Merge pull request from GHSA-wqq8-664f-54hh
* test(core): verify that JobRequest.maskedTokenizedCommand really masks

* feat(core): add aws.bakery-defaults.maskedPackerParameters configuration parameter

with the default value [ 'aws_access_key', 'aws_secret_key' ], matching the variable names AWSBakeHandler passes to packer, so that these credential values are masked by default in the job's displayed command.
dbyron-sf committed Dec 8, 2022
1 parent f1e67be commit 577d19c
Showing 4 changed files with 39 additions and 6 deletions.
Expand Up @@ -231,6 +231,11 @@ public class AWSBakeHandler extends CloudProviderBakeHandler {
return new Bake(id: bakeId, ami: amiId, image_name: imageName, artifacts: artifacts)
}

@Override
List<String> getMaskedPackerParameters() {
return awsBakeryDefaults.maskedPackerParameters
}

private String lookupAmiByName(String name, String region, String account, VmType vmType, boolean mostRecent) {
def images = AuthenticatedRequest.allowAnonymous(
{
Expand All @@ -247,7 +252,7 @@ public class AWSBakeHandler extends CloudProviderBakeHandler {
} else {
image = images?.find { it.attributes.virtualizationType == vmType }
}

return image?.amis?.get(region)?.first()
}
}
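Review bot: The new `getMaskedPackerParameters()` override returns `awsBakeryDefaults.maskedPackerParameters` unguarded, so if an operator blanks `aws.bakery-defaults.maskedPackerParameters` in YAML the handler presumably hands back null rather than an empty list, and whether masking then degrades safely depends on how the consumer of the list treats null, which this commit does not show. Returning `awsBakeryDefaults.maskedPackerParameters ?: []` keeps the contract a non-null list. The override also carries no documentation; a comment such as `/** Names of packer -var parameters whose values are replaced in the masked copy of the job command (configured via aws.bakery-defaults.maskedPackerParameters). */` would tell the next maintainer that masking is keyed by variable name and that any additional credential variable this handler forwards must be listed there. The rest of AWSBakeHandler is outside the hunk.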
Expand Up @@ -58,6 +58,7 @@ class RoscoAWSConfiguration {
String templateFile
BakeRequest.VmType defaultVirtualizationType
List<AWSOperatingSystemVirtualizationSettings> baseImages = []
List<String> maskedPackerParameters = [ 'aws_access_key', 'aws_secret_key' ]
}

static class AWSOperatingSystemVirtualizationSettings {
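Review bot: The default on `maskedPackerParameters` is a whole-list value, so an operator who sets `aws.bakery-defaults.maskedPackerParameters` in configuration in order to add one more name will, under the usual list binding, replace the defaults and silently stop masking `aws_access_key` and `aws_secret_key`; that is worth saying on the field. A comment such as `// Packer -var names masked in the job's displayed command; setting this in config replaces the defaults, so re-list the credentials.` would document it. Nothing ties this list to the variables AWSBakeHandler actually passes, so if the handler later forwards another credential-bearing -var it must be added here by hand. The enclosing AWSBakeryDefaults class starts outside the hunk.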
Expand Up @@ -1441,6 +1441,32 @@ class AWSBakeHandlerSpec extends Specification implements TestDefaults {
1 * packerCommandFactoryMock.buildPackerCommand("", parameterMap, null, "$configDir/$awsBakeryDefaults.templateFile")
}
void 'getMaskedPackerParameters returns the expected default'() {
setup:
@Subject
AWSBakeHandler awsBakeHandler = new AWSBakeHandler(awsBakeryDefaults: new RoscoAWSConfiguration.AWSBakeryDefaults())
when:
def maskedPackerParams = awsBakeHandler.maskedPackerParameters
then:
maskedPackerParams == [ 'aws_access_key', 'aws_secret_key' ]
}
void 'getMaskedPackerParameters returns the expected default'() {
setup:
def paramsToMask = [ 'foo' ]
@Subject
AWSBakeHandler awsBakeHandler = new AWSBakeHandler(awsBakeryDefaults: new RoscoAWSConfiguration.AWSBakeryDefaults(maskedPackerParameters: paramsToMask))
when:
def maskedPackerParams = awsBakeHandler.maskedPackerParameters
then:
maskedPackerParams == paramsToMask
}
static class NoSleepRetry extends RetrySupport {
void sleep(long time) {}
}
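Review bot: The two new feature methods at the top of the hunk share the identical name `'getMaskedPackerParameters returns the expected default'`, although the second one exercises an explicitly configured list; Spock will still execute both, but the reports become ambiguous and a duplicate-name check may reject it. Rename the second to `'getMaskedPackerParameters returns the configured value'`. Neither test covers a null or empty configured list, which is the path that matters if the property can be blanked in configuration; whether that is reachable depends on the binding, which is outside the hunk.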
Expand Up @@ -75,18 +75,19 @@ class LocalJobFriendlyPackerCommandFactorySpec extends Specification implements
when:
def packerCommand = packerCommandFactory.buildPackerCommand("", parameterMap, null, "")
def jobRequest = new JobRequest(tokenizedCommand: packerCommand, maskedParameters: maskedPackerParameters, jobId: SOME_UUID)
def commandLine = new CommandLine(jobRequest.tokenizedCommand[0])
def arguments = (String []) Arrays.copyOfRange(jobRequest.tokenizedCommand.toArray(), 1, jobRequest.tokenizedCommand.size())
def maskedTokenizedCommand = jobRequest.maskedTokenizedCommand
def commandLine = new CommandLine(maskedTokenizedCommand[0])
def arguments = (String []) Arrays.copyOfRange(maskedTokenizedCommand.toArray(), 1, maskedTokenizedCommand.size())
commandLine.addArguments(arguments, false)
def g = commandLine.toString()
def cmdLineList = commandLine.toStrings().toList()


then:
cmdLineList == expectedCommandLine

where:
parameterMap | maskedPackerParameters | expectedCommandLine
[packages: "package1 package2"] | [] | ["packer", "build", "-color=false", "-var", "packages=package1 package2"]
parameterMap | maskedPackerParameters | expectedCommandLine
[packages: "package1 package2"] | [] | ["packer", "build", "-color=false", "-var", "packages=package1 package2"]
[packages: "package1 package2", secret: "mysecret"] | ["secret"] | ["packer", "build", "-color=false", "-var", "packages=package1 package2", "-var", "secret=******"]
}
}
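Review bot: The test now asserts only on `jobRequest.maskedTokenizedCommand`, so it would pass even if masking were applied in place and the unmasked `tokenizedCommand` — presumably the one handed to the job runner — no longer carried the real secret, or if the mask leaked into it. Adding `jobRequest.tokenizedCommand == packerCommand` under `then:` pins that masking produces a copy rather than mutating the original. The unused `def g = commandLine.toString()` two lines after the new `commandLine` predates this change but could go now that the block is being touched. A third `where:` row naming a masked parameter that is absent from `parameterMap` would show that masking is keyed by name and does not introduce a `-var`.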
