.PushSecretRemoteRef, added per-test Location scenarios, use t.Context() at call sites, and inject per-test mocks via tc.setupMock for ListSecretVersions and AccessSecretVersion to simulate regional resource names, NotFound, DESTROYED, and permission cases.
Fake/mocks — iterator support providers/v1/gcp/secretmanager/fake/fake.go	Added ListSecretVersionsMockReturn type and NewSecretVersionIterator(versions []*secretmanagerpb.SecretVersion) *secretmanager.SecretVersionIterator to fabricate a mock SecretVersionIterator (uses reflect, unsafe, and iterator.PageInfo internals). Added MockSMClient.NewListSecretVersionsFn to return the iterator and updated imports.
Dependency providers/v1/gcp/go.mod	Added direct require: google.golang.org/protobuf v1.36.10 (moved from indirect to direct).

Sequence Diagram(s)

sequenceDiagram
    participant Client as Provider Client
    participant SM as Secret Manager API
    participant Metrics as metrics

    Client->>SM: ListSecretVersions(parent or secret name)
    SM-->>Client: SecretVersion iterator
    Client->>Client: iterate -> pick newest ENABLED by CreateTime
    alt enabled version found
        Client->>Metrics: ObserveAPICall(start)
        Client->>SM: AccessSecretVersion(version name)
        SM-->>Client: Secret payload / error
        Client->>Metrics: ObserveAPICall(end)
    else none enabled
        Client->>Metrics: ObserveAPICall(start)
        Client->>SM: AccessSecretVersion(.../versions/latest)
        SM-->>Client: Secret payload / error
        Client->>Metrics: ObserveAPICall(end)
    end
    Client-->>Caller: return exists? (true/false) or error

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

• Inspect reflect/unsafe usage and iterator/PageInfo manipulation in fake/fake.go.
• Verify getLatestEnabledVersion iteration logic, CreateTime comparison, fallback to latest, and error propagation.
• Confirm metrics placement around AccessSecretVersion.
• Validate updated tests: per-test mock wiring, regional name handling, and type change to v1alpha1.PushSecretRemoteRef.

Poem

🐰 I hopped through versions, nose to every trail,

I found the freshest ENABLED tale,
I stitched mock pages with a gentle paw,
Tuned regions, contexts, and the test-sweet law,
A rabbit cheers when CI sings without fail.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 35.29% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly summarizes the main change: improving the SecretExists method in the GCP secret manager provider to handle disabled versions.
Description check	✅ Passed	The PR description includes problem statement, related issues, proposed changes, and a complete checklist. All required template sections are present and substantive.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2cc7fc6 and 6a40948.

📒 Files selected for processing (1)

• providers/v1/gcp/go.mod (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)

• GitHub Check: publish-artifacts (Dockerfile.ubi, CGO_ENABLED=0, amd64 arm64 ppc64le, linux/amd64,linux/arm64,li... / Build and Publish
• GitHub Check: publish-artifacts (Dockerfile, CGO_ENABLED=0, amd64 arm64 s390x ppc64le, linux/amd64,linux/arm64,... / Build and Publish
• GitHub Check: publish-artifacts (Dockerfile.ubi, CGO_ENABLED=0 GOEXPERIMENT=boringcrypto, amd64 ppc64le, linux/... / Build and Publish
• GitHub Check: lint
• GitHub Check: unit-tests
• GitHub Check: check-diff
• GitHub Check: Analyze project (go, autobuild)

🔇 Additional comments (1)

providers/v1/gcp/go.mod (1)

20-20: The promotion of google.golang.org/protobuf to a direct dependency is appropriate and verified.

The dependency promotion is justified by the updated implementation's direct use of protobuf APIs (e.g., SecretVersionIterator mocking in client.go). Version v1.36.10 is stable and secure with no known unfixed vulnerabilities, and no orphaned indirect entries remain in the dependency tree.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

providers/v1/gcp/secretmanager/client_test.go (1)

1189-1264: Test may not be validating the new SecretExists behavior.

TestSecretExistsWithRegionalEndpoint mocks GetSecretFn and AccessSecretVersionFn, but the refactored SecretExists method now uses getLatestEnabledVersion, which calls ListSecretVersions before AccessSecretVersion.

