supports map of secrets; errors redact plaintext

Signed-off-by: Richard Jones <richard@dagger.io>
Richard Jones 2022-01-06 13:13:51 -07:00
parent 86ae230261
commit 05820f3a67
No known key found for this signature in database
GPG Key ID: CFB3A382EB166F4C
5 changed files with 41 additions and 18 deletions

go.mod

@ -25,6 +25,7 @@ require (
github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.0.2 github.com/opencontainers/image-spec v1.0.2
github.com/rs/zerolog v1.26.0 github.com/rs/zerolog v1.26.0
github.com/sergi/go-diff v1.1.0 // indirect
github.com/spf13/cobra v1.2.1 github.com/spf13/cobra v1.2.1
github.com/spf13/viper v1.8.1 github.com/spf13/viper v1.8.1
github.com/stretchr/testify v1.7.0 github.com/stretchr/testify v1.7.0
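Review bot: `github.com/sergi/go-diff v1.1.0` is added with an `// indirect` marker, but the same commit imports `diffmatchpatch` directly from the task package, so the marker is wrong and `go mod tidy` would rewrite this line; I'd drop `// indirect` now so the module file reflects the real dependency graph. It is also worth asking whether a diff library belongs on the secret-handling path at all: if the error redaction in the task package were done with `strings.ReplaceAll` over the plaintext and its lines, this third-party module and its go.sum entries could be left out entirely.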


@ -5,13 +5,14 @@ package engine
$dagger: task: _name: "TransformSecret" $dagger: task: _name: "TransformSecret"
// The original secret // The original secret
input: #Secret input: #Secret
// A new secret with the transformation applied // A new secret or (map of secrets) with the transformation applied
output: #Secret output: #Secret | {[string]: output}
// Transformation function // Transformation function
#function: { #function: {
// Full contents of the input secret (only available to the function) // Full contents of the input secret (only available to the function)
input: string input: string
_functionOutput: string | {[string]: _functionOutput}
// New contents of the output secret (must provided by the caller) // New contents of the output secret (must provided by the caller)
output: string output: _functionOutput
} }
} }
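Review bot: The new hidden field on the line `_functionOutput: string | {[string]: _functionOutput}` has no comment, although it is the recursive shape the whole definition now depends on; I'd add `// Either a string or an arbitrarily nested map whose leaves are strings; each string leaf becomes its own #Secret` above it. The `{[string]: output}` branch of the public `output` field mirrors that recursion, and presumably the engine fills one `contents` leaf per string, which is worth stating explicitly so plan authors know which path to reference. The updated comment `// A new secret or (map of secrets) with the transformation applied` reads awkwardly; `// A new secret, or a (possibly nested) map of new secrets, with the transformation applied` says the same thing more clearly.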


@ -3,9 +3,11 @@ package task
import ( import (
"context" "context"
"errors" "errors"
"strings"
"cuelang.org/go/cue" "cuelang.org/go/cue"
"github.com/rs/zerolog/log" "github.com/rs/zerolog/log"
"github.com/sergi/go-diff/diffmatchpatch"
"go.dagger.io/dagger/compiler" "go.dagger.io/dagger/compiler"
"go.dagger.io/dagger/plancontext" "go.dagger.io/dagger/plancontext"
"go.dagger.io/dagger/solver" "go.dagger.io/dagger/solver"
@ -23,9 +25,6 @@ func (c *transformSecretTask) Run(ctx context.Context, pctx *plancontext.Context
lg.Debug().Msg("transforming secret") lg.Debug().Msg("transforming secret")
input := v.Lookup("input") input := v.Lookup("input")
if !plancontext.IsSecretValue(input) {
return nil, errors.New("#TransformSecret requires input: #Secret")
}
inputSecret, err := pctx.Secrets.FromValue(input) inputSecret, err := pctx.Secrets.FromValue(input)
if err != nil { if err != nil {
@ -33,15 +32,37 @@ func (c *transformSecretTask) Run(ctx context.Context, pctx *plancontext.Context
} }
function := v.Lookup("#function") function := v.Lookup("#function")
function.FillPath(cue.ParsePath("input"), inputSecret.PlainText()) inputSecretPlaintext := inputSecret.PlainText()
err = function.FillPath(cue.ParsePath("input"), inputSecretPlaintext)
outputPlaintext, err := function.Lookup("output").String()
if err != nil { if err != nil {
return nil, err dmp := diffmatchpatch.New()
errStr := err.Error()
diffs := dmp.DiffMain(inputSecretPlaintext, err.Error(), false)
for _, diff := range diffs {
if diff.Type == diffmatchpatch.DiffEqual {
diffText := strings.ReplaceAll(diff.Text, ":", "")
errStr = strings.ReplaceAll(errStr, diffText, "<redacted>")
}
}
return nil, errors.New(errStr)
} }
outputSecret := pctx.Secrets.New(outputPlaintext) output := compiler.NewValue()
return compiler.NewValue().FillFields(map[string]interface{}{ // users could yaml.Unmarshal(input) and return a map
"output": outputSecret.MarshalCUE(), // or yaml.Unmarshal(input).someKey and return a string
// walk will ensure we convert every leaf
functionPathSelectors := function.Path().Selectors()
function.Lookup("output").Walk(nil, func(v *compiler.Value) {
if v.Kind() == cue.StringKind {
plaintext, _ := v.String()
secret := pctx.Secrets.New(plaintext)
newLeafSelectors := v.Path().Selectors()[len(functionPathSelectors):]
newLeafSelectors = append(newLeafSelectors, cue.Str("contents"))
newLeafPath := cue.MakePath(newLeafSelectors...)
output.FillPath(newLeafPath, secret.MarshalCUE())
}
}) })
return output, nil
} }
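Review bot: The redaction loop at `diffText := strings.ReplaceAll(diff.Text, ":", "")` strips colons from the shared fragment before searching for it, so a fragment such as `KEY: value` — exactly the YAML shape the `yaml.Unmarshal(input)` plans on this page feed in — no longer matches the error text and is returned unredacted, and when the fragment is just `:` the stripped text is empty and `strings.ReplaceAll(errStr, "", "<redacted>")` inserts the marker between every character of the message. Match on `diff.Text` itself and skip empty or whitespace-only fragments, while noting that the scheme stays best-effort (a single-character equal run replaces every occurrence of that character, and later fragments can hit the marker already inserted), so the robust contract is an opaque error to the caller with no CUE text echoed; the sketch below keeps the best-effort form with those two holes closed. Two smaller points in the same hunk: `plaintext, _ := v.String()` in the string-leaf branch and the unchecked `output.FillPath(newLeafPath, secret.MarshalCUE())` both drop errors, which would silently produce an empty or missing secret, so I'd check both and return. From the rendered view it is hard to tell whether `err` at `if err != nil` still holds the `FillPath` result once `outputPlaintext, err :=` is gone, so the error path being reachable is worth confirming. `Run` begins before this hunk.
```go
	if err != nil {
		// CUE's error text can quote the value just filled into "input", so the
		// message must not reach the caller verbatim. Best effort: replace every
		// fragment the error shares with the plaintext. Searching for diff.Text
		// unmodified keeps fragments containing ':' replaceable, and skipping
		// empty fragments stops ReplaceAll from inserting the marker everywhere.
		errStr := err.Error()
		for _, d := range diffmatchpatch.New().DiffMain(inputSecretPlaintext, errStr, false) {
			if d.Type != diffmatchpatch.DiffEqual || strings.TrimSpace(d.Text) == "" {
				continue
			}
			errStr = strings.ReplaceAll(errStr, d.Text, "<redacted>")
		}
		return nil, errors.New(errStr)
	}
	// … unchanged: output := compiler.NewValue() and the path-selector setup …
	var walkErr error
	function.Lookup("output").Walk(nil, func(v *compiler.Value) {
		if v.Kind() != cue.StringKind || walkErr != nil {
			return
		}
		plaintext, err := v.String()
		if err != nil {
			walkErr = err
			return
		}
		secret := pctx.Secrets.New(plaintext)
		newLeafSelectors := v.Path().Selectors()[len(functionPathSelectors):]
		newLeafSelectors = append(newLeafSelectors, cue.Str("contents"))
		if err := output.FillPath(cue.MakePath(newLeafSelectors...), secret.MarshalCUE()); err != nil {
			walkErr = err
		}
	})
	if walkErr != nil {
		return nil, walkErr
	}
	return output, nil
```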


@ -19,7 +19,7 @@ engine.#Plan & {
input: inputs.secrets.sops.contents input: inputs.secrets.sops.contents
#function: { #function: {
input: _ input: _
output: yaml.Unmarshal(input).DOCKERHUB_TOKEN output: yaml.Unmarshal(input)
} }
} }
@ -29,7 +29,7 @@ engine.#Plan & {
target: "daggerio/ci-test:private-pull" target: "daggerio/ci-test:private-pull"
username: "daggertest" username: "daggertest"
secret: dockerHubToken.output secret: dockerHubToken.output.DOCKERHUB_TOKEN.contents
}] }]
dockerfile: contents: """ dockerfile: contents: """
FROM daggerio/ci-test:private-pull@sha256:c74f1b1166784193ea6c8f9440263b9be6cae07dfe35e32a5df7a31358ac2060 FROM daggerio/ci-test:private-pull@sha256:c74f1b1166784193ea6c8f9440263b9be6cae07dfe35e32a5df7a31358ac2060


@ -21,7 +21,7 @@ engine.#Plan & {
input: inputs.secrets.sops.contents input: inputs.secrets.sops.contents
#function: { #function: {
input: _ input: _
output: yaml.Unmarshal(input).TestPAT output: yaml.Unmarshal(input)
} }
} }
@ -30,7 +30,7 @@ engine.#Plan & {
ref: "main" ref: "main"
auth: { auth: {
username: "dagger-test" username: "dagger-test"
password: repoPassword.output password: repoPassword.output.TestPAT.contents
} }
} }