Hide secrets
parent
9eee1c158a
commit
9781e160a4
3 changed files with 91 additions and 0 deletions
|
@ -188,6 +188,7 @@ func (a *Agent) exec(spec *yaml.Config, payload *model.Work, cancel <-chan bool)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
replacer := NewSecretReplacer(payload.Secrets)
|
||||||
timeout := time.After(time.Duration(payload.Repo.Timeout) * time.Minute)
|
timeout := time.After(time.Duration(payload.Repo.Timeout) * time.Minute)
|
||||||
|
|
||||||
for {
|
for {
|
||||||
|
@ -227,6 +228,7 @@ func (a *Agent) exec(spec *yaml.Config, payload *model.Work, cancel <-chan bool)
|
||||||
pipeline.Exec()
|
pipeline.Exec()
|
||||||
}
|
}
|
||||||
case line := <-pipeline.Pipe():
|
case line := <-pipeline.Pipe():
|
||||||
|
line.Out = replacer.Replace(line.Out)
|
||||||
a.Logger(line)
|
a.Logger(line)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
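Review bot: The masking added at `line.Out = replacer.Replace(line.Out)` runs on one value from `pipeline.Pipe()` at a time, so if each value is a single output line, as the name suggests, a concealed secret that itself contains a newline (a PEM key, for example) never matches as a whole. The same holds for any transformed form of the value, such as base64 or URL-encoded output, because only the exact string is replaced. I would state that limit at the call site, e.g. `// Masks exact, single-line occurrences only; multi-line or encoded secret values still reach the log.` The body of exec starts and ends outside these hunks, so whether output reaches any other sink before this case is not visible here.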
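--- a/agent/secret.go
+++ b/agent/secret.go
@@ -0,0 +1,50 @@
+package agent
+
+import (
+"strings"
+
+"github.com/drone/drone/model"
+)
+
+// SecretReplacer hides secrets from being exposed by the build output.
+type SecretReplacer interface {
+// Replace conceals instances of secrets found in s.
+Replace(s string) string
+}
+
+// NewSecretReplacer creates a SecretReplacer based on whether any value in
+// secrets requests it be hidden.
+func NewSecretReplacer(secrets []*model.Secret) SecretReplacer {
+var r []string
+for _, s := range secrets {
+if s.Conceal {
+r = append(r, s.Value, "*****")
+}
+}
+
+var replacer SecretReplacer
+
+if len(r) > 0 {
+replacer = &secretReplacer{
+replacer: strings.NewReplacer(r...),
+}
+} else {
+replacer = &noopReplacer{}
+}
+
+return replacer
+}
+
+type noopReplacer struct{}
+
+func (*noopReplacer) Replace(s string) string {
+return s
+}
+
+type secretReplacer struct {
+replacer *strings.Replacer
+}
+
+func (r *secretReplacer) Replace(s string) string {
+return r.replacer.Replace(s)
+}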
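Review bot: NewSecretReplacer passes `s.Value` to strings.NewReplacer without checking it, and an empty old string matches at every position, so a concealed secret with an empty value would insert `*****` between every character of every log line. The loop should skip those entries: `if s.Conceal && s.Value != "" {`. Separately, strings.Replacer compares old strings in argument order, so when one concealed value is a prefix of another and comes first in the list, the tail of the longer value stays visible in the output. Sorting the concealed values longest-first before building the replacer avoids that. A nil entry in secrets would also panic at `s.Conceal`, if callers can ever pass one.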
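--- a/agent/secret_test.go
+++ b/agent/secret_test.go
@@ -0,0 +1,39 @@
+package agent
+
+import (
+"testing"
+
+"github.com/drone/drone/model"
+"github.com/franela/goblin"
+)
+
+const testString = "This is SECRET: secret_value"
+
+func TestSecret(t *testing.T) {
+g := goblin.Goblin(t)
+g.Describe("SecretReplacer", func() {
+g.It("Should conceal secret", func() {
+secrets := []*model.Secret{
+{
+Name: "SECRET",
+Value: "secret_value",
+Conceal: true,
+},
+}
+r := NewSecretReplacer(secrets)
+g.Assert(r.Replace(testString)).Equal("This is SECRET: *****")
+})
+
+g.It("Should not conceal secret", func() {
+secrets := []*model.Secret{
+{
+Name: "SECRET",
+Value: "secret_value",
+Conceal: false,
+},
+}
+r := NewSecretReplacer(secrets)
+g.Assert(r.Replace(testString)).Equal(testString)
+})
+})
+}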
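Review bot: Both cases pass a single secret, so nothing exercises a list that mixes `Conceal: true` and `Conceal: false` entries, which is the input where NewSecretReplacer has to pick the right values to mask. I would add one `g.It` with two secrets of different Conceal settings and assert that only the concealed value becomes `*****`. A further case with an empty `Value` on a concealed secret would pin what the replacer does with that input.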