Since ListSecretVersionsFn is not mocked in these test cases, the test may either:

1. Panic with a nil function call, or
2. Pass accidentally if there's a default behavior

Consider updating this test to use the same setupMock pattern as TestSecretExists to properly mock ListSecretVersionsFn.

 func TestSecretExistsWithRegionalEndpoint(t *testing.T) {
 	tests := []struct {
 		name                          string
 		location                      string
 		ref                           esv1.PushSecretRemoteRef
-		getSecretMockReturn           fakesm.SecretMockReturn
-		accessSecretVersionMockReturn fakesm.AccessSecretVersionMockReturn
+		setupMock                     func(*fakesm.MockSMClient)
 		expectedSecret                bool
 		expectedErr                   func(t *testing.T, err error)
 	}{

🧹 Nitpick comments (1)

providers/v1/gcp/secretmanager/client.go (1)

710-730: Consider edge case when multiple versions have the same CreateTime.

The loop selects the version with the latest CreateTime using After(). If two versions have identical timestamps (unlikely but possible), the selection depends on iteration order, which may not be deterministic.

This is a minor edge case, but worth noting. If deterministic behavior is needed, consider a secondary sort key (e.g., version name/number).

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4473156 and 3d40256.

📒 Files selected for processing (3)

• providers/v1/gcp/secretmanager/client.go (3 hunks)
• providers/v1/gcp/secretmanager/client_test.go (8 hunks)
• providers/v1/gcp/secretmanager/fake/fake.go (5 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

providers/v1/gcp/secretmanager/client_test.go (1)

providers/v1/gcp/secretmanager/fake/fake.go (5)

• AddSecretVersionMockReturn (60-63)
• MockSMClient (34-47)
• ListSecretVersionsMockReturn (65-67)
• NewSecretVersionIterator (73-139)
• AccessSecretVersionMockReturn (55-58)

🔇 Additional comments (7)

providers/v1/gcp/secretmanager/fake/fake.go (3)

69-139: Acknowledge the reflection-based mock approach.

This is a sophisticated mock implementation that uses reflection and unsafe to populate unexported fields of secretmanager.SecretVersionIterator. The approach is well-documented and appropriately scoped for test-only usage.

A few observations:

1. The setField helper silently ignores invalid field names (when !field.IsValid()). Consider logging or panicking in tests if a field name is incorrect, as this could mask test setup bugs.

2. The done variable is captured in the InternalFetch closure, meaning the iterator cannot be reused after exhaustion. This is fine for the current test patterns but worth noting.

---

65-67: LGTM - consistent mock pattern.

The ListSecretVersionsMockReturn struct correctly only contains Res since ListSecretVersions returns an iterator directly (errors are surfaced through iter.Next()), unlike other methods that return (result, error).

---

292-296: LGTM - standard mock setter.

The NewListSecretVersionsFn follows the established pattern used by other mock setters in this file.

providers/v1/gcp/secretmanager/client_test.go (2)

1145-1164: Test case behavior may not match the new implementation.

This test case "secret version does not exist - latest version is destroyed/disabled" sets up:

• Empty iterator (no enabled versions)
• AccessSecretVersion returning FailedPrecondition with "DESTROYED state"

The test expects expectedExists: false and an error containing "DESTROYED state".

However, looking at the implementation in client.go, getLatestEnabledVersion will:

1. Find no enabled versions (empty iterator)
2. Fall through with versionName = "latest"
3. Call AccessSecretVersion with /versions/latest
4. Return the FailedPrecondition error

Since SecretExists only treats codes.NotFound as "secret doesn't exist", this error will propagate as an error (not "secret exists = false"). The test expectation seems correct, but consider whether this behavior is intended—a secret with all versions destroyed/disabled returns an error rather than (false, nil).

Is this the intended behavior? If a secret exists but has no enabled versions (all destroyed/disabled), should SecretExists return:

• (false, nil) - treating it as "doesn't exist for practical purposes", or
• (false, err) - indicating the secret exists but is in an unusable state?

The current implementation returns (false, err), which may be confusing for callers.

---

1016-1021: LGTM - improved test structure.

The refactored TestSecretExists uses the setupMock pattern which provides better flexibility and clarity. The test cases cover important scenarios including regional secrets, not-found errors, and permission denied errors.

providers/v1/gcp/secretmanager/client.go (2)

149-160: LGTM - cleaner existence check using enabled versions.

The refactored SecretExists now correctly delegates to getLatestEnabledVersion, which checks for accessible (enabled) secret versions rather than just secret existence. This aligns with the PR objective of fixing the issue where the latest version could be disabled.

