Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
12 changed files
with
335 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
// Jest Snapshot v1, https://goo.gl/fbAQLP | ||
|
||
exports[`config/secrets applySecretsToConfig(config) replaces secrets in a array of objects 1`] = ` | ||
Object { | ||
"hostRules": Array [ | ||
Object { | ||
"hostType": "npm", | ||
"token": "abc123==", | ||
}, | ||
], | ||
} | ||
`; | ||
|
||
exports[`config/secrets applySecretsToConfig(config) replaces secrets in a array of strings 1`] = ` | ||
Object { | ||
"allowedManagers": Array [ | ||
"npm", | ||
], | ||
} | ||
`; | ||
|
||
exports[`config/secrets applySecretsToConfig(config) replaces secrets in a subobject 1`] = ` | ||
Object { | ||
"npm": Object { | ||
"npmToken": "abc123==", | ||
}, | ||
} | ||
`; | ||
|
||
exports[`config/secrets applySecretsToConfig(config) replaces secrets in the top level 1`] = ` | ||
Object { | ||
"npmToken": "abc123==", | ||
} | ||
`; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,101 @@ | ||
import { defaultConfig, getName } from '../../test/util'; | ||
import { | ||
CONFIG_SECRETS_INVALID, | ||
CONFIG_VALIDATION, | ||
} from '../constants/error-messages'; | ||
import { applySecretsToConfig, validateConfigSecrets } from './secrets'; | ||
|
||
describe(getName(__filename), () => { | ||
describe('validateConfigSecrets(config)', () => { | ||
it('works with default config', () => { | ||
expect(() => validateConfigSecrets(defaultConfig)).not.toThrow(); | ||
}); | ||
it('returns if no secrets', () => { | ||
expect(validateConfigSecrets({})).toBeUndefined(); | ||
}); | ||
it('throws if secrets is not an object', () => { | ||
expect(() => validateConfigSecrets({ secrets: 'hello' } as any)).toThrow( | ||
CONFIG_SECRETS_INVALID | ||
); | ||
}); | ||
it('throws for invalid secret names', () => { | ||
expect(() => | ||
validateConfigSecrets({ secrets: { '123': 'abc' } }) | ||
).toThrow(CONFIG_SECRETS_INVALID); | ||
}); | ||
it('throws for non-string secret', () => { | ||
expect(() => | ||
validateConfigSecrets({ secrets: { abc: 123 } } as any) | ||
).toThrow(CONFIG_SECRETS_INVALID); | ||
}); | ||
it('throws for secrets inside repositories', () => { | ||
expect(() => | ||
validateConfigSecrets({ | ||
repositories: [ | ||
{ repository: 'abc/def', secrets: { abc: 123 } }, | ||
] as any, | ||
}) | ||
).toThrow(CONFIG_SECRETS_INVALID); | ||
}); | ||
}); | ||
|
||
describe('applySecretsToConfig(config)', () => { | ||
it('works with default config', () => { | ||
expect(() => applySecretsToConfig(defaultConfig)).not.toThrow(); | ||
}); | ||
|
||
it('throws if disallowed field is used', () => { | ||
const config = { | ||
prTitle: '{{ secrets.ARTIFACTORY_TOKEN }}', | ||
secrets: { | ||
ARTIFACTORY_TOKEN: 'abc123==', | ||
}, | ||
}; | ||
expect(() => applySecretsToConfig(config)).toThrow(CONFIG_VALIDATION); | ||
}); | ||
it('throws if an unknown secret is used', () => { | ||
const config = { | ||
npmToken: '{{ secrets.ARTIFACTORY_TOKEN }}', | ||
}; | ||
expect(() => applySecretsToConfig(config)).toThrow(CONFIG_VALIDATION); | ||
}); | ||
it('replaces secrets in the top level', () => { | ||
const config = { | ||
secrets: { ARTIFACTORY_TOKEN: 'abc123==' }, | ||
npmToken: '{{ secrets.ARTIFACTORY_TOKEN }}', | ||
}; | ||
const res = applySecretsToConfig(config); | ||
expect(res).toMatchSnapshot(); | ||
expect(Object.keys(res)).not.toContain('secrets'); | ||
}); | ||
it('replaces secrets in a subobject', () => { | ||
const config = { | ||
secrets: { ARTIFACTORY_TOKEN: 'abc123==' }, | ||
npm: { npmToken: '{{ secrets.ARTIFACTORY_TOKEN }}' }, | ||
}; | ||
const res = applySecretsToConfig(config); | ||
expect(res).toMatchSnapshot(); | ||
expect(Object.keys(res)).not.toContain('secrets'); | ||
}); | ||
it('replaces secrets in a array of objects', () => { | ||
const config = { | ||
secrets: { ARTIFACTORY_TOKEN: 'abc123==' }, | ||
hostRules: [ | ||
{ hostType: 'npm', token: '{{ secrets.ARTIFACTORY_TOKEN }}' }, | ||
], | ||
}; | ||
const res = applySecretsToConfig(config); | ||
expect(res).toMatchSnapshot(); | ||
expect(Object.keys(res)).not.toContain('secrets'); | ||
}); | ||
it('replaces secrets in a array of strings', () => { | ||
const config = { | ||
secrets: { SECRET_MANAGER: 'npm' }, | ||
allowedManagers: ['{{ secrets.SECRET_MANAGER }}'], | ||
