fix inconsistent base64 encoding/decoding secrets

2019-06-06 16:57:58 -07:00 · 2019-06-06 16:57:58 -07:00 · 56fd3042ba
commit 56fd3042ba
parent 07642dd8e1
3 changed files with 16 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,8 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## Unreleased
 ### Added

+- support for legacy tokens to ease upgrade path, by [@bradrydzewski](https://github.com/bradrydzewski). [#2713](https://github.com/drone/drone/issues/2713).
+
 ### Fixed

+- fix inconsistent base64 encoding and decoding of encrypted secrets, by [@bradrydzewski](https://github.com/bradrydzewski).
+
 ## [1.2.0] - 2019-05-30
 ### Added

--- a/handler/api/repos/encrypt/encrypt.go
+++ b/handler/api/repos/encrypt/encrypt.go
@ -64,7 +64,7 @@ func Handler(repos core.RepositoryStore) http.HandlerFunc {
 		// the encrypted secret is embedded in the yaml
 		// configuration file and is json-encoded for
 		// inclusion as a !binary attribute.
-		encoded := base64.URLEncoding.EncodeToString(encrypted)
+		encoded := base64.StdEncoding.EncodeToString(encrypted)

 		render.JSON(w, &respEncrypted{Data: encoded}, 200)
 	}
--- a/plugin/secret/external.go
+++ b/plugin/secret/external.go
@ -12,6 +12,7 @@ import (

 	"github.com/drone/drone-yaml/yaml"
 	"github.com/drone/drone/core"
+	"github.com/drone/drone/logger"

 	"github.com/drone/drone-go/drone"
 	"github.com/drone/drone-go/plugin/secret"
@ -37,12 +38,17 @@ func (c *externalController) Find(ctx context.Context, in *core.SecretArgs) (*co
 		return nil, nil
 	}

+	logger := logger.FromContext(ctx).
+		WithField("name", in.Name).
+		WithField("kind", "secret")
+
 	// lookup the named secret in the manifest. If the
 	// secret does not exist, return a nil variable,
 	// allowing the next secret controller in the chain
 	// to be invoked.
 	path, name, ok := getExternal(in.Conf, in.Name)
 	if !ok {
+		logger.Trace("secret: external: no matching secret")
 		return nil, nil
 	}

@ -62,6 +68,7 @@ func (c *externalController) Find(ctx context.Context, in *core.SecretArgs) (*co
 	client := secret.Client(c.endpoint, c.secret, c.skipVerify)
 	res, err := client.Find(ctx, req)
 	if err != nil {
+		logger.Trace("secret: external: cannot get secret")
 		return nil, err
 	}

@ -69,6 +76,7 @@ func (c *externalController) Find(ctx context.Context, in *core.SecretArgs) (*co
 	// this indicates the client returned No Content,
 	// and we should exit with no secret, but no error.
 	if res.Data == "" {
+		logger.Trace("secret: external: secret disabled for pull requests")
 		return nil, nil
 	}

@ -77,9 +85,12 @@ func (c *externalController) Find(ctx context.Context, in *core.SecretArgs) (*co
 	// empty results.
 	if (res.Pull == false && res.PullRequest == false) &&
 		in.Build.Event == core.EventPullRequest {
+			logger.Trace("secret: external: restricted from forks")
 		return nil, nil
 	}

+	logger.Trace("secret: external: found matching secret")
+
 	return &core.Secret{
 		Name:        in.Name,
 		Data:        res.Data,