dagger/plan/task/transformsecret.go

package task

import (
	"context"
	"errors"
	"strings"

	"cuelang.org/go/cue"
	"github.com/rs/zerolog/log"
	"github.com/sergi/go-diff/diffmatchpatch"
	"go.dagger.io/dagger/compiler"
	"go.dagger.io/dagger/plancontext"
	"go.dagger.io/dagger/solver"
)

func init() {
	Register("TransformSecret", func() Task { return &transformSecretTask{} })
}

type transformSecretTask struct {
}

func (c *transformSecretTask) Run(ctx context.Context, pctx *plancontext.Context, _ *solver.Solver, v *compiler.Value) (*compiler.Value, error) {
	lg := log.Ctx(ctx)
	lg.Debug().Msg("transforming secret")

	input := v.Lookup("input")

	inputSecret, err := pctx.Secrets.FromValue(input)
	if err != nil {
		return nil, err
	}

	function := v.Lookup("#function")
	inputSecretPlaintext := inputSecret.PlainText()
	err = function.FillPath(cue.ParsePath("input"), inputSecretPlaintext)
	if err != nil {
		dmp := diffmatchpatch.New()
		errStr := err.Error()
		diffs := dmp.DiffMain(inputSecretPlaintext, err.Error(), false)
		for _, diff := range diffs {
			if diff.Type == diffmatchpatch.DiffEqual {
				// diffText := strings.ReplaceAll(diff.Text, ":", "") // colons are tricky. Yaml keys end with them but if a secret contained one that got replaced, the secret wouldn't get redacted
				errStr = strings.ReplaceAll(errStr, diff.Text, "***")
			}
		}

		return nil, errors.New(errStr)
	}

	pathToSecrets := make(map[string]string)

	// users could yaml.Unmarshal(input) and return a map
	// or yaml.Unmarshal(input).someKey and return a string
	// walk will ensure we convert every leaf
	functionPathSelectors := function.Path().Selectors()

	function.Lookup("output").Walk(nil, func(v *compiler.Value) {
		if v.Kind() == cue.StringKind {
			plaintext, _ := v.String()
			newLeafSelectors := v.Path().Selectors()[len(functionPathSelectors):]
			newLeafSelectors = append(newLeafSelectors, cue.Str("contents"))
			newLeafPath := cue.MakePath(newLeafSelectors...)
			p := newLeafPath.String()
			pathToSecrets[p] = plaintext
		}
	})

	output := compiler.NewValue()

	for p, s := range pathToSecrets {
		secret := pctx.Secrets.New(s)
		output.FillPath(cue.ParsePath(p), secret.MarshalCUE())
	}

	return output, nil
}
transform secret Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-05 04:27:54 +01:00			`package task`

			`import (`
			`"context"`
			`"errors"`
supports map of secrets; errors redact plaintext Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-06 21:13:51 +01:00			`"strings"`
transform secret Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-05 04:27:54 +01:00
			`"cuelang.org/go/cue"`
			`"github.com/rs/zerolog/log"`
supports map of secrets; errors redact plaintext Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-06 21:13:51 +01:00			`"github.com/sergi/go-diff/diffmatchpatch"`
transform secret Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-05 04:27:54 +01:00			`"go.dagger.io/dagger/compiler"`
			`"go.dagger.io/dagger/plancontext"`
			`"go.dagger.io/dagger/solver"`
			`)`

			`func init() {`
			`Register("TransformSecret", func() Task { return &transformSecretTask{} })`
			`}`

			`type transformSecretTask struct {`
			`}`

Fix export cache issue Resolve #1551 and #1020. We are never returning the result of solved operations so Buildkit could not cache the layer. This commit implements a simple system to forward operations' result to the main build to cache it. Signed-off-by: Vasek - Tom C <tom.chauveau@epitech.eu> 2022-03-23 23:02:17 +01:00			`func (c transformSecretTask) Run(ctx context.Context, pctx plancontext.Context, _ solver.Solver, v compiler.Value) (*compiler.Value, error) {`
transform secret Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-05 04:27:54 +01:00			`lg := log.Ctx(ctx)`
			`lg.Debug().Msg("transforming secret")`

