Implement secrets concealer in build logs

2025-10-21 21:03:22 +00:00 · 2016-10-14 17:40:20 +01:00
parent 655cbf0f30
commit 5377c62844
5 changed files with 95 additions and 42 deletions
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -22,17 +22,18 @@ type Logger interface {
 }

 type Agent struct {
-	Update    UpdateFunc
-	Logger    LoggerFunc
-	Engine    build.Engine
-	Timeout   time.Duration
-	Platform  string
-	Namespace string
-	Disable   []string
-	Escalate  []string
-	Netrc     []string
-	Local     string
-	Pull      bool
+	Update         UpdateFunc
+	Logger         LoggerFunc
+	Engine         build.Engine
+	Timeout        time.Duration
+	Platform       string
+	Namespace      string
+	Disable        []string
+	Escalate       []string
+	Netrc          []string
+	Local          string
+	Pull           bool
+	ConcealSecrets bool
 }

 func (a *Agent) Poll() error {
@@ -188,6 +189,7 @@ func (a *Agent) exec(spec *yaml.Config, payload *model.Work, cancel <-chan bool)
 		return err
 	}

+	secretsReplacer := newSecretsReplacer(payload.Secrets)
 	timeout := time.After(time.Duration(payload.Repo.Timeout) * time.Minute)

 	for {
@@ -227,11 +229,25 @@ func (a *Agent) exec(spec *yaml.Config, payload *model.Work, cancel <-chan bool)
 				pipeline.Exec()
 			}
 		case line := <-pipeline.Pipe():
+			// FIXME(vaijab): avoid checking a.ConcealSecrets is true everytime new line is received
+			if a.ConcealSecrets {
+				line.Out = secretsReplacer.Replace(line.Out)
+			}
 			a.Logger(line)
 		}
 	}
 }

+// newSecretsReplacer takes []*model.Secret as secrets and returns a list of
+// secret value, "*****" pairs.
+func newSecretsReplacer(secrets []*model.Secret) *strings.Replacer {
+	var r []string
+	for _, s := range secrets {
+		r = append(r, s.Value, "*****")
+	}
+	return strings.NewReplacer(r...)
+}
+
 func toEnv(w *model.Work) map[string]string {
 	envs := map[string]string{
 		"CI":                         "drone",
--- a/agent/agent_test.go
+++ b/agent/agent_test.go
@@ -0,0 +1,23 @@
+package agent
+
+import "testing"
+import "github.com/drone/drone/model"
+
+func Test_newSecretsReplacer(t *testing.T) {
+	secrets := []*model.Secret{
+		{Name: "SECRET",
+			Value:  "secret_value",
+			Images: []string{"*"},
+			Events: []string{"*"},
+		},
+	}
+
+	text := "This is SECRET: secret_value"
+	expected := "This is SECRET: *****"
+	secretsReplacer := newSecretsReplacer(secrets)
+	result := secretsReplacer.Replace(text)
+
+	if result != expected {
+		t.Errorf("Wanted %q, got %q.", expected, result)
+	}
+}