Fix BuildConfig Environment Variable Modification #19532
Conversation
openshift-ci-robot
added
the
size/M
|
/assign @bparees |
| @@ -163,8 +164,7 @@ func TestSafeForLoggingS2IConfig(t *testing.T) { | |||
| if redactedRegex.MatchString(config.ScriptDownloadProxyConfig.HTTPSProxy.String()) { | |||
| t.Errorf("credentials stripped from original scripts proxy: %v", config.ScriptDownloadProxyConfig.HTTPSProxy) | |||
| } | |||
| //checkEnvList(t, config.Environment, true) | |||
|
|
|||
| checkEnvList(t, config.Environment, true) | |||
There was a problem hiding this comment.
we should also make sure none of the other proxy fields changed in the original, e.g. ScriptDownloadProxyConfig.HTTPProxy, etc.
| } | ||
| if redactedRegex.MatchString(*proxyBuild.Spec.Source.Git.HTTPSProxy) { | ||
| t.Errorf("improperly redacted credentials in https proxy value: %s", *stripped.Spec.Source.Git.HTTPSProxy) | ||
| } |
There was a problem hiding this comment.
ah i see you're covering that here
pkg/build/util/util.go
Outdated
| newUrl := *u | ||
| newUrl.User = url.User("redacted") | ||
| return &newUrl | ||
| newURL := *u |
There was a problem hiding this comment.
Even though you added a deepcopy higher in the stack, there's no guarantee every caller to SafeForLoggingURL is coming in via that path (in fact I don't think they all are, see: SafeForLoggingS2IConfig for example)
So I think it's still important to deepcopy the url arg here, we shouldn't be mutating the input to the function.
openshift-ci-robot
added
size/L
| newUrl := *u | ||
| newUrl.User = url.User("redacted") | ||
| return &newUrl | ||
| newURL, err := url.Parse(u.String()) |
There was a problem hiding this comment.
url doesn't support DeepCopy(), so I re-parsed the string instead.
adambkaplan
force-pushed
the
bugfix/logging-modified-url
branch
2 times, most recently
from
9cfa978
to
6f37562
Compare
|
please add an explicit unit test for |
pkg/build/util/util_test.go
Outdated
| func TestSafeForLoggingURL(t *testing.T) { | ||
| cases := []string{ | ||
| "https://user:password@hostname.com", | ||
| "https://www.redhat.com", |
There was a problem hiding this comment.
Explicit unit test for SafeForLoggingURL - other cases to add?
There was a problem hiding this comment.
(sorry if these were here before and i missed them)
|
/retest |
|
@bparees done & tests passing |
pkg/build/util/util_test.go
Outdated
| @@ -188,7 +189,7 @@ func checkEnvList(t *testing.T, envs s2iapi.EnvironmentList, orig bool) { | |||
| if credsRegex.MatchString(env.Value) { | |||
| t.Errorf("credentials not stripped from env value %v", env) | |||
| } | |||
| if !redactedRegex.MatchString(env.Value) { | |||
| if isURL(env.Value) && urlStringHasPassword(env.Value) && !redactedRegex.MatchString(env.Value) { | |||
There was a problem hiding this comment.
isn't urlStringHasPassword always going to be false if the redaction worked, so the redactedRegex check will never happen?
There was a problem hiding this comment.
good catch. The redacted regex won't run in this case, but we are assured that the url string doesn't contain a password (may have a username)
There was a problem hiding this comment.
just removing the redactedRegex check is probably fine. I dno't want to leave it there to potentially confuse someone in the future though.
or you can go for bonus points and fix the logic to actually invoke that check.
|
one last question |
|
and go ahead and squash your commits |
adambkaplan
force-pushed
the
bugfix/logging-modified-url
branch
from
07b514f
to
a8f4226
Compare
There was a problem hiding this comment.
@bparees squashed & rebased. Please see my comment re: source-to-image.
| if reflect.DeepEqual(url, outURL) { | ||
| t.Errorf("url %v was not properly redacted", outURL) | ||
| } | ||
| if !redactedRegex.MatchString(outURL.String()) { |
There was a problem hiding this comment.
Moved explicit check for "redacted" string here.
| @@ -238,17 +239,23 @@ func SafeForLoggingURL(u *url.URL) *url.URL { | |||
| if u == nil { | |||
| return nil | |||
| } | |||
| newUrl := *u | |||
| newUrl.User = url.User("redacted") | |||
There was a problem hiding this comment.
source-to-image has a similar SafeForLoggingURL method, which parses an input string and always adds the "redacted" user (even if there is no user info on the URL). Worth adding this logic to s2i as well?
There was a problem hiding this comment.
the logic that only manipulates the value if a password is set? I suppose, not critical, vendoring the change definitely doesn't need to be part of this PR.
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan, bparees The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/retest |
|
/retest |
|
/retest because of known HAProxy flake |
adambkaplan
force-pushed
the
bugfix/logging-modified-url
branch
from
a8f4226
to
51b3047
Compare
|
/retest |
|
@bparees needs lgtm - I rebased to bring in @gabemontero fix with test runs. |
|
@adambkaplan fyi you shouldn't need to rebase for that, your PR is always merged/rebased on top of master before being tested. /lgtm |
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest |
Fixes bug BZ-1571349