
Revert "fix(secret)!: remove implicit repo secrets and clean up secre…
…ts testing (#210)" (#229)

This reverts commit d6046d0.
KellyMerrick authored Jan 24, 2022
1 parent d6046d0 commit 480b8e2
Showing 3 changed files with 52 additions and 268 deletions.
3 changes: 0 additions & 3 deletions constants/secret.go
Expand Up @@ -20,7 +20,4 @@ const (

// SecretLogMask defines the secret mask to be used when distributing logs that contain secrets.
SecretLogMask = "***"

// SecretRestrictedCharacters defines the set of characters that a secret name cannot contain.
SecretRestrictedCharacters = "=\x00"
)
96 changes: 29 additions & 67 deletions pipeline/secret.go
Expand Up @@ -64,9 +64,6 @@ var (
// ErrInvalidPath defines the error type when the
// path provided for a type (org, repo, shared) is invalid.
ErrInvalidPath = errors.New("invalid secret path")
// ErrInvalidName defines the error type when the name
// contains restricted characters or is empty.
ErrInvalidName = errors.New("invalid secret name")
)

// Purge removes the secrets that have a ruleset
Expand Down Expand Up @@ -108,40 +105,25 @@ func (s *Secret) ParseOrg(org string) (string, string, error) {
// check if the secret is not a native or vault type
if !strings.EqualFold(s.Engine, constants.DriverNative) &&
!strings.EqualFold(s.Engine, constants.DriverVault) {
return "", "", fmt.Errorf("%w: %s", ErrInvalidEngine, s.Engine)
return "", "", fmt.Errorf("%s: %s", ErrInvalidEngine, s.Engine)
}

// check if a path was provided
if !strings.Contains(path, "/") {
return "", "", fmt.Errorf("%w: %s ", ErrInvalidPath, path)
return "", "", fmt.Errorf("%s: %s ", ErrInvalidPath, path)
}

// split the full path into parts
parts := strings.SplitN(path, "/", 2)

// secret is invalid
if len(parts) != 2 {
return "", "", fmt.Errorf("%w: %s ", ErrInvalidPath, path)
return "", "", fmt.Errorf("%s: %s ", ErrInvalidPath, path)
}

// check if the org provided matches what we expect
if !strings.EqualFold(parts[0], org) {
return "", "", fmt.Errorf("%w: %s ", ErrInvalidOrg, parts[0])
}

// check if path segments empty
if len(parts[1]) == 0 {
return "", "", fmt.Errorf("%w: %s ", ErrInvalidPath, path)
}

// secret names can't be empty.
if len(s.Name) == 0 {
return "", "", fmt.Errorf("%w: %s missing name", ErrInvalidName, s.Key)
}

// environmental variables can't contain certain restricted characters.
if strings.ContainsAny(s.Name, constants.SecretRestrictedCharacters) {
return "", "", fmt.Errorf("%w (contains restricted characters): %s ", ErrInvalidName, s.Name)
return "", "", fmt.Errorf("%s: %s ", ErrInvalidOrg, parts[0])
}

return parts[0], parts[1], nil
Expand All @@ -155,43 +137,38 @@ func (s *Secret) ParseRepo(org, repo string) (string, string, string, error) {
// check if the secret is not a native or vault type
if !strings.EqualFold(s.Engine, constants.DriverNative) &&
!strings.EqualFold(s.Engine, constants.DriverVault) {
return "", "", "", fmt.Errorf("%w: %s", ErrInvalidEngine, s.Engine)
return "", "", "", fmt.Errorf("%s: %s", ErrInvalidEngine, s.Engine)
}

// split the full path into parts
parts := strings.SplitN(path, "/", 3)

// secret is invalid
if len(parts) != 3 {
return "", "", "", fmt.Errorf("%w: %s ", ErrInvalidPath, path)
}
// check if a path was provided for explicit definition
if strings.Contains(path, "/") {
// split the full path into parts
parts := strings.SplitN(path, "/", 3)

// check if the org provided matches what we expect
if !strings.EqualFold(parts[0], org) {
return "", "", "", fmt.Errorf("%w: %s ", ErrInvalidOrg, parts[0])
}
// secret is invalid
if len(parts) != 3 {
return "", "", "", fmt.Errorf("%s: %s ", ErrInvalidPath, path)
}

// check if the repo provided matches what we expect
if !strings.EqualFold(parts[1], repo) {
return "", "", "", fmt.Errorf("%w: %s ", ErrInvalidRepo, parts[1])
}
// check if the org provided matches what we expect
if !strings.EqualFold(parts[0], org) {
return "", "", "", fmt.Errorf("%s: %s ", ErrInvalidOrg, parts[0])
}

// check if path segments empty
if len(parts[2]) == 0 {
return "", "", "", fmt.Errorf("%w: %s ", ErrInvalidPath, path)
}
// check if the repo provided matches what we expect
if !strings.EqualFold(parts[1], repo) {
return "", "", "", fmt.Errorf("%s: %s ", ErrInvalidRepo, parts[1])
}

// secret names can't be empty.
if len(s.Name) == 0 {
return "", "", "", fmt.Errorf("%w: %s missing name", ErrInvalidName, s.Key)
return parts[0], parts[1], parts[2], nil
}

// environmental variables can't contain certain restricted characters.
if strings.ContainsAny(s.Name, constants.SecretRestrictedCharacters) {
return "", "", "", fmt.Errorf("%w (contains restricted characters): %s ", ErrInvalidName, s.Name)
// check if name equals key for implicit definition
if !strings.EqualFold(s.Name, s.Key) {
return "", "", "", fmt.Errorf("%s: %s ", ErrInvalidPath, path)
}

return parts[0], parts[1], parts[2], nil
return org, repo, s.Name, nil
}

// ParseShared returns the parts (org, team, key) of the secret path
Expand All @@ -202,35 +179,20 @@ func (s *Secret) ParseShared() (string, string, string, error) {
// check if the secret is not a native or vault type
if !strings.EqualFold(s.Engine, constants.DriverNative) &&
!strings.EqualFold(s.Engine, constants.DriverVault) {
return "", "", "", fmt.Errorf("%w: %s", ErrInvalidEngine, s.Engine)
return "", "", "", fmt.Errorf("%s: %s", ErrInvalidEngine, s.Engine)
}

// check if a path was provided
if !strings.Contains(path, "/") {
return "", "", "", fmt.Errorf("%w: %s ", ErrInvalidPath, path)
return "", "", "", fmt.Errorf("%s: %s ", ErrInvalidPath, path)
}

// split the full path into parts
parts := strings.SplitN(path, "/", 3)

// secret is invalid
if len(parts) != 3 {
return "", "", "", fmt.Errorf("%w: %s ", ErrInvalidPath, path)
}

// check if path segments empty
if len(parts[1]) == 0 || len(parts[2]) == 0 {
return "", "", "", fmt.Errorf("%w: %s ", ErrInvalidPath, path)
}

// secret names can't be empty.
if len(s.Name) == 0 {
return "", "", "", fmt.Errorf("%w: %s missing name", ErrInvalidName, s.Key)
}

// environmental variables can't contain certain restricted characters.
if strings.ContainsAny(s.Name, constants.SecretRestrictedCharacters) {
return "", "", "", fmt.Errorf("%w (contains restricted characters): %s ", ErrInvalidName, s.Name)
return "", "", "", fmt.Errorf("%s: %s ", ErrInvalidPath, path)
}

return parts[0], parts[1], parts[2], nil
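Review bot: On the new side of every error return in ParseOrg, ParseRepo and ParseShared the sentinel is formatted with `%s` instead of `%w` (e.g. the new `fmt.Errorf("%s: %s ", ErrInvalidPath, path)`), so callers can no longer match these failures with `errors.Is(err, ErrInvalidPath)` and must fall back to string comparison; since the sentinels `ErrInvalidPath`, `ErrInvalidOrg`, `ErrInvalidRepo` and `ErrInvalidEngine` still exist, each line should read `return "", "", "", fmt.Errorf("%w: %s ", ErrInvalidPath, path)` (two return values in ParseOrg). This applies to all three hunks of this file, so I am noting it once here. Separately, the new ParseOrg and ParseShared accept a path whose trailing segment is empty (`org/` or `org/team/`) and return an empty key, because the `len(parts[...]) == 0` guards were dropped along with the name checks; if that is an unintended side effect of the revert rather than the desired behavior, a guard such as `if len(parts[1]) == 0 { return "", "", fmt.Errorf("%w: %s ", ErrInvalidPath, path) }` before the final return would restore it. All three functions begin before their hunks (the `path` variable each one splits is assigned outside the visible lines), so the upstream validation cannot be confirmed from here.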
