Merge pull request from GHSA-4jhj-3gv3-c3gr

* fix(secrets): add support for substitute adds support for substitute on secrets. also improves default values for 'commands' and 'substitution'. previously, both were set to 'true' by default. with the change, they mimic the server defaults when the flag for either was not used. * better words * when defaulted to true you can still check if flag was passed * pointer bool to parse non input * address feedback * upgrade other pkgs --------- Co-authored-by: ecrupper <easton.crupper12@gmail.com>
go-vela · Mar 12, 2024 · 0349a20 · 0349a20
1 parent 466fd18
commit 0349a20
Show file tree

Hide file tree

Showing 10 changed files with 193 additions and 135 deletions.
diff --git a/action/secret/add.go b/action/secret/add.go
@@ -50,15 +50,16 @@ func (c *Config) Add(client *vela.Client) error {
 	//
 	// https://pkg.go.dev/github.com/go-vela/types/library?tab=doc#Secret
 	s := &library.Secret{
-		Type:         &c.Type,
-		Org:          &c.Org,
-		Repo:         &c.Repo,
-		Team:         &c.Team,
-		Name:         &c.Name,
-		Value:        &c.Value,
-		Images:       &c.Images,
-		Events:       &c.Events,
-		AllowCommand: &c.AllowCommand,
+		Type:              &c.Type,
+		Org:               &c.Org,
+		Repo:              &c.Repo,
+		Team:              &c.Team,
+		Name:              &c.Name,
+		Value:             &c.Value,
+		Images:            &c.Images,
+		Events:            &c.Events,
+		AllowCommand:      c.AllowCommand,
+		AllowSubstitution: c.AllowSubstitution,
 	}
 
 	logrus.Tracef("adding secret %s/%s/%s/%s/%s", c.Engine, c.Type, c.Org, name, c.Name)
@@ -139,18 +140,19 @@ func (c *Config) AddFromFile(client *vela.Client) error {
 			//
 			// https://pkg.go.dev/github.com/go-vela/cli/action/secret?tab=doc#Config
 			s := &Config{
-				Action:       "add",
-				Engine:       f.Metadata.Engine,
-				Type:         s.GetType(),
-				Org:          s.GetOrg(),
-				Repo:         s.GetRepo(),
-				Team:         s.GetTeam(),
-				Name:         s.GetName(),
-				Value:        s.GetValue(),
-				Images:       s.GetImages(),
-				Events:       s.GetEvents(),
-				AllowCommand: s.GetAllowCommand(),
-				Output:       c.Output,
+				Action:            "add",
+				Engine:            f.Metadata.Engine,
+				Type:              s.GetType(),
+				Org:               s.GetOrg(),
+				Repo:              s.GetRepo(),
+				Team:              s.GetTeam(),
+				Name:              s.GetName(),
+				Value:             s.GetValue(),
+				Images:            s.GetImages(),
+				Events:            s.GetEvents(),
+				AllowCommand:      s.AllowCommand,
+				AllowSubstitution: s.AllowSubstitution,
+				Output:            c.Output,
 			}
 
 			// validate secret configuration

diff --git a/action/secret/secret.go b/action/secret/secret.go
@@ -13,21 +13,22 @@ import (
 // Config represents the configuration necessary
 // to perform secret related requests with Vela.
 type Config struct {
-	Action       string
-	Engine       string
-	Type         string
-	Org          string
-	Repo         string
-	Team         string
-	Name         string
-	Value        string
-	Images       []string
-	Events       []string
-	AllowCommand bool
-	File         string
-	Page         int
-	PerPage      int
-	Output       string
+	Action            string
+	Engine            string
+	Type              string
+	Org               string
+	Repo              string
+	Team              string
+	Name              string
+	Value             string
+	Images            []string
+	Events            []string
+	AllowCommand      *bool
+	AllowSubstitution *bool
+	File              string
+	Page              int
+	PerPage           int
+	Output            string
 }
 
 // setValue is a helper function to check if the value

diff --git a/action/secret/table.go b/action/secret/table.go
@@ -91,7 +91,7 @@ func wideTable(secrets *[]library.Secret) error {
 	// set of secret fields we display in a wide table
 	//
 	// https://pkg.go.dev/github.com/gosuri/uitable?tab=doc#Table.AddRow
-	table.AddRow("NAME", "ORG", "TYPE", "KEY", "EVENTS", "IMAGES")
+	table.AddRow("NAME", "ORG", "TYPE", "KEY", "EVENTS", "IMAGES", "ALLOW COMMANDS", "ALLOW SUBSTITUTION")
 
