diff --git a/plan/task/inputsecretenv.go b/plan/task/inputsecretenv.go
index 7336aeaa..6e9fa11b 100644
--- a/plan/task/inputsecretenv.go
+++ b/plan/task/inputsecretenv.go
@@ -4,6 +4,7 @@ import ( "context" "fmt" "os" + "strings" "github.com/rs/zerolog/log" "go.dagger.io/dagger/compiler"
@@ -22,19 +23,25 @@ func (c *inputSecretEnvTask) Run(ctx context.Context, pctx *plancontext.Context, lg := log.Ctx(ctx) var secretEnv struct { - Envvar string + Envvar string + TrimSpace bool } if err := v.Decode(&secretEnv); err != nil { return nil, err } - lg.Debug().Str("envvar", secretEnv.Envvar).Msg("loading secret") + lg.Debug().Str("envvar", secretEnv.Envvar).Str("trimSpace", fmt.Sprintf("%t", secretEnv.TrimSpace)).Msg("loading secret") env := os.Getenv(secretEnv.Envvar) if env == "" { return nil, fmt.Errorf("environment variable %q not set", secretEnv.Envvar) } + + if secretEnv.TrimSpace { + env = strings.TrimSpace(env) + } + secret := pctx.Secrets.New(env) return compiler.NewValue().FillFields(map[string]interface{}{ "contents": secret.MarshalCUE(),
diff --git a/plan/task/inputsecretexec.go b/plan/task/inputsecretexec.go
index 0d2fcf26..5806cccf 100644
--- a/plan/task/inputsecretexec.go
+++ b/plan/task/inputsecretexec.go
@@ -2,6 +2,7 @@ package task import ( "context" + "fmt" "os/exec" "strings" 
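Review bot: The empty-value check still runs before the new trim, so a whitespace-only variable passes `if env == ""` and reaches `pctx.Secrets.New` as an empty secret once trimmed; either move the `if secretEnv.TrimSpace` block above that check, or re-check after it with `if env == "" { return nil, fmt.Errorf("environment variable %q is empty after trimming", secretEnv.Envvar) }`, so the "not set" rejection stays meaningful. The exec and file tasks in this commit have no empty check at all, so empty or whitespace-only output silently becomes an empty secret there as well. Separately, the replaced lg.Debug line formats the flag with `fmt.Sprintf("%t", …)` into `.Str`; zerolog's `.Bool("trimSpace", secretEnv.TrimSpace)` is the direct form, and the same applies to the exec and file hunks. Run's closing brace lies past the end of the hunk.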
@@ -24,21 +25,29 @@ func (c *inputSecretExecTask) Run(ctx context.Context, pctx *plancontext.Context Name string Args []string } + TrimSpace bool } if err := v.Decode(&secretExec); err != nil { return nil, err } - lg := log.Ctx(ctx) - lg.Debug().Str("name", secretExec.Command.Name).Str("args", strings.Join(secretExec.Command.Args, " ")).Msg("executing secret command") + lg := log.Ctx(ctx) + lg.Debug().Str("name", secretExec.Command.Name).Str("args", strings.Join(secretExec.Command.Args, " ")).Str("trimSpace", fmt.Sprintf("%t", secretExec.TrimSpace)).Msg("loading secret") // sec audited by @aluzzardi and @mrjones out, err := exec.CommandContext(ctx, secretExec.Command.Name, secretExec.Command.Args...).Output() //#nosec G204 if err != nil { return nil, err } - secret := pctx.Secrets.New(string(out)) + + plaintext := string(out) + + if secretExec.TrimSpace { + plaintext = strings.TrimSpace(plaintext) + } + + secret := pctx.Secrets.New(plaintext) return compiler.NewValue().FillFields(map[string]interface{}{ "contents": secret.MarshalCUE(), })
diff --git a/plan/task/inputsecretfile.go b/plan/task/inputsecretfile.go
index d6c8aca2..e985f34f 100644
--- a/plan/task/inputsecretfile.go
+++ b/plan/task/inputsecretfile.go
@@ -2,7 +2,9 @@ package task import ( "context" + "fmt" "os" + "strings" "github.com/rs/zerolog/log" "go.dagger.io/dagger/compiler" 
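Review bot: The `Output()` error on the line after the `// sec audited` comment is still returned bare, so a failing secret command surfaces as just `exit status N` with no indication of which task or command produced it; with `fmt` now imported in this file, `return nil, fmt.Errorf("running secret command %q: %w", secretExec.Command.Name, err)` keeps that context without attaching the command's captured stderr, which may carry secret material and should stay out of error strings and logs. The `-`/`+` pair for `lg := log.Ctx(ctx)` shows identical text, which looks like a whitespace-only change on that line and could be dropped to keep the diff minimal. Run's closing brace lies past the end of the hunk.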
@@ -18,24 +20,29 @@ type inputSecretFileTask struct { } func (c *inputSecretFileTask) Run(ctx context.Context, pctx *plancontext.Context, _ solver.Solver, v *compiler.Value) (*compiler.Value, error) { - lg := log.Ctx(ctx) - var secretFile struct { - Path string + Path string + TrimSpace bool } if err := v.Decode(&secretFile); err != nil { return nil, err } - lg.Debug().Str("path", secretFile.Path).Msg("loading secret") + lg := log.Ctx(ctx) + lg.Debug().Str("path", secretFile.Path).Str("trimSpace", fmt.Sprintf("%t", secretFile.TrimSpace)).Msg("loading secret") - plaintext, err := os.ReadFile(secretFile.Path) + fileBytes, err := os.ReadFile(secretFile.Path) if err != nil { return nil, err } - secret := pctx.Secrets.New(string(plaintext)) + plaintext := string(fileBytes) + if secretFile.TrimSpace { + plaintext = strings.TrimSpace(plaintext) + } + + secret := pctx.Secrets.New(plaintext) return compiler.NewValue().FillFields(map[string]interface{}{ "contents": secret.MarshalCUE(), })
diff --git a/stdlib/europa/dagger/engine/plan.cue b/stdlib/europa/dagger/engine/plan.cue
index 2d444b33..29b2efaf 100644
--- a/stdlib/europa/dagger/engine/plan.cue
+++ b/stdlib/europa/dagger/engine/plan.cue
@@ -66,6 +66,9 @@ _#inputSecret: { // See universe.dagger.io/docker.#Run.mounts // FIXME: `contents` field name causes confusion (not actually the secret contents..) contents: #Secret + + // Whether to trim leading and trailing space characters from secret value + trimSpace: *true | false } // Read secret from an environment variable ON THE CLIENT MACHINE
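Review bot: The new `trimSpace` field defaults to `true`, so secrets in existing plans whose value legitimately begins or ends with whitespace will change silently on upgrade; if that is the intent, the comment on the added line should state it, e.g. `// Whether to trim leading and trailing whitespace (including newlines) from the secret value. Defaults to true; set to false to keep the value exactly as read.` The Go tasks in this commit implement the flag with strings.TrimSpace, which removes all Unicode whitespace rather than only space characters, so "space characters" in the current comment understates what is stripped.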