Skip to content

Commit

Permalink
fix: do not log encoded secrets
Browse files Browse the repository at this point in the history
Signed-off-by: Dariusz Duda <dariusz.duda@canonical.com>
  • Loading branch information
dariuszd21 committed Dec 13, 2024
1 parent 8dae7e2 commit 19faa83
Show file tree
Hide file tree
Showing 3 changed files with 42 additions and 5 deletions.
3 changes: 3 additions & 0 deletions craft_application/application.py
Original file line number Diff line number Diff line change
Expand Up @@ -435,6 +435,9 @@ def run_managed(self, platform: str | None, build_for: str | None) -> None:
# If using build secrets, put them in the environment of the managed
# instance.
secret_values = cast(secrets.BuildSecrets, self._secrets)
# disable logging CRAFT_SECRETS value passed to the managed instance
craft_cli.emit.set_secrets(list(secret_values.environment.values()))

env.update(secret_values.environment)

extra_args["env"] = env
Expand Down
10 changes: 10 additions & 0 deletions docs/reference/changelog.rst
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,16 @@
Changelog
*********

4.7.0 (YYYY-MMM-DD)
-------------------

Application
===========

- Do not log encoded secrets in managed mode if ``build_secrets``
``AppFeature`` is enabled.


4.6.0 (2024-Dec-13)
-------------------

Expand Down
34 changes: 29 additions & 5 deletions tests/unit/test_application.py
Original file line number Diff line number Diff line change
Expand Up @@ -559,17 +559,35 @@ def test_run_managed_failure(app, fake_project, fake_build_plan):


@pytest.mark.enable_features("build_secrets")
def test_run_managed_secrets(app, fake_project, fake_build_plan):
@pytest.mark.parametrize(
"fake_encoded_environment",
[
pytest.param({}, id="empty"),
pytest.param(
{
"CRAFT_TEST": "banana",
},
id="fake-env",
),
pytest.param(
{
"CRAFT_TEST_FRUIT": "banana",
"CRAFT_TEST_VEGETABLE": "cucumber",
},
id="multiple-entries-env",
),
],
)
def test_run_managed_secrets(
app, fake_project, fake_build_plan, fake_encoded_environment: dict[str, str], check
):
mock_provider = mock.MagicMock(spec_set=services.ProviderService)
instance = mock_provider.instance.return_value.__enter__.return_value
mock_execute = instance.execute_run
app.services.provider = mock_provider
app.project = fake_project
app._build_plan = fake_build_plan

fake_encoded_environment = {
"CRAFT_TEST": "banana",
}
app._secrets = secrets.BuildSecrets(
environment=fake_encoded_environment,
secret_strings=set(),
Expand All @@ -581,7 +599,13 @@ def test_run_managed_secrets(app, fake_project, fake_build_plan):
assert len(mock_execute.mock_calls) == 1
call = mock_execute.mock_calls[0]
execute_env = call.kwargs["env"]
assert execute_env["CRAFT_TEST"] == "banana"
for secret_key, secret_val in fake_encoded_environment.items():
with check:
# value is passed to the underlying provider
assert execute_env[secret_key] == secret_val
assert secret_key in craft_cli.emit._log_filepath.read_text()
# value is not leaking in logs
assert secret_val not in craft_cli.emit._log_filepath.read_text()


def test_run_managed_multiple(app, fake_project):
Expand Down

0 comments on commit 19faa83

Please sign in to comment.