From a8c7f47b879a9727141c0fcb006bddbb33771c88 Mon Sep 17 00:00:00 2001 From: Anbraten Date: Mon, 16 Oct 2023 20:48:23 +0200 Subject: [PATCH 1/4] fix secret priority --- server/plugins/secrets/builtin.go | 2 +- server/plugins/secrets/builtin_test.go | 100 +++++++++++++++++++++++++ 2 files changed, 101 insertions(+), 1 deletion(-) create mode 100644 server/plugins/secrets/builtin_test.go diff --git a/server/plugins/secrets/builtin.go b/server/plugins/secrets/builtin.go index 98edd81f5a7..81e60633bbb 100644 --- a/server/plugins/secrets/builtin.go +++ b/server/plugins/secrets/builtin.go @@ -57,7 +57,7 @@ func (b *builtin) SecretListPipeline(repo *model.Repo, _ *model.Pipeline, p *mod {Global: true}, } { for _, secret := range s { - if secret.Global() == cond.Global && secret.Organization() == cond.Organization { + if !(secret.Global() == cond.Global && secret.Organization() == cond.Organization) { continue } if _, ok := uniq[secret.Name]; ok { diff --git a/server/plugins/secrets/builtin_test.go b/server/plugins/secrets/builtin_test.go new file mode 100644 index 00000000000..eb1ec4f6565 --- /dev/null +++ b/server/plugins/secrets/builtin_test.go @@ -0,0 +1,100 @@ +// Copyright 2023 Woodpecker Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package secrets_test + +import ( + "context" + "testing" + + "github.com/franela/goblin" + "github.com/stretchr/testify/mock" + "github.com/woodpecker-ci/woodpecker/server/model" + "github.com/woodpecker-ci/woodpecker/server/plugins/secrets" + mocks_store "github.com/woodpecker-ci/woodpecker/server/store/mocks" +) + +func TestSecretListPipeline(t *testing.T) { + g := goblin.Goblin(t) + ctx := context.Background() + mockStore := mocks_store.NewStore(t) + + // global secret + globalSecret := &model.Secret{ + ID: 1, + OrgID: 0, + RepoID: 0, + Name: "secret", + Value: "value-global", + } + + // org secret + orgSecret := &model.Secret{ + ID: 2, + OrgID: 1, + RepoID: 0, + Name: "secret", + Value: "value-org", + } + + // repo secret + repoSecret := &model.Secret{ + ID: 3, + OrgID: 1, + RepoID: 1, + Name: "secret", + Value: "value-repo", + } + + g.Describe("Priority of secrets", func() { + g.It("should get the repo secret", func() { + mockStore.On("SecretList", mock.Anything, mock.Anything, mock.Anything).Once().Return([]*model.Secret{ + globalSecret, + orgSecret, + repoSecret, + }, nil) + + s, err := secrets.New(ctx, mockStore).SecretListPipeline(&model.Repo{}, &model.Pipeline{}, &model.ListOptions{}) + g.Assert(err).IsNil() + + g.Assert(len(s)).Equal(1) + g.Assert(s[0].Value).Equal("value-repo") + }) + + g.It("should get the org secret", func() { + mockStore.On("SecretList", mock.Anything, mock.Anything, mock.Anything).Once().Return([]*model.Secret{ + globalSecret, + orgSecret, + }, nil) + + s, err := secrets.New(ctx, mockStore).SecretListPipeline(&model.Repo{}, &model.Pipeline{}, &model.ListOptions{}) + g.Assert(err).IsNil() + + g.Assert(len(s)).Equal(1) + g.Assert(s[0].Value).Equal("value-org") + }) + + g.It("should get the global secret", func() { + mockStore.On("SecretList", mock.Anything, mock.Anything, mock.Anything).Once().Return([]*model.Secret{ + globalSecret, + }, nil) + + s, err := secrets.New(ctx, mockStore).SecretListPipeline(&model.Repo{}, &model.Pipeline{}, &model.ListOptions{}) + g.Assert(err).IsNil() + + g.Assert(len(s)).Equal(1) + g.Assert(s[0].Value).Equal("value-global") + }) + }) +} From 49812748a1aa732b8d2e30f9295e3cbcfaf5aec7 Mon Sep 17 00:00:00 2001 From: Anbraten Date: Mon, 16 Oct 2023 20:50:28 +0200 Subject: [PATCH 2/4] demorgan --- server/plugins/secrets/builtin.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/plugins/secrets/builtin.go b/server/plugins/secrets/builtin.go index 81e60633bbb..548e411556b 100644 --- a/server/plugins/secrets/builtin.go +++ b/server/plugins/secrets/builtin.go @@ -57,7 +57,7 @@ func (b *builtin) SecretListPipeline(repo *model.Repo, _ *model.Pipeline, p *mod {Global: true}, } { for _, secret := range s { - if !