no repo model in parsing secure section of yaml

This commit is contained in:
Ke Zhu 2015-08-20 00:24:32 -04:00
parent f9ebf9ca11
commit 85a9811110
5 changed files with 26 additions and 30 deletions

View file

@ -183,7 +183,7 @@ func RunBuild(c *gin.Context) {
if repo.Params != nil && len(repo.Params) != 0 {
raw = []byte(inject.InjectSafe(string(raw), repo.Params))
}
encrypted, _ := secure.Parse(repo, string(raw))
encrypted, _ := secure.Parse(repo.Keys.Private, repo.Hash, string(raw))
if encrypted != nil && len(encrypted) != 0 {
raw = []byte(inject.InjectSafe(string(raw), encrypted))
}

View file

@ -101,7 +101,7 @@ func PostHook(c *gin.Context) {
if repo.Params != nil && len(repo.Params) != 0 {
raw = []byte(inject.InjectSafe(string(raw), repo.Params))
}
encrypted, _ := secure.Parse(repo, string(raw))
encrypted, _ := secure.Parse(repo.Keys.Private, repo.Hash, string(raw))
if encrypted != nil && len(encrypted) != 0 {
raw = []byte(inject.InjectSafe(string(raw), encrypted))
}

View file

@ -253,7 +253,8 @@ func Encrypt(c *gin.Context) {
in := map[string]string{}
json.NewDecoder(c.Request.Body).Decode(&in)
err := secure.EncryptMap(repo, in)
privKey := sshutil.UnMarshalPrivateKey([]byte(repo.Keys.Private))
err := secure.EncryptMap(secure.ToHash(repo.Hash), &privKey.PublicKey, in)
if err != nil {
c.Fail(500, err)
return

View file

@ -1,33 +1,34 @@
package secure
import (
"crypto/rsa"
"crypto/sha256"
"hash"
"github.com/drone/drone/Godeps/_workspace/src/gopkg.in/yaml.v2"
common "github.com/drone/drone/pkg/types"
"github.com/drone/drone/pkg/utils/sshutil"
)
// Parse parses and returns the secure section of the
// yaml file as plaintext parameters.
func Parse(repo *common.Repo, raw string) (map[string]string, error) {
func Parse(privateKeyPEM, repoHash, raw string) (map[string]string, error) {
params, err := parseSecure(raw)
if err != nil {
return nil, err
}
err = DecryptMap(repo, params)
hasher := ToHash(repoHash)
privKey := sshutil.UnMarshalPrivateKey([]byte(privateKeyPEM))
err = DecryptMap(hasher, privKey, params)
return params, err
}
// DecryptMap decrypts values of a map of named parameters
// from base64 to decrypted strings.
func DecryptMap(repo *common.Repo, params map[string]string) error {
func DecryptMap(hasher hash.Hash, privKey *rsa.PrivateKey, params map[string]string) error {
var err error
hasher := toHash(repo.Hash)
privKey := sshutil.UnMarshalPrivateKey([]byte(repo.Keys.Private))
for name, encrypted := range params {
params[name], err = sshutil.Decrypt(hasher, privKey, encrypted)
@ -39,13 +40,11 @@ func DecryptMap(repo *common.Repo, params map[string]string) error {
}
// EncryptMap encrypts values of a map of named parameters
func EncryptMap(repo *common.Repo, params map[string]string) error {
func EncryptMap(hasher hash.Hash, pubKey *rsa.PublicKey, params map[string]string) error {
var err error
hasher := toHash(repo.Hash)
privKey := sshutil.UnMarshalPrivateKey([]byte(repo.Keys.Private))
for name, value := range params {
params[name], err = sshutil.Encrypt(hasher, &privKey.PublicKey, value)
params[name], err = sshutil.Encrypt(hasher, pubKey, value)
if err != nil {
return err
}
@ -64,8 +63,8 @@ func parseSecure(raw string) (map[string]string, error) {
return data.Secure, err
}
// toHash is helper function to generate Hash of given string
func toHash(key string) hash.Hash {
// ToHash is helper function to generate Hash of given string
func ToHash(key string) hash.Hash {
hasher := sha256.New()
hasher.Write([]byte(key))
hasher.Reset()

View file

@ -5,7 +5,6 @@ import (
"github.com/drone/drone/Godeps/_workspace/src/github.com/franela/goblin"
common "github.com/drone/drone/pkg/types"
"github.com/drone/drone/pkg/utils/sshutil"
)
@ -14,21 +13,18 @@ func Test_Secure(t *testing.T) {
g := goblin.Goblin(t)
g.Describe("Encrypt params", func() {
privKey, _ := sshutil.GeneratePrivateKey()
keypair := common.Keypair{
Private: string(sshutil.MarshalPrivateKey(privKey)),
Public: string(sshutil.MarshalPublicKey(&privKey.PublicKey)),
}
repo := common.Repo{
Hash: "9T2tH3qZ8FSPr9uxrhzV4mn2VdVgA56xPVtYvCh0",
Keys: &keypair,
}
hashKey := toHash(repo.Hash)
publicKey := &privKey.PublicKey
privateKeyPEM := string(sshutil.MarshalPrivateKey(privKey))
repoHash := "9T2tH3qZ8FSPr9uxrhzV4mn2VdVgA56xPVtYvCh0"
hashKey := ToHash(repoHash)
text := "super_duper_secret"
encryptedValue, _ := sshutil.Encrypt(hashKey, &privKey.PublicKey, text)
encryptedValue, _ := sshutil.Encrypt(hashKey, publicKey, text)
g.It("Should decrypt a yaml", func() {
yaml := "secure: {\"foo\": \"" + encryptedValue + "\"}"
decrypted, err := Parse(&repo, yaml)
decrypted, err := Parse(privateKeyPEM, repoHash, yaml)
g.Assert(err == nil).IsTrue()
g.Assert(decrypted["foo"]).Equal(text)
@ -36,7 +32,7 @@ func Test_Secure(t *testing.T) {
g.It("Should decrypt a yaml with no secure section", func() {
yaml := `foo: bar`
decrypted, err := Parse(&repo, yaml)
decrypted, err := Parse(privateKeyPEM, repoHash, yaml)
g.Assert(err == nil).IsTrue()
g.Assert(len(decrypted)).Equal(0)
})
@ -45,10 +41,10 @@ func Test_Secure(t *testing.T) {
params := map[string]string{
"foo": text,
}
err := EncryptMap(&repo, params)
err := EncryptMap(hashKey, publicKey, params)
g.Assert(err == nil).IsTrue()
g.Assert(params["foo"] == "super_duper_secret").IsFalse()
err = DecryptMap(&repo, params)
err = DecryptMap(hashKey, privKey, params)
g.Assert(err == nil).IsTrue()
g.Assert(params["foo"] == "super_duper_secret").IsTrue()
})