 	// iterate through all secrets in the list
 	for _, s := range *secrets {
@@ -111,7 +111,7 @@ func wideTable(secrets *[]library.Secret) error {
 		// add a row to the table with the specified values
 		//
 		// https://pkg.go.dev/github.com/gosuri/uitable?tab=doc#Table.AddRow
-		table.AddRow(s.GetName(), s.GetOrg(), s.GetType(), k, e, i)
+		table.AddRow(s.GetName(), s.GetOrg(), s.GetType(), k, e, i, s.GetAllowCommand(), s.GetAllowSubstitution())
 	}
 
 	// output the wide table in stdout format

diff --git a/action/secret/table_test.go b/action/secret/table_test.go
@@ -68,6 +68,8 @@ func TestSecret_wideTable(t *testing.T) {
 	s3.SetRepo("")
 	s3.SetTeam("octokitties")
 	s3.SetType("shared")
+	s3.SetAllowCommand(false)
+	s3.SetAllowSubstitution(false)
 
 	// setup tests
 	tests := []struct {
@@ -117,6 +119,7 @@ func testSecret() *library.Secret {
 	s.SetImages([]string{"alpine"})
 	s.SetEvents([]string{"push", "tag", "deployment"})
 	s.SetAllowCommand(true)
+	s.SetAllowSubstitution(true)
 
 	return s
 }
diff --git a/action/secret/update.go b/action/secret/update.go
@@ -50,15 +50,16 @@ func (c *Config) Update(client *vela.Client) error {
 	//
 	// https://pkg.go.dev/github.com/go-vela/types/library?tab=doc#Secret
 	s := &library.Secret{
-		Type:         &c.Type,
-		Org:          &c.Org,
-		Repo:         &c.Repo,
-		Team:         &c.Team,
-		Name:         &c.Name,
-		Value:        &c.Value,
-		Images:       &c.Images,
-		Events:       &c.Events,
-		AllowCommand: &c.AllowCommand,
+		Type:              &c.Type,
+		Org:               &c.Org,
+		Repo:              &c.Repo,
+		Team:              &c.Team,
+		Name:              &c.Name,
+		Value:             &c.Value,
+		Images:            &c.Images,
+		Events:            &c.Events,
+		AllowCommand:      c.AllowCommand,
+		AllowSubstitution: c.AllowSubstitution,
 	}
 
 	logrus.Tracef("modifying secret %s/%s/%s/%s/%s", c.Engine, c.Type, c.Org, name, c.Name)
@@ -139,18 +140,19 @@ func (c *Config) UpdateFromFile(client *vela.Client) error {
 			//
 			// https://pkg.go.dev/github.com/go-vela/cli/action/secret?tab=doc#Config
 			s := &Config{
-				Action:       "update",
-				Engine:       f.Metadata.Engine,
-				Type:         s.GetType(),
-				Org:          s.GetOrg(),
-				Repo:         s.GetRepo(),
-				Team:         s.GetTeam(),
-				Name:         s.GetName(),
-				Value:        s.GetValue(),
-				Images:       s.GetImages(),
-				Events:       s.GetEvents(),
-				AllowCommand: s.GetAllowCommand(),
-				Output:       c.Output,
+				Action:            "update",
+				Engine:            f.Metadata.Engine,
+				Type:              s.GetType(),
+				Org:               s.GetOrg(),
+				Repo:              s.GetRepo(),
+				Team:              s.GetTeam(),
+				Name:              s.GetName(),
+				Value:             s.GetValue(),
+				Images:            s.GetImages(),
+				Events:            s.GetEvents(),
+				AllowCommand:      s.AllowCommand,
+				AllowSubstitution: s.AllowSubstitution,
+				Output:            c.Output,
 			}
 
 			// validate secret configuration

diff --git a/command/secret/add.go b/command/secret/add.go
@@ -4,6 +4,7 @@ package secret
 
 import (
 	"fmt"
+	"slices"
 
