mask shell cmd rendering and add retrieve value fromVault template func

stephencheng · stephencheng · commit 13c1f3b0994c · 2020-09-30T22:11:11.000+10:00
diff --git a/biz/impl/shellfunc.go b/biz/impl/shellfunc.go
@@ -17,6 +17,7 @@ import (
 	"io"
 	"os"
 	"os/exec"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -167,13 +168,17 @@ func (f *ShellFuncAction) Exec() {
 	for idx, tcmd := range f.Cmds {
 		u.Pfv("cmd(%2d):\n", idx+1)
 		u.Pvv(tcmd)
+		cleansed := func() string {
+			re := regexp.MustCompile(`{{.*\.secure_.*}}`)
+			return re.ReplaceAllString(tcmd, `SECURE_SENSITIVE_INFO_MASKED`)
+		}()
 		cmd := Render(tcmd, f.Vars)
-		u.Pfvvvv("cmd=>:\n%s\n", color.HiBlueString("%s", cmd))
+		cleansedCmd := Render(cleansed, f.Vars)
+		u.Pfvvvv("cmd=>:\n%s\n", color.HiBlueString("%s", cleansedCmd))
 		runCmd(f, cmd, idx+1)
 		u.SubStepStatus("..", f.Result.Code)
 		u.Dvvvvv(f.Result)
 	}
 
 	StepRuntime().Result = &f.Result
-
 }
diff --git a/biz/impl/template.go b/biz/impl/template.go
@@ -96,6 +96,16 @@ func FuncMapInit() {
 
 			return encrypted
 		},
+		//retrieve value from vault
+		"fromVault": func(varname string) string {
+			var val string = "NotExistInVault"
+			opt := GetVault().Get(varname)
+			if opt != nil {
+				val = opt.(string)
+			}
+
+			return val
+		},
 		//regObj will keep the golang object intact and register it to cache
 		//same effect of: '{{ func_return_a_obj arg | objToYml|ymlToObj|reg "instances" }}'
 		"regObj": func(varname string, obj interface{}) interface{} {
diff --git a/tests/functests/c0203.yml b/tests/functests/c0203.yml
@@ -0,0 +1,35 @@
+doc_meta: |
+  folder: security
+  title: mask senstive info in shell execution
+  head: |
+    When you use verbose level greater than vvv, it will print out the debugging final shell scripts rendered, which possiblly contains the secure vars. In such a case, upcmd will automatically mask the senstive variable with SECURE_SENSITIVE_INFO_MASKED
+
+  sections:
+    - title: Demo
+      log: yes
+
+tasks:
+  -
+    name: task
+    task:
+      -
+        func: shell
+        dvars:
+          - name: enc_key
+            value: my_enc_key
+            flags:
+              - secret
+
+          - name: value_encrypted
+            value: '{{ "ENV_AAA" | encryptAES .enc_key }}'
+            flags:
+              - vvvv
+              - taskScope
+
+          - name: ENV_AAA
+            value: '{{.value_encrypted}}'
+            flags:
+              - secure
+
+        do: |
+          echo "hello, this is a secrt value: {{.secure_ENV_AAA}}"
diff --git a/tests/functests/c0204.yml b/tests/functests/c0204.yml
@@ -0,0 +1,30 @@
+doc_meta: |
+  folder: security
+  title: retrieve secret from valut
+  head: |
+    When you put senstive information into vault, you can use a template func to retrieve it and use it in template rendering
+
+    This example shows that you can not get the secret value in general cache, unless you use fromVault template func
+
+  sections:
+    - title: Demo
+      log: yes
+
+tasks:
+  -
+    name: task
+    task:
+      -
+        func: cmd
+        dvars:
+          - name: my_secret
+            value: you_will_never_know
+            flags:
+              - secret
+
+        do:
+          - name: print
+            cmd: |
+              hello, this is a secrt value: {{.my_secret}}
+              hello, this is a secrt value: {{ "my_secret" | fromVault}}
+              hello, this is a secrt value: {{ "a_secret_does_not_exist_in_vault" | fromVault}}
diff --git a/utils/shared.go b/utils/shared.go
@@ -34,15 +34,15 @@ var (
 		"black":     color.FgBlack,
 		"red":       color.FgRed,
 		"green":     color.FgGreen,
-		"yello":     color.FgYellow,
+		"yellow":    color.FgYellow,
 		"blue":      color.FgBlue,
 		"magenta":   color.FgMagenta,
 		"cyan":      color.FgCyan,
 		"white":     color.FgWhite,
 		"hiblack":   color.FgHiBlack,
 		"hiRed":     color.FgHiRed,
 		"higreen":   color.FgHiGreen,
-		"hiyello":   color.FgHiYellow,
+		"hiyellow":  color.FgHiYellow,
 		"hiblue":    color.FgHiBlue,
 		"himagenta": color.FgHiMagenta,
 		"hicyan":    color.FgHiCyan,
@@ -53,15 +53,15 @@ var (
 		"black":     color.BgBlack,
 		"red":       color.BgRed,
 		"green":     color.BgGreen,
-		"yello":     color.BgYellow,
+		"yellow":    color.BgYellow,
 		"blue":      color.BgBlue,
 		"magenta":   color.BgMagenta,
 		"cyan":      color.BgCyan,
 		"white":     color.BgWhite,
 		"hiblack":   color.BgHiBlack,
 		"hiRed":     color.BgHiRed,
 		"higreen":   color.BgHiGreen,
-		"hiyello":   color.BgHiYellow,
+		"hiyellow":  color.BgHiYellow,
 		"hiblue":    color.BgHiBlue,
 		"himagenta": color.BgHiMagenta,
 		"hicyan":    color.BgHiCyan,
