fix inconsistent base64 encoding/decoding secrets

Brad Rydzewski 2019-06-06 16:57:58 -07:00
parent 07642dd8e1
commit 56fd3042ba
3 changed files with 16 additions and 1 deletions


@ -7,8 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## Unreleased
### Added
- support for legacy tokens to ease upgrade path, by [@bradrydzewski](https://github.com/bradrydzewski). [#2713](https://github.com/drone/drone/issues/2713).
### Fixed
- fix inconsistent base64 encoding and decoding of encrypted secrets, by [@bradrydzewski](https://github.com/bradrydzewski).
## [1.2.0] - 2019-05-30
### Added


@ -64,7 +64,7 @@ func Handler(repos core.RepositoryStore) http.HandlerFunc {
// the encrypted secret is embedded in the yaml
// configuration file and is json-encoded for
// inclusion as a !binary attribute.
encoded := base64.URLEncoding.EncodeToString(encrypted)
encoded := base64.StdEncoding.EncodeToString(encrypted)
render.JSON(w, &respEncrypted{Data: encoded}, 200)
}
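Review bot: Secrets that users encrypted before this change were emitted with `base64.URLEncoding` (taking the `StdEncoding` line as the new side, since the page lost its +/- markers), and any that contain `-` or `_` will be rejected by a decoder that accepts only the standard alphabet. The decode path is not visible in this section, so this is inferred. If it is strict, it should try `base64.StdEncoding.DecodeString` first and fall back to `base64.URLEncoding.DecodeString`, or the changelog entry should tell users to re-encrypt existing values. The comment above the call also says the value is "json-encoded" although the code base64-encodes it; `// configuration file and is base64-encoded (standard alphabet) for` would match what the line does. Handler's body starts outside the hunk.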


@ -12,6 +12,7 @@ import (
"github.com/drone/drone-yaml/yaml"
"github.com/drone/drone/core"
"github.com/drone/drone/logger"
"github.com/drone/drone-go/drone"
"github.com/drone/drone-go/plugin/secret"
@ -37,12 +38,17 @@ func (c *externalController) Find(ctx context.Context, in *core.SecretArgs) (*co
return nil, nil
}
logger := logger.FromContext(ctx).
WithField("name", in.Name).
WithField("kind", "secret")
// lookup the named secret in the manifest. If the
// secret does not exist, return a nil variable,
// allowing the next secret controller in the chain
// to be invoked.
path, name, ok := getExternal(in.Conf, in.Name)
if !ok {
logger.Trace("secret: external: no matching secret")
return nil, nil
}
@ -62,6 +68,7 @@ func (c *externalController) Find(ctx context.Context, in *core.SecretArgs) (*co
client := secret.Client(c.endpoint, c.secret, c.skipVerify)
res, err := client.Find(ctx, req)
if err != nil {
logger.Trace("secret: external: cannot get secret")
return nil, err
}
@ -69,6 +76,7 @@ func (c *externalController) Find(ctx context.Context, in *core.SecretArgs) (*co
// this indicates the client returned No Content,
// and we should exit with no secret, but no error.
if res.Data == "" {
logger.Trace("secret: external: secret disabled for pull requests")
return nil, nil
}
@ -77,9 +85,12 @@ func (c *externalController) Find(ctx context.Context, in *core.SecretArgs) (*co
// empty results.
if (res.Pull == false && res.PullRequest == false) &&
in.Build.Event == core.EventPullRequest {
logger.Trace("secret: external: restricted from forks")
return nil, nil
}
logger.Trace("secret: external: found matching secret")
return &core.Secret{
Name: in.Name,
Data: res.Data,
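Review bot: The trace added in the `if err != nil` branch after `client.Find` discards `err`, so someone reading the logs cannot tell a TLS or authentication failure against the secret plugin from a timeout; `logger.WithError(err).Trace("secret: external: cannot get secret")` would keep the cause next to the secret name. The trace under `if res.Data == ""` says "secret disabled for pull requests", but the surrounding comment only establishes that the client returned No Content, so the message may misattribute why a secret was withheld; a neutral `"secret: external: empty response, no secret returned"` would be safer for auditing. The local `logger := logger.FromContext(ctx)` also shadows the imported `logger` package for the rest of Find; naming it `log` would avoid that. Find begins and ends outside these hunks.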