Merge pull request #527 from aluzzardi/redact-secrets

automatically redact secrets from logs
This commit is contained in:
Andrea Luzzardi 2021-06-01 10:53:04 -07:00 committed by GitHub
commit 7d740fb255
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -81,7 +81,7 @@ func (c *Client) Do(ctx context.Context, state *state.State, fn DoFunc) (*enviro
// Create a background context so that logging will not be cancelled // Create a background context so that logging will not be cancelled
// with the main context. // with the main context.
dispCtx := lg.WithContext(context.Background()) dispCtx := lg.WithContext(context.Background())
return c.logSolveStatus(dispCtx, events) return c.logSolveStatus(dispCtx, state, events)
}) })
// Spawn build function // Spawn build function
@ -181,7 +181,7 @@ func (c *Client) buildfn(ctx context.Context, st *state.State, env *environment.
return nil return nil
} }
func (c *Client) logSolveStatus(ctx context.Context, ch chan *bk.SolveStatus) error { func (c *Client) logSolveStatus(ctx context.Context, st *state.State, ch chan *bk.SolveStatus) error {
parseName := func(v *bk.Vertex) (string, string) { parseName := func(v *bk.Vertex) (string, string) {
// Pattern: `@name@ message`. Minimal length is len("@X@ ") // Pattern: `@name@ message`. Minimal length is len("@X@ ")
if len(v.Name) < 2 || !strings.HasPrefix(v.Name, "@") { if len(v.Name) < 2 || !strings.HasPrefix(v.Name, "@") {
@ -197,6 +197,18 @@ func (c *Client) logSolveStatus(ctx context.Context, ch chan *bk.SolveStatus) er
return component, v.Name[prefixEndPos+3 : len(v.Name)] return component, v.Name[prefixEndPos+3 : len(v.Name)]
} }
// Just like sprintf, but redacts secrets automatically
secureSprintf := func(format string, a ...interface{}) string {
s := fmt.Sprintf(format, a...)
for _, i := range st.Inputs {
if i.Secret == nil {
continue
}
s = strings.ReplaceAll(s, i.Secret.PlainText(), "***")
}
return s
}
return progressui.PrintSolveStatus(ctx, ch, return progressui.PrintSolveStatus(ctx, ch,
func(v *bk.Vertex, index int) { func(v *bk.Vertex, index int) {
component, name := parseName(v) component, name := parseName(v)
@ -208,10 +220,10 @@ func (c *Client) logSolveStatus(ctx context.Context, ch chan *bk.SolveStatus) er
lg. lg.
Debug(). Debug().
Msg(fmt.Sprintf("#%d %s\n", index, name)) Msg(secureSprintf("#%d %s\n", index, name))
lg. lg.
Debug(). Debug().
Msg(fmt.Sprintf("#%d %s\n", index, v.Digest)) Msg(secureSprintf("#%d %s\n", index, v.Digest))
}, },
func(v *bk.Vertex, format string, a ...interface{}) { func(v *bk.Vertex, format string, a ...interface{}) {
component, _ := parseName(v) component, _ := parseName(v)
@ -221,9 +233,10 @@ func (c *Client) logSolveStatus(ctx context.Context, ch chan *bk.SolveStatus) er
Str("component", component). Str("component", component).
Logger() Logger()
msg := secureSprintf(format, a...)
lg. lg.
Debug(). Debug().
Msg(fmt.Sprintf(format, a...)) Msg(msg)
}, },
func(v *bk.Vertex, stream int, partial bool, format string, a ...interface{}) { func(v *bk.Vertex, stream int, partial bool, format string, a ...interface{}) {
component, _ := parseName(v) component, _ := parseName(v)
@ -233,15 +246,16 @@ func (c *Client) logSolveStatus(ctx context.Context, ch chan *bk.SolveStatus) er
Str("component", component). Str("component", component).
Logger() Logger()
msg := secureSprintf(format, a...)
switch stream { switch stream {
case 1: case 1:
lg. lg.
Info(). Info().
Msg(fmt.Sprintf(format, a...)) Msg(msg)
case 2: case 2:
lg. lg.
Error(). Error().
Msg(fmt.Sprintf(format, a...)) Msg(msg)
} }
}, },
) )