mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2024-11-04 16:09:33 +00:00
no repo model in parsing secure section of yaml
This commit is contained in:
parent
f9ebf9ca11
commit
85a9811110
5 changed files with 26 additions and 30 deletions
|
@ -183,7 +183,7 @@ func RunBuild(c *gin.Context) {
|
|||
if repo.Params != nil && len(repo.Params) != 0 {
|
||||
raw = []byte(inject.InjectSafe(string(raw), repo.Params))
|
||||
}
|
||||
encrypted, _ := secure.Parse(repo, string(raw))
|
||||
encrypted, _ := secure.Parse(repo.Keys.Private, repo.Hash, string(raw))
|
||||
if encrypted != nil && len(encrypted) != 0 {
|
||||
raw = []byte(inject.InjectSafe(string(raw), encrypted))
|
||||
}
|
||||
|
|
|
@ -101,7 +101,7 @@ func PostHook(c *gin.Context) {
|
|||
if repo.Params != nil && len(repo.Params) != 0 {
|
||||
raw = []byte(inject.InjectSafe(string(raw), repo.Params))
|
||||
}
|
||||
encrypted, _ := secure.Parse(repo, string(raw))
|
||||
encrypted, _ := secure.Parse(repo.Keys.Private, repo.Hash, string(raw))
|
||||
if encrypted != nil && len(encrypted) != 0 {
|
||||
raw = []byte(inject.InjectSafe(string(raw), encrypted))
|
||||
}
|
||||
|
|
|
@ -253,7 +253,8 @@ func Encrypt(c *gin.Context) {
|
|||
|
||||
in := map[string]string{}
|
||||
json.NewDecoder(c.Request.Body).Decode(&in)
|
||||
err := secure.EncryptMap(repo, in)
|
||||
privKey := sshutil.UnMarshalPrivateKey([]byte(repo.Keys.Private))
|
||||
err := secure.EncryptMap(secure.ToHash(repo.Hash), &privKey.PublicKey, in)
|
||||
if err != nil {
|
||||
c.Fail(500, err)
|
||||
return
|
||||
|
|
|
@ -1,33 +1,34 @@
|
|||
package secure
|
||||
|
||||
import (
|
||||
"crypto/rsa"
|
||||
"crypto/sha256"
|
||||
"hash"
|
||||
|
||||
"github.com/drone/drone/Godeps/_workspace/src/gopkg.in/yaml.v2"
|
||||
|
||||
common "github.com/drone/drone/pkg/types"
|
||||
"github.com/drone/drone/pkg/utils/sshutil"
|
||||
)
|
||||
|
||||
// Parse parses and returns the secure section of the
|
||||
// yaml file as plaintext parameters.
|
||||
func Parse(repo *common.Repo, raw string) (map[string]string, error) {
|
||||
func Parse(privateKeyPEM, repoHash, raw string) (map[string]string, error) {
|
||||
params, err := parseSecure(raw)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
err = DecryptMap(repo, params)
|
||||
hasher := ToHash(repoHash)
|
||||
privKey := sshutil.UnMarshalPrivateKey([]byte(privateKeyPEM))
|
||||
|
||||
err = DecryptMap(hasher, privKey, params)
|
||||
return params, err
|
||||
}
|
||||
|
||||
// DecryptMap decrypts values of a map of named parameters
|
||||
// from base64 to decrypted strings.
