Merge branch 'main' into feat/pr-labeled-action

go-vela · Mar 13, 2024 · 3727c03 · 3727c03
2 parents 361dac1 + 09a256b
commit 3727c03
Show file tree

Hide file tree

Showing 11 changed files with 219 additions and 132 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -47,7 +47,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+      uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+      uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+      uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
@@ -23,7 +23,7 @@ jobs:
         check-latest: true
 
     - name: golangci-lint
-      uses: reviewdog/action-golangci-lint@8e1117c7d327bbfb1eb7ec8dc2d895d13e6e17c3 # v2.6.0
+      uses: reviewdog/action-golangci-lint@00311c26a97213f93f2fd3a3524d66762e956ae0 # v2.6.1
       with:
         github_token: ${{ secrets.github_token }}
         golangci_lint_flags: "--config=.golangci.yml"
@@ -47,7 +47,7 @@ jobs:
         check-latest: true
 
     - name: golangci-lint
-      uses: reviewdog/action-golangci-lint@8e1117c7d327bbfb1eb7ec8dc2d895d13e6e17c3 # v2.6.0
+      uses: reviewdog/action-golangci-lint@00311c26a97213f93f2fd3a3524d66762e956ae0 # v2.6.1
       with:
         github_token: ${{ secrets.github_token }}
         golangci_lint_flags: "--config=.golangci.yml"

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -29,7 +29,7 @@ jobs:
         go test -race -covermode=atomic -coverprofile=coverage.out ./...
 
     - name: coverage
-      uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044 # v4.0.1
+      uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # v4.1.0
       with:
         token: ${{ secrets.CODECOV_TOKEN }}
         file: coverage.out
diff --git a/database/secret.go b/database/secret.go
@@ -42,21 +42,22 @@ var (
 
 // Secret is the database representation of a secret.
 type Secret struct {
-	ID           sql.NullInt64  `sql:"id"`
-	Org          sql.NullString `sql:"org"`
-	Repo         sql.NullString `sql:"repo"`
-	Team         sql.NullString `sql:"team"`
-	Name         sql.NullString `sql:"name"`
-	Value        sql.NullString `sql:"value"`
-	Type         sql.NullString `sql:"type"`
-	Images       pq.StringArray `sql:"images" gorm:"type:varchar(1000)"`
-	Events       pq.StringArray `sql:"events" gorm:"type:varchar(1000)"`
-	AllowEvents  sql.NullInt64  `sql:"allow_events"`
-	AllowCommand sql.NullBool   `sql:"allow_command"`
-	CreatedAt    sql.NullInt64  `sql:"created_at"`
-	CreatedBy    sql.NullString `sql:"created_by"`
-	UpdatedAt    sql.NullInt64  `sql:"updated_at"`
-	UpdatedBy    sql.NullString `sql:"updated_by"`
+	ID                sql.NullInt64  `sql:"id"`
+	Org               sql.NullString `sql:"org"`
+	Repo              sql.NullString `sql:"repo"`
+	Team              sql.NullString `sql:"team"`
+	Name              sql.NullString `sql:"name"`
+	Value             sql.NullString `sql:"value"`
+	Type              sql.NullString `sql:"type"`
+	Images            pq.StringArray `sql:"images" gorm:"type:varchar(1000)"`
+	Events            pq.StringArray `sql:"events" gorm:"type:varchar(1000)"`
+	AllowEvents       sql.NullInt64  `sql:"allow_events"`
+	AllowCommand      sql.NullBool   `sql:"allow_command"`
+	AllowSubstitution sql.NullBool   `sql:"allow_substitution"`
+	CreatedAt         sql.NullInt64  `sql:"created_at"`
+	CreatedBy         sql.NullString `sql:"created_by"`
+	UpdatedAt         sql.NullInt64  `sql:"updated_at"`
+	UpdatedBy         sql.NullString `sql:"updated_by"`
 }
 