}; | ||
const res = applySecretsToConfig(config); | ||
expect(res).toMatchSnapshot(); | ||
expect(Object.keys(res)).not.toContain('secrets'); | ||
}); | ||
}); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,124 @@ | ||
import is from '@sindresorhus/is'; | ||
import { | ||
CONFIG_SECRETS_INVALID, | ||
CONFIG_VALIDATION, | ||
} from '../constants/error-messages'; | ||
import { logger } from '../logger'; | ||
import { regEx } from '../util/regex'; | ||
import { add } from '../util/sanitize'; | ||
import { GlobalConfig, RenovateConfig } from './types'; | ||
|
||
const secretNamePattern = '[A-Za-z][A-Za-z0-9_]*'; | ||
|
||
const secretNameRegex = regEx(`^${secretNamePattern}$`); | ||
const secretTemplateRegex = regEx(`{{ secrets\\.(${secretNamePattern}) }}`); | ||
|
||
function validateSecrets(secrets_: unknown): void { | ||
if (!secrets_) { | ||
return; | ||
} | ||
const validationErrors: string[] = []; | ||
if (is.plainObject(secrets_)) { | ||
for (const [secretName, secretValue] of Object.entries(secrets_)) { | ||
if (!secretNameRegex.test(secretName)) { | ||
validationErrors.push(`Invalid secret name "${secretName}"`); | ||
} | ||
if (!is.string(secretValue)) { | ||
validationErrors.push( | ||
`Secret values must be strings. Found type ${typeof secretValue} for secret ${secretName}` | ||
); | ||
} | ||
} | ||
} else { | ||
validationErrors.push( | ||
`Config secrets must be a plain object. Found: ${typeof secrets_}` | ||
); | ||
} | ||
if (validationErrors.length) { | ||
logger.error({ validationErrors }, 'Invalid secrets configured'); | ||
throw new Error(CONFIG_SECRETS_INVALID); | ||
} | ||
} | ||
|
||
export function validateConfigSecrets(config: GlobalConfig): void { | ||
validateSecrets(config.secrets); | ||
if (config.repositories) { | ||
for (const repository of config.repositories) { | ||
if (is.plainObject(repository)) { | ||
validateSecrets(repository.secrets); | ||
} | ||
} | ||
} | ||
} | ||
|
||
function replaceSecretsInString( | ||
key: string, | ||
value: string, | ||
secrets: Record<string, string> | ||
): string { | ||
// do nothing if no secret template found | ||
if (!secretTemplateRegex.test(value)) { | ||
return value; | ||
} | ||
|
||
const disallowedPrefixes = ['branch', 'commit', 'group', 'pr', 'semantic']; | ||
if (disallowedPrefixes.some((prefix) => key.startsWith(prefix))) { | ||
const error = new Error(CONFIG_VALIDATION); | ||
error.configFile = 'config'; | ||
error.validationError = 'Disallowed secret substitution'; | ||
error.validationMessage = `The field ${key} may not use secret substitution`; | ||
throw error; | ||
} | ||
return value.replace(secretTemplateRegex, (_, secretName) => { | ||
if (secrets[secretName]) { | ||
return secrets[secretName]; | ||
} | ||
const error = new Error(CONFIG_VALIDATION); | ||
error.configFile = 'config'; | ||
error.validationError = 'Unknown secret name'; | ||
error.validationMessage = `The following secret name was not found in config: ${String( | ||
secretName | ||
)}`; | ||
throw error; | ||
}); | ||
} | ||
|
||
function replaceSecretsinObject( | ||
config_: RenovateConfig, | ||
secrets: Record<string, string> = {} | ||
): RenovateConfig { | ||
const config = { ...config_ }; | ||
delete config.secrets; | ||
for (const [key, value] of Object.entries(config)) { | ||
if (is.plainObject(value)) { | ||
config[key] = replaceSecretsinObject(value, secrets); | ||
} | ||
if (is.string(value)) { | ||
config[key] = replaceSecretsInString(key, value, secrets); | ||
} | ||
if (is.array(value)) { | ||
for (const [arrayIndex, arrayItem] of value.entries()) { | ||
if (is.plainObject(arrayItem)) { | ||
config[key][arrayIndex] = replaceSecretsinObject(arrayItem, secrets); | ||
} else if (is.string(arrayItem)) { | ||
config[key][arrayIndex] = replaceSecretsInString( | ||
key, | ||
arrayItem, | ||
secrets | ||
); | ||
} | ||
} | ||
} | ||
} | ||
return config; | ||
} | ||
|
||
export function applySecretsToConfig(config: RenovateConfig): RenovateConfig { | ||
// Add all secrets to be sanitized | ||
if (is.plainObject(config.secrets)) { | ||
for (const secret of Object.values(config.secrets)) { | ||
add(String(secret)); | ||
} | ||
} | ||
return replaceSecretsinObject(config, config.secrets); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.