Merge pull request #1342 from talentedmrjones/europa-transform-secret
implements engine.#TransformSecret
This commit is contained in:
commit
ecc45543a0
1
go.mod
1
go.mod
@ -25,6 +25,7 @@ require (
|
||||
github.com/opencontainers/go-digest v1.0.0
|
||||
github.com/opencontainers/image-spec v1.0.2
|
||||
github.com/rs/zerolog v1.26.0
|
||||
github.com/sergi/go-diff v1.1.0 // indirect
|
||||
github.com/spf13/cobra v1.2.1
|
||||
github.com/spf13/viper v1.8.1
|
||||
github.com/stretchr/testify v1.7.0
|
||||
|
18
pkg/dagger.io/dagger/engine/transformsecret.cue
Normal file
18
pkg/dagger.io/dagger/engine/transformsecret.cue
Normal file
@ -0,0 +1,18 @@
|
||||
package engine
|
||||
|
||||
// Securely apply a CUE transformation on the contents of a secret
|
||||
#TransformSecret: {
|
||||
$dagger: task: _name: "TransformSecret"
|
||||
// The original secret
|
||||
input: #Secret
|
||||
// A new secret or (map of secrets) with the transformation applied
|
||||
output: #Secret | {[string]: output}
|
||||
// Transformation function
|
||||
#function: {
|
||||
// Full contents of the input secret (only available to the function)
|
||||
input: string
|
||||
_functionOutput: string | {[string]: _functionOutput}
|
||||
// New contents of the output secret (must provided by the caller)
|
||||
output: _functionOutput
|
||||
}
|
||||
}
|
68
plan/task/transformsecret.go
Normal file
68
plan/task/transformsecret.go
Normal file
@ -0,0 +1,68 @@
|
||||
package task
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"strings"
|
||||
|
||||
"cuelang.org/go/cue"
|
||||
"github.com/rs/zerolog/log"
|
||||
"github.com/sergi/go-diff/diffmatchpatch"
|
||||
"go.dagger.io/dagger/compiler"
|
||||
"go.dagger.io/dagger/plancontext"
|
||||
"go.dagger.io/dagger/solver"
|
||||
)
|
||||
|
||||
func init() {
|
||||
Register("TransformSecret", func() Task { return &transformSecretTask{} })
|
||||
}
|
||||
|
||||
type transformSecretTask struct {
|
||||
}
|
||||
|
||||
func (c *transformSecretTask) Run(ctx context.Context, pctx *plancontext.Context, _ solver.Solver, v *compiler.Value) (*compiler.Value, error) {
|
||||
lg := log.Ctx(ctx)
|
||||
lg.Debug().Msg("transforming secret")
|
||||
|
||||
input := v.Lookup("input")
|
||||
|
||||
inputSecret, err := pctx.Secrets.FromValue(input)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
function := v.Lookup("#function")
|
||||
inputSecretPlaintext := inputSecret.PlainText()
|
||||
err = function.FillPath(cue.ParsePath("input"), inputSecretPlaintext)
|
||||
if err != nil {
|
||||
dmp := diffmatchpatch.New()
|
||||
errStr := err.Error()
|
||||
diffs := dmp.DiffMain(inputSecretPlaintext, err.Error(), false)
|
||||
for _, diff := range diffs {
|
||||
if diff.Type == diffmatchpatch.DiffEqual {
|
||||
// diffText := strings.ReplaceAll(diff.Text, ":", "") // colons are tricky. Yaml keys end with them but if a secret contained one that got replaced, the secret wouldn't get redacted
|
||||
errStr = strings.ReplaceAll(errStr, diff.Text, "***")
|
||||
}
|
||||
}
|
||||
|
||||
return nil, errors.New(errStr)
|
||||
}
|
||||
|
||||
output := compiler.NewValue()
|
||||
// users could yaml.Unmarshal(input) and return a map
|
||||
// or yaml.Unmarshal(input).someKey and return a string
|
||||
// walk will ensure we convert every leaf
|
||||
functionPathSelectors := function.Path().Selectors()
|
||||
function.Lookup("output").Walk(nil, func(v *compiler.Value) {
|
||||
if v.Kind() == cue.StringKind {
|
||||
plaintext, _ := v.String()
|
||||
secret := pctx.Secrets.New(plaintext)
|
||||
newLeafSelectors := v.Path().Selectors()[len(functionPathSelectors):]
|
||||
newLeafSelectors = append(newLeafSelectors, cue.Str("contents"))
|
||||
newLeafPath := cue.MakePath(newLeafSelectors...)