(secret.Global() == cond.Global && secret.Organization() == cond.Organization) { + if secret.Global() != cond.Global || secret.Organization() != cond.Organization { continue } if _, ok := uniq[secret.Name]; ok { From 4273ab5ae00f1a777e70bfbf5ee8f82ca78cdd4d Mon Sep 17 00:00:00 2001 From: Anbraten Date: Mon, 16 Oct 2023 21:06:39 +0200 Subject: [PATCH 3/4] update docs --- docs/docs/20-usage/40-secrets.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/docs/docs/20-usage/40-secrets.md b/docs/docs/20-usage/40-secrets.md index 613a03fdb1e..8e7884a7642 100644 --- a/docs/docs/20-usage/40-secrets.md +++ b/docs/docs/20-usage/40-secrets.md @@ -4,6 +4,15 @@ Woodpecker provides the ability to store named parameters external to the YAML c Secrets are exposed to your pipeline steps and plugins as uppercase environment variables and can therefore be referenced in the commands section of your pipeline. +Woodpecker provides three different levels to add secrets to your pipeline. The following list shows the priority of the different levels. If a secret is defined in multiple levels, will be used following this priorities: Repository secrets > Organization secrets > Global secrets. + +1. **Repository secrets**: They are available to all pipelines of an repository. +1. **Organization secrets**: They are available to all pipelines of an organization. +1. **Global secrets**: Can be configured by an instance admin. + They are available to all pipelines of the **whole** Woodpecker instance and should therefore **only** be used for secrets that are allowed to be read by **all** users. + +## Usage + ```diff steps: docker: @@ -45,7 +54,7 @@ steps: ## Adding Secrets -Secrets are added to the Woodpecker secret store on the UI or with the CLI. +Secrets are added to the Woodpecker in the UI or with the CLI. ## Alternate Names @@ -88,7 +97,7 @@ If you enable the option "Only available for plugins", always set an image filte If you only set an image filter, you could still access the secret using the same image and by specifying a command that prints it. ::: -## Examples +## CLI Examples Create the secret using default settings. The secret will be available to all images in your pipeline, and will be available to all push, tag, and deployment events (not pull request events). From 9a53f5673131fa3461f268e6391e16b8608e0885 Mon Sep 17 00:00:00 2001 From: 6543 <6543@obermui.de> Date: Mon, 16 Oct 2023 23:08:22 +0200 Subject: [PATCH 4/4] Update docs/docs/20-usage/40-secrets.md Co-authored-by: Lauris BH --- docs/docs/20-usage/40-secrets.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/docs/20-usage/40-secrets.md b/docs/docs/20-usage/40-secrets.md index 8e7884a7642..255ac9bf2e6 100644 --- a/docs/docs/20-usage/40-secrets.md +++ b/docs/docs/20-usage/40-secrets.md @@ -7,8 +7,8 @@ Secrets are exposed to your pipeline steps and plugins as uppercase environment Woodpecker provides three different levels to add secrets to your pipeline. The following list shows the priority of the different levels. If a secret is defined in multiple levels, will be used following this priorities: Repository secrets > Organization secrets > Global secrets. 1. **Repository secrets**: They are available to all pipelines of an repository. -1. **Organization secrets**: They are available to all pipelines of an organization. -1. **Global secrets**: Can be configured by an instance admin. +2. **Organization secrets**: They are available to all pipelines of an organization. +3. **Global secrets**: Can be configured by an instance admin. They are available to all pipelines of the **whole** Woodpecker instance and should therefore **only** be used for secrets that are allowed to be read by **all** users. ## Usage