Merge pull request #1858 from donny-dont/feature/secret-concealer
Feature/secret concealer
This commit is contained in:
commit
17e5eb5036
7 changed files with 129 additions and 95 deletions
|
@ -22,18 +22,17 @@ type Logger interface {
|
||||||
}
|
}
|
||||||
|
|
||||||
type Agent struct {
|
type Agent struct {
|
||||||
Update UpdateFunc
|
Update UpdateFunc
|
||||||
Logger LoggerFunc
|
Logger LoggerFunc
|
||||||
Engine build.Engine
|
Engine build.Engine
|
||||||
Timeout time.Duration
|
Timeout time.Duration
|
||||||
Platform string
|
Platform string
|
||||||
Namespace string
|
Namespace string
|
||||||
Disable []string
|
Disable []string
|
||||||
Escalate []string
|
Escalate []string
|
||||||
Netrc []string
|
Netrc []string
|
||||||
Local string
|
Local string
|
||||||
Pull bool
|
Pull bool
|
||||||
ConcealSecrets bool
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *Agent) Poll() error {
|
func (a *Agent) Poll() error {
|
||||||
|
@ -189,7 +188,7 @@ func (a *Agent) exec(spec *yaml.Config, payload *model.Work, cancel <-chan bool)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
secretsReplacer := newSecretsReplacer(payload.Secrets)
|
replacer := NewSecretReplacer(payload.Secrets)
|
||||||
timeout := time.After(time.Duration(payload.Repo.Timeout) * time.Minute)
|
timeout := time.After(time.Duration(payload.Repo.Timeout) * time.Minute)
|
||||||
|
|
||||||
for {
|
for {
|
||||||
|
@ -229,25 +228,12 @@ func (a *Agent) exec(spec *yaml.Config, payload *model.Work, cancel <-chan bool)
|
||||||
pipeline.Exec()
|
pipeline.Exec()
|
||||||
}
|
}
|
||||||
case line := <-pipeline.Pipe():
|
case line := <-pipeline.Pipe():
|
||||||
// FIXME(vaijab): avoid checking a.ConcealSecrets is true everytime new line is received
|
line.Out = replacer.Replace(line.Out)
|
||||||
if a.ConcealSecrets {
|
|
||||||
line.Out = secretsReplacer.Replace(line.Out)
|
|
||||||
}
|
|
||||||
a.Logger(line)
|
a.Logger(line)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// newSecretsReplacer takes []*model.Secret as secrets and returns a list of
|
|
||||||
// secret value, "*****" pairs.
|
|
||||||
func newSecretsReplacer(secrets []*model.Secret) *strings.Replacer {
|
|
||||||
var r []string
|
|
||||||
for _, s := range secrets {
|
|
||||||
r = append(r, s.Value, "*****")
|
|
||||||
}
|
|
||||||
return strings.NewReplacer(r...)
|
|
||||||
}
|
|
||||||
|
|
||||||
func toEnv(w *model.Work) map[string]string {
|
func toEnv(w *model.Work) map[string]string {
|
||||||
envs := map[string]string{
|
envs := map[string]string{
|
||||||
"CI": "drone",
|
"CI": "drone",
|
||||||
|
|
|
@ -1,23 +0,0 @@
|
||||||
package agent
|
|
||||||
|
|
||||||
import "testing"
|
|
||||||
import "github.com/drone/drone/model"
|
|
||||||
|
|
||||||
func Test_newSecretsReplacer(t *testing.T) {
|
|
||||||
secrets := []*model.Secret{
|
|
||||||
{Name: "SECRET",
|
|
||||||
Value: "secret_value",
|
|
||||||
Images: []string{"*"},
|
|
||||||
Events: []string{"*"},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
text := "This is SECRET: secret_value"
|
|
||||||
expected := "This is SECRET: *****"
|
|
||||||
secretsReplacer := newSecretsReplacer(secrets)
|
|
||||||
result := secretsReplacer.Replace(text)
|
|
||||||
|
|
||||||
if result != expected {
|
|
||||||
t.Errorf("Wanted %q, got %q.", expected, result)
|
|
||||||
}
|
|
||||||
}
|
|
46
agent/secret.go
Normal file
46
agent/secret.go
Normal file
|
@ -0,0 +1,46 @@
|
||||||
|
package agent
|
||||||
|
|
||||||
|
import (
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/drone/drone/model"
|
||||||
|
)
|
||||||
|
|
||||||
|
// SecretReplacer hides secrets from being exposed by the build output.
