parent
9ece7a1c49
commit
e568c42e84
17 changed files with 154 additions and 50 deletions
|
@ -42,6 +42,10 @@ var secretCreateCmd = &cli.Command{
|
|||
Name: "image",
|
||||
Usage: "secret limited to these images",
|
||||
},
|
||||
&cli.BoolFlag{
|
||||
Name: "plugins-only",
|
||||
Usage: "secret limited to plugins",
|
||||
},
|
||||
),
|
||||
}
|
||||
|
||||
|
@ -55,6 +59,7 @@ func secretCreate(c *cli.Context) error {
|
|||
Name: strings.ToLower(c.String("name")),
|
||||
Value: c.String("value"),
|
||||
Images: c.StringSlice("image"),
|
||||
PluginsOnly: c.Bool("plugins-only"),
|
||||
Events: c.StringSlice("event"),
|
||||
}
|
||||
if len(secret.Events) == 0 {
|
||||
|
|
|
@ -42,6 +42,10 @@ var secretUpdateCmd = &cli.Command{
|
|||
Name: "image",
|
||||
Usage: "secret limited to these images",
|
||||
},
|
||||
&cli.BoolFlag{
|
||||
Name: "plugins-only",
|
||||
Usage: "secret limited to plugins",
|
||||
},
|
||||
),
|
||||
}
|
||||
|
||||
|
@ -55,6 +59,7 @@ func secretUpdate(c *cli.Context) error {
|
|||
Name: strings.ToLower(c.String("name")),
|
||||
Value: c.String("value"),
|
||||
Images: c.StringSlice("image"),
|
||||
PluginsOnly: c.Bool("plugins-only"),
|
||||
Events: c.StringSlice("event"),
|
||||
}
|
||||
if strings.HasPrefix(secret.Value, "@") {
|
||||
|
|
|
@ -79,6 +79,15 @@ woodpecker-cli secret add \
|
|||
|
||||
Please be careful when exposing secrets to pull requests. If your repository is open source and accepts pull requests your secrets are not safe. A bad actor can submit a malicious pull request that exposes your secrets.
|
||||
|
||||
## Image filter
|
||||
|
||||
To prevent abusing your secrets with malicious pull requests, you can limit a secret to a list of images. They are not available to any other container. In addition, you can make the secret available only for plugins (steps without user-defined commands).
|
||||
|
||||
:::warning
|
||||
If you enable the option "Only available for plugins", always set an image filter too. Otherwise, the secret can be accessed by a very simple self-developed plugin and is thus *not* safe.
|
||||
If you only set an image filter, you could still access the secret using the same image and by specifying a command that prints it.
|
||||
:::
|
||||
|
||||
## Examples
|
||||
|
||||
Create the secret using default settings. The secret will be available to all images in your pipeline, and will be available to all push, tag, and deployment events (not pull request events).
|
||||
|
|
|
@ -38,6 +38,11 @@ type Secret struct {
|
|||
Name string
|
||||
Value string
|
||||
Match []string
|
||||
PluginOnly bool
|
||||
}
|
||||
|
||||
func (s *Secret) Available(container *yaml.Container) bool {
|
||||
return (len(s.Match) == 0 || matchImage(container.Image, s.Match...)) && (!s.PluginOnly || container.IsPlugin())
|
||||
}
|
||||
|
||||
type secretMap map[string]Secret
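Review bot: `Available` is exported and now encodes the secret-exposure policy, but it has no doc comment, so a reader has to decode the boolean expression to learn that an empty `Match` means "any image" and that `PluginOnly` with an empty `Match` admits every plugin image (the case the docs in this commit warn about). I would add `// Available reports whether the secret may be injected into container: its image must match Match (an empty Match allows any image) and, when PluginOnly is set, the step must be a plugin.` above the method. Splitting the expression into two early returns would also make each condition easier to review on its own.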
|
||||
|
|
42
pipeline/frontend/yaml/compiler/compiler_test.go
Normal file
42
pipeline/frontend/yaml/compiler/compiler_test.go
Normal file
|
@ -0,0 +1,42 @@
|
|||
package compiler
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/docker/docker/api/types/strslice"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/woodpecker-ci/woodpecker/pipeline/frontend/yaml"
|
||||
"github.com/woodpecker-ci/woodpecker/pipeline/frontend/yaml/types"
|
||||
)
|
||||
|
||||
func TestSecretAvailable(t *testing.T) {
|
||||
secret := Secret{
|
||||
Match: []string{"golang"},
|
||||
PluginOnly: false,
|
||||
}
|
||||
assert.True(t, secret.Available(&yaml.Container{
|
||||
Image: "golang",
|
||||
Commands: types.Stringorslice(strslice.StrSlice{"echo 'this is not a plugin'"}),
|
||||
}))
|
||||
assert.False(t, secret.Available(&yaml.Container{
|
||||
Image: "not-golang",
|
||||
Commands: types.Stringorslice(strslice.StrSlice{"echo 'this is not a plugin'"}),
|
||||
}))
|
||||
// secret only available for "golang" plugin
|
||||
secret = Secret{
|
||||
Match: []string{"golang"},
|
||||
PluginOnly: true,
|
||||
}
|
||||
assert.True(t, secret.Available(&yaml.Container{
|
||||
Image: "golang",
|
||||
Commands: types.Stringorslice(strslice.StrSlice{}),
|
||||
}))
|
||||
assert.False(t, secret.Available(&yaml.Container{
|
||||
Image: "not-golang",
|
||||
Commands: types.Stringorslice(strslice.StrSlice{}),
|
||||
}))
|
||||
assert.False(t, secret.Available(&yaml.Container{
|
||||
Image: "not-golang",
|
||||
Commands: types.Stringorslice(strslice.StrSlice{"echo 'this is not a plugin'"}),
|
||||
}))
|
||||
}
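Review bot: The `PluginOnly: true` block never checks the case the flag exists for: a step that uses the allowed image `golang` but defines commands. All the `assert.False` calls in that block use `not-golang`, so they would still pass if the `PluginOnly` term were dropped from `Available`. Adding the assertion below after the `assert.True` for the `golang` plugin pins that behaviour. A case with `PluginOnly: true` and an empty `Match` would be worth covering as well.

```go
// secret only available for "golang" plugin
// … unchanged: secret = Secret{Match: golang, PluginOnly: true} and the assert.True case …
assert.False(t, secret.Available(&yaml.Container{
	Image:    "golang",
	Commands: types.Stringorslice(strslice.StrSlice{"echo 'this is not a plugin'"}),
}))
```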
|
|
@ -73,7 +73,14 @@ func (c *Compiler) createProcess(name string, container *yaml.Container, section
|
|||
}
|
||||
|
||||
if !detached {
|
||||
if err := settings.ParamsToEnv(container.Settings, environment, c.secrets.toStringMap()); err != nil {
|
||||
pluginSecrets := secretMap{}
|
||||
for name, secret := range c.secrets {
|
||||
if secret.Available(container) {
|
||||
pluginSecrets[name] = secret
|
||||
}
|
||||
}
|
||||
|
||||
if err := settings.ParamsToEnv(container.Settings, environment, pluginSecrets.toStringMap()); err != nil {
|
||||
log.Error().Err(err).Msg("paramsToEnv")
|
||||
}
|
||||
}
|
||||
|
@ -116,7 +123,7 @@ func (c *Compiler) createProcess(name string, container *yaml.Container, section
|
|||
|
||||
for _, requested := range container.Secrets.Secrets {
|
||||
secret, ok := c.secrets[strings.ToLower(requested.Source)]
|
||||
if ok && (len(secret.Match) == 0 || matchImage(container.Image, secret.Match...)) {
|
||||
if ok && secret.Available(container) {
|
||||
environment[strings.ToUpper(requested.Target)] = secret.Value
|
||||
}
|
||||
}
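Review bot: In the first hunk a `ParamsToEnv` failure is only logged with `log.Error().Err(err).Msg("paramsToEnv")` and compilation continues. Now that the secret map passed in is filtered by `Available`, a setting that refers to a secret this step may not use presumably ends up on that path (`ParamsToEnv` is not visible here), and the step would then start with incomplete settings while the reason shows up only in the server log. Consider adding the step name to the entry, e.g. `log.Error().Err(err).Str("step", name).Msg("paramsToEnv")`, or returning the error to the user if `createProcess` can propagate one. The function body starts and ends outside both hunks.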
|
||||
|
|
|
@ -111,3 +111,7 @@ func (c *Containers) UnmarshalYAML(value *yaml.Node) error {
|
|||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *Container) IsPlugin() bool {
|
||||
return len(c.Commands) == 0 && len(c.Command) == 0
|
||||
}
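Review bot: `IsPlugin` is exported without a doc comment, and after this commit its result decides whether a plugins-only secret is injected, so the definition deserves to be stated: `// IsPlugin reports whether the step is a plugin, i.e. it defines neither commands nor command.` The `Container` struct is outside this hunk. If it has other fields that change what the image executes, they should probably make a step count as non-plugin here too, which is worth confirming.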
|
||||
|
|
|
@ -3,6 +3,7 @@ package yaml
|
|||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/docker/docker/api/types/strslice"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"gopkg.in/yaml.v3"
|
||||
|
||||
|
@ -301,3 +302,13 @@ func stringsToInterface(val ...string) []interface{} {
|
|||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func TestIsPlugin(t *testing.T) {
|
||||
assert.True(t, (&Container{}).IsPlugin())
|
||||
assert.True(t, (&Container{
|
||||
Commands: types.Stringorslice(strslice.StrSlice{}),
|
||||
}).IsPlugin())
|
||||
assert.False(t, (&Container{
|
||||
Commands: types.Stringorslice(strslice.StrSlice{"echo 'this is not a plugin'"}),
|
||||
}).IsPlugin())
|
||||
}
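Review bot: `TestIsPlugin` exercises only `Commands`; the `len(c.Command) == 0` half of `IsPlugin` is never tested, so a regression that ignores `Command` would go unnoticed even though the predicate now gates secret access. I would add one more `assert.False` with a `Container` whose `Command` is non-empty (its type is not visible in this hunk, so the literal needs adapting).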
|
||||
|
|
|
@ -63,6 +63,7 @@ func PostGlobalSecret(c *gin.Context) {
|
|||
Value: in.Value,
|
||||
Events: in.Events,
|
||||
Images: in.Images,
|
||||
PluginsOnly: in.PluginsOnly,
|
||||
}
|
||||
if err := secret.Validate(); err != nil {
|
||||
c.String(400, "Error inserting global secret. %s", err)
|
||||
|
@ -100,6 +101,7 @@ func PatchGlobalSecret(c *gin.Context) {
|
|||
if in.Images != nil {
|
||||
secret.Images = in.Images
|
||||
}
|
||||
secret.PluginsOnly = in.PluginsOnly
|
||||
|
||||
if err := secret.Validate(); err != nil {
|
||||
c.String(400, "Error updating global secret. %s", err)
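Review bot: `secret.PluginsOnly = in.PluginsOnly` in `PatchGlobalSecret` is unconditional, unlike `Images` just above it, which is only overwritten when `in.Images != nil`. A PATCH body that omits `plugins_only` decodes to `false` (assuming `in` is decoded from JSON into a plain `bool`; its declaration is outside the hunk), so updating only a secret's value silently removes the plugins-only restriction and widens where the secret is exposed. The same line appears in `PatchOrgSecret` and `PatchSecret`, and the CLI's `secretUpdate` always sends `c.Bool("plugins-only")`, which triggers it whenever the flag is not given. Decoding into an optional field and assigning only when it is present, e.g. `if in.PluginsOnly != nil { secret.PluginsOnly = *in.PluginsOnly }`, keeps the restriction unless the caller changes it explicitly.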
|
||||
|
|
|
@ -70,6 +70,7 @@ func PostOrgSecret(c *gin.Context) {
|
|||
Value: in.Value,
|
||||
Events: in.Events,
|
||||
Images: in.Images,
|
||||
PluginsOnly: in.PluginsOnly,
|
||||
}
|
||||
if err := secret.Validate(); err != nil {
|
||||
c.String(400, "Error inserting org %q secret. %s", owner, err)
|
||||
|
@ -110,6 +111,7 @@ func PatchOrgSecret(c *gin.Context) {
|
|||
if in.Images != nil {
|
||||
secret.Images = in.Images
|
||||
}
|
||||
secret.PluginsOnly = in.PluginsOnly
|
||||
|
||||
if err := secret.Validate(); err != nil {
|
||||
c.String(400, "Error updating org %q secret. %s", owner, err)
|
||||
|
|
|
@ -55,6 +55,7 @@ func PostSecret(c *gin.Context) {
|
|||
Value: in.Value,
|
||||
Events: in.Events,
|
||||
Images: in.Images,
|
||||
PluginsOnly: in.PluginsOnly,
|
||||
}
|
||||
if err := secret.Validate(); err != nil {
|
||||
c.String(400, "Error inserting secret. %s", err)
|
||||
|
@ -95,6 +96,7 @@ func PatchSecret(c *gin.Context) {
|
|||
if in.Images != nil {
|
||||
secret.Images = in.Images
|
||||
}
|
||||
secret.PluginsOnly = in.PluginsOnly
|
||||
|
||||
if err := secret.Validate(); err != nil {
|
||||
c.String(400, "Error updating secret. %s", err)
|
||||
|
|
|
@ -74,6 +74,7 @@ type Secret struct {
|
|||
Name string `json:"name" xorm:"NOT NULL UNIQUE(s) INDEX 'secret_name'"`
|
||||
Value string `json:"value,omitempty" xorm:"TEXT 'secret_value'"`
|
||||
Images []string `json:"image" xorm:"json 'secret_images'"`
|
||||
PluginsOnly bool `json:"plugins_only" xorm:"secret_plugins_only"`
|
||||
Events []WebhookEvent `json:"event" xorm:"json 'secret_events'"`
|
||||
SkipVerify bool `json:"-" xorm:"secret_skip_verify"`
|
||||
Conceal bool `json:"-" xorm:"secret_conceal"`
|
||||
|
@ -157,6 +158,7 @@ func (s *Secret) Copy() *Secret {
|
|||
RepoID: s.RepoID,
|
||||
Name: s.Name,
|
||||
Images: s.Images,
|
||||
PluginsOnly: s.PluginsOnly,
|
||||
Events: sortEvents(s.Events),
|
||||
}
|
||||
}
|
||||
|
|
|
@ -247,6 +247,7 @@ func (b *ProcBuilder) toInternalRepresentation(parsed *yaml.Config, environ map[
|
|||
Name: sec.Name,
|
||||
Value: sec.Value,
|
||||
Match: sec.Images,
|
||||
PluginOnly: sec.PluginsOnly,
|
||||
})
|
||||
}
|
||||
|
||||
|
|
|
@ -121,6 +121,7 @@
|
|||
"events": "Available at following events",
|
||||
"pr_warning": "Please be careful with this option as a bad actor can submit a malicious pull request that exposes your secrets."
|
||||
},
|
||||
"plugins_only": "Only available for plugins",
|
||||
"edit": "Edit secret",
|
||||
"delete":"Delete secret"
|
||||
},
|
||||
|
@ -258,6 +259,7 @@
|
|||
"images": "Available for following images",
|
||||
"desc": "Comma separated list of images where this secret is available, leave empty to allow all images"
|
||||
},
|
||||
"plugins_only": "Only available for plugins",
|
||||
"events": {
|
||||
"events": "Available at following events",
|
||||
"pr_warning": "Please be careful with this option as a bad actor can submit a malicious pull request that exposes your secrets."
|
||||
|
@ -286,6 +288,7 @@
|
|||
"images": "Available for following images",
|
||||
"desc": "Comma separated list of images where this secret is available, leave empty to allow all images"
|
||||
},
|
||||
"plugins_only": "Only available for plugins",
|
||||
"events": {
|
||||
"events": "Available at following events",
|
||||
"pr_warning": "Please be careful with this option as a bad actor can submit a malicious pull request that exposes your secrets."
|
||||
|
|
|
@ -16,6 +16,8 @@
|
|||
|
||||
<InputField :label="$t(i18nPrefix + 'images.images')">
|
||||
<TextField v-model="images" :placeholder="$t(i18nPrefix + 'images.desc')" />
|
||||
|
||||
<Checkbox v-model="innerValue.plugins_only" class="mt-4" :label="$t(i18nPrefix + 'plugins_only')" />
|
||||
</InputField>
|
||||
|
||||
<InputField :label="$t(i18nPrefix + 'events.events')">
|
||||
|
|
|
@ -6,4 +6,5 @@ export type Secret = {
|
|||
value: string;
|
||||
event: WebhookEvents[];
|
||||
image: string[];
|
||||
plugins_only: string;
|
||||
};
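Review bot: `plugins_only` is declared as `string`, but the server-side struct in this commit serialises it as a `bool` (`json:"plugins_only"`) and the form binds it to a `Checkbox` via `v-model`. It should be `plugins_only: boolean;` so the type checker catches wrong uses of the flag.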
|
||||
|
|
|
@ -122,6 +122,7 @@ type (
|
|||
Name string `json:"name"`
|
||||
Value string `json:"value,omitempty"`
|
||||
Images []string `json:"image"`
|
||||
PluginsOnly bool `json:"plugins_only"`
|
||||
Events []string `json:"event"`
|
||||
}
|
||||
|
||||
|
|