Merge pull request #965 from talentedmrjones/bust-cache-for-new-secrets

Bust the buildkit cache when secret value changes
2021-09-16 09:01:59 -07:00 · 2021-09-16 09:01:59 -07:00 · dda8141dac
commit dda8141dac
parent 7073bc89c0 defaea5a87
3 changed files with 9 additions and 2 deletions
--- a/solver/secretsprovider.go
+++ b/solver/secretsprovider.go
@ -44,6 +44,8 @@ func (s *inputStore) GetSecret(ctx context.Context, id string) ([]byte, error) {

 	id = strings.TrimPrefix(id, secretPrefix)

+	id = strings.Split(id, ";hash=")[0]
+
 	input, ok := s.st.Inputs[id]
 	if !ok {
 		return nil, secrets.ErrNotFound
--- a/state/input.go
+++ b/state/input.go
@ -1,6 +1,7 @@
 package state

 import (
+	"crypto/sha256"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@ -197,7 +198,11 @@ func SecretInput(data string) Input {
 type secretInput string

 func (i secretInput) Compile(key string, _ *State) (*compiler.Value, error) {
-	return compiler.Compile("", fmt.Sprintf(`{id:%q}`, "secret="+key))
+	hash := sha256.New()
+	hash.Write([]byte(key))
+	checksum := hash.Sum([]byte(i.PlainText()))
+	secretValue := fmt.Sprintf(`{id:"secret=%s;hash=%x"}`, key, checksum)
+	return compiler.Compile("", secretValue)
 }

 func (i secretInput) PlainText() string {
--- a/tests/core.bats
+++ b/tests/core.bats
@ -145,7 +145,7 @@ setup() {
    # Make sure the secret doesn't show in dagger query
    run "$DAGGER" query mySecret.id -f text
    assert_success
-    assert_output "secret=mySecret"
+    assert_output --partial "secret=mySecret;hash="
 }

@test "compute: docker socket" {