Mask values in assignment expressions (#17)

cloudposse-archives · Jun 20, 2020 · 0198f5e · 0198f5e
1 parent 0c7da96
commit 0198f5e
Show file tree

Hide file tree

Showing 2 changed files with 97 additions and 2 deletions.
diff --git a/main.go b/main.go
@@ -24,10 +24,19 @@ type match struct {
 	postfix            string
 }
 
+type keyValueMatch struct {
+	leadingWhitespace        string
+	property                 string
+	trailingWhitespaceBefore string
+	trailingWhitespaceAfter  string
+	oldValue                 string
+}
+
 type expression struct {
 	planStatusRegex         *regexp.Regexp
 	reTfPlanLine            *regexp.Regexp
 	reTfPlanCurrentResource *regexp.Regexp
+	reMapKeyPair            *regexp.Regexp
 	resourceIndex           int
 	assign                  string
 	operator                string
@@ -58,6 +67,9 @@ var versionedExpressions = map[string]expression{
 		reTfPlanCurrentResource: regexp.MustCompile(
 			"^([~/+-]+) (.*?) +(.*)$",
 		),
+		reMapKeyPair: regexp.MustCompile(
+			"(?i)^(\\s+(?:[~+-] )?)\"(.*)\"(\\s+)=(\\s+)\"(.*)\"$",
+		),
 		resourceIndex: 2,
 		assign:        ":",
 		operator:      "=>",
@@ -72,6 +84,9 @@ var versionedExpressions = map[string]expression{
 		reTfPlanCurrentResource: regexp.MustCompile(
 			"^([~/+-]+) (.*?) +(.*) (.*) (.*)$",
 		),
+		reMapKeyPair: regexp.MustCompile(
+			"(?i)^(\\s+(?:[~+-] )?)\"(.*)\"(\\s+)=(\\s+)\"(.*)\"$",
+		),
 		resourceIndex: 3,
 		assign:        "=",
 		operator:      "->",
@@ -90,14 +105,14 @@ func main() {
 	var tfmaskResourceRegex = getEnv("TFMASK_RESOURCES_REGEX",
 		"(?i)^(random_id|random_string).*$")
 
-	// Default to tf 0.11, but users can override
+	// Default to tf 0.12, but users can override
 	var tfenv = getEnv("TFENV", "0.12")
 
 	reTfValues := regexp.MustCompile(tfmaskValuesRegex)
 	reTfResource := regexp.MustCompile(tfmaskResourceRegex)
 	scanner := bufio.NewScanner(os.Stdin)
 	versionedExpressions := versionedExpressions[tfenv]
-	// initialise currentResource once before scanning
+	// initialize currentResource once before scanning
 	currentResource := ""
 	for scanner.Scan() {
 		line := scanner.Text()
@@ -125,6 +140,7 @@ func getCurrentResource(expression expression, currentResource, line string) str
 		match := reTfApplyCurrentResource.FindStringSubmatch(line)
 		currentResource = match[1]
 	}
+
 	return currentResource
 }
 
@@ -138,6 +154,9 @@ func processLine(expression expression, reTfResource,
 		line = planLine(expression.reTfPlanLine, reTfResource, reTfValues,
 			currentResource, tfmaskChar, expression.assign,
 			expression.operator, line)
+	} else if expression.reMapKeyPair.MatchString(line) {
+		line = assignmentLine(expression.reMapKeyPair, reTfValues,
+			tfmaskChar, line)
 	}
 	return line
 }
@@ -170,6 +189,17 @@ func matchFromLine(reTfPlanLine *regexp.Regexp, line string) match {
 	}
 }
 
+func matchFromAssignment(reMapKeyPair *regexp.Regexp, line string) keyValueMatch {
+	subMatch := reMapKeyPair.FindStringSubmatch(line)
+	return keyValueMatch{
+		leadingWhitespace:        subMatch[1],
+		property:                 subMatch[2],
+		trailingWhitespaceBefore: subMatch[3],
+		trailingWhitespaceAfter:  subMatch[4],
+		oldValue:                 subMatch[5],
+	}
+}
+
 func planLine(reTfPlanLine, reTfResource, reTfValues *regexp.Regexp,
 	currentResource, tfmaskChar, assign, operator, line string) string {
 	match := matchFromLine(reTfPlanLine, line)
@@ -188,6 +218,20 @@ func planLine(reTfPlanLine, reTfResource, reTfValues *regexp.Regexp,
 	return line
 }
 
+func assignmentLine(reMapKeyPair, reTfValues *regexp.Regexp, tfmaskChar, line string) string {
+	match := matchFromAssignment(reMapKeyPair, line)
+	if reTfValues.MatchString(match.property) {
+		maskedValue := maskValue(match.oldValue, tfmaskChar)
+		line = fmt.Sprintf("%v\"%v\"%v=%v\"%v\"",
+			match.leadingWhitespace,
+			match.property,
+			match.trailingWhitespaceBefore,
+			match.trailingWhitespaceAfter,
+			maskedValue)
+	}
+	return line
+}
+
 func maskValue(value, tfmaskChar string) string {
 	exclusions := []string{"sensitive", "computed", "<computed",
 		"known after apply"}

diff --git a/main_test.go b/main_test.go
@@ -167,3 +167,54 @@ func TestMaskValue(t *testing.T) {
 		}
 	}
 }
+
+var assignmentTests = []struct {
+	line           string
+	expectedResult string
+	minorVersion   string
+}{
+	// tf 0.12 ------------------------------------
+	{
+		" + \"foo_secret\" = \"123456\"",
+		" + \"foo_secret\" = \"******\"",
+		"0.12",
+	},
+	{
+		" - \"foo_secret\" = \"123456\"",
+		" - \"foo_secret\" = \"******\"",
+		"0.12",
+	},
+	{
+		" ~ \"foo_secret\" = \"123456\"",
+		" ~ \"foo_secret\" = \"******\"",
+		"0.12",
+	},
+	{
+		" ~ \"foo\" = \"123456\"",
+		" ~ \"foo\" = \"123456\"",
+		"0.12",
+	},
+	{
+		" \"foo_secret\" = \"123456\"",
+		" \"foo_secret\" = \"******\"",
+		"0.12",
+	},
+}
+
+func TestAssignmentLine(t *testing.T) {
+	// Character used to mask sensitive output
+	var tfmaskChar = "*"
+	// Pattern representing sensitive output
+	var tfmaskValuesRegex = "(?i)^.*(oauth|secret|token|password|key|result|id).*$"
+	reTfValues := regexp.MustCompile(tfmaskValuesRegex)
+
+	for _, assignmentTest := range assignmentTests {
+		result := assignmentLine(
+			versionedExpressions[assignmentTest.minorVersion].reMapKeyPair,
+			reTfValues, tfmaskChar,
+			assignmentTest.line)
+		if result != assignmentTest.expectedResult {
+			t.Errorf("Got %s, want %s", result, assignmentTest.expectedResult)
+		}
+	}
+}