mask shell cmd rendering and add retrieve value fromVault template func

biz/impl/shellfunc.go

@@ -17,6 +17,7 @@ import (
  "io"
  "os"
  "os/exec"
+ "regexp"
  "strconv"
  "strings"
  "time"
@@ -167,13 +168,17 @@ func (f *ShellFuncAction) Exec() {
  for idx, tcmd := range f.Cmds {
  u.Pfv("cmd(%2d):\n", idx+1)
  u.Pvv(tcmd)
+ cleansed := func() string {
+ re := regexp.MustCompile(`{{.*\.secure_.*}}`)
+ return re.ReplaceAllString(tcmd, `SECURE_SENSITIVE_INFO_MASKED`)
+ }()
  cmd := Render(tcmd, f.Vars)
- u.Pfvvvv("cmd=>:\n%s\n", color.HiBlueString("%s", cmd))
+ cleansedCmd := Render(cleansed, f.Vars)
+ u.Pfvvvv("cmd=>:\n%s\n", color.HiBlueString("%s", cleansedCmd))
  runCmd(f, cmd, idx+1)
  u.SubStepStatus("..", f.Result.Code)
  u.Dvvvvv(f.Result)
  }
 
  StepRuntime().Result = &f.Result
-
 }

biz/impl/template.go

@@ -96,6 +96,16 @@ func FuncMapInit() {
 
  return encrypted
  },
+ //retrieve value from vault
+ "fromVault": func(varname string) string {
+ var val string = "NotExistInVault"
+ opt := GetVault().Get(varname)
+ if opt != nil {
+ val = opt.(string)
+ }
+
+ return val
+ },
  //regObj will keep the golang object intact and register it to cache
  //same effect of: '{{ func_return_a_obj arg | objToYml|ymlToObj|reg "instances" }}'
  "regObj": func(varname string, obj interface{}) interface{} {

tests/functests/c0203.yml

@@ -0,0 +1,35 @@
+doc_meta: |
+ folder: security
+ title: mask senstive info in shell execution
+ head: |
+ When you use verbose level greater than vvv, it will print out the debugging final shell scripts rendered, which possiblly contains the secure vars. In such a case, upcmd will automatically mask the senstive variable with SECURE_SENSITIVE_INFO_MASKED
+
+ sections:
+ - title: Demo
+ log: yes
+
+tasks:
+ -
+ name: task
+ task:
+ -
+ func: shell
+ dvars:
+ - name: enc_key
+ value: my_enc_key
+ flags:
+ - secret
+
+ - name: value_encrypted
+ value: '{{ "ENV_AAA" | encryptAES .enc_key }}'
+ flags:
+ - vvvv
+ - taskScope
+
+ - name: ENV_AAA
+ value: '{{.value_encrypted}}'
+ flags:
+ - secure
+
+ do: |
+ echo "hello, this is a secrt value: {{.secure_ENV_AAA}}"

tests/functests/c0204.yml

@@ -0,0 +1,30 @@
+doc_meta: |
+ folder: security
+ title: retrieve secret from valut
+ head: |
+ When you put senstive information into vault, you can use a template func to retrieve it and use it in template rendering
+
+ This example shows that you can not get the secret value in general cache, unless you use fromVault template func
+
+ sections:
+ - title: Demo
+ log: yes
+
+tasks:
+ -
+ name: task
+ task:
+ -
+ func: cmd
+ dvars:
+ - name: my_secret
+ value: you_will_never_know
+ flags:
+ - secret
+
+ do:
+ - name: print
+ cmd: |
+ hello, this is a secrt value: {{.my_secret}}
+ hello, this is a secrt value: {{ "my_secret" | fromVault}}
+ hello, this is a secrt value: {{ "a_secret_does_not_exist_in_vault" | fromVault}}

utils/shared.go

@@ -34,15 +34,15 @@ var (
  "black": color.FgBlack,
  "red": color.FgRed,
  "green": color.FgGreen,
- "yello":  color.FgYellow,
+ "yellow": color.FgYellow,
  "blue": color.FgBlue,
  "magenta": color.FgMagenta,
  "cyan": color.FgCyan,
  "white": color.FgWhite,
  "hiblack": color.FgHiBlack,
  "hiRed": color.FgHiRed,
  "higreen": color.FgHiGreen,
- "hiyello":  color.FgHiYellow,
+ "hiyellow": color.FgHiYellow,
  "hiblue": color.FgHiBlue,
  "himagenta": color.FgHiMagenta,
  "hicyan": color.FgHiCyan,
@@ -53,15 +53,15 @@ var (
  "black": color.BgBlack,
  "red": color.BgRed,
  "green": color.BgGreen,
- "yello":  color.BgYellow,
+ "yellow": color.BgYellow,
  "blue": color.BgBlue,
  "magenta": color.BgMagenta,
  "cyan": color.BgCyan,
  "white": color.BgWhite,
  "hiblack": color.BgHiBlack,
  "hiRed": color.BgHiRed,
  "higreen": color.BgHiGreen,
- "hiyello":  color.BgHiYellow,
+ "hiyellow": color.BgHiYellow,
  "hiblue": color.BgHiBlue,
  "himagenta": color.BgHiMagenta,
  "hicyan": color.BgHiCyan,