From de8cd3a52a8dee4431da583d31444726a5c9d949 Mon Sep 17 00:00:00 2001
From: guillaume
Date: Thu, 14 Oct 2021 02:43:45 +0200
Subject: [PATCH] Add secrets for secure mount of .env local files inside Dagger
Signed-off-by: guillaume
---
 stdlib/.dagger/env/js-yarn/values.yaml | 11 +++++--
 stdlib/js/yarn/tests/testdata2/package.json | 12 ++++++++
 stdlib/js/yarn/tests/yarn.cue | 32 +++++++++++++++++++++
 stdlib/js/yarn/yarn.cue | 19 ++++++++++++
 4 files changed, 72 insertions(+), 2 deletions(-)
 create mode 100644 stdlib/js/yarn/tests/testdata2/package.json
diff --git a/stdlib/.dagger/env/js-yarn/values.yaml b/stdlib/.dagger/env/js-yarn/values.yaml
index 96355983..4ca9af4e 100644
--- a/stdlib/.dagger/env/js-yarn/values.yaml
+++ b/stdlib/.dagger/env/js-yarn/values.yaml
@@ -5,6 +5,13 @@ inputs:
 TestData:
 dir:
 path: ./js/yarn/tests/testdata
+ TestData2:
+ dir:
+ path: ./js/yarn/tests/testdata2
+ TestSecretsAndFile.pkg.secrets.secretone:
+ secret: ENC[AES256_GCM,data:xfk8,iv:EHZpLqR2CAhFE/39/c7FkQD4G83nt0sIB3svzvA2axU=,tag:Frsl2djN2uYZrv8ZWvElhw==,type:str]
+ TestSecretsAndFile.pkg.secrets.secretwo:
+ secret: ENC[AES256_GCM,data:d5Yr,iv:iMS3HQO6/7hnA0rNxHbj4yMxEyKm85/73+V7W0nDGzk=,tag:J/3RUP8x17V0fnUerlY46w==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -20,8 +27,8 @@ sops:
 S2JsNXRkbWVERHM0WWk0bXBJSXJIK1kK9R3gMDcbeKRRlt0HHM+w2kcs+sGfASmE
 0YhxbFF2qQPFwHHR7aPmM+L1ML8cXOrxOOyWmmWhXNgtURCJ9/SO3A==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2021-07-08T09:55:45Z"
- mac: ENC[AES256_GCM,data:qVdlcliugnYIPCAe36scgfaXy3QJhIpPampNK1d4E47njhoOooM5YzpI57sIRlC0qYh+Y9osaux3+zjMgws09rIEdyuBkBoQ/M+0D5D9fz8hZLEbfGr1hhuBfI95kfKGnip8h7K/tiZAneHuDmPqd5Pjc+3CeCT8TFMTjet2tIU=,iv:OnSghkK2Kgki8DjAuSy8ubjVQqnt8kbf9Xz5cJxvpZc=,tag:wl2izqxIxNiidKBlC1dqmA==,type:str]
+ lastmodified: "2021-10-14T00:13:29Z"
+ mac: ENC[AES256_GCM,data:jtcjDq2yzjQMF9+0CULS5w0CHQe9iZyAz/j4GsRxVpHj2N+1CucCK2TM8ydP3A0nspUsmiJlzrdZGJ/axb4SMNzc3rRxQXSEwXFuarGzhnZdUaui2Y3F36wCbFght9fACg7T/fXid9ZMYwHSA+5ZcjJZG4SZ5f0QyrzD8VKmBm0=,iv:z2eNPACf6NqJSe2TjlUAeTh9dkzHcaL5/7niknDFuEw=,tag:FuF+U1IaFEMS+imdNB4vKA==,type:str]
 pgp: []
 encrypted_suffix: secret
 version: 3.7.1
diff --git a/stdlib/js/yarn/tests/testdata2/package.json b/stdlib/js/yarn/tests/testdata2/package.json
new file mode 100644
index 00000000..94746735
--- /dev/null
+++ b/stdlib/js/yarn/tests/testdata2/package.json
@@ -0,0 +1,12 @@
+{
+ "name": "test",
+ "main": "index.js",
+ "license": {
+ "type": "Apache-2.0",
+ "url": "https://opensource.org/licenses/apache2.0.php"
+ },
+ "scripts": {
+ "build": "mkdir -p ./build && cp /.env ./build/env"
+ }
+ }
+ 
\ No newline at end of file
diff --git a/stdlib/js/yarn/tests/yarn.cue b/stdlib/js/yarn/tests/yarn.cue
index 6f52cb8b..8cf8a9ef 100644
--- a/stdlib/js/yarn/tests/yarn.cue
+++ b/stdlib/js/yarn/tests/yarn.cue
@@ -23,3 +23,35 @@ TestReact: {
 """
 }
 }
+
+TestData2: dagger.#Artifact
+
+TestSecretsAndFile: {
+ pkg: #Package & {
+ source: TestData2
+ writeEnvFile: "/.env"
+ env: {
+ one: "one"
+ two: "two"
+ }
+ secrets: {
+ secretone: dagger.#Secret @dagger(input)
+ secretwo: dagger.#Secret @dagger(input)
+ }
+ }
+
+ test: os.#Container & {
+ image: alpine.#Image & {
+ package: bash: "=5.1.0-r0"
+ }
+ shell: path: "/bin/bash"
+ mount: "/build": from: pkg.build
+ command: """
+ content="$(cat /build/env)"
+ [[ "${content}" = *"SECRETONE="* ]] && \\
+ [[ "${content}" = *"SECRETWO="* ]] && \\
+ [[ "${content}" = *"ONE=one"* ]] && \\
+ [[ "${content}" = *"TWO=two"* ]]
+ """
+ }
+}
diff --git a/stdlib/js/yarn/yarn.cue b/stdlib/js/yarn/yarn.cue
index 7f90dbd3..ec75dd15 100644
--- a/stdlib/js/yarn/yarn.cue
+++ b/stdlib/js/yarn/yarn.cue
@@ -41,6 +41,9 @@ import (
 // Optional arguments for the script
 args: [...string] | *[] @dagger(input)
 
+ // Secret variables
+ secrets: [string]: dagger.#Secret
+
 // Build output directory
 build: os.#Dir & {
 from: ctr
@@ -56,7 +59,20 @@ import (
 }
 shell: path: "/bin/bash"
 command: """
+ # Create $ENVFILE_NAME file if set
 [ -n "$ENVFILE_NAME" ] && echo "$ENVFILE" > "$ENVFILE_NAME"
+
+ # Safely export secrets, or prepend them to $ENVFILE_NAME if set
+ shopt -s dotglob
+ for FILE in /tmp/secrets/*; do
+ val=$(echo "${FILE##*/}" | tr '[:lower:]' '[:upper:]') # Collect name
+ path=$(cat "$FILE") # Collect value
+ # Prepend
+ [ -n "$ENVFILE_NAME" ] && echo "$val=$path"$'\n'"$(cat "$ENVFILE_NAME")" > "$ENVFILE_NAME" \\
+ || export "$val"="$path" # Or export
+ done
+
+ # Execute
 yarn --cwd "$YARN_CWD" install --production false
 opts=( $(echo $YARN_ARGS) )
@@ -74,6 +90,9 @@ import (
 ENVFILE: strings.Join([ for k, v in env {"\(k)=\(v)"}], "\n")
 }
 }
+ for name, s in secrets {
+ secret: "/tmp/secrets/\(name)": s
+ }
 dir: "/src"
 mount: "/src": from: source
 cache: "/cache/yarn": true
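Review bot: The assertions in `TestSecretsAndFile.test.command` only check that the keys `SECRETONE=` and `SECRETWO=` occur somewhere in /build/env, so an empty or truncated value (for example when reading a mounted secret fails inside the package script) still passes. Requiring a non-empty value per key, e.g. `grep -Eq '^SECRETONE=.+$' /build/env && grep -Eq '^SECRETWO=.+$' /build/env`, pins the behaviour the test is meant to cover without putting the plaintext into the test file. It is also worth a one-line comment above `writeEnvFile: "/.env"` saying that the fixture's package.json deliberately copies this file into the build output, since copying a secrets env file into an artifact is precisely what a real pipeline must not do.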
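Review bot: `secrets: [string]: dagger.#Secret` accepts any key, but the shell loop added later in this file turns the key into an environment variable name with `tr '[:lower:]' '[:upper:]'` and the last hunk splices it verbatim into `"/tmp/secrets/\(name)"`, so a key that is not a valid shell identifier (a hyphen, a dot) makes `export` fail at run time and a key containing a path separator changes where the secret is mounted and is then missed by the `/tmp/secrets/*` glob. Constraining the label in CUE surfaces the problem at definition time: `secrets: [=~"^[A-Za-z_][A-Za-z0-9_]*$"]: dagger.#Secret`. The comment `// Secret variables` should also say how the key is used, e.g. `// Secrets: mounted at /tmp/secrets/<name> and exported as the upper-cased <NAME>, or prepended to writeEnvFile when that is set`. The `#Package` definition this field belongs to starts before the hunk.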
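Review bot: `for FILE in /tmp/secrets/*` runs with `dotglob` but not `nullglob`, so when no secrets are given (presumably the existing tests, where nothing is mounted under /tmp/secrets) the pattern stays literal: `cat` fails, `val` becomes `*`, and the script either writes a bogus `*=` line to `$ENVFILE_NAME` or errors on `export "*"=`. `shopt -s dotglob nullglob` makes the loop a no-op in that case. The prepend line additionally passes the secret value through `echo`, which mangles values starting with `-` or containing backslashes, and its `A && B || C` shape falls through to `export` when the redirection fails instead of reporting it; an `if`/`else` with `printf` avoids both (inside the CUE `"""` literal backslashes must be doubled, as the existing `\\` continuation shows). Finally `# Safely export secrets` oversells what happens: an exported secret is in the environment of `yarn install` and of every script yarn runs, and the env-file form stores it in plaintext where the build can copy it into its output, so the comment should state that trade-off. The `command` string continues past the end of the hunk.
```cue
      # Export secrets, or prepend them to $ENVFILE_NAME if set.
      # NOTE: exported values are visible to yarn and to every script it runs;
      # the env-file form stores them in plaintext on disk.
      shopt -s dotglob nullglob
      for FILE in /tmp/secrets/*; do
        val=$(echo "${FILE##*/}" | tr '[:lower:]' '[:upper:]') # Collect name
        path=$(cat "$FILE") # Collect value
        if [ -n "$ENVFILE_NAME" ]; then
          printf '%s=%s\\n%s\\n' "$val" "$path" "$(cat "$ENVFILE_NAME")" > "$ENVFILE_NAME"
        else
          export "$val"="$path"
        fi
      done
      # … unchanged: yarn install / run …
```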