fix(aws): parse resource policies into canonical JSON (sorted) before comparing

[cmoscofian]

Problem Statement

Related Issue

Fixes: #5620

Proposed

Add a canonical comparison between JSON objects since maps.Equal requires all map values to implement comparable but slices can be parsed as []interface{} which is not comparable.

This could also be achieved using reflection but it gets even more expensive, specially for bigger JSON objets.

Format

Please ensure that your PR follows the following format for the title:

feat(scope): add new feature
fix(scope): fix bug
docs(scope): update documentation
chore(scope): update build tool or dependencies
ref(scope): refactor code
clean(scope): provider cleanup
test(scope): add tests
perf(scope): improve performance
desig(scope): improve design

Where scope is optionally one of:

• charts
• release
• testing
• security
• templating

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

Summary by CodeRabbit

• Tests

  • Added tests for Secrets Manager resource policy handling covering unchanged and updated policy scenarios; includes a new test helper and wiring of a fake Kubernetes client with test policy data.

• Refactor

  • Simplified internal comparison logic and adjusted imports for consistency and maintainability.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[jakobmoellerdev]

this is not enough for proper canonical comparison I believe. Please check https://pkg.go.dev/encoding/json/jsontext#Value.Canonicalize for details. if you really want canonical representations we should introduce JCS as per RFC 8785

[cmoscofian]

Yeap, you are absolutely right, it does not do full canonical comparison and it is not a fully RFC8785 compliant implementation. This is more of a paretto implementation in which it should cover 80% of the use cases (including the bug at hand). I see three clear options to continue from here:

1. I can write a full compliant implementation of the RFC8785, I don't mind but it can take a little while, and it still might not be 100% compliant specially when evaluating non UTF keys.
2. We could rely on using jsonv2/ jsontext but those are experimental at this point or search for a third party library that handles the full implementation, but that needs to be vetted by maintainers.
3. There is a quick escape using reflect.DeepEqual , it's a simpler implementation but it adds quite a bit in terms of runtime cost specially on big resource policies.

I'm very much interested in driving this home, but I think I need some input from the projects perspective which direction makes more sense from the maintainers perspective.

[Skarlso]

Rather than using a canonical JSON compare which is an incomplete comparison, how about just type switching? In case of a slice, use a slice, in case of a map use a map?

[cmoscofian]

I think this is mostly what this implementation does. It parses the representations of slices and maps (using sorted keys). Maybe the main issue with this implementation might be the naming, since this does not fully implements CanonicalJSON (it's based on it) it might feel misleading. I can rename it if that's the way to go.

[Skarlso]

I mean that don't do byte compare. Why not just use a structural compare?

[cmoscofian]

I was looking over other parts of the project and reflect.DeepEqual is used, I think it can fit well in here.
Just cleanup the old implementation and pushed it.

[Skarlso]

I think this works. Especially if other parts of the code are already using this. And your test pretty much shows that it works, right?

[cmoscofian]

Yes it does, I wrote them based replicating the issue.

[coderabbitai]

Walkthrough

Replaced maps.Equal with reflect.DeepEqual for AWS SecretsManager resource policy comparison and adjusted imports. Added test helpers and controller-runtime fake kubeclient wiring; new tests cover unchanged and changed resource policy handling.

Changes

Cohort / File(s)	Summary
Policy comparison change providers/v1/aws/secretsmanager/secretsmanager.go	Replaced maps.Equal with reflect.DeepEqual when comparing parsed policy maps in manageResourcePolicy; added reflect import and adjusted aws util import alias.
Test coverage for resource policy providers/v1/aws/secretsmanager/secretsmanager_test.go	Added makeValidGetResourcePolicyOutput helper; introduced controller-runtime fake kubeclient fixture and passed it into SecretsManager; added tests for existing unchanged and changing resource policies and related test data; added controller-runtime client imports.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Inspect manageResourcePolicy handling of nil vs empty maps and ensure DeepEqual semantics match intended behavior.
• Review the new test cases and fake kubeclient wiring for consistency with existing test patterns.
• Verify import alias change and any linting implications.

Poem

🐰 I nibbled through maps both bent and deep,
Swapped in reflect so panics sleep,
Tests now hum with fake-kube light,
Policies checked, both wrong and right,
Hooray — secrets snug for the night! 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: replacing maps.Equal with canonical JSON comparison for resource policy validation in AWS Secrets Manager.
Description check	✅ Passed	The PR description covers the problem statement, related issue, and proposed solution; however, it lacks the required 'Problem Statement' section heading and details are minimal.
Linked Issues check	✅ Passed	The PR implements the fix proposed in #5620 by switching from maps.Equal to canonical JSON comparison to handle non-comparable types like []interface{}, directly addressing the panic issue.
Out of Scope Changes check	✅ Passed	All changes are directly related to fixing the resource policy comparison issue: implementation change in secretsmanager.go and corresponding test additions in secretsmanager_test.go.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

providers/v1/aws/secretsmanager/secretsmanager.go (1)

886-905: Handle empty currentPolicy before JSON unmarshaling.

When currentPolicy is an empty string (line 886-889), json.Unmarshal([]byte(""), &currentPolicyMap) at line 897 will fail with an "unexpected end of JSON input" error. This will cause the reconciliation to error out even when there's no existing policy and a new one should simply be applied.