 // Decrypt will manipulate the existing secret value by
@@ -196,6 +197,7 @@ func (s *Secret) ToLibrary() *library.Secret {
 	secret.SetEvents(s.Events)
 	secret.SetAllowEvents(library.NewEventsFromMask(s.AllowEvents.Int64))
 	secret.SetAllowCommand(s.AllowCommand.Bool)
+	secret.SetAllowSubstitution(s.AllowSubstitution.Bool)
 	secret.SetCreatedAt(s.CreatedAt.Int64)
 	secret.SetCreatedBy(s.CreatedBy.String)
 	secret.SetUpdatedAt(s.UpdatedAt.Int64)
@@ -272,21 +274,22 @@ func (s *Secret) Validate() error {
 // to a database Secret type.
 func SecretFromLibrary(s *library.Secret) *Secret {
 	secret := &Secret{
-		ID:           sql.NullInt64{Int64: s.GetID(), Valid: true},
-		Org:          sql.NullString{String: s.GetOrg(), Valid: true},
-		Repo:         sql.NullString{String: s.GetRepo(), Valid: true},
-		Team:         sql.NullString{String: s.GetTeam(), Valid: true},
-		Name:         sql.NullString{String: s.GetName(), Valid: true},
-		Value:        sql.NullString{String: s.GetValue(), Valid: true},
-		Type:         sql.NullString{String: s.GetType(), Valid: true},
-		Images:       pq.StringArray(s.GetImages()),
-		Events:       pq.StringArray(s.GetEvents()),
-		AllowEvents:  sql.NullInt64{Int64: s.GetAllowEvents().ToDatabase(), Valid: true},
-		AllowCommand: sql.NullBool{Bool: s.GetAllowCommand(), Valid: true},
-		CreatedAt:    sql.NullInt64{Int64: s.GetCreatedAt(), Valid: true},
-		CreatedBy:    sql.NullString{String: s.GetCreatedBy(), Valid: true},
-		UpdatedAt:    sql.NullInt64{Int64: s.GetUpdatedAt(), Valid: true},
-		UpdatedBy:    sql.NullString{String: s.GetUpdatedBy(), Valid: true},
+		ID:                sql.NullInt64{Int64: s.GetID(), Valid: true},
+		Org:               sql.NullString{String: s.GetOrg(), Valid: true},
+		Repo:              sql.NullString{String: s.GetRepo(), Valid: true},
+		Team:              sql.NullString{String: s.GetTeam(), Valid: true},
+		Name:              sql.NullString{String: s.GetName(), Valid: true},
+		Value:             sql.NullString{String: s.GetValue(), Valid: true},
+		Type:              sql.NullString{String: s.GetType(), Valid: true},
+		Images:            pq.StringArray(s.GetImages()),
+		Events:            pq.StringArray(s.GetEvents()),
+		AllowEvents:       sql.NullInt64{Int64: s.GetAllowEvents().ToDatabase(), Valid: true},
+		AllowCommand:      sql.NullBool{Bool: s.GetAllowCommand(), Valid: true},
+		AllowSubstitution: sql.NullBool{Bool: s.GetAllowSubstitution(), Valid: true},
+		CreatedAt:         sql.NullInt64{Int64: s.GetCreatedAt(), Valid: true},
+		CreatedBy:         sql.NullString{String: s.GetCreatedBy(), Valid: true},
+		UpdatedAt:         sql.NullInt64{Int64: s.GetUpdatedAt(), Valid: true},
+		UpdatedBy:         sql.NullString{String: s.GetUpdatedBy(), Valid: true},
 	}
 
 	return secret.Nullify()

diff --git a/database/secret_test.go b/database/secret_test.go
@@ -171,6 +171,7 @@ func TestDatabase_Secret_ToLibrary(t *testing.T) {
 	want.SetEvents([]string{"push", "tag", "deployment"})
 	want.SetAllowEvents(library.NewEventsFromMask(1))
 	want.SetAllowCommand(true)
+	want.SetAllowSubstitution(true)
 	want.SetCreatedAt(tsCreate)
 	want.SetCreatedBy("octocat")
 	want.SetUpdatedAt(tsUpdate)
@@ -295,6 +296,7 @@ func TestDatabase_SecretFromLibrary(t *testing.T) {
 	s.SetEvents([]string{"push", "tag", "deployment"})
 	s.SetAllowEvents(library.NewEventsFromMask(1))
 	s.SetAllowCommand(true)
+	s.SetAllowSubstitution(true)
 	s.SetCreatedAt(tsCreate)
 	s.SetCreatedBy("octocat")
 	s.SetUpdatedAt(tsUpdate)
@@ -314,20 +316,21 @@ func TestDatabase_SecretFromLibrary(t *testing.T) {
 // type with all fields set to a fake value.
 func testSecret() *Secret {
 	return &Secret{
-		ID:           sql.NullInt64{Int64: 1, Valid: true},
-		Org:          sql.NullString{String: "github", Valid: true},
-		Repo:         sql.NullString{String: "octocat", Valid: true},
-		Team:         sql.NullString{String: "octokitties", Valid: true},
-		Name:         sql.NullString{String: "foo", Valid: true},
-		Value:        sql.NullString{String: "bar", Valid: true},
-		Type:         sql.NullString{String: "repo", Valid: true},
-		Images:       []string{"alpine"},
-		Events:       []string{"push", "tag", "deployment"},
-		AllowEvents:  sql.NullInt64{Int64: 1, Valid: true},
-		AllowCommand: sql.NullBool{Bool: true, Valid: true},
-		CreatedAt:    sql.NullInt64{Int64: tsCreate, Valid: true},
-		CreatedBy:    sql.NullString{String: "octocat", Valid: true},
-		UpdatedAt:    sql.NullInt64{Int64: tsUpdate, Valid: true},
-		UpdatedBy:    sql.NullString{String: "octocat2", Valid: true},
+		ID:                sql.NullInt64{Int64: 1, Valid: true},
+		Org:               sql.NullString{String: "github", Valid: true},
+		Repo:              sql.NullString{String: "octocat", Valid: true},
+		Team:              sql.NullString{String: "octokitties", Valid: true},
+		Name:              sql.NullString{String: "foo", Valid: true},
+		Value:             sql.NullString{String: "bar", Valid: true},
+		Type:              sql.NullString{String: "repo", Valid: true},
+		Images:            []string{"alpine"},
+		Events:            []string{"push", "tag", "deployment"},
+		AllowEvents:       sql.NullInt64{Int64: 1, Valid: true},
+		AllowCommand:      sql.NullBool{Bool: true, Valid: true},
+		AllowSubstitution: sql.NullBool{Bool: true, Valid: true},
+		CreatedAt:         sql.NullInt64{Int64: tsCreate, Valid: true},
+		CreatedBy:         sql.NullString{String: "octocat", Valid: true},
+		UpdatedAt:         sql.NullInt64{Int64: tsUpdate, Valid: true},
+		UpdatedBy:         sql.NullString{String: "octocat2", Valid: true},
 	}
 }
diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/go-vela/types
 go 1.21
 
 require (
-	github.com/adhocore/gronx v1.6.7
+	github.com/adhocore/gronx v1.8.0
 	github.com/buildkite/yaml v0.0.0-20181016232759-0caa5f0796e3
 	github.com/drone/envsubst v1.0.3
 	github.com/ghodss/yaml v1.0.0

diff --git a/go.sum b/go.sum
@@ -1,5 +1,5 @@
-github.com/adhocore/gronx v1.6.7 h1:yE/AKQP/yhjMRqV943XiPqBdmUwIF8VHJwm6KZhnk48=
-github.com/adhocore/gronx v1.6.7/go.mod h1:7oUY1WAU8rEJWmAxXR2DN0JaO4gi9khSgKjiRypqteg=
+github.com/adhocore/gronx v1.8.0 h1:BHgzaGyS7zPmuMVqiIxyAwvKpwAX+bR7bCxDVacfhuo=
+github.com/adhocore/gronx v1.8.0/go.mod h1:7oUY1WAU8rEJWmAxXR2DN0JaO4gi9khSgKjiRypqteg=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
 github.com/buildkite/yaml v0.0.0-20181016232759-0caa5f0796e3 h1:q+sMKdA6L8LyGVudTkpGoC73h6ak2iWSPFiFo/pFOU8=

diff --git a/library/log.go b/library/log.go
@@ -3,8 +3,8 @@
 package library
 
 import (
+	"bytes"
 	"fmt"
-	"regexp"
 
 	"github.com/go-vela/types/constants"
 )
@@ -45,25 +45,14 @@ func (l *Log) AppendData(data []byte) {
 func (l *Log) MaskData(secrets []string) {
 	data := l.GetData()
 
+	// early exit on empty log or secret list
+	if len(data) == 0 || len(secrets) == 0 {
+		return
+	}
+
+	// byte replace data with masked logs
 	for _, secret := range secrets {
-		// escape regexp meta characters if they exist within value of secret
-		//
-		// https://pkg.go.dev/regexp#QuoteMeta
-		escaped := regexp.QuoteMeta(secret)
-
-		// create regexp to match secrets in the log data surrounded by regexp metacharacters
-		//
-		// https://pkg.go.dev/regexp#MustCompile
-		buffer := `(\s|^|=|"|\?|:|'|\.|,|&|$|;|\[|\])`
-		re := regexp.MustCompile((buffer + escaped + buffer))
-
-		// create a mask for the secret
-		mask := fmt.Sprintf("$1%s$2", constants.SecretLogMask)
-
-		// replace all regexp matches of secret with mask
-		//
-		// https://pkg.go.dev/regexp#Regexp.ReplaceAll
-		data = re.ReplaceAll(data, []byte(mask))
+		data = bytes.ReplaceAll(data, []byte(secret), []byte(constants.SecretLogMask))
 	}
 
 	// update data field to masked logs

diff --git a/library/log_test.go b/library/log_test.go
@@ -42,59 +42,83 @@ func TestLibrary_Log_AppendData(t *testing.T) {
 
 func TestLibrary_Log_MaskData(t *testing.T) {
 	// set up test secrets
-	sVals := []string{"secret", "((%.YY245***pP.><@@}}", "littlesecret", "extrasecret"}
-
-	// set up test logs
-	s1 := "$ echo $NO_SECRET\nnosecret\n"
-	s2 := "((%.YY245***pP.><@@}}"
-	s2Masked := "***"
-	s3 := "$ echo $SECRET1\n((%.YY245***pP.><@@}}\n$ echo $SECRET2\nlittlesecret\n"
-	s3Masked := "$ echo $SECRET1\n***\n$ echo $SECRET2\n***\n"
-	s4 := "SOME_SECRET=((%.YY245***pP.><@@}}"
-	s4Masked := "SOME_SECRET=***"
-	s5 := "www.example.com?username=secret&password=extrasecret"
-	s5Masked := "www.example.com?username=***&password=***"
-	s6 := "[token: extrasecret]"
-	s6Masked := "[token: ***]"
+	sVals := []string{"gh_abc123def456", "((%.YY245***pP.><@@}}", "quick-bear-fox-squid", "SUPERSECRETVALUE"}
 
 	tests := []struct {
-		want    []byte
 		log     []byte
+		want    []byte
 		secrets []string
 	}{
 		{ // no secrets in log
-			want:    []byte(s1),
-			log:     []byte(s1),
+			log: []byte(
+				"$ echo hello\nhello\n",
+			),
+			want: []byte(
+				"$ echo hello\nhello\n",
+			),
 			secrets: sVals,
 		},
 		{ // one secret in log
-			want:    []byte(s2Masked),
-			log:     []byte(s2),
+			log: []byte(
+				"((%.YY245***pP.><@@}}",
+			),
+			want: []byte(
+				"***",
+			),
 			secrets: sVals,
 		},
 		{ // multiple secrets in log
-			want:    []byte(s3Masked),
-			log:     []byte(s3),
+			log: []byte(
+				"$ echo $SECRET1\n((%.YY245***pP.><@@}}\n$ echo $SECRET2\nquick-bear-fox-squid\n",
+			),
+			want: []byte(
+				"$ echo $SECRET1\n***\n$ echo $SECRET2\n***\n",
+			),
 			secrets: sVals,
 		},
 		{ // secret with leading =
-			want:    []byte(s4Masked),
-			log:     []byte(s4),
+			log: []byte(
+				"SOME_SECRET=((%.YY245***pP.><@@}}",
+			),
+			want: []byte(
+				"SOME_SECRET=***",
+			),
 			secrets: sVals,
 		},
 		{ // secret baked in URL query params
-			want:    []byte(s5Masked),
-			log:     []byte(s5),
+			log: []byte(
+				"www.example.com?username=quick-bear-fox-squid&password=SUPERSECRETVALUE",
+			),
+			want: []byte(
+				"www.example.com?username=***&password=***",
+			),
 			secrets: sVals,
 		},
 		{ // secret in verbose brackets
-			want:    []byte(s6Masked),
-			log:     []byte(s6),
+			log: []byte(
+				"[token: gh_abc123def456]",
+			),
+			want: []byte(
+				"[token: ***]",
+			),
+			secrets: sVals,
+		},
+		{ // double secret
+			log: []byte(
+				"echo ${GITHUB_TOKEN}${SUPER_SECRET}\ngh_abc123def456SUPERSECRETVALUE\n",
+			),
+			want: []byte(
+				"echo ${GITHUB_TOKEN}${SUPER_SECRET}\n******\n",
+			),
 			secrets: sVals,
 		},
 		{ // empty secrets slice
-			want:    []byte(s3),
-			log:     []byte(s3),
+			log: []byte(
+				"echo hello\nhello\n",
+			),
+			want: []byte(
+				"echo hello\nhello\n",
+			),
 			secrets: []string{},
 		},
 	}