The NotFound error handling correctly returns (false, nil) indicating the secret doesn't exist from a practical standpoint.

---

192-196: LGTM - minor style change.

Changing var replication = to replication := is a stylistic improvement with identical semantics.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

providers/v1/gcp/secretmanager/fake/fake.go (1)

69-140: Consider adding defensive checks for field reflection failures.

The reflection-based approach is reasonable for test mocking but has maintenance implications:

1. Silent failures: The setField helper (lines 77-85) silently does nothing if a field is not found. If the underlying library changes field names, tests may pass with invalid mocks, hiding failures.

2. Brittleness: The mock assumes specific unexported field names (pageInfo, nextFunc, items) in secretmanager.SecretVersionIterator. Library updates could break this without warning.

3. Simplified scope: The implementation only supports 0-1 versions (documented on lines 70-72), which may require updates if test coverage expands.

Consider these improvements:

 // Simple helper to set an unexported field using reflection
 setField := func(name string, value any) {
   v := reflect.ValueOf(it).Elem()
   field := v.FieldByName(name)
-  if field.IsValid() {
+  if !field.IsValid() {
+    // In tests, failing to set a field likely means the library structure changed
+    panic(fmt.Sprintf("mock iterator: field %q not found in SecretVersionIterator", name))
+  }
+  if field.CanAddr() {
     //#nosec G103 -- Audited this use and it's only for mocking in testing
     reflect.NewAt(field.Type(), unsafe.Pointer(field.UnsafeAddr())).
       Elem().Set(reflect.ValueOf(value))
+  } else {
+    panic(fmt.Sprintf("mock iterator: field %q is not addressable", name))
   }
 }

This will fail tests immediately if the library structure changes, rather than silently producing incorrect behavior.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3d40256 and c66d59d.

📒 Files selected for processing (1)

• providers/v1/gcp/secretmanager/fake/fake.go (5 hunks)

🔇 Additional comments (3)

providers/v1/gcp/secretmanager/fake/fake.go (3)

65-67: LGTM!

The ListSecretVersionsMockReturn type follows the established pattern of other mock return types in this file and provides a clean wrapper for the mock iterator.

---

293-297: LGTM!

The NewListSecretVersionsFn method follows the established pattern of other mock setup methods in this file and correctly wires the mock iterator.

---

23-24: The reflection-based mock approach relies on unstable internal iterator structure. Verify compatibility and add error handling.

The InternalFetch field in SecretVersionIterator is explicitly documented as not part of the stable interface of the package. Using reflection and unsafe pointers to set unexported fields in a struct with internal implementation details creates brittleness. If Google's implementation changes internal field names or structure in future library versions, this mock will silently fail.

Consider adding defensive error handling to the setField helper to detect and report failures, and add comments documenting the specific library version this mock targets to make future compatibility breaks more discoverable.

[tosih]

I added a fix that CodeRabbitAI was suggesting and it also matched another PR: #5678

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

providers/v1/gcp/secretmanager/client_test.go (1)

1028-1047: Consider setting CreateTime in mock versions to fully exercise the comparison logic.

The mocked SecretVersion objects don't set CreateTime. While this works (protobuf handles nil safely), it means the "latest by creation time" comparison logic in getLatestEnabledVersion isn't fully tested. Consider adding CreateTime values to properly validate the version selection:

 mc.NewListSecretVersionsFn(fakesm.ListSecretVersionsMockReturn{
     Res: fakesm.NewSecretVersionIterator([]*secretmanagerpb.SecretVersion{
         {
             Name:  "projects/foo/secrets/bar/versions/1",
             State: secretmanagerpb.SecretVersion_ENABLED,
+            CreateTime: timestamppb.Now(),
         },
     }),
 })

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9fa5abb and 98987a3.

