From e77936f5c893a05f67a475049888c3d0b39ee7ae Mon Sep 17 00:00:00 2001
From: Don
Date: Wed, 16 Nov 2016 11:28:36 -0800
Subject: [PATCH 1/2] Implement backend for concealing secrets

---
 model/repo_secret.go | 5 +++++
 model/secret.go | 3 +++
 model/team_secret.go | 5 +++++
 store/datastore/ddl/mysql/10.sql | 12 ++++++++++++
 store/datastore/ddl/postgres/10.sql | 12 ++++++++++++
 store/datastore/ddl/sqlite3/10.sql | 12 ++++++++++++
 store/datastore/repo_secret_test.go | 5 ++++-
 store/datastore/team_secret_test.go | 5 ++++-
 8 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 store/datastore/ddl/mysql/10.sql
 create mode 100644 store/datastore/ddl/postgres/10.sql
 create mode 100644 store/datastore/ddl/sqlite3/10.sql

diff --git a/model/repo_secret.go b/model/repo_secret.go
index 6f8be0e91..0763e15f7 100644
--- a/model/repo_secret.go
+++ b/model/repo_secret.go
@@ -23,6 +23,9 @@ type RepoSecret struct {
 
 // whether the secret requires verification
 SkipVerify bool `json:"skip_verify" meddler:"secret_skip_verify"`
+
+ // whether the secret should be concealed in the build log
+ Conceal bool `json:"conceal" meddler:"secret_conceal"`
 }
 
 // Secret transforms a repo secret into a simple secret.
@@ -33,6 +36,7 @@ func (s *RepoSecret) Secret() *Secret {
 Images: s.Images,
 Events: s.Events,
 SkipVerify: s.SkipVerify,
+ Conceal: s.Conceal,
 }
 }
 
@@ -44,6 +48,7 @@ func (s *RepoSecret) Clone() *RepoSecret {
 Images: s.Images,
 Events: s.Events,
 SkipVerify: s.SkipVerify,
+ Conceal: s.Conceal,
 }
 }
 
diff --git a/model/secret.go b/model/secret.go
index 336b3055f..f93624d6d 100644
--- a/model/secret.go
+++ b/model/secret.go
@@ -21,6 +21,9 @@ type Secret struct {
 
 // whether the secret requires verification
 SkipVerify bool `json:"skip_verify"`
+
+ // whether the secret should be concealed in the build log
+ Conceal bool `json:"conceal"`
 }
 
 // Match returns true if an image and event match the restricted list.
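Review bot: The new `Conceal` field in `RepoSecret` (and the matching fields in `Secret` and `TeamSecret`) makes log masking opt-in. Its zero value is `false`, so a secret created from a JSON body that omits `conceal`, or through the CLI without `--conceal` in drone/secret.go, is stored as not concealed. The field comment does not state that default; I would write it as `// whether the secret value should be masked in the build log; the zero value (false) leaves it unmasked`. None of the hunks in this series reads the flag when build output is written, so the masking itself is presumably implemented elsewhere and cannot be checked from this patch.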
diff --git a/model/team_secret.go b/model/team_secret.go
index 1afc6c601..60f6f9f88 100644
--- a/model/team_secret.go
+++ b/model/team_secret.go
@@ -23,6 +23,9 @@ type TeamSecret struct {
 
 // whether the secret requires verification
 SkipVerify bool `json:"skip_verify" meddler:"team_secret_skip_verify"`
+
+ // whether the secret should be concealed in the build log
+ Conceal bool `json:"conceal" meddler:"team_secret_conceal"`
 }
 
 // Secret transforms a repo secret into a simple secret.
@@ -33,6 +36,7 @@ func (s *TeamSecret) Secret() *Secret {
 Images: s.Images,
 Events: s.Events,
 SkipVerify: s.SkipVerify,
+ Conceal: s.Conceal,
 }
 }
 
@@ -44,6 +48,7 @@ func (s *TeamSecret) Clone() *TeamSecret {
 Images: s.Images,
 Events: s.Events,
 SkipVerify: s.SkipVerify,
+ Conceal: s.Conceal,
 }
 }
 
diff --git a/store/datastore/ddl/mysql/10.sql b/store/datastore/ddl/mysql/10.sql
new file mode 100644
index 000000000..8b1692dc4
--- /dev/null
+++ b/store/datastore/ddl/mysql/10.sql
@@ -0,0 +1,12 @@
+-- +migrate Up
+
+ALTER TABLE secrets ADD COLUMN secret_conceal BOOLEAN;
+ALTER TABLE team_secrets ADD COLUMN team_secret_conceal BOOLEAN;
+
+UPDATE secrets SET secret_conceal = false;
+UPDATE team_secrets SET team_secret_conceal = false;
+
+-- +migrate Down
+
+ALTER TABLE secrets DROP COLUMN secret_conceal;
+ALTER TABLE team_secrets DROP COLUMN team_secret_conceal;
diff --git a/store/datastore/ddl/postgres/10.sql b/store/datastore/ddl/postgres/10.sql
new file mode 100644
index 000000000..8b1692dc4
--- /dev/null
+++ b/store/datastore/ddl/postgres/10.sql
@@ -0,0 +1,12 @@
+-- +migrate Up
+
+ALTER TABLE secrets ADD COLUMN secret_conceal BOOLEAN;
+ALTER TABLE team_secrets ADD COLUMN team_secret_conceal BOOLEAN;
+
+UPDATE secrets SET secret_conceal = false;
+UPDATE team_secrets SET team_secret_conceal = false;
+
+-- +migrate Down
+
+ALTER TABLE secrets DROP COLUMN secret_conceal;
+ALTER TABLE team_secrets DROP COLUMN team_secret_conceal;
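Review bot: `ADD COLUMN secret_conceal BOOLEAN` in mysql/10.sql creates a nullable column with no default, and only the one-off `UPDATE` back-fills existing rows. The same applies to `team_secret_conceal` and to the identical statements in postgres/10.sql and sqlite3/10.sql. A row inserted later without the column, for example by an older binary during a rolling upgrade, ends up NULL, which the plain `bool` field tagged `meddler:"secret_conceal"` probably cannot scan. Declaring the column as `BOOLEAN NOT NULL DEFAULT false` (`DEFAULT 0` for SQLite) would make the back-fill unnecessary and keep the stored conceal state well defined for every row.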
diff --git a/store/datastore/ddl/sqlite3/10.sql b/store/datastore/ddl/sqlite3/10.sql
new file mode 100644
index 000000000..91630acac
--- /dev/null
+++ b/store/datastore/ddl/sqlite3/10.sql
@@ -0,0 +1,12 @@
+-- +migrate Up
+
+ALTER TABLE secrets ADD COLUMN secret_conceal BOOLEAN;
+ALTER TABLE team_secrets ADD COLUMN team_secret_conceal BOOLEAN;
+
+UPDATE secrets SET secret_conceal = 0;
+UPDATE team_secrets SET team_secret_conceal = 0;
+
+-- +migrate Down
+
+ALTER TABLE secrets DROP COLUMN secret_conceal;
+ALTER TABLE team_secrets DROP COLUMN team_secret_conceal;
diff --git a/store/datastore/repo_secret_test.go b/store/datastore/repo_secret_test.go
index 153df872b..91e51d314 100644
--- a/store/datastore/repo_secret_test.go
+++ b/store/datastore/repo_secret_test.go
@@ -28,7 +28,8 @@ func TestRepoSecrets(t *testing.T) {
 Value: "bar",
 Images: []string{"docker", "gcr"},
 Events: []string{"push", "tag"},
- SkipVerify: false,
+ SkipVerify: true,
+ Conceal: true,
 }
 err := s.SetSecret(secret)
 g.Assert(err == nil).IsTrue()
@@ -40,6 +41,8 @@ func TestRepoSecrets(t *testing.T) {
 g.Assert(got.Value).Equal(secret.Value)
 g.Assert(got.Images).Equal(secret.Images)
 g.Assert(got.Events).Equal(secret.Events)
+ g.Assert(got.SkipVerify).Equal(secret.SkipVerify)
+ g.Assert(got.Conceal).Equal(secret.Conceal)
 })
 
 g.It("Should update a secret", func() {
diff --git a/store/datastore/team_secret_test.go b/store/datastore/team_secret_test.go
index 84b0e8f7d..5ac640b6b 100644
--- a/store/datastore/team_secret_test.go
+++ b/store/datastore/team_secret_test.go
@@ -28,7 +28,8 @@ func TestTeamSecrets(t *testing.T) {
 Value: "bar",
 Images: []string{"docker", "gcr"},
 Events: []string{"push", "tag"},
- SkipVerify: false,
+ SkipVerify: true,
+ Conceal: true,
 }
 err := s.SetTeamSecret(secret)
 g.Assert(err == nil).IsTrue()
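Review bot: The `-- +migrate Down` section of sqlite3/10.sql relies on `ALTER TABLE ... DROP COLUMN`, which SQLite only accepts from release 3.35.0 onward; on an older library the rollback fails at its first statement. If the SQLite linked into the server is older than that, the down migration needs the table-rebuild form (create a table without the column, copy the rows across, drop the old table and rename). Otherwise it should be documented as unsupported rather than left to error out halfway through a rollback.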
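Review bot: The fixture in `TestRepoSecrets` now sets `SkipVerify: true` and `Conceal: true`, so the added assertion `g.Assert(got.Conceal).Equal(secret.Conceal)` only ever compares `true` with `true`; the same holds for `TestTeamSecrets`. A column mapping that always reads back `true`, or an update path that fails to clear the flag, would still pass. A second case that stores `Conceal: false`, and one that flips the flag through an update, would pin both directions. The test bodies start and end outside these hunks, so the existing "Should update a secret" case may already cover part of this.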
@@ -40,6 +41,8 @@ func TestTeamSecrets(t *testing.T) {
 g.Assert(got.Value).Equal(secret.Value)
 g.Assert(got.Images).Equal(secret.Images)
 g.Assert(got.Events).Equal(secret.Events)
+ g.Assert(got.SkipVerify).Equal(secret.SkipVerify)
+ g.Assert(got.Conceal).Equal(secret.Conceal)
 })
 
 g.It("Should update a secret", func() {

From 8d63f8c2711183eaa9688c7e6a08d3fd4e4de2ad Mon Sep 17 00:00:00 2001
From: Don
Date: Wed, 16 Nov 2016 11:30:35 -0800
Subject: [PATCH 2/2] Add conceal option to CLI secrets

---
 drone/secret.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drone/secret.go b/drone/secret.go
index 89087f02a..f66900591 100644
--- a/drone/secret.go
+++ b/drone/secret.go
@@ -45,6 +45,10 @@ func secretAddFlags() []cli.Flag {
 Name: "skip-verify",
 Usage: "skip verification for the secret",
 },
+ cli.BoolFlag{
+ Name: "conceal",
+ Usage: "conceal secret in build logs",
+ },
 }
 }
 
@@ -73,6 +77,7 @@ func secretParseCmd(name string, value string, c *cli.Context) (*model.Secret, e
 secret.Images = c.StringSlice("image")
 secret.Events = c.StringSlice("event")
 secret.SkipVerify = c.Bool("skip-verify")
+ secret.Conceal = c.Bool("conceal")
 
 if len(secret.Images) == 0 {
 return nil, fmt.Errorf("Please specify the --image parameter")
@@ -122,6 +127,7 @@ var tmplSecretList = "\x1b[33m{{ .Name }} \x1b[0m" + `
 Images: {{ list .Images }}
 Events: {{ list .Events }}
 SkipVerify: {{ .SkipVerify }}
+Conceal: {{ .Conceal }}
 `
 
 var secretFuncMap = template.FuncMap{