Implement secrets concealer in build logs
This commit is contained in:
parent
655cbf0f30
commit
5377c62844
5 changed files with 95 additions and 42 deletions
|
@ -22,17 +22,18 @@ type Logger interface {
|
|||
}
|
||||
|
||||
type Agent struct {
|
||||
Update UpdateFunc
|
||||
Logger LoggerFunc
|
||||
Engine build.Engine
|
||||
Timeout time.Duration
|
||||
Platform string
|
||||
Namespace string
|
||||
Disable []string
|
||||
Escalate []string
|
||||
Netrc []string
|
||||
Local string
|
||||
Pull bool
|
||||
Update UpdateFunc
|
||||
Logger LoggerFunc
|
||||
Engine build.Engine
|
||||
Timeout time.Duration
|
||||
Platform string
|
||||
Namespace string
|
||||
Disable []string
|
||||
Escalate []string
|
||||
Netrc []string
|
||||
Local string
|
||||
Pull bool
|
||||
ConcealSecrets bool
|
||||
}
|
||||
|
||||
func (a *Agent) Poll() error {
|
||||
|
@ -188,6 +189,7 @@ func (a *Agent) exec(spec *yaml.Config, payload *model.Work, cancel <-chan bool)
|
|||
return err
|
||||
}
|
||||
|
||||
secretsReplacer := newSecretsReplacer(payload.Secrets)
|
||||
timeout := time.After(time.Duration(payload.Repo.Timeout) * time.Minute)
|
||||
|
||||
for {
|
||||
|
@ -227,11 +229,25 @@ func (a *Agent) exec(spec *yaml.Config, payload *model.Work, cancel <-chan bool)
|
|||
pipeline.Exec()
|
||||
}
|
||||
case line := <-pipeline.Pipe():
|
||||
// FIXME(vaijab): avoid checking a.ConcealSecrets is true everytime new line is received
|
||||
if a.ConcealSecrets {
|
||||
line.Out = secretsReplacer.Replace(line.Out)
|
||||
}
|
||||
a.Logger(line)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// newSecretsReplacer takes []*model.Secret as secrets and returns a list of
|
||||
// secret value, "*****" pairs.
|
||||
func newSecretsReplacer(secrets []*model.Secret) *strings.Replacer {
|
||||
var r []string
|
||||
for _, s := range secrets {
|
||||
r = append(r, s.Value, "*****")
|
||||
}
|
||||
return strings.NewReplacer(r...)
|
||||
}
|
||||
|
||||
func toEnv(w *model.Work) map[string]string {
|
||||
envs := map[string]string{
|
||||
"CI": "drone",
|
||||
|
|
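Review bot: newSecretsReplacer hands every s.Value to strings.NewReplacer unfiltered, so a secret whose Value is empty makes the replacer match at every rune boundary of line.Out and floods the log with `*****`, and very short values similarly mask unrelated characters. Skip empty values when building the pair list, `if s.Value == "" { continue }`, and consider a minimum length below which a value is not concealed. Because the replacer is applied per line in exec (`line.Out = secretsReplacer.Replace(line.Out)`), a multi-line value such as a private key, or a value the build re-encodes before printing, will not be matched, so concealment is exact-match and best-effort and the doc comment should say so. The doc comment is also inaccurate: the function returns a `*strings.Replacer`, not a list of pairs; suggest `// newSecretsReplacer builds a strings.Replacer that masks each non-empty secret value with "*****".` exec's body starts and ends outside the hunk.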
23
agent/agent_test.go
Normal file
23
agent/agent_test.go
Normal file
|
@ -0,0 +1,23 @@
|
|||
package agent
|
||||
|
||||
import "testing"
|
||||
import "github.com/drone/drone/model"
|
||||
|
||||
func Test_newSecretsReplacer(t *testing.T) {
|
||||
secrets := []*model.Secret{
|
||||
{Name: "SECRET",
|
||||
Value: "secret_value",
|
||||
Images: []string{"*"},
|
||||
Events: []string{"*"},
|
||||
},
|
||||
}
|
||||
|
||||
text := "This is SECRET: secret_value"
|
||||
expected := "This is SECRET: *****"
|
||||
secretsReplacer := newSecretsReplacer(secrets)
|
||||
result := secretsReplacer.Replace(text)
|
||||
|
||||
if result != expected {
|
||||
t.Errorf("Wanted %q, got %q.", expected, result)
|
||||
}
|
||||
}
|
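Review bot: Test_newSecretsReplacer exercises only one secret whose value occurs once; it does not cover a nil or empty secrets slice, where Replace should return the text unchanged, nor a secret with an empty Value, which is where strings.NewReplacer behaves surprisingly. Turn it into a table of cases, e.g. `{secrets: nil, text: "plain", want: "plain"}` and one with `Value: ""` pinning whichever behaviour is intended, and assert each. The two single-line `import` statements would conventionally be grouped into one `import ( ... )` block.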
|
@ -75,6 +75,11 @@ var AgentCmd = cli.Command{
|
|||
Name: "drone-secret",
|
||||
Usage: "drone agent secret",
|
||||
},
|
||||
cli.BoolFlag{
|
||||
Name: "conceal-secrets",
|
||||
Usage: "conceal secrets from build logs",
|
||||
EnvVar: "DRONE_CONCEAL_SECRETS",
|
||||
},
|
||||
cli.DurationFlag{
|
||||
EnvVar: "DRONE_BACKOFF",
|
||||
Name: "backoff",
|
||||
|
@ -186,12 +191,13 @@ func start(c *cli.Context) {
|
|||
drone: client,
|
||||
docker: docker,
|
||||
config: config{
|
||||
platform: c.String("docker-os") + "/" + c.String("docker-arch"),
|
||||
timeout: c.Duration("timeout"),
|
||||
namespace: c.String("namespace"),
|
||||
privileged: c.StringSlice("privileged"),
|
||||
pull: c.BoolT("pull"),
|
||||
logs: int64(c.Int("max-log-size")) * 1000000,
|
||||
platform: c.String("docker-os") + "/" + c.String("docker-arch"),
|
||||
timeout: c.Duration("timeout"),
|
||||
namespace: c.String("namespace"),
|
||||
privileged: c.StringSlice("privileged"),
|
||||
pull: c.BoolT("pull"),
|
||||
logs: int64(c.Int("max-log-size")) * 1000000,
|
||||
concealSecrets: c.Bool("conceal-secrets"),
|
||||
},
|
||||
}
|
||||
|
||||
|
|
|
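Review bot: The new conceal-secrets option is a cli.BoolFlag read with `c.Bool("conceal-secrets")`, so concealment is off unless the operator sets DRONE_CONCEAL_SECRETS and secret values keep appearing in build logs by default. The `pull` option in the same hunk is read with `c.BoolT("pull")`, so the opt-out form is already used here: declare `cli.BoolTFlag{` for the flag and set `concealSecrets: c.BoolT("conceal-secrets"),` in start. The execCmd hunk (`@ -48,6 +48,11 @@ var execCmd`) and its `ConcealSecrets: c.Bool("conceal-secrets")` have the same opt-in default and would take the same change. start's body continues outside the hunk.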
@ -13,12 +13,13 @@ import (
|
|||
)
|
||||
|
||||
type config struct {
|
||||
platform string
|
||||
namespace string
|
||||
privileged []string
|
||||
pull bool
|
||||
logs int64
|
||||
timeout time.Duration
|
||||
platform string
|
||||
namespace string
|
||||
privileged []string
|
||||
pull bool
|
||||
logs int64
|
||||
timeout time.Duration
|
||||
concealSecrets bool
|
||||
}
|
||||
|
||||
type pipeline struct {
|
||||
|
@ -40,14 +41,15 @@ func (r *pipeline) run(w *model.Work) {
|
|||
engine := docker.NewClient(r.docker)
|
||||
|
||||
a := agent.Agent{
|
||||
Update: agent.NewClientUpdater(r.drone),
|
||||
Logger: agent.NewClientLogger(r.drone, w.Job.ID, r.config.logs),
|
||||
Engine: engine,
|
||||
Timeout: r.config.timeout,
|
||||
Platform: r.config.platform,
|
||||
Namespace: r.config.namespace,
|
||||
Escalate: r.config.privileged,
|
||||
Pull: r.config.pull,
|
||||
Update: agent.NewClientUpdater(r.drone),
|
||||
Logger: agent.NewClientLogger(r.drone, w.Job.ID, r.config.logs),
|
||||
Engine: engine,
|
||||
Timeout: r.config.timeout,
|
||||
Platform: r.config.platform,
|
||||
Namespace: r.config.namespace,
|
||||
Escalate: r.config.privileged,
|
||||
Pull: r.config.pull,
|
||||
ConcealSecrets: r.config.concealSecrets,
|
||||
}
|
||||
|
||||
cancelFunc := func(m *stomp.Message) {
|
||||
|
|
|
@ -48,6 +48,11 @@ var execCmd = cli.Command{
|
|||
Usage: "build secrets file in KEY=VALUE format",
|
||||
EnvVar: "DRONE_SECRETS_FILE",
|
||||
},
|
||||
cli.BoolFlag{
|
||||
Name: "conceal-secrets",
|
||||
Usage: "conceal secrets from build logs",
|
||||
EnvVar: "DRONE_CONCEAL_SECRETS",
|
||||
},
|
||||
cli.StringSliceFlag{
|
||||
Name: "matrix",
|
||||
Usage: "build matrix in KEY=VALUE format",
|
||||
|
@ -326,17 +331,18 @@ func exec(c *cli.Context) error {
|
|||
}
|
||||
|
||||
a := agent.Agent{
|
||||
Update: agent.NoopUpdateFunc,
|
||||
Logger: agent.TermLoggerFunc,
|
||||
Engine: engine,
|
||||
Timeout: c.Duration("timeout.inactivity"),
|
||||
Platform: "linux/amd64",
|
||||
Namespace: c.String("namespace"),
|
||||
Disable: c.StringSlice("plugin"),
|
||||
Escalate: c.StringSlice("privileged"),
|
||||
Netrc: []string{},
|
||||
Local: dir,
|
||||
Pull: c.Bool("pull"),
|
||||
Update: agent.NoopUpdateFunc,
|
||||
Logger: agent.TermLoggerFunc,
|
||||
Engine: engine,
|
||||
Timeout: c.Duration("timeout.inactivity"),
|
||||
Platform: "linux/amd64",
|
||||
Namespace: c.String("namespace"),
|
||||
Disable: c.StringSlice("plugin"),
|
||||
Escalate: c.StringSlice("privileged"),
|
||||
Netrc: []string{},
|
||||
Local: dir,
|
||||
Pull: c.Bool("pull"),
|
||||
ConcealSecrets: c.Bool("conceal-secrets"),
|
||||
}
|
||||
|
||||
payload := &model.Work{
|
||||
|
|