Skip to content

Commit

Permalink
fix: do not log encoded secrets
Browse files Browse the repository at this point in the history 
Signed-off-by: Dariusz Duda <[email protected]>
  • Loading branch information
@dariuszd21
dariuszd21 committed Dec 13, 2024
1 parent 8357448 commit 27ca53e
Show file tree
Hide file tree
Showing 2 changed files with 30 additions and 5 deletions.
3 changes: 3 additions & 0 deletions craft_application/application.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -435,6 +435,9 @@ def run_managed(self, platform: str | None, build_for: str | None) -> None:
# If using build secrets, put them in the environment of the managed
# instance.
secret_values = cast(secrets.BuildSecrets, self._secrets)
# disable logging CRAFT_SECRETS value passed to the managed instance
craft_cli.emit.set_secrets(list(secret_values.environment.values()))

env.update(secret_values.environment)

extra_args["env"] = env
Expand Down
32 changes: 27 additions & 5 deletions tests/unit/test_application.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -559,17 +559,35 @@ def test_run_managed_failure(app, fake_project, fake_build_plan):


@pytest.mark.enable_features("build_secrets")
def test_run_managed_secrets(app, fake_project, fake_build_plan):
@pytest.mark.parametrize(
"fake_encoded_environment",
[
pytest.param({}, id="empty"),
pytest.param(
{
"CRAFT_TEST": "banana",
},
id="fake-env",
),
pytest.param(
{
"CRAFT_TEST_FRUIT": "banana",
"CRAFT_TEST_VEGETABLE": "cucumber",
},
id="multiple-entries-env",
),
],
)
def test_run_managed_secrets(
app, fake_project, fake_build_plan, fake_encoded_environment: dict[str, str], check
):
mock_provider = mock.MagicMock(spec_set=services.ProviderService)
instance = mock_provider.instance.return_value.__enter__.return_value
mock_execute = instance.execute_run
app.services.provider = mock_provider
app.project = fake_project
app._build_plan = fake_build_plan

fake_encoded_environment = {
"CRAFT_TEST": "banana",
}
app._secrets = secrets.BuildSecrets(
environment=fake_encoded_environment,
secret_strings=set(),
Expand All @@ -581,7 +599,11 @@ def test_run_managed_secrets(app, fake_project, fake_build_plan):
assert len(mock_execute.mock_calls) == 1
call = mock_execute.mock_calls[0]
execute_env = call.kwargs["env"]
assert execute_env["CRAFT_TEST"] == "banana"
for key, val in fake_encoded_environment.items():
with check:
assert execute_env[key] == val
assert key in craft_cli.emit._log_filepath.read_text()
assert val not in craft_cli.emit._log_filepath.read_text()


def test_run_managed_multiple(app, fake_project):
Expand Down

0 comments on commit 27ca53e

Please sign in to comment.