Skip to content

Commit

Permalink
Refactor textual secret storage to allow testing
Browse files Browse the repository at this point in the history
Signed-off-by: Charles Duffy <[email protected]>
  • Loading branch information
charles-dyfis-net committed May 3, 2022
1 parent 8ae2cc2 commit c854289
Show file tree
Hide file tree
Showing 3 changed files with 31 additions and 10 deletions.
12 changes: 2 additions & 10 deletions cmd/build/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,8 @@ package main
import (
"bytes"
"encoding/json"
"io/ioutil"
"os"
"os/exec"
"path/filepath"
"strings"

"github.com/sirupsen/logrus"
Expand Down Expand Up @@ -66,14 +64,8 @@ func main() {
seg := strings.SplitN(
strings.TrimPrefix(env, buildkitSecretTextPrefix), "=", 2)

// Q: Filter for environment variable names that are also legal shell variable names to disallow ../ etc?
secretDir := filepath.Join(os.TempDir(), "buildkit-secrets")
secretFile := filepath.Join(secretDir, seg[0])
err := os.MkdirAll(secretDir, 0700)
failIf("create secret directory", err)
err = ioutil.WriteFile(secretFile, []byte(seg[1]), 0600)
failIf("write to secret directory", err)
req.Config.BuildkitSecrets[seg[0]] = secretFile
err := task.StoreSecret(&req.Config.BuildkitSecrets, seg[0], seg[1])
failIf("store secret provided as text", err)
}
}

Expand Down
20 changes: 20 additions & 0 deletions task.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,26 @@ import (
"github.com/sirupsen/logrus"
)

// Q: Audit name to not include "/"?
func StoreSecret(secrets *map[string]string, name, value string) error {
secretDir := filepath.Join(os.TempDir(), "buildkit-secrets")
secretFile := filepath.Join(secretDir, name)
err := os.MkdirAll(secretDir, 0700)
if err != nil {
return fmt.Errorf("unable to create secret directory: %w", err)
}
err = ioutil.WriteFile(secretFile, []byte(value), 0600)
if err != nil {
return fmt.Errorf("unable to write secret to file: %w", err)
}
if secrets == nil {
secretMap := make(map[string]string, 1)
secrets = &secretMap
}
(*secrets)[name] = secretFile
return nil
}

func Build(buildkitd *Buildkitd, outputsDir string, req Request) (Response, error) {
if req.Config.Debug {
logrus.SetLevel(logrus.DebugLevel)
Expand Down
9 changes: 9 additions & 0 deletions task_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -250,6 +250,15 @@ func (s *TaskSuite) TestUnpackRootfs() {
s.Equal(meta.Env, []string{"PATH=/darkness", "BA=nana"})
}

func (s *TaskSuite) TestBuildkitTextualSecrets() {
s.req.Config.ContextDir = "testdata/buildkit-secret"
err := task.StoreSecret(&s.req.Config.BuildkitSecrets, "secret", "hello-world")
s.NoError(err)

_, err = s.build()
s.NoError(err)
}

func (s *TaskSuite) TestBuildkitSecrets() {
s.req.Config.ContextDir = "testdata/buildkit-secret"
s.req.Config.BuildkitSecrets = map[string]string{"secret": "testdata/buildkit-secret/secret"}
Expand Down

0 comments on commit c854289

Please sign in to comment.