|
||||
output.FillPath(newLeafPath, secret.MarshalCUE())
|
||||
}
|
||||
})
|
||||
|
||||
return output, nil
|
||||
}
|
@ -2,26 +2,38 @@ package testing
|
||||
|
||||
import (
|
||||
"dagger.io/dagger/engine"
|
||||
"encoding/yaml"
|
||||
)
|
||||
|
||||
engine.#Plan & {
|
||||
inputs: {
|
||||
directories: testdata: path: "./testdata"
|
||||
secrets: dockerHubToken: command: {
|
||||
secrets: sops: command: {
|
||||
name: "sops"
|
||||
args: ["exec-env", "../../secrets_sops.yaml", "echo $DOCKERHUB_TOKEN"]
|
||||
args: ["-d", "../../secrets_sops.yaml"]
|
||||
}
|
||||
}
|
||||
|
||||
actions: build: engine.#Build & {
|
||||
actions: {
|
||||
dockerHubToken: engine.#TransformSecret & {
|
||||
input: inputs.secrets.sops.contents
|
||||
#function: {
|
||||
input: _
|
||||
output: yaml.Unmarshal(input)
|
||||
}
|
||||
}
|
||||
|
||||
build: engine.#Build & {
|
||||
source: inputs.directories.testdata.contents
|
||||
auth: [{
|
||||
target: "daggerio/ci-test:private-pull"
|
||||
username: "daggertest"
|
||||
secret: inputs.secrets.dockerHubToken.contents
|
||||
|
||||
secret: dockerHubToken.output.DOCKERHUB_TOKEN.contents
|
||||
}]
|
||||
dockerfile: contents: """
|
||||
FROM daggerio/ci-test:private-pull@sha256:c74f1b1166784193ea6c8f9440263b9be6cae07dfe35e32a5df7a31358ac2060
|
||||
"""
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -1,24 +1,36 @@
|
||||
package main
|
||||
|
||||
import "dagger.io/dagger/engine"
|
||||
import (
|
||||
"encoding/yaml"
|
||||
"dagger.io/dagger/engine"
|
||||
)
|
||||
|
||||
engine.#Plan & {
|
||||
inputs: secrets: token: command: {
|
||||
inputs: secrets: sops: command: {
|
||||
name: "sops"
|
||||
args: ["exec-env", "../../secrets_sops.yaml", "echo $TestPAT"]
|
||||
args: ["-d", "../../secrets_sops.yaml"]
|
||||
}
|
||||
|
||||
actions: {
|
||||
|
||||
alpine: engine.#Pull & {
|
||||
source: "alpine:3.15.0"
|
||||
}
|
||||
|
||||
repoPassword: engine.#TransformSecret & {
|
||||
input: inputs.secrets.sops.contents
|
||||
#function: {
|
||||
input: _
|
||||
output: yaml.Unmarshal(input)
|
||||
}
|
||||
}
|
||||
|
||||
testRepo: engine.#GitPull & {
|
||||
remote: "https://github.com/dagger/dagger.git"
|
||||
ref: "main"
|
||||
auth: {
|
||||
username: "dagger-test"
|
||||
password: inputs.secrets.token.contents
|
||||
password: repoPassword.output.TestPAT.contents
|
||||
}
|
||||
}
|
||||
|
||||
|
Reference in New Issue
Block a user