fix(build, secrets): fix secrets validation error when rendering config

Signed-off-by: Yaroslav Pershin <62902094+iapershin@users.noreply.github.com>

Author: iapershin

Diff for: go.mod

@@ -273,7 +273,7 @@ require (
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mattn/go-shellwords v1.0.12 // indirect
-	github.com/mattn/go-sqlite3 v1.14.22 // indirect
+	github.com/mattn/go-sqlite3 v2.0.1+incompatible // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mistifyio/go-zfs/v3 v3.0.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect

Diff for: go.sum

@@ -951,8 +951,8 @@ github.com/mattn/go-sqlite3 v1.6.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOq
 github.com/mattn/go-sqlite3 v1.14.0/go.mod h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71ShQilpsus=
 github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
 github.com/mattn/go-sqlite3 v1.14.7/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
-github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
-github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v2.0.1+incompatible h1:xQ15muvnzGBHpIpdrNi1DA5x0+TcBZzsIDwmw9uTHzw=
+github.com/mattn/go-sqlite3 v2.0.1+incompatible/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo=
 github.com/mattn/go-zglob v0.0.6 h1:mP8RnmCgho4oaUYDIDn6GNxYk+qJGUs8fJLn+twYj2A=
 github.com/mattn/go-zglob v0.0.6/go.mod h1:MxxjyoXXnMxfIpxTK2GAkw1w8glPsQILx3N5wrKakiY=

Diff for: pkg/build/builder/ansible.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/werf/common-go/pkg/util"
 	"github.com/werf/logboek"
+	"github.com/werf/werf/v2/pkg/build/secrets"
 	"github.com/werf/werf/v2/pkg/config"
 	"github.com/werf/werf/v2/pkg/container_backend"
 	"github.com/werf/werf/v2/pkg/container_backend/stage_builder"
@@ -247,7 +248,7 @@ func (b *Ansible) stageHostWorkDir(userStageName string) (string, error) {
 
 func (b *Ansible) addBuildSecretsVolumes(stageHostTmpDir string, fn func(string)) error {
 	for _, s := range b.secrets {
-		secretPath, err := s.GetMountPath(stageHostTmpDir)
+		secretPath, err := secrets.GetMountPath(s, stageHostTmpDir)
 		if err != nil {
 			return err
 		}

Diff for: pkg/build/builder/shell.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/werf/common-go/pkg/util"
 	"github.com/werf/logboek"
+	"github.com/werf/werf/v2/pkg/build/secrets"
 	"github.com/werf/werf/v2/pkg/config"
 	"github.com/werf/werf/v2/pkg/container_backend"
 	"github.com/werf/werf/v2/pkg/container_backend/stage_builder"
@@ -200,7 +201,7 @@ func (b *Shell) containerTmpDir() string {
 
 func (b *Shell) addBuildSecretsVolumes(stageHostTmpDir string, fn func(string)) error {
 	for _, s := range b.secrets {
-		secretPath, err := s.GetMountPath(stageHostTmpDir)
+		secretPath, err := secrets.GetMountPath(s, stageHostTmpDir)
 		if err != nil {
 			return err
 		}

Diff for: pkg/build/image/dockerfile.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/werf/common-go/pkg/util"
 	"github.com/werf/logboek"
+	"github.com/werf/werf/v2/pkg/build/secrets"
 	"github.com/werf/werf/v2/pkg/build/stage"
 	stage_instruction "github.com/werf/werf/v2/pkg/build/stage/instruction"
 	"github.com/werf/werf/v2/pkg/config"
@@ -86,6 +87,15 @@ func mapDockerfileToImagesSets(ctx context.Context, cfg *dockerfile.Dockerfile,
 		}{WerfImageName: werfImageName, Stage: stage, Level: level})
 	}
 
+	buildSecrets := make([]string, 0, len(dockerfileImageConfig.Secrets))
+	for _, s := range dockerfileImageConfig.Secrets {
+		secret, err := secrets.GetSecretStringArg(s)
+		if err != nil {
+			return nil, fmt.Errorf("unable to get build secrets: %w", err)
+		}
+		buildSecrets = append(buildSecrets, secret)
+	}
+
 	for len(queue) > 0 {
 		item := queue[0]
 		queue = queue[1:]
@@ -219,7 +229,7 @@ func mapDockerfileToImagesSets(ctx context.Context, cfg *dockerfile.Dockerfile,
 			case *dockerfile.DockerfileStageInstruction[*instructions.OnbuildCommand]:
 				stg = stage_instruction.NewOnBuild(typedInstr, dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions)
 			case *dockerfile.DockerfileStageInstruction[*instructions.RunCommand]:
-				stg = stage_instruction.NewRun(typedInstr, dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions, dockerfileImageConfig.Secrets, dockerfileImageConfig.SSH)
+				stg = stage_instruction.NewRun(typedInstr, dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions, buildSecrets, dockerfileImageConfig.SSH)
 			case *dockerfile.DockerfileStageInstruction[*instructions.ShellCommand]:
 				stg = stage_instruction.NewShell(typedInstr, dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions)
 			case *dockerfile.DockerfileStageInstruction[*instructions.StopSignalCommand]:
@@ -320,6 +330,15 @@ func mapLegacyDockerfileToImage(ctx context.Context, metaConfig *config.Meta, do
 		ProjectName:    opts.ProjectName,
 	}
 