Consider handling the empty policy case explicitly:

 	currentPolicy := ""
 	if currentPolicyOutput != nil && currentPolicyOutput.ResourcePolicy != nil {
 		currentPolicy = *currentPolicyOutput.ResourcePolicy
 	}

+	// If there's no current policy, we need to create one
+	if currentPolicy == "" {
+		putPolicyInput := &awssm.PutResourcePolicyInput{
+			SecretId:       secretID,
+			ResourcePolicy: aws.String(policyJSON),
+		}
+		if meta.Spec.ResourcePolicy.BlockPublicPolicy != nil {
+			putPolicyInput.BlockPublicPolicy = meta.Spec.ResourcePolicy.BlockPublicPolicy
+		}
+
+		_, err = sm.client.PutResourcePolicy(ctx, putPolicyInput)
+		metrics.ObserveAPICall(constants.ProviderAWSSM, constants.CallAWSSMPutResourcePolicy, err)
+		if err != nil {
+			return fmt.Errorf("failed to put resource policy: %w", err)
+		}
+		return nil
+	}
+
 	// convert to maps so we can do a stable comparison.
 	var (
 		currentPolicyMap map[string]any
 		policyJSONMaps   map[string]any
 	)

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 606e2ec and 21e2b95.

📒 Files selected for processing (2)

• providers/v1/aws/secretsmanager/secretsmanager.go (3 hunks)
• providers/v1/aws/secretsmanager/secretsmanager_test.go (5 hunks)

🔇 Additional comments (5)

providers/v1/aws/secretsmanager/secretsmanager.go (1)

904-906: Good fix: reflect.DeepEqual correctly handles nested slices.

Using reflect.DeepEqual resolves the panic caused by maps.Equal when comparing maps containing []interface{} values (which are not comparable). This properly addresses the linked issue #5620.

providers/v1/aws/secretsmanager/secretsmanager_test.go (4)

109-136: LGTM: Helper function provides good test fixture.

The makeValidGetResourcePolicyOutput function creates a realistic AWS resource policy for testing the comparison logic. The policy structure matches the format expected from AWS Secrets Manager.

---

1124-1199: Test validates changed policy scenario correctly.

This test verifies that when the resource policy differs (different principal ARN), PutResourcePolicy is called. The test correctly includes PutResourcePolicyFn in the mock to verify it gets invoked.

---

1202-1209: LGTM: Test setup properly injects kubeclient.

The kubeclient field is correctly wired into the SecretsManager struct for tests that require Kubernetes client interactions.

---

1049-1123: Test correctly validates that unchanged resource policies are not synced.

This test verifies that when the existing resource policy matches the desired policy (despite different JSON key ordering), PutResourcePolicy is not called. The test properly:

• Omits PutResourcePolicyFn from the mock (which would fail if called)
• Uses different JSON key ordering between the existing policy and ConfigMap to ensure policy comparison works correctly regardless of key order

The ConfigMap is created without an explicit Namespace in ObjectMeta, which defaults to empty string. Verify that the test setup initializes the SecretsManager client with an empty namespace (or matches the ConfigMap's namespace) to ensure the ConfigMap lookup succeeds.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

providers/v1/aws/secretsmanager/secretsmanager_test.go (1)

1049-1123: LGTM! Well-designed test for canonical JSON comparison.

This test correctly verifies that when an existing resource policy and desired policy have identical content but different JSON field ordering (lines 1091-1116 vs lines 111-134), the canonical comparison detects they're equal and skips the PutResourcePolicy call.

The implicit assertion (not setting PutResourcePolicyFn) is consistent with patterns elsewhere in this test file.

Optional: Consider explicit assertion

For clarity, you could add an explicit assertion that PutResourcePolicyFn was not called:

client: fakesm.Client{
    // ... existing functions ...
    PutResourcePolicyFn: func(ctx context.Context, input *awssm.PutResourcePolicyInput, opts ...func(*awssm.Options)) (*awssm.PutResourcePolicyOutput, error) {
        t.Fatal("PutResourcePolicy should not be called when policy is unchanged")
        return nil, nil
    },
},

However, the current pattern (omitting the function) is already used consistently in this file and is equally valid.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3a9f0ee and da87aae.

📒 Files selected for processing (2)

• providers/v1/aws/secretsmanager/secretsmanager.go (2 hunks)
• providers/v1/aws/secretsmanager/secretsmanager_test.go (5 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• providers/v1/aws/secretsmanager/secretsmanager.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: publish-artifacts (Dockerfile.ubi, CGO_ENABLED=0, amd64 arm64 ppc64le, linux/amd64,linux/arm64,li... / Build and Publish
• GitHub Check: publish-artifacts (Dockerfile, CGO_ENABLED=0, amd64 arm64 s390x ppc64le, linux/amd64,linux/arm64,... / Build and Publish
• GitHub Check: publish-artifacts (Dockerfile.ubi, CGO_ENABLED=0 GOEXPERIMENT=boringcrypto, amd64 ppc64le, linux/... / Build and Publish
• GitHub Check: check-diff
• GitHub Check: unit-tests
• GitHub Check: lint
• GitHub Check: Analyze project (actions, none)
• GitHub Check: Analyze project (go, autobuild)

🔇 Additional comments (4)

providers/v1/aws/secretsmanager/secretsmanager_test.go (4)

41-42: LGTM! Necessary imports for Kubernetes client testing.

The controller-runtime client imports enable proper test wiring for ConfigMap-based resource policy sources.

---

109-136: LGTM! Well-structured test helper.

The helper provides realistic AWS IAM resource policy test data that serves as a baseline for the canonical JSON comparison tests.

---

567-567: LGTM! Proper test wiring for Kubernetes client.

The kubeclient field addition and initialization correctly wire the fake Kubernetes client into the SecretsManager for testing ConfigMap-based policy sources.

Also applies to: 1208-1208

---

1124-1199: LGTM! Proper test for changed resource policy.

This test correctly verifies that when the resource policy content actually differs (line 1184 has "role/sudo" vs line 128 has "role/admin"), the PutResourcePolicy call is made. This complements the previous test case and ensures the canonical comparison doesn't incorrectly skip updates when policies genuinely differ.