📒 Files selected for processing (3)

• providers/v1/gcp/secretmanager/client.go (3 hunks)
• providers/v1/gcp/secretmanager/client_test.go (20 hunks)
• providers/v1/gcp/secretmanager/fake/fake.go (5 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• providers/v1/gcp/secretmanager/fake/fake.go

🧰 Additional context used

🧬 Code graph analysis (1)

providers/v1/gcp/secretmanager/client_test.go (4)

providers/v1/gcp/secretmanager/fake/fake.go (4)

• AddSecretVersionMockReturn (60-63)
• MockSMClient (34-47)
• ListSecretVersionsMockReturn (65-67)
• NewSecretVersionIterator (73-140)

apis/externalsecrets/v1alpha1/pushsecret_types.go (1)

• PushSecret (261-267)

providers/v1/gcp/secretmanager/client.go (1)

• Client (88-97)

providers/v1/oracle/oracle.go (1)

• SecretExists (110-110)

🔇 Additional comments (8)

providers/v1/gcp/secretmanager/client.go (3)

149-160: LGTM: SecretExists now correctly checks for accessible versions.

The refactored implementation properly determines secret existence by checking for an enabled/accessible version rather than just checking if the secret resource exists. This addresses the issue where a secret could exist but have only disabled/destroyed versions.

---

192-196: Minor style improvement noted.

The change from var replication = ... to replication := ... is a minor idiomatic improvement.

---

710-746: Path construction issue resolved correctly.

The previous critical issue about double-prefixed paths has been properly addressed. The implementation now:

1. Initializes versionName as empty string
2. Sets it to the full path from version.Name when enabled versions are found
3. Only constructs the fallback path when no enabled versions exist (line 734-736)
4. Uses versionName directly in the request

This ensures valid resource paths in all scenarios.

providers/v1/gcp/secretmanager/client_test.go (5)

82-82: Context usage is appropriate for test setup.

Using context.TODO() in the test setup helper is acceptable since the actual test methods use t.Context() which provides proper test-scoped context handling.

---

601-619: Minor style improvements noted.

The changes from var x = ... to x := ... are idiomatic Go style improvements with no functional impact.

---

1189-1280: Regional endpoint tests provide good coverage.

The TestSecretExistsWithRegionalEndpoint test cases properly exercise the regional secret behavior, including existence checks and NotFound scenarios with the updated mock infrastructure.

---

1145-1164: Good test case for destroyed/disabled state handling.

This test case properly validates the behavior when the latest version is destroyed/disabled - the function correctly returns false with an error containing the state information, ensuring callers can distinguish between "secret doesn't exist" and "secret exists but is inaccessible."

---

217-217: Correct the Go version reference in t.Context() usage explanation.

Using t.Context() (Go 1.24+) returns a context that's canceled after the test completes, improving test isolation.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

providers/v1/gcp/secretmanager/client.go (1)

716-730: Consider edge case: multiple versions with identical CreateTime.

The logic finds the version with the latest CreateTime, but if two versions have identical timestamps, the result depends on iteration order which may not be deterministic. While unlikely in practice, consider using version number as a tiebreaker for deterministic behavior.

providers/v1/gcp/secretmanager/fake/fake.go (1)

76-85: Consider adding error handling for invalid field names in setField.

The setField helper silently ignores invalid field names. While this works for the current use case, if the SecretVersionIterator struct changes in a future library update, the mock could silently break. Consider logging a warning or panicking in tests when a field isn't found.

 	setField := func(name string, value any) {
 		v := reflect.ValueOf(it).Elem()
 		field := v.FieldByName(name)
 		if field.IsValid() {
 			//#nosec G103 -- Audited this use and it's only for mocking in testing
 			reflect.NewAt(field.Type(), unsafe.Pointer(field.UnsafeAddr())).
 				Elem().Set(reflect.ValueOf(value))
+		} else {
+			panic(fmt.Sprintf("SecretVersionIterator field %q not found - mock may be incompatible with library version", name))
 		}
 	}

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 98987a3 and d464236.

📒 Files selected for processing (3)

• providers/v1/gcp/secretmanager/client.go (3 hunks)
• providers/v1/gcp/secretmanager/client_test.go (20 hunks)
• providers/v1/gcp/secretmanager/fake/fake.go (5 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

providers/v1/gcp/secretmanager/client_test.go (1)

providers/v1/gcp/secretmanager/fake/fake.go (5)

• AddSecretVersionMockReturn (60-63)
• MockSMClient (34-47)
• ListSecretVersionsMockReturn (65-67)
• NewSecretVersionIterator (73-140)
• AccessSecretVersionMockReturn (55-58)

🔇 Additional comments (8)

providers/v1/gcp/secretmanager/client.go (2)

149-160: LGTM! SecretExists now correctly uses getLatestEnabledVersion.

The refactored implementation properly determines secret existence by checking for accessible versions rather than just the secret metadata. This addresses the issue where a secret could exist but have all versions disabled/destroyed.