+	buildSecrets := make([]string, 0, len(dockerfileImageConfig.Secrets))
+	for _, s := range dockerfileImageConfig.Secrets {
+		secret, err := secrets.GetSecretStringArg(s)
+		if err != nil {
+			return nil, fmt.Errorf("unable to get build secrets: %w", err)
+		}
+		buildSecrets = append(buildSecrets, secret)
+	}
+
 	imageCacheVersion := option.ValueOrDefault(dockerfileImageConfig.CacheVersion(), metaConfig.Build.CacheVersion)
 
 	dockerfileStage := stage.GenerateFullDockerfileStage(stage.NewDockerRunArgs(
@@ -332,7 +351,7 @@ func mapLegacyDockerfileToImage(ctx context.Context, metaConfig *config.Meta, do
 		dockerfileImageConfig.AddHost,
 		dockerfileImageConfig.Network,
 		dockerfileImageConfig.SSH,
-		dockerfileImageConfig.Secrets,
+		buildSecrets,
 	), ds, stage.NewContextChecksum(dockerIgnorePathMatcher), baseStageOptions, dockerfileImageConfig.Dependencies, imageCacheVersion)
 
 	img.stages = append(img.stages, dockerfileStage)

Diff for: pkg/build/secrets/build_secrets.go

@@ -0,0 +1,155 @@
+package secrets
+
+import (
+	"fmt"
+	"math"
+	"math/rand/v2"
+	"os"
+
+	"github.com/werf/common-go/pkg/util"
+	"github.com/werf/werf/v2/pkg/config"
+)
+
+type SecretFromEnv struct {
+	Id    string
+	Value string
+}
+
+type SecretFromSrc struct {
+	Id    string
+	Value string
+}
+
+type SecretFromPlainValue struct {
+	Id    string
+	Value string
+}
+
+type Secret interface {
+	GetSecretStringArg() (string, error)
+	GetMountPath(stageHostTmpDir string) (string, error)
+}
+
+func GetSecretStringArg(secret config.Secret) (string, error) {
+	s, err := parseSecret(secret)
+	if err != nil {
+		return "", fmt.Errorf("error parsing secrets: %w", err)
+	}
+	return s.GetSecretStringArg()
+}
+
+func (s *SecretFromEnv) GetSecretStringArg() (string, error) {
+	return fmt.Sprintf("id=%s,env=%s", s.Id, s.Value), nil
+}
+
+func (s *SecretFromSrc) GetSecretStringArg() (string, error) {
+	return fmt.Sprintf("id=%s,src=%s", s.Id, s.Value), nil
+}
+
+func (s *SecretFromPlainValue) GetSecretStringArg() (string, error) {
+	secret, err := s.setPlainValueAsEnv()
+	if err != nil {
+		return "", err
+	}
+	return secret.GetSecretStringArg()
+}
+
+func (s *SecretFromPlainValue) setPlainValueAsEnv() (*SecretFromEnv, error) {
+	envKey := fmt.Sprintf("tmpbuild%d_%s", rand.IntN(math.MaxInt32), s.Id) // generate unique value
+	if _, e := os.LookupEnv(envKey); e {
+		return nil, fmt.Errorf("can't set secret %s: id is not unique", s.Id) // should never be here
+	}
+
+	err := os.Setenv(envKey, s.Value)
+	if err != nil {
+		return nil, fmt.Errorf("can't set value")
+	}
+
+	return &SecretFromEnv{
+		Id:    s.Id,
+		Value: envKey,
+	}, nil
+}
+
+func GetMountPath(secret config.Secret, stageHostTmpDir string) (string, error) {
+	s, err := parseSecret(secret)
+	if err != nil {
+		return "", fmt.Errorf("unable to get secret mount path: %w", err)
+	}
+	return s.GetMountPath(stageHostTmpDir)
+}
+
+func parseSecret(secret config.Secret) (Secret, error) {
+	if secret.ValueFromEnv != "" {
+		return newSecretFromEnv(secret)
+	} else if secret.ValueFromSrc != "" {
+		return newSecretFromSrc(secret)
+	} else if secret.ValueFromPlain != "" {
+		return newSecretFromPlainValue(secret)
+	}
+	return nil, fmt.Errorf("unknown secret type")
+}
+
+func newSecretFromEnv(s config.Secret) (*SecretFromEnv, error) {
+	if _, exists := os.LookupEnv(s.ValueFromEnv); !exists {
+		return nil, fmt.Errorf("specified env variable `%s` is not set", s.ValueFromEnv)
+	}
+	return &SecretFromEnv{Id: s.Id, Value: s.ValueFromEnv}, nil
+}
+
+func newSecretFromSrc(s config.Secret) (*SecretFromSrc, error) {
+	absPath, err := util.ExpandPath(s.ValueFromSrc)
+	if err != nil {
+		return nil, fmt.Errorf("error load secret from src: %w", err)
+	}
+
+	if exists, _ := util.FileExists(absPath); !exists {
+		return nil, fmt.Errorf("error load secret from src: path %s doesn't exist", absPath)
+	}
+	return &SecretFromSrc{Id: s.Id, Value: absPath}, nil
+}
+
+func newSecretFromPlainValue(s config.Secret) (*SecretFromPlainValue, error) {
+	return &SecretFromPlainValue{Id: s.Id, Value: s.ValueFromPlain}, nil
+}
+
+func (s *SecretFromEnv) GetMountPath(stageHostTmpDir string) (string, error) {
+	data := []byte(os.Getenv(s.Value))
+	return getMountPath(s.Id, stageHostTmpDir, data)
+}
+
+func (s *SecretFromSrc) GetMountPath(stageHostTmpDir string) (string, error) {
+	return generateMountPath(s.Id, s.Value), nil
+}
+
+func (s *SecretFromPlainValue) GetMountPath(stageHostTmpDir string) (string, error) {
+	return getMountPath(s.Id, stageHostTmpDir, []byte(s.Value))
+}
+
+func getMountPath(secretId, stageHostTmpDir string, data []byte) (string, error) {
+	tmpFile, err := writeToTmpFile(stageHostTmpDir, data)
+	if err != nil {
+		return "", fmt.Errorf("unable to mount secret: %w", err)
+	}
+	return generateMountPath(secretId, tmpFile), nil
+}
+
+func writeToTmpFile(stageHostTmpDir string, data []byte) (string, error) {
+	tmpFile, err := os.CreateTemp(stageHostTmpDir, "stapel*")
+	if err != nil {
+		return "", err
+	}
+
+	tmpFilePath := tmpFile.Name()
+
+	if err := os.WriteFile(tmpFilePath, data, 0o400); err != nil {
+		return "", err
+	}
+
+	return tmpFilePath, nil
+}
+
+func generateMountPath(id, filepath string) string {
+	containerPath := fmt.Sprintf("/run/secrets/%s", id)
+	return fmt.Sprintf("%s:%s:ro", filepath, containerPath)
+}

