[TT-14473] - support for encrypted aws kinesis #876

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

LLe27 wants to merge 12 commits into master from tt-14473-support-for-encrypted-aws-kinesis

Closed

[TT-14473] - support for encrypted aws kinesis #876

fix security issues

probelabs / Visor: quality failed Oct 9, 2025 in 4m 59s

🚨 Check Failed

quality check failed because fail_if condition was met.

Details

📊 Summary

Total Issues: 3
Error Issues: 2
Warning Issues: 1

🔍 Failure Condition Results

❌ Failed Conditions

global_fail_if: Global failure condition met
- ⚠️ Severity: Error

🐛 Issues by Category

🧠 Logic (3)

❌ pumps/kinesis_test.go:1 - Critical functionality is completely untested. The core logic for checking and enabling server-side encryption, which involves multiple AWS API calls (DescribeStream, StartStreamEncryption) and complex conditional branching, has no unit test coverage. The new test file only validates configuration parsing and does not exercise any of the new AWS interaction logic within the Init function.
⚠️ pumps/kinesis.go:120 - Potentially misleading log message on ResourceInUseException. When a ResourceInUseException is caught, the code logs "Server-side encryption is already enabled for the Kinesis stream.". According to AWS documentation, this exception indicates the stream is currently being updated (i.e., in an UPDATING state) and cannot be modified. It does not guarantee that encryption is already enabled. This log message could be misleading during troubleshooting.
❌ system:0 - Global failure condition met

Generated by Visor - AI-powered code review

Annotations

Check failure on line 1 in pumps/kinesis_test.go

probelabs / Visor: quality

logic Issue

Critical functionality is completely untested. The core logic for checking and enabling server-side encryption, which involves multiple AWS API calls (`DescribeStream`, `StartStreamEncryption`) and complex conditional branching, has no unit test coverage. The new test file only validates configuration parsing and does not exercise any of the new AWS interaction logic within the `Init` function.

Raw output


            To address this, the `KinesisPump` should be refactored to allow for dependency injection of the Kinesis client. This would enable the use of mocks to write unit tests that cover the following scenarios:
1. Stream is already encrypted with the correct KMS key.
2. Stream is encrypted with a different KMS key (expecting a fatal error).
3. Stream is not encrypted, and the call to `StartStreamEncryption` is successful.
4. The call to `DescribeStream` fails.
5. The call to `StartStreamEncryption` fails with a `ResourceInUseException`.
6. The call to `StartStreamEncryption` fails with a generic error.

Check warning on line 122 in pumps/kinesis.go

probelabs / Visor: quality

logic Issue

Potentially misleading log message on `ResourceInUseException`. When a `ResourceInUseException` is caught, the code logs `"Server-side encryption is already enabled for the Kinesis stream."`. According to AWS documentation, this exception indicates the stream is currently being updated (i.e., in an `UPDATING` state) and cannot be modified. It does not guarantee that encryption is already enabled. This log message could be misleading during troubleshooting.

Raw output


            Change the log message to more accurately reflect the situation, for example: `Stream is currently being updated; could not enable server-side encryption at this time. Will retry on next startup.`

View more details on probelabs