From 0666d6f55a1528fb1d49b7b34543d5c280454741 Mon Sep 17 00:00:00 2001
From: Richard
Date: Fri, 10 Sep 2021 15:10:39 -0600
Subject: [PATCH 1/3] added hash of the secret key+value to invalidate buildkit cache when value changes

Signed-off-by: Richard
---
 solver/secretsprovider.go | 2 ++
 state/input.go | 9 +++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/solver/secretsprovider.go b/solver/secretsprovider.go
index 3e255bcb..95382e63 100644
--- a/solver/secretsprovider.go
+++ b/solver/secretsprovider.go
@@ -44,6 +44,8 @@ func (s *inputStore) GetSecret(ctx context.Context, id string) ([]byte, error) {
 id = strings.TrimPrefix(id, secretPrefix)
 
+ id = strings.Split(id, ";hash=")[0]
+
 input, ok := s.st.Inputs[id]
 if !ok {
 return nil, secrets.ErrNotFound
diff --git a/state/input.go b/state/input.go
index 6f4500f9..3188f000 100644
--- a/state/input.go
+++ b/state/input.go
@@ -1,6 +1,7 @@
 package state
 
 import (
+ "crypto/sha256"
 "encoding/json"
 "fmt"
 "io/ioutil"
@@ -196,8 +197,12 @@ func SecretInput(data string) Input {
 
 type secretInput string
 
-func (i secretInput) Compile(key string, _ *State) (*compiler.Value, error) {
- return compiler.Compile("", fmt.Sprintf(`{id:%q}`, "secret="+key))
+func (i secretInput) Compile(key string, s *State) (*compiler.Value, error) {
+ hash := sha256.New()
+ hash.Write([]byte(key))
+ checksum := hash.Sum([]byte(s.Inputs[key].Secret.PlainText()))
+ secretValue := fmt.Sprintf(`{id:"secret=%s;hash=%x"}`, key, checksum)
+ return compiler.Compile("", secretValue)
 }
 
 func (i secretInput) PlainText() string {
From e86985da16b3c8a62d4c1faf0bedcca7d15b3378 Mon Sep 17 00:00:00 2001
From: Richard Jones
Date: Fri, 10 Sep 2021 15:36:17 -0600
Subject: [PATCH 2/3] adjust test to account for the new hash

Signed-off-by: Richard Jones
---
 tests/core.bats | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/core.bats b/tests/core.bats
index 597817e5..a3e7e582 100644
--- a/tests/core.bats
+++ b/tests/core.bats
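Review bot: The added `strings.Split(id, ";hash=")[0]` strips the suffix without any check, so a reader of GetSecret cannot tell from this line whether the hash is a cache-busting token or something that should have been validated against the stored value; a comment on the added line would settle it, e.g. `// drop the ";hash=..." suffix appended by secretInput.Compile; it exists only to change the BuildKit cache key when the value changes and is not verified here`. The literal `";hash="` is also duplicated between this file and state/input.go, and a shared constant next to `secretPrefix` would keep the two sides in sync if the id format changes again. GetSecret's body starts before and continues past this hunk.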
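Review bot: The new `secretValue` line interpolates `key` with `%s` inside a hand-written CUE double-quoted string, whereas the removed line passed the whole id through `%q`; a key containing `"` or `\` now produces invalid CUE (or an id that parses differently from what GetSecret will strip) instead of an escaped string. Keep the old escaping by building the plain id first, `id := fmt.Sprintf("secret=%s;hash=%x", key, checksum)`, and quoting it once with the original template, `return compiler.Compile("", fmt.Sprintf(`+"`{id:%q}`"+`, id))`. The replaced Compile body is fully inside this hunk.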
@@ -145,7 +145,7 @@ setup() {
 # Make sure the secret doesn't show in dagger query
 run "$DAGGER" query mySecret.id -f text
 assert_success
- assert_output "secret=mySecret"
+ assert_output --partial "secret=mySecret;hash="
 }
 
 @test "compute: docker socket" {
From defaea5a87c728c7ac49da323a59f5c5d77d1041 Mon Sep 17 00:00:00 2001
From: Richard Jones
Date: Thu, 16 Sep 2021 09:30:15 -0600
Subject: [PATCH 3/3] referencing secretInput directly rather than looking up in State by key

Signed-off-by: Richard Jones
---
 state/input.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/state/input.go b/state/input.go
index 3188f000..5c75fb08 100644
--- a/state/input.go
+++ b/state/input.go
@@ -197,10 +197,10 @@ func SecretInput(data string) Input {
 
 type secretInput string
 
-func (i secretInput) Compile(key string, s *State) (*compiler.Value, error) {
+func (i secretInput) Compile(key string, _ *State) (*compiler.Value, error) {
 hash := sha256.New()
 hash.Write([]byte(key))
- checksum := hash.Sum([]byte(s.Inputs[key].Secret.PlainText()))
+ checksum := hash.Sum([]byte(i.PlainText()))
 secretValue := fmt.Sprintf(`{id:"secret=%s;hash=%x"}`, key, checksum)
 return compiler.Compile("", secretValue)
 }
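Review bot: With `--partial` the new assertion only proves the `secret=mySecret;hash=` prefix is present and no longer checks what the comment two lines above claims, that the secret value itself is absent from the query output; whatever follows `hash=` is unconstrained, so a leak of the plaintext into that suffix would pass this test. Add a negative assertion on the same output, e.g. `refute_output --partial "$SECRET_VALUE"` using whichever variable the surrounding setup stores the plaintext in (that setup is outside the hunk, so the name is a guess), and ideally a second one on its hex encoding since the suffix is printed with `%x`. The enclosing @test starts before this hunk.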
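Review bot: `hash.Sum([]byte(i.PlainText()))` on the added line does not hash the secret value: `hash.Hash.Sum(b)` appends the digest of what was written so far to `b` and returns that slice, so `checksum` is the raw plaintext followed by sha256(key), and the `%x` on the next line writes the secret, hex-encoded, into the id that becomes the BuildKit cache key and is what `dagger query mySecret.id` prints. The value has to be fed to the hash rather than to Sum: `hash.Write([]byte(i.PlainText()))` followed by `checksum := hash.Sum(nil)`. Even with that fix an unsalted sha256 of key+value in a cache key lets anyone who can read the key confirm guesses of a low-entropy secret offline; if the cache key is visible outside the trust boundary, an HMAC under a random per-installation key would be the safer choice. The ignored `Write` return is fine only because hash.Hash's Write never fails, which is worth a short comment so errcheck-style linters do not flag it; the whole Compile body is inside this hunk.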