---

710-746: Previous path construction issue has been addressed.

The implementation now correctly handles the version name:

• When an enabled version is found, versionName is set to version.Name (already a full resource path)
• When no enabled versions exist, the fallback constructs the full path: fmt.Sprintf("%s/versions/latest", name)
• Line 738 uses versionName directly without wrapping it in another fmt.Sprintf

This resolves the double-prefixed path issue raised in previous reviews.

providers/v1/gcp/secretmanager/fake/fake.go (2)

69-140: Reflection-based mock iterator is correctly implemented for testing purposes.

The use of reflect and unsafe to manipulate unexported fields is an accepted pattern when mocking Google Cloud iterators. The #nosec G103 annotation appropriately acknowledges the audited use of unsafe pointers.

---

293-297: LGTM! NewListSecretVersionsFn provides clean mock injection.

The method follows the established pattern used by other mock setters in this file (e.g., NewAccessSecretVersionFn, NewGetSecretFn).

providers/v1/gcp/secretmanager/client_test.go (4)

1014-1165: LGTM! Comprehensive test coverage for SecretExists.

The test cases properly cover:

• Secret with accessible enabled versions (global and regional)
• NotFound scenarios (secret doesn't exist)
• PermissionDenied error propagation
• DESTROYED/disabled state handling
• Regional endpoint behavior

The use of setupMock function pattern improves test readability and maintainability.

---

1146-1164: Good test case for destroyed/disabled secret version edge case.

This test case correctly validates that when all versions are destroyed/disabled, the error is propagated rather than returning exists=true. This aligns with the PR objective to properly handle disabled secret versions.

---

1189-1268: LGTM! Regional endpoint tests are well structured.

Tests correctly validate the regional secret path format (projects/{project}/locations/{location}/secrets/{secret}/versions/{version}) and both exists/not-exists scenarios with regional endpoints.

---

82-82: Consistent use of context.TODO() in test setup helpers.

Using context.TODO() in makeValidSecretManagerTestCase and makeValidSecretManagerTestCaseCustom is appropriate since these helpers run before the test context is available.

Also applies to: 112-112

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

providers/v1/gcp/secretmanager/fake/fake.go (1)

80-88: Consider adding error handling for missing fields.

The setField helper silently ignores cases where the field is not valid. While this works for the current use case, consider logging or returning an error if a field is not found, to catch potential issues if the underlying library changes its field names.

 	setField := func(name string, value any) {
 		v := reflect.ValueOf(it).Elem()
 		field := v.FieldByName(name)
-		if field.IsValid() {
-			//#nosec G103 -- Audited this use and it's only for mocking in testing
-			reflect.NewAt(field.Type(), unsafe.Pointer(field.UnsafeAddr())).
-				Elem().Set(reflect.ValueOf(value))
+		if !field.IsValid() {
+			panic(fmt.Sprintf("SecretVersionIterator field %q not found - library may have changed", name))
 		}
+		//#nosec G103 -- Audited this use and it's only for mocking in testing
+		reflect.NewAt(field.Type(), unsafe.Pointer(field.UnsafeAddr())).
+			Elem().Set(reflect.ValueOf(value))
 	}

providers/v1/gcp/secretmanager/client.go (1)

192-196: Minor: Unused variable initialization when location is set.

When c.store.Location is set (regional secrets), the replication variable is initialized but never used since regional secrets don't set replication (as per the check on line 230). This is harmless but slightly wasteful.

+	var replication *secretmanagerpb.Replication
+	if c.store.Location == "" {
-	replication := &secretmanagerpb.Replication{
+		replication = &secretmanagerpb.Replication{
-		Replication: &secretmanagerpb.Replication_Automatic_{
-			Automatic: &secretmanagerpb.Replication_Automatic{},
-		},
+			Replication: &secretmanagerpb.Replication_Automatic_{
+				Automatic: &secretmanagerpb.Replication_Automatic{},
+			},
+		}
 	}

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d464236 and 2cc7fc6.

📒 Files selected for processing (3)

• providers/v1/gcp/secretmanager/client.go (3 hunks)
• providers/v1/gcp/secretmanager/client_test.go (22 hunks)
• providers/v1/gcp/secretmanager/fake/fake.go (5 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

providers/v1/gcp/secretmanager/client.go (1)

providers/v1/oracle/oracle.go (1)

• SecretExists (110-110)

🔇 Additional comments (11)

providers/v1/gcp/secretmanager/client_test.go (4)

26-35: LGTM: New imports for time-based testing.