Diff for: pkg/config/image_from_dockerfile.go

@@ -20,7 +20,7 @@ type ImageFromDockerfile struct {
 	SSH             string
 	Dependencies    []*Dependency
 	Staged          bool
-	Secrets         []string
+	Secrets         []Secret
 	ImageSpec       *ImageSpec
 
 	cacheVersion string

Diff for: pkg/config/raw_image_from_dockerfile.go

@@ -145,16 +145,7 @@ func (c *rawImageFromDockerfile) toImageFromDockerfileDirective(giterminismManag
 		return nil, err
 	}
 
-	secretsArgs := make([]string, 0, len(secrets))
-	for _, s := range secrets {
-		secret, err := s.GetSecretStringArg()
-		if err != nil {
-			return nil, err
-		}
-		secretsArgs = append(secretsArgs, secret)
-	}
-
-	image.Secrets = secretsArgs
+	image.Secrets = secrets
 
 	if c.RawImageSpec != nil {
 		image.ImageSpec = c.RawImageSpec.toDirective()

Diff for: pkg/config/raw_image_from_dockerfile_test.go

@@ -53,7 +53,7 @@ var _ = Describe("rawImageFromDockerfile", func() {
 				Name:            "image1",
 				ContextAddFiles: []string{},
 				AddHost:         []string{},
-				Secrets:         []string{},
+				Secrets:         []Secret{},
 
 				cacheVersion: "docker-cache-version",
 				platform:     []string{},

Diff for: pkg/config/raw_secrets.go

@@ -59,6 +59,6 @@ func (s *rawSecret) toDirective() (Secret, error) {
 	case s.PlainValue != "":
 		return newSecretFromPlainValue(s)
 	default:
-		return nil, newDetailedConfigError("secret should be defined as `env`, `src` or `value`", s, s.parent.getDoc())
+		return Secret{}, newDetailedConfigError("secret should be defined as `env`, `src` or `value`", s, s.parent.getDoc())
 	}
 }