|
||||||
|
type SecretReplacer interface {
|
||||||
|
// Replace conceals instances of secrets found in s.
|
||||||
|
Replace(s string) string
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewSecretReplacer creates a SecretReplacer based on whether any value in
|
||||||
|
// secrets requests it be hidden.
|
||||||
|
func NewSecretReplacer(secrets []*model.Secret) SecretReplacer {
|
||||||
|
var r []string
|
||||||
|
for _, s := range secrets {
|
||||||
|
if s.Conceal {
|
||||||
|
r = append(r, s.Value, "*****")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(r) == 0 {
|
||||||
|
return &noopReplacer{}
|
||||||
|
}
|
||||||
|
|
||||||
|
return &secretReplacer{
|
||||||
|
replacer: strings.NewReplacer(r...),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
type noopReplacer struct{}
|
||||||
|
|
||||||
|
func (*noopReplacer) Replace(s string) string {
|
||||||
|
return s
|
||||||
|
}
|
||||||
|
|
||||||
|
type secretReplacer struct {
|
||||||
|
replacer *strings.Replacer
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *secretReplacer) Replace(s string) string {
|
||||||
|
return r.replacer.Replace(s)
|
||||||
|
}
|
39
agent/secret_test.go
Normal file
39
agent/secret_test.go
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
package agent
|
||||||
|
|
||||||
|
import (
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/drone/drone/model"
|
||||||
|
"github.com/franela/goblin"
|
||||||
|
)
|
||||||
|
|
||||||
|
const testString = "This is SECRET: secret_value"
|
||||||
|
|
||||||
|
func TestSecret(t *testing.T) {
|
||||||
|
g := goblin.Goblin(t)
|
||||||
|
g.Describe("SecretReplacer", func() {
|
||||||
|
g.It("Should conceal secret", func() {
|
||||||
|
secrets := []*model.Secret{
|
||||||
|
{
|
||||||
|
Name: "SECRET",
|
||||||
|
Value: "secret_value",
|
||||||
|
Conceal: true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
r := NewSecretReplacer(secrets)
|
||||||
|
g.Assert(r.Replace(testString)).Equal("This is SECRET: *****")
|
||||||
|
})
|
||||||
|
|
||||||
|
g.It("Should not conceal secret", func() {
|
||||||
|
secrets := []*model.Secret{
|
||||||
|
{
|
||||||
|
Name: "SECRET",
|
||||||
|
Value: "secret_value",
|
||||||
|
Conceal: false,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
r := NewSecretReplacer(secrets)
|
||||||
|
g.Assert(r.Replace(testString)).Equal(testString)
|
||||||
|
})
|
||||||
|
})
|
||||||
|
}
|
|
@ -75,11 +75,6 @@ var AgentCmd = cli.Command{
|
||||||
Name: "drone-secret",
|
Name: "drone-secret",
|
||||||
Usage: "drone agent secret",
|
Usage: "drone agent secret",
|
||||||
},
|
},
|
||||||
cli.BoolFlag{
|
|
||||||
Name: "conceal-secrets",
|
|
||||||
Usage: "conceal secrets from build logs",
|
|
||||||
EnvVar: "DRONE_CONCEAL_SECRETS",
|
|
||||||
},
|
|
||||||
cli.DurationFlag{
|
cli.DurationFlag{
|
||||||
EnvVar: "DRONE_BACKOFF",
|
EnvVar: "DRONE_BACKOFF",
|
||||||
Name: "backoff",
|
Name: "backoff",
|
||||||
|
@ -191,13 +186,12 @@ func start(c *cli.Context) {
|
||||||
drone: client,
|
drone: client,
|
||||||
docker: docker,
|
docker: docker,
|
||||||
config: config{
|
config: config{
|
||||||
platform: c.String("docker-os") + "/" + c.String("docker-arch"),
|
platform: c.String("docker-os") + "/" + c.String("docker-arch"),
|
||||||
timeout: c.Duration("timeout"),
|
timeout: c.Duration("timeout"),
|
||||||
namespace: c.String("namespace"),
|
namespace: c.String("namespace"),
|
||||||
privileged: c.StringSlice("privileged"),
|