The additions of time and timestamppb imports are correctly added to support the new timestamp-based version selection tests.

---

1016-1233: Well-structured test cases for SecretExists.

The test cases comprehensively cover:

• Secret with accessible version exists
• Multiple versions selecting latest by create time
• Secret not found (NotFound error)
• Permission denied error propagation
• Regional secret existence
• Regional secret not found
• Destroyed/disabled version handling

The use of setupMock function for per-test mock injection is a clean pattern.

---

1235-1315: LGTM: Regional endpoint tests properly updated.

The TestSecretExistsWithRegionalEndpoint tests correctly use the new ListSecretVersionsMockReturn and properly construct regional secret paths like projects/foo/locations/us-east1/secrets/bar/versions/1.

---

1191-1210: Test expectations are correct and align with implementation.

The test case correctly validates that when a secret's latest enabled version is destroyed/disabled, SecretExists returns (false, error) rather than silently returning false.

The implementation flow confirms this: SecretExists calls getLatestEnabledVersion, which falls back to accessing "latest" when no enabled versions exist. When AccessSecretVersion returns a FailedPrecondition error for a destroyed version, this error is propagated back to the caller. The implementation only treats NotFound as a special case (returning false, nil), while other errors—including FailedPrecondition—are returned as-is. This is the intended behavior: distinguishing between "secret doesn't exist" (NotFound) and "secret exists but cannot be accessed" (FailedPrecondition). The test expectations are valid.

providers/v1/gcp/secretmanager/fake/fake.go (3)

23-24: Acknowledge: Reflection and unsafe usage for test mocking.

The use of reflect and unsafe packages is necessary here to mock the Google Cloud SecretVersionIterator which has unexported fields. The #nosec G103 annotation appropriately documents that this unsafe usage has been audited. Since this is test-only code, this approach is acceptable.

---

69-143: Well-documented mock iterator implementation.

The NewSecretVersionIterator function is well-documented with clear comments explaining:

• The purpose of the function
• How the iterator works (returns all versions on first fetch, then iterator.Done)
• Why reflection is needed (unexported fields)

The implementation correctly uses iterator.NewPageInfo to wire up the pagination mechanics, making it compatible with the Google iterator package.

---

296-303: LGTM: Clean mock configuration method.

The NewListSecretVersionsFn method provides a clean API for configuring the mock's ListSecretVersions behavior in tests.

providers/v1/gcp/secretmanager/client.go (4)

149-160: LGTM: SecretExists implementation is clean and correct.

The implementation correctly:

1. Constructs the secret name using getName
2. Delegates to getLatestEnabledVersion to check for accessible versions
3. Returns false, nil for NotFound errors (secret doesn't exist)
4. Returns false, err for other errors (propagates the error)
5. Returns true, nil when a version is accessible

---

690-706: LGTM: Well-documented helper functions.

The getName and getParentName helper functions are well-documented and correctly handle both global and regional secret paths.

---

708-715: LGTM: Error detection for destroyed/disabled states.

The isErrSecretDestroyedOrDisabled function correctly checks for FailedPrecondition status code and message content to detect destroyed or disabled secret versions.

---

717-760: Path construction issue has been addressed.

The previous review comments flagged a critical path construction bug where version.Name (a full resource path) was being incorrectly wrapped in another path template. This has been fixed:

1. versionName is now initialized as empty string (Line 731)
2. When an enabled version is found, versionName is set to version.Name directly (Line 742) - which is already a full path
3. Only when no enabled versions are found, versionName is constructed with the fallback path (Lines 748-750)
4. versionName is used directly in the request (Line 752)

This correctly avoids the double-prefixed path issue.

[tosih]

please let me know what else is needed to get this merged in, thanks!

[gusfcarvalho]

/ok-to-test sha=2cc7fc612b1a1d00e0598c98bb439a795c466617

[gusfcarvalho]

/ok-to-test-managed sha=2cc7fc612b1a1d00e0598c98bb439a795c466617 provider=gcp

[gusfcarvalho]

LGTM. Lets just wait if e2e will actually pass 😄

[eso-service-account-app]

[Bot] - ✅ e2e for 2cc7fc612b1a1d00e0598c98bb439a795c466617 passed

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud