Only redact the non-sensitive bits of build args and env vars.
* `-e [REDACTED]` → `-e SOME_SECRET=[REDACTED]` * Replaces `Utils.redact` with `Utils.sensitive` to clarify that we're indicating redactability, not actually performing redaction. * Redacts from YAML output, including `mrsk config` (fixes #96)
This commit is contained in:
Jeremy Daer
@@ -112,8 +112,11 @@ class ConfigurationAccessoryTest < ActiveSupport::TestCase
|
||||
|
||||
test "env args with secret" do
|
||||
ENV["MYSQL_ROOT_PASSWORD"] = "secret123"
|
||||
assert_equal ["-e", "MYSQL_ROOT_PASSWORD=\"secret123\"", "-e", "MYSQL_ROOT_HOST=\"%\""], @config.accessory(:mysql).env_args
|
||||
assert @config.accessory(:mysql).env_args[1].is_a?(SSHKit::Redaction)
|
||||
|
||||
@config.accessory(:mysql).env_args.tap do |env_args|
|
||||
assert_equal ["-e", "MYSQL_ROOT_PASSWORD=\"secret123\"", "-e", "MYSQL_ROOT_HOST=\"%\""], Mrsk::Utils.unredacted(env_args)
|
||||
assert_equal ["-e", "MYSQL_ROOT_PASSWORD=[REDACTED]", "-e", "MYSQL_ROOT_HOST=\"%\""], Mrsk::Utils.redacted(env_args)
|
||||
end
|
||||
ensure
|
||||
ENV["MYSQL_ROOT_PASSWORD"] = nil
|
||||
end
|
||||
|
||||
@@ -97,7 +97,10 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
|
||||
ENV["REDIS_PASSWORD"] = "secret456"
|
||||
ENV["DB_PASSWORD"] = "secret&\"123"
|
||||
|
||||
assert_equal ["-e", "REDIS_PASSWORD=\"secret456\"", "-e", "DB_PASSWORD=\"secret&\\\"123\"", "-e", "REDIS_URL=\"redis://a/b\"", "-e", "WEB_CONCURRENCY=\"4\""], @config_with_roles.role(:workers).env_args
|
||||
@config_with_roles.role(:workers).env_args.tap do |env_args|
|
||||
assert_equal ["-e", "REDIS_PASSWORD=\"secret456\"", "-e", "DB_PASSWORD=\"secret&\\\"123\"", "-e", "REDIS_URL=\"redis://a/b\"", "-e", "WEB_CONCURRENCY=\"4\""], Mrsk::Utils.unredacted(env_args)
|
||||
assert_equal ["-e", "REDIS_PASSWORD=[REDACTED]", "-e", "DB_PASSWORD=[REDACTED]", "-e", "REDIS_URL=\"redis://a/b\"", "-e", "WEB_CONCURRENCY=\"4\""], Mrsk::Utils.redacted(env_args)
|
||||
end
|
||||
ensure
|
||||
ENV["REDIS_PASSWORD"] = nil
|
||||
ENV["DB_PASSWORD"] = nil
|
||||
@@ -116,7 +119,10 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
|
||||
|
||||
ENV["DB_PASSWORD"] = "secret123"
|
||||
|
||||
assert_equal ["-e", "DB_PASSWORD=\"secret123\"", "-e", "REDIS_URL=\"redis://a/b\"", "-e", "WEB_CONCURRENCY=\"4\""], @config_with_roles.role(:workers).env_args
|
||||
@config_with_roles.role(:workers).env_args.tap do |env_args|
|
||||
assert_equal ["-e", "DB_PASSWORD=\"secret123\"", "-e", "REDIS_URL=\"redis://a/b\"", "-e", "WEB_CONCURRENCY=\"4\""], Mrsk::Utils.unredacted(env_args)
|
||||
assert_equal ["-e", "DB_PASSWORD=[REDACTED]", "-e", "REDIS_URL=\"redis://a/b\"", "-e", "WEB_CONCURRENCY=\"4\""], Mrsk::Utils.redacted(env_args)
|
||||
end
|
||||
ensure
|
||||
ENV["DB_PASSWORD"] = nil
|
||||
end
|
||||
@@ -133,7 +139,10 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
|
||||
|
||||
ENV["REDIS_PASSWORD"] = "secret456"
|
||||
|
||||
assert_equal ["-e", "REDIS_PASSWORD=\"secret456\"", "-e", "REDIS_URL=\"redis://a/b\"", "-e", "WEB_CONCURRENCY=\"4\""], @config_with_roles.role(:workers).env_args
|
||||
@config_with_roles.role(:workers).env_args.tap do |env_args|
|
||||
assert_equal ["-e", "REDIS_PASSWORD=\"secret456\"", "-e", "REDIS_URL=\"redis://a/b\"", "-e", "WEB_CONCURRENCY=\"4\""], Mrsk::Utils.unredacted(env_args)
|
||||
assert_equal ["-e", "REDIS_PASSWORD=[REDACTED]", "-e", "REDIS_URL=\"redis://a/b\"", "-e", "WEB_CONCURRENCY=\"4\""], Mrsk::Utils.redacted(env_args)