 	"github.com/go-vela/cli/action"
 	"github.com/go-vela/cli/action/secret"
@@ -91,9 +92,16 @@ var CommandAdd = &cli.Command{
 		},
 		&cli.StringFlag{
 			EnvVars: []string{"VELA_COMMAND", "SECRET_COMMAND"},
-			Name:    "commands",
+			Name:    internal.FlagSecretCommands,
 			Aliases: []string{"c"},
-			Usage:   "enable a secret to be used for a step with commands",
+			Usage:   "enable a secret to be used for a step with commands (default is false for shared secrets)",
+			Value:   "true",
+		},
+		&cli.StringFlag{
+			EnvVars: []string{"VELA_SUBSTITUTION", "SECRET_SUBSTITUTION"},
+			Name:    internal.FlagSecretSubstitution,
+			Aliases: []string{"s"},
+			Usage:   "enable a secret to be substituted (default is false for shared secrets)",
 			Value:   "true",
 		},
 		&cli.StringFlag{
@@ -114,24 +122,26 @@ var CommandAdd = &cli.Command{
 	},
 	CustomHelpTemplate: fmt.Sprintf(`%s
 EXAMPLES:
-  1. Add a repository secret.
-    $ {{.HelpName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value bar
-  2. Add an organization secret.
-    $ {{.HelpName}} --secret.engine native --secret.type org --org MyOrg --name foo --value bar
-  3. Add a shared secret.
-    $ {{.HelpName}} --secret.engine native --secret.type shared --org MyOrg --team octokitties --name foo --value bar
-  4. Add a repository secret with all event types enabled.
+   1. Add a repository secret.
+     $ {{.HelpName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value bar
+   2. Add a repository secret and disallow usage in commands.
+     $ {{.HelpName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value bar --commands false
+   3. Add an organization secret.
+     $ {{.HelpName}} --secret.engine native --secret.type org --org MyOrg --name foo --value bar
+   4. Add a shared secret.
+     $ {{.HelpName}} --secret.engine native --secret.type shared --org MyOrg --team octokitties --name foo --value bar
+   5. Add a repository secret with all event types enabled.
      $ {{.HelpName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value bar --event comment --event deployment --event pull_request --event push --event tag
-  5. Add a repository secret with an image whitelist.
-    $ {{.HelpName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value bar --image alpine --image golang:* --image postgres:latest
-  6. Add a secret with value from a file.
-    $ {{.HelpName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value @secret.txt
-  7. Add a repository secret with json output.
-    $ {{.HelpName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value bar --output json
-  8. Add a secret or secrets from a file.
-    $ {{.HelpName}} --file secret.yml
-  9. Add a secret when config or environment variables are set.
-    $ {{.HelpName}} --org MyOrg --repo MyRepo --name foo --value bar
+   6. Add a repository secret with an image whitelist.
+     $ {{.HelpName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value bar --image alpine --image golang:* --image postgres:latest
+   7. Add a secret with value from a file.
+     $ {{.HelpName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value @secret.txt
+   8. Add a repository secret with json output.
+     $ {{.HelpName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value bar --output json
+   9. Add a secret or secrets from a file.
+     $ {{.HelpName}} --file secret.yml
+  10. Add a secret when config or environment variables are set.
+     $ {{.HelpName}} --org MyOrg --repo MyRepo --name foo --value bar
 
 DOCUMENTATION:
 
@@ -162,19 +172,30 @@ func add(c *cli.Context) error {
 	//
 	// https://pkg.go.dev/github.com/go-vela/cli/action/secret?tab=doc#Config
 	s := &secret.Config{
-		Action:       internal.ActionAdd,
-		Engine:       c.String(internal.FlagSecretEngine),
-		Type:         c.String(internal.FlagSecretType),
-		Org:          c.String(internal.FlagOrg),
-		Repo:         c.String(internal.FlagRepo),
-		Team:         c.String("team"),
-		Name:         c.String("name"),
-		Value:        c.String("value"),
-		AllowCommand: c.Bool("commands"),
-		Images:       c.StringSlice("image"),
-		Events:       c.StringSlice("event"),
-		File:         c.String("file"),
-		Output:       c.String(internal.FlagOutput),
+		Action: internal.ActionAdd,
+		Engine: c.String(internal.FlagSecretEngine),
+		Type:   c.String(internal.FlagSecretType),
+		Org:    c.String(internal.FlagOrg),
+		Repo:   c.String(internal.FlagRepo),
+		Team:   c.String("team"),
+		Name:   c.String("name"),
+		Value:  c.String("value"),
+		Images: c.StringSlice("image"),
+		Events: c.StringSlice("event"),
+		File:   c.String("file"),
+		Output: c.String(internal.FlagOutput),
+	}
+
+	// check if allow_command and allow_substitution are provided
+	// if they are not, server will not update the fields
+	if slices.Contains(c.FlagNames(), internal.FlagSecretCommands) {
+		val := c.Bool(internal.FlagSecretCommands)
+		s.AllowCommand = &val
+	}
+
+	if slices.Contains(c.FlagNames(), internal.FlagSecretSubstitution) {
+		val := c.Bool(internal.FlagSecretSubstitution)
+		s.AllowSubstitution = &val
 	}
 
 	// validate secret configuration