From 56fd3042baac500a00e123be9e2f8f2122e74172 Mon Sep 17 00:00:00 2001
From: Brad Rydzewski
Date: Thu, 6 Jun 2019 16:57:58 -0700
Subject: [PATCH] fix inconsistent base64 encoding/decoding secrets

---
 CHANGELOG.md                         |  4 ++++
 handler/api/repos/encrypt/encrypt.go |  2 +-
 plugin/secret/external.go            | 11 +++++++++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3cce8aef..8c4b218c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,8 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 ### Added
+- support for legacy tokens to ease upgrade path, by [@bradrydzewski](https://github.com/bradrydzewski). [#2713](https://github.com/drone/drone/issues/2713).
+
 ### Fixed
+- fix inconsistent base64 encoding and decoding of encrypted secrets, by [@bradrydzewski](https://github.com/bradrydzewski).
+
 
 ## [1.2.0] - 2019-05-30
 ### Added
diff --git a/handler/api/repos/encrypt/encrypt.go b/handler/api/repos/encrypt/encrypt.go
index 55a1aa1c..9c95e990 100644
--- a/handler/api/repos/encrypt/encrypt.go
+++ b/handler/api/repos/encrypt/encrypt.go
@@ -64,7 +64,7 @@ func Handler(repos core.RepositoryStore) http.HandlerFunc {
 	// the encrypted secret is embedded in the yaml
 	// configuration file and is json-encoded for
 	// inclusion as a !binary attribute.
-	encoded := base64.URLEncoding.EncodeToString(encrypted)
+	encoded := base64.StdEncoding.EncodeToString(encrypted)
 	render.JSON(w, &respEncrypted{Data: encoded}, 200)
 }
 
diff --git a/plugin/secret/external.go b/plugin/secret/external.go
index 1ad6f1ea..b2862706 100644
--- a/plugin/secret/external.go
+++ b/plugin/secret/external.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/drone/drone-yaml/yaml"
 	"github.com/drone/drone/core"
+	"github.com/drone/drone/logger"
 	"github.com/drone/drone-go/drone"
 	"github.com/drone/drone-go/plugin/secret"
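Review bot: The switch from `base64.URLEncoding` to `base64.StdEncoding` in Handler has no why-comment at the call site, and the existing comment above it still only explains the json/`!binary` embedding, so the next reader has nothing stopping them from "fixing" it back. Since the commit message says the old output was inconsistent with the decoding side (not in this patch), a one-liner would pin the contract: `// StdEncoding, not URLEncoding: the decoder presumably expects the standard alphabet, and '-'/'_' from URL-safe output would fail strict decoding.` It would also help operators if the CHANGELOG entry said whether secrets encrypted before this change, whose encoding happened to contain `-` or `_`, must be re-encrypted, as this patch changes only the encoder. Handler's body begins outside the hunk.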
@@ -37,12 +38,17 @@ func (c *externalController) Find(ctx context.Context, in *core.SecretArgs) (*co
 		return nil, nil
 	}
 
+	logger := logger.FromContext(ctx).
+		WithField("name", in.Name).
+		WithField("kind", "secret")
+
 	// lookup the named secret in the manifest. If the
 	// secret does not exist, return a nil variable,
 	// allowing the next secret controller in the chain
 	// to be invoked.
 	path, name, ok := getExternal(in.Conf, in.Name)
 	if !ok {
+		logger.Trace("secret: external: no matching secret")
 		return nil, nil
 	}
 
@@ -62,6 +68,7 @@ func (c *externalController) Find(ctx context.Context, in *core.SecretArgs) (*co
 	client := secret.Client(c.endpoint, c.secret, c.skipVerify)
 	res, err := client.Find(ctx, req)
 	if err != nil {
+		logger.Trace("secret: external: cannot get secret")
 		return nil, err
 	}
 
@@ -69,6 +76,7 @@ func (c *externalController) Find(ctx context.Context, in *core.SecretArgs) (*co
 	// this indicates the client returned No Content,
 	// and we should exit with no secret, but no error.
 	if res.Data == "" {
+		logger.Trace("secret: external: secret disabled for pull requests")
 		return nil, nil
 	}
 
@@ -77,9 +85,12 @@ func (c *externalController) Find(ctx context.Context, in *core.SecretArgs) (*co
 	// empty results.
 	if (res.Pull == false && res.PullRequest == false) &&
 		in.Build.Event == core.EventPullRequest {
+		logger.Trace("secret: external: restricted from forks")
 		return nil, nil
 	}
 
+	logger.Trace("secret: external: found matching secret")
+
 	return &core.Secret{
 		Name: in.Name,
 		Data: res.Data,
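Review bot: `logger := logger.FromContext(ctx)` declares a local named `logger` that shadows the `logger` package imported in the previous hunk, so from that line to the end of Find the package itself is unreachable and shadow-checking linters will flag it. Renaming the local avoids the trap: `log := logger.FromContext(ctx).` here, with `log.Trace(...)` in the later hunks. The fields attached are only the secret name and the literal kind, which is the right scope for a trace line; nothing from the looked-up value should ever join them. Find's signature is outside the hunk.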
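Review bot: The message `secret: external: secret disabled for pull requests` in the third hunk does not match the condition it sits under: the comment two lines above says an empty `res.Data` means the client returned No Content, which says nothing about pull requests, so the trace will mislead whoever is debugging a missing secret. `logger.Trace("secret: external: no content returned")` states what is actually known at that point. The same mismatch is in the fourth hunk, where `restricted from forks` is logged for a check on `in.Build.Event == core.EventPullRequest` and the `Pull`/`PullRequest` flags; `restricted for pull request events` describes what the code tests. Find continues outside both hunks.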