|
||||
end
|
||||
ensure
|
||||
ENV["REDIS_PASSWORD"] = nil
|
||||
end
|
||||
|
||||
@@ -113,12 +113,13 @@ class ConfigurationTest < ActiveSupport::TestCase
|
||||
|
||||
test "env args with clear and secrets" do
|
||||
ENV["PASSWORD"] = "secret123"
|
||||
|
||||
config = Mrsk::Configuration.new(@deploy.tap { |c| c.merge!({
|
||||
env: { "clear" => { "PORT" => "3000" }, "secret" => [ "PASSWORD" ] }
|
||||
}) })
|
||||
|
||||
assert_equal [ "-e", "PASSWORD=\"secret123\"", "-e", "PORT=\"3000\"" ], config.env_args
|
||||
assert config.env_args[1].is_a?(SSHKit::Redaction)
|
||||
assert_equal [ "-e", "PASSWORD=\"secret123\"", "-e", "PORT=\"3000\"" ], Mrsk::Utils.unredacted(config.env_args)
|
||||
assert_equal [ "-e", "PASSWORD=[REDACTED]", "-e", "PORT=\"3000\"" ], Mrsk::Utils.redacted(config.env_args)
|
||||
ensure
|
||||
ENV["PASSWORD"] = nil
|
||||
end
|
||||
@@ -133,12 +134,13 @@ class ConfigurationTest < ActiveSupport::TestCase
|
||||
|
||||
test "env args with only secrets" do
|
||||
ENV["PASSWORD"] = "secret123"
|
||||
|
||||
config = Mrsk::Configuration.new(@deploy.tap { |c| c.merge!({
|
||||
env: { "secret" => [ "PASSWORD" ] }
|
||||
}) })
|
||||
|
||||
assert_equal [ "-e", "PASSWORD=\"secret123\"" ], config.env_args
|
||||
assert config.env_args[1].is_a?(SSHKit::Redaction)
|
||||
assert_equal [ "-e", "PASSWORD=\"secret123\"" ], Mrsk::Utils.unredacted(config.env_args)
|
||||
assert_equal [ "-e", "PASSWORD=[REDACTED]" ], Mrsk::Utils.redacted(config.env_args)
|
||||
ensure
|
||||
ENV["PASSWORD"] = nil
|
||||
end
|
||||
|
||||
@@ -8,13 +8,16 @@ class UtilsTest < ActiveSupport::TestCase
|
||||
|
||||
test "argumentize with redacted" do
|
||||
assert_kind_of SSHKit::Redaction, \
|
||||
Mrsk::Utils.argumentize("--label", { foo: "bar" }, redacted: true).last
|
||||
Mrsk::Utils.argumentize("--label", { foo: "bar" }, sensitive: true).last
|
||||
end
|
||||
|
||||
test "argumentize_env_with_secrets" do
|
||||
ENV.expects(:fetch).with("FOO").returns("secret")
|
||||
assert_equal [ "-e", "FOO=\"secret\"", "-e", "BAZ=\"qux\"" ], \
|
||||
Mrsk::Utils.argumentize_env_with_secrets({ "secret" => [ "FOO" ], "clear" => { BAZ: "qux" } })
|
||||
|
||||
args = Mrsk::Utils.argumentize_env_with_secrets({ "secret" => [ "FOO" ], "clear" => { BAZ: "qux" } })
|
||||
|
||||
assert_equal [ "-e", "FOO=[REDACTED]", "-e", "BAZ=\"qux\"" ], Mrsk::Utils.redacted(args)
|
||||
assert_equal [ "-e", "FOO=\"secret\"", "-e", "BAZ=\"qux\"" ], Mrsk::Utils.unredacted(args)
|
||||
end
|
||||
|
||||
test "optionize" do
|
||||
@@ -27,9 +30,20 @@ class UtilsTest < ActiveSupport::TestCase
|
||||
Mrsk::Utils.optionize({ foo: "bar", baz: "qux", quux: true }, with: "=")
|
||||
end
|
||||
|
||||
test "redact" do
|
||||
assert_kind_of SSHKit::Redaction, Mrsk::Utils.redact("secret")
|
||||
assert_equal "secret", Mrsk::Utils.redact("secret")
|
||||
test "no redaction from #to_s" do
|
||||
assert_equal "secret", Mrsk::Utils.sensitive("secret").to_s
|
||||
end
|
||||
|
||||
test "redact from #inspect" do
|
||||
assert_equal "[REDACTED]".inspect, Mrsk::Utils.sensitive("secret").inspect
|
||||
end
|
||||
|
||||
test "redact from SSHKit output" do
|
||||
assert_kind_of SSHKit::Redaction, Mrsk::Utils.sensitive("secret")
|
||||
end
|
||||
|
||||
test "redact from YAML output" do
|
||||
assert_equal "--- ! '[REDACTED]'\n", YAML.dump(Mrsk::Utils.sensitive("secret"))
|
||||
end
|
||||
|
||||
test "escape_shell_value" do
|
||||
|
||||
Reference in New Issue
Block a user