privileged: c.StringSlice("privileged"),
|
||||||
pull: c.BoolT("pull"),
|
pull: c.BoolT("pull"),
|
||||||
logs: int64(c.Int("max-log-size")) * 1000000,
|
logs: int64(c.Int("max-log-size")) * 1000000,
|
||||||
concealSecrets: c.Bool("conceal-secrets"),
|
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -13,13 +13,12 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
type config struct {
|
type config struct {
|
||||||
platform string
|
platform string
|
||||||
namespace string
|
namespace string
|
||||||
privileged []string
|
privileged []string
|
||||||
pull bool
|
pull bool
|
||||||
logs int64
|
logs int64
|
||||||
timeout time.Duration
|
timeout time.Duration
|
||||||
concealSecrets bool
|
|
||||||
}
|
}
|
||||||
|
|
||||||
type pipeline struct {
|
type pipeline struct {
|
||||||
|
@ -41,15 +40,14 @@ func (r *pipeline) run(w *model.Work) {
|
||||||
engine := docker.NewClient(r.docker)
|
engine := docker.NewClient(r.docker)
|
||||||
|
|
||||||
a := agent.Agent{
|
a := agent.Agent{
|
||||||
Update: agent.NewClientUpdater(r.drone),
|
Update: agent.NewClientUpdater(r.drone),
|
||||||
Logger: agent.NewClientLogger(r.drone, w.Job.ID, r.config.logs),
|
Logger: agent.NewClientLogger(r.drone, w.Job.ID, r.config.logs),
|
||||||
Engine: engine,
|
Engine: engine,
|
||||||
Timeout: r.config.timeout,
|
Timeout: r.config.timeout,
|
||||||
Platform: r.config.platform,
|
Platform: r.config.platform,
|
||||||
Namespace: r.config.namespace,
|
Namespace: r.config.namespace,
|
||||||
Escalate: r.config.privileged,
|
Escalate: r.config.privileged,
|
||||||
Pull: r.config.pull,
|
Pull: r.config.pull,
|
||||||
ConcealSecrets: r.config.concealSecrets,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
cancelFunc := func(m *stomp.Message) {
|
cancelFunc := func(m *stomp.Message) {
|
||||||
|
|
|
@ -48,11 +48,6 @@ var execCmd = cli.Command{
|
||||||
Usage: "build secrets file in KEY=VALUE format",
|
Usage: "build secrets file in KEY=VALUE format",
|
||||||
EnvVar: "DRONE_SECRETS_FILE",
|
EnvVar: "DRONE_SECRETS_FILE",
|
||||||
},
|
},
|
||||||
cli.BoolFlag{
|
|
||||||
Name: "conceal-secrets",
|
|
||||||
Usage: "conceal secrets from build logs",
|
|
||||||
EnvVar: "DRONE_CONCEAL_SECRETS",
|
|
||||||
},
|
|
||||||
cli.StringSliceFlag{
|
cli.StringSliceFlag{
|
||||||
Name: "matrix",
|
Name: "matrix",
|
||||||
Usage: "build matrix in KEY=VALUE format",
|
Usage: "build matrix in KEY=VALUE format",
|
||||||
|
@ -331,18 +326,17 @@ func exec(c *cli.Context) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
a := agent.Agent{
|
a := agent.Agent{
|
||||||
Update: agent.NoopUpdateFunc,
|
Update: agent.NoopUpdateFunc,
|
||||||
Logger: agent.TermLoggerFunc,
|
Logger: agent.TermLoggerFunc,
|
||||||
Engine: engine,
|
Engine: engine,
|
||||||
Timeout: c.Duration("timeout.inactivity"),
|
Timeout: c.Duration("timeout.inactivity"),
|
||||||
Platform: "linux/amd64",
|
Platform: "linux/amd64",
|
||||||
Namespace: c.String("namespace"),
|
Namespace: c.String("namespace"),
|
||||||
Disable: c.StringSlice("plugin"),
|
Disable: c.StringSlice("plugin"),
|
||||||
Escalate: c.StringSlice("privileged"),
|
Escalate: c.StringSlice("privileged"),
|
||||||
Netrc: []string{},
|
Netrc: []string{},
|
||||||
Local: dir,
|
Local: dir,
|
||||||
Pull: c.Bool("pull"),
|
Pull: c.Bool("pull"),
|
||||||
ConcealSecrets: c.Bool("conceal-secrets"),
|
|
||||||
}
|
}
|
||||||
|
|
||||||
payload := &model.Work{
|
payload := &model.Work{
|
||||||
|
|
Loading…
Reference in a new issue