supports map of secrets; errors redact plaintext
Signed-off-by: Richard Jones <richard@dagger.io>
This commit is contained in:
parent
86ae230261
commit
05820f3a67
1
go.mod
1
go.mod
@ -25,6 +25,7 @@ require (
|
||||
github.com/opencontainers/go-digest v1.0.0
|
||||
github.com/opencontainers/image-spec v1.0.2
|
||||
github.com/rs/zerolog v1.26.0
|
||||
github.com/sergi/go-diff v1.1.0 // indirect
|
||||
github.com/spf13/cobra v1.2.1
|
||||
github.com/spf13/viper v1.8.1
|
||||
github.com/stretchr/testify v1.7.0
|
||||
|
@ -5,13 +5,14 @@ package engine
|
||||
$dagger: task: _name: "TransformSecret"
|
||||
// The original secret
|
||||
input: #Secret
|
||||
// A new secret with the transformation applied
|
||||
output: #Secret
|
||||
// A new secret or (map of secrets) with the transformation applied
|
||||
output: #Secret | {[string]: output}
|
||||
// Transformation function
|
||||
#function: {
|
||||
// Full contents of the input secret (only available to the function)
|
||||
input: string
|
||||
_functionOutput: string | {[string]: _functionOutput}
|
||||
// New contents of the output secret (must provided by the caller)
|
||||
output: string
|
||||
output: _functionOutput
|
||||
}
|
||||
}
|
||||
|
@ -3,9 +3,11 @@ package task
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"strings"
|
||||
|
||||
"cuelang.org/go/cue"
|
||||
"github.com/rs/zerolog/log"
|
||||
"github.com/sergi/go-diff/diffmatchpatch"
|
||||
"go.dagger.io/dagger/compiler"
|
||||
"go.dagger.io/dagger/plancontext"
|
||||
"go.dagger.io/dagger/solver"
|
||||
@ -23,9 +25,6 @@ func (c *transformSecretTask) Run(ctx context.Context, pctx *plancontext.Context
|
||||
lg.Debug().Msg("transforming secret")
|
||||
|
||||
input := v.Lookup("input")
|
||||
if !plancontext.IsSecretValue(input) {
|
||||
return nil, errors.New("#TransformSecret requires input: #Secret")
|
||||
}
|
||||
|
||||
inputSecret, err := pctx.Secrets.FromValue(input)
|
||||
if err != nil {
|
||||
@ -33,15 +32,37 @@ func (c *transformSecretTask) Run(ctx context.Context, pctx *plancontext.Context
|
||||
}
|
||||
|
||||
function := v.Lookup("#function")
|
||||
function.FillPath(cue.ParsePath("input"), inputSecret.PlainText())
|
||||
|
||||
outputPlaintext, err := function.Lookup("output").String()
|
||||
inputSecretPlaintext := inputSecret.PlainText()
|
||||
err = function.FillPath(cue.ParsePath("input"), inputSecretPlaintext)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
dmp := diffmatchpatch.New()
|
||||
errStr := err.Error()
|
||||
diffs := dmp.DiffMain(inputSecretPlaintext, err.Error(), false)
|
||||
for _, diff := range diffs {
|
||||
if diff.Type == diffmatchpatch.DiffEqual {
|
||||
diffText := strings.ReplaceAll(diff.Text, ":", "")
|
||||
errStr = strings.ReplaceAll(errStr, diffText, "<redacted>")
|
||||
}
|
||||
}
|
||||
|
||||
outputSecret := pctx.Secrets.New(outputPlaintext)
|
||||
return compiler.NewValue().FillFields(map[string]interface{}{
|
||||
"output": outputSecret.MarshalCUE(),
|
||||
return nil, errors.New(errStr)
|
||||
}
|
||||
|
||||
output := compiler.NewValue()
|
||||
// users could yaml.Unmarshal(input) and return a map
|
||||
// or yaml.Unmarshal(input).someKey and return a string
|
||||
// walk will ensure we convert every leaf
|
||||
functionPathSelectors := function.Path().Selectors()
|
||||
function.Lookup("output").Walk(nil, func(v *compiler.Value) {
|
||||
if v.Kind() == cue.StringKind {
|
||||
plaintext, _ := v.String()
|
||||
secret := pctx.Secrets.New(plaintext)
|
||||
newLeafSelectors := v.Path().Selectors()[len(functionPathSelectors):]
|
||||
newLeafSelectors = append(newLeafSelectors, cue.Str("contents"))
|
||||
newLeafPath := cue.MakePath(newLeafSelectors...)
|
||||
output.FillPath(newLeafPath, secret.MarshalCUE())
|
||||
}
|
||||
})
|
||||
|
||||
return output, nil
|
||||
}
|
||||
|
@ -19,7 +19,7 @@ engine.#Plan & {
|
||||
input: inputs.secrets.sops.contents
|
||||
#function: {
|
||||
input: _
|
||||
output: yaml.Unmarshal(input).DOCKERHUB_TOKEN
|
||||
output: yaml.Unmarshal(input)
|
||||
}
|
||||
}
|
||||
|
||||
@ -29,7 +29,7 @@ engine.#Plan & {
|
||||
target: "daggerio/ci-test:private-pull"
|
||||
username: "daggertest"
|
||||
|
||||
secret: dockerHubToken.output
|
||||
secret: dockerHubToken.output.DOCKERHUB_TOKEN.contents
|
||||
}]
|
||||
dockerfile: contents: """
|
||||
FROM daggerio/ci-test:private-pull@sha256:c74f1b1166784193ea6c8f9440263b9be6cae07dfe35e32a5df7a31358ac2060
|
||||
|
@ -21,7 +21,7 @@ engine.#Plan & {
|
||||
input: inputs.secrets.sops.contents
|
||||
#function: {
|
||||
input: _
|
||||
output: yaml.Unmarshal(input).TestPAT
|
||||
output: yaml.Unmarshal(input)
|
||||
}
|
||||
}
|
||||
|
||||
@ -30,7 +30,7 @@ engine.#Plan & {
|
||||
ref: "main"
|
||||
auth: {
|
||||
username: "dagger-test"
|
||||
password: repoPassword.output
|
||||
password: repoPassword.output.TestPAT.contents
|
||||
}
|
||||
}
|
||||
|
||||
|
Reference in New Issue
Block a user