From 19faa83a03b8906d0ed7733e94abc63fbe3ce8b3 Mon Sep 17 00:00:00 2001 From: Dariusz Duda Date: Fri, 13 Dec 2024 10:32:38 -0500 Subject: [PATCH] fix: do not log encoded secrets Signed-off-by: Dariusz Duda --- craft_application/application.py | 3 +++ docs/reference/changelog.rst | 10 ++++++++++ tests/unit/test_application.py | 34 +++++++++++++++++++++++++++----- 3 files changed, 42 insertions(+), 5 deletions(-) diff --git a/craft_application/application.py b/craft_application/application.py index e2842018..24bb6ed7 100644 --- a/craft_application/application.py +++ b/craft_application/application.py @@ -435,6 +435,9 @@ def run_managed(self, platform: str | None, build_for: str | None) -> None: # If using build secrets, put them in the environment of the managed # instance. secret_values = cast(secrets.BuildSecrets, self._secrets) + # disable logging CRAFT_SECRETS value passed to the managed instance + craft_cli.emit.set_secrets(list(secret_values.environment.values())) + env.update(secret_values.environment) extra_args["env"] = env diff --git a/docs/reference/changelog.rst b/docs/reference/changelog.rst index d5a94b56..5e82bddc 100644 --- a/docs/reference/changelog.rst +++ b/docs/reference/changelog.rst @@ -4,6 +4,16 @@ Changelog ********* +4.7.0 (YYYY-MMM-DD) +------------------- + +Application +=========== + +- Do not log encoded secrets in managed mode if ``build_secrets`` + ``AppFeature`` is enabled. + + 4.6.0 (2024-Dec-13) ------------------- diff --git a/tests/unit/test_application.py b/tests/unit/test_application.py index 02dfae78..4e530d6a 100644 --- a/tests/unit/test_application.py +++ b/tests/unit/test_application.py @@ -559,7 +559,28 @@ def test_run_managed_failure(app, fake_project, fake_build_plan): @pytest.mark.enable_features("build_secrets") -def test_run_managed_secrets(app, fake_project, fake_build_plan): +@pytest.mark.parametrize( + "fake_encoded_environment", + [ + pytest.param({}, id="empty"), + pytest.param( + { + "CRAFT_TEST": "banana", + }, + id="fake-env", + ), + pytest.param( + { + "CRAFT_TEST_FRUIT": "banana", + "CRAFT_TEST_VEGETABLE": "cucumber", + }, + id="multiple-entries-env", + ), + ], +) +def test_run_managed_secrets( + app, fake_project, fake_build_plan, fake_encoded_environment: dict[str, str], check +): mock_provider = mock.MagicMock(spec_set=services.ProviderService) instance = mock_provider.instance.return_value.__enter__.return_value mock_execute = instance.execute_run @@ -567,9 +588,6 @@ def test_run_managed_secrets(app, fake_project, fake_build_plan): app.project = fake_project app._build_plan = fake_build_plan - fake_encoded_environment = { - "CRAFT_TEST": "banana", - } app._secrets = secrets.BuildSecrets( environment=fake_encoded_environment, secret_strings=set(), @@ -581,7 +599,13 @@ def test_run_managed_secrets(app, fake_project, fake_build_plan): assert len(mock_execute.mock_calls) == 1 call = mock_execute.mock_calls[0] execute_env = call.kwargs["env"] - assert execute_env["CRAFT_TEST"] == "banana" + for secret_key, secret_val in fake_encoded_environment.items(): + with check: + # value is passed to the underlying provider + assert execute_env[secret_key] == secret_val + assert secret_key in craft_cli.emit._log_filepath.read_text() + # value is not leaking in logs + assert secret_val not in craft_cli.emit._log_filepath.read_text() def test_run_managed_multiple(app, fake_project):