Merge pull request #527 from aluzzardi/redact-secrets

automatically redact secrets from logs
This commit is contained in:
Andrea Luzzardi 2021-06-01 10:53:04 -07:00 committed by GitHub
commit 7d740fb255
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -81,7 +81,7 @@ func (c *Client) Do(ctx context.Context, state *state.State, fn DoFunc) (*enviro
// Create a background context so that logging will not be cancelled
// with the main context.
dispCtx := lg.WithContext(context.Background())
return c.logSolveStatus(dispCtx, events)
return c.logSolveStatus(dispCtx, state, events)
})
// Spawn build function
@ -181,7 +181,7 @@ func (c *Client) buildfn(ctx context.Context, st *state.State, env *environment.
return nil
}
func (c *Client) logSolveStatus(ctx context.Context, ch chan *bk.SolveStatus) error {
func (c *Client) logSolveStatus(ctx context.Context, st *state.State, ch chan *bk.SolveStatus) error {
parseName := func(v *bk.Vertex) (string, string) {
// Pattern: `@name@ message`. Minimal length is len("@X@ ")
if len(v.Name) < 2 || !strings.HasPrefix(v.Name, "@") {
@ -197,6 +197,18 @@ func (c *Client) logSolveStatus(ctx context.Context, ch chan *bk.SolveStatus) er
return component, v.Name[prefixEndPos+3 : len(v.Name)]
}
// Just like sprintf, but redacts secrets automatically
secureSprintf := func(format string, a ...interface{}) string {
s := fmt.Sprintf(format, a...)
for _, i := range st.Inputs {
if i.Secret == nil {
continue
}
s = strings.ReplaceAll(s, i.Secret.PlainText(), "***")
}
return s
}
return progressui.PrintSolveStatus(ctx, ch,
func(v *bk.Vertex, index int) {
component, name := parseName(v)
@ -208,10 +220,10 @@ func (c *Client) logSolveStatus(ctx context.Context, ch chan *bk.SolveStatus) er
lg.
Debug().
Msg(fmt.Sprintf("#%d %s\n", index, name))
Msg(secureSprintf("#%d %s\n", index, name))
lg.
Debug().
Msg(fmt.Sprintf("#%d %s\n", index, v.Digest))
Msg(secureSprintf("#%d %s\n", index, v.Digest))
},
func(v *bk.Vertex, format string, a ...interface{}) {
component, _ := parseName(v)
@ -221,9 +233,10 @@ func (c *Client) logSolveStatus(ctx context.Context, ch chan *bk.SolveStatus) er
Str("component", component).
Logger()
msg := secureSprintf(format, a...)
lg.
Debug().
Msg(fmt.Sprintf(format, a...))
Msg(msg)
},
func(v *bk.Vertex, stream int, partial bool, format string, a ...interface{}) {
component, _ := parseName(v)
@ -233,15 +246,16 @@ func (c *Client) logSolveStatus(ctx context.Context, ch chan *bk.SolveStatus) er
Str("component", component).
Logger()
msg := secureSprintf(format, a...)
switch stream {
case 1:
lg.
Info().
Msg(fmt.Sprintf(format, a...))
Msg(msg)
case 2:
lg.
Error().
Msg(fmt.Sprintf(format, a...))
Msg(msg)
}
},
)