			`input := v.Lookup("input")`

			`inputSecret, err := pctx.Secrets.FromValue(input)`
			`if err != nil {`
			`return nil, err`
			`}`

			`function := v.Lookup("#function")`
supports map of secrets; errors redact plaintext Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-06 21:13:51 +01:00			`inputSecretPlaintext := inputSecret.PlainText()`
			`err = function.FillPath(cue.ParsePath("input"), inputSecretPlaintext)`
transform secret Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-05 04:27:54 +01:00			`if err != nil {`
supports map of secrets; errors redact plaintext Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-06 21:13:51 +01:00			`dmp := diffmatchpatch.New()`
			`errStr := err.Error()`
			`diffs := dmp.DiffMain(inputSecretPlaintext, err.Error(), false)`
			`for _, diff := range diffs {`
			`if diff.Type == diffmatchpatch.DiffEqual {`
commented out replace colons Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-11 21:37:03 +01:00			`// diffText := strings.ReplaceAll(diff.Text, ":", "") // colons are tricky. Yaml keys end with them but if a secret contained one that got replaced, the secret wouldn't get redacted`
redacting with stars Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-13 23:21:30 +01:00			`errStr = strings.ReplaceAll(errStr, diff.Text, "***")`
supports map of secrets; errors redact plaintext Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-06 21:13:51 +01:00			`}`
			`}`

			`return nil, errors.New(errStr)`
transform secret Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-05 04:27:54 +01:00			`}`

using map[string]string and moved Secrets.New outside of Walk Signed-off-by: Richard Jones <richard@dagger.io> 2022-02-01 02:37:31 +01:00			`pathToSecrets := make(map[string]string)`
moved FillPath outside of Walk Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-26 00:10:39 +01:00
supports map of secrets; errors redact plaintext Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-06 21:13:51 +01:00			`// users could yaml.Unmarshal(input) and return a map`
			`// or yaml.Unmarshal(input).someKey and return a string`
			`// walk will ensure we convert every leaf`
			`functionPathSelectors := function.Path().Selectors()`
using map[string]string and moved Secrets.New outside of Walk Signed-off-by: Richard Jones <richard@dagger.io> 2022-02-01 02:37:31 +01:00
supports map of secrets; errors redact plaintext Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-06 21:13:51 +01:00			`function.Lookup("output").Walk(nil, func(v *compiler.Value) {`
			`if v.Kind() == cue.StringKind {`
			`plaintext, _ := v.String()`
			`newLeafSelectors := v.Path().Selectors()[len(functionPathSelectors):]`
			`newLeafSelectors = append(newLeafSelectors, cue.Str("contents"))`
			`newLeafPath := cue.MakePath(newLeafSelectors...)`
using map[string]string and moved Secrets.New outside of Walk Signed-off-by: Richard Jones <richard@dagger.io> 2022-02-01 02:37:31 +01:00			`p := newLeafPath.String()`
			`pathToSecrets[p] = plaintext`
supports map of secrets; errors redact plaintext Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-06 21:13:51 +01:00			`}`
transform secret Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-05 04:27:54 +01:00			`})`
supports map of secrets; errors redact plaintext Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-06 21:13:51 +01:00
moved FillPath outside of Walk Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-26 00:10:39 +01:00			`output := compiler.NewValue()`

using map[string]string and moved Secrets.New outside of Walk Signed-off-by: Richard Jones <richard@dagger.io> 2022-02-01 02:37:31 +01:00			`for p, s := range pathToSecrets {`
			`secret := pctx.Secrets.New(s)`
			`output.FillPath(cue.ParsePath(p), secret.MarshalCUE())`
moved FillPath outside of Walk Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-26 00:10:39 +01:00			`}`

supports map of secrets; errors redact plaintext Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-06 21:13:51 +01:00			`return output, nil`
transform secret Signed-off-by: Richard Jones <richard@dagger.io> 2022-01-05 04:27:54 +01:00			`}`