|
||||
func DecryptMap(repo *common.Repo, params map[string]string) error {
|
||||
func DecryptMap(hasher hash.Hash, privKey *rsa.PrivateKey, params map[string]string) error {
|
||||
var err error
|
||||
hasher := toHash(repo.Hash)
|
||||
privKey := sshutil.UnMarshalPrivateKey([]byte(repo.Keys.Private))
|
||||
|
||||
for name, encrypted := range params {
|
||||
params[name], err = sshutil.Decrypt(hasher, privKey, encrypted)
|
||||
|
@ -39,13 +40,11 @@ func DecryptMap(repo *common.Repo, params map[string]string) error {
|
|||
}
|
||||
|
||||
// EncryptMap encrypts values of a map of named parameters
|
||||
func EncryptMap(repo *common.Repo, params map[string]string) error {
|
||||
func EncryptMap(hasher hash.Hash, pubKey *rsa.PublicKey, params map[string]string) error {
|
||||
var err error
|
||||
hasher := toHash(repo.Hash)
|
||||
privKey := sshutil.UnMarshalPrivateKey([]byte(repo.Keys.Private))
|
||||
|
||||
for name, value := range params {
|
||||
params[name], err = sshutil.Encrypt(hasher, &privKey.PublicKey, value)
|
||||
params[name], err = sshutil.Encrypt(hasher, pubKey, value)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -64,8 +63,8 @@ func parseSecure(raw string) (map[string]string, error) {
|
|||
return data.Secure, err
|
||||
}
|
||||
|
||||
// toHash is helper function to generate Hash of given string
|
||||
func toHash(key string) hash.Hash {
|
||||
// ToHash is helper function to generate Hash of given string
|
||||
func ToHash(key string) hash.Hash {
|
||||
hasher := sha256.New()
|
||||
hasher.Write([]byte(key))
|
||||
hasher.Reset()
|
||||
|
|
|
@ -5,7 +5,6 @@ import (
|
|||
|
||||
"github.com/drone/drone/Godeps/_workspace/src/github.com/franela/goblin"
|
||||
|
||||
common "github.com/drone/drone/pkg/types"
|
||||
"github.com/drone/drone/pkg/utils/sshutil"
|
||||
)
|
||||
|
||||
|
@ -14,21 +13,18 @@ func Test_Secure(t *testing.T) {
|
|||
g := goblin.Goblin(t)
|
||||
g.Describe("Encrypt params", func() {
|
||||
privKey, _ := sshutil.GeneratePrivateKey()
|
||||
keypair := common.Keypair{
|
||||
Private: string(sshutil.MarshalPrivateKey(privKey)),
|
||||
Public: string(sshutil.MarshalPublicKey(&privKey.PublicKey)),
|
||||
}
|
||||
repo := common.Repo{
|
||||
Hash: "9T2tH3qZ8FSPr9uxrhzV4mn2VdVgA56xPVtYvCh0",
|
||||
Keys: &keypair,
|
||||
}
|
||||
hashKey := toHash(repo.Hash)
|
||||
publicKey := &privKey.PublicKey
|
||||
|
||||
privateKeyPEM := string(sshutil.MarshalPrivateKey(privKey))
|
||||
|
||||
repoHash := "9T2tH3qZ8FSPr9uxrhzV4mn2VdVgA56xPVtYvCh0"
|
||||
hashKey := ToHash(repoHash)
|
||||
text := "super_duper_secret"
|
||||
encryptedValue, _ := sshutil.Encrypt(hashKey, &privKey.PublicKey, text)
|
||||
encryptedValue, _ := sshutil.Encrypt(hashKey, publicKey, text)
|
||||
|
||||
g.It("Should decrypt a yaml", func() {
|
||||
yaml := "secure: {\"foo\": \"" + encryptedValue + "\"}"
|
||||
decrypted, err := Parse(&repo, yaml)
|
||||
decrypted, err := Parse(privateKeyPEM, repoHash, yaml)
|
||||
|
||||
g.Assert(err == nil).IsTrue()
|
||||
g.Assert(decrypted["foo"]).Equal(text)
|
||||
|
@ -36,7 +32,7 @@ func Test_Secure(t *testing.T) {
|
|||
|
||||
g.It("Should decrypt a yaml with no secure section", func() {
|
||||
yaml := `foo: bar`
|
||||
decrypted, err := Parse(&repo, yaml)
|
||||
decrypted, err := Parse(privateKeyPEM, repoHash, yaml)
|
||||
g.Assert(err == nil).IsTrue()
|
||||
g.Assert(len(decrypted)).Equal(0)
|
||||
})
|
||||
|
@ -45,10 +41,10 @@ func Test_Secure(t *testing.T) {
|
|||
params := map[string]string{
|
||||
"foo": text,
|
||||
}
|
||||
err := EncryptMap(&repo, params)
|
||||
err := EncryptMap(hashKey, publicKey, params)
|
||||
g.Assert(err == nil).IsTrue()
|
||||
g.Assert(params["foo"] == "super_duper_secret").IsFalse()
|
||||
err = DecryptMap(&repo, params)
|
||||
err = DecryptMap(hashKey, privKey, params)
|
||||
g.Assert(err == nil).IsTrue()
|
||||
g.Assert(params["foo"] == "super_duper_secret").IsTrue()
|
||||
})
|
||||
|
|
Loading…
Reference in a new issue