allow referencing secrets by name in manifests

Signed-off-by: Lucy Ekatarina <lucy@dragnof.pro>
2023-02-07 02:38:02 +00:00 · 2023-02-07 02:38:02 +00:00 · 6117c412fc
parent e36caade11
commit 6117c412fc
6 changed files with 46 additions and 7 deletions
--- a/api/graph/manifest.go
+++ b/api/graph/manifest.go
@ -51,7 +51,7 @@ func LoadManifest(in string) (*Manifest, error) {

 	for _, sec := range manifest.Secrets {
 		_, err := uuid.Parse(sec)
-		if err != nil {
+		if err != nil && (len(sec) <= 3 || len(sec) >= 512) {
 			return nil, err
 		}
 	}
--- a/buildsrht/manifest.py
+++ b/buildsrht/manifest.py
@ -82,10 +82,21 @@ class Manifest:
            if not isinstance(env, dict):
                raise Exception("Expected environment to be a dictionary")
        if secrets:
-            if not isinstance(secrets, list) or not all([isinstance(s, str) for s in secrets]):
-                raise Exception("Expected secrets to be a UUID array")
-            # Will throw exception on invalid UUIDs as well
-            secrets = list(map(uuid.UUID, secrets))
+            if not isinstance(secrets, list) or not all(
+                [isinstance(s, str) for s in secrets]
+            ):
+                raise Exception("Expected secrets to be a UUID/String array")
+
+            def uuid_or_string(s):
+                try:
+                    uuid.UUID(s)
+                except ValueError:
+                    if len(s) >= 3 and len(s) <= 512:
+                        s
+                    else:
+                        raise Exception("Secret names must be between 3 and 512 chars")
+
+            secrets = list(map(uuid_or_string, secrets))
        if shell is not None and not isinstance(shell, bool):
            raise Exception("Expected shell to be a boolean")
        if artifacts is not None and (
--- a/worker/database.go
+++ b/worker/database.go
@ -3,6 +3,8 @@ package main
 import (
 	"database/sql"
 	"time"
+
+	"github.com/google/uuid"
 )

 type Job struct {
@ -82,7 +84,15 @@ func GetJob(db *sql.DB, id int) (*Job, error) {
 	return &job, nil
 }

-func GetSecret(db *sql.DB, uuid string) (*Secret, error) {
+func GetSecret(db *sql.DB, sec string, ownerId int) (*Secret, error) {
+	_, err := uuid.Parse(sec)
+	if err != nil {
+		return GetSecretByName(db, sec, ownerId)
+	}
+	return GetSecretById(db, sec)
+}
+
+func GetSecretById(db *sql.DB, uuid string) (*Secret, error) {
 	row := db.QueryRow(`
 		SELECT
 			"id", "user_id", "created", "updated", "uuid",
@ -94,7 +104,23 @@ func GetSecret(db *sql.DB, uuid string) (*Secret, error) {
 		&secret.Id, &secret.UserId, &secret.Created, &secret.Updated,
 		&secret.Uuid, &secret.Name, &secret.SecretType, &secret.Secret,
 		&secret.Path, &secret.Mode); err != nil {
+		return nil, err
+	}
+	return &secret, nil
+}

+func GetSecretByName(db *sql.DB, uuid string, ownerId int) (*Secret, error) {
+	row := db.QueryRow(`
+		SELECT
+			"id", "user_id", "created", "updated", "uuid",
+			"name", "secret_type", "secret", "path", "mode"
+		FROM "secret" WHERE "name" = $1 AND "user_id" = $2;
+	`, uuid, ownerId)
+	var secret Secret
+	if err := row.Scan(
+		&secret.Id, &secret.UserId, &secret.Created, &secret.Updated,
+		&secret.Uuid, &secret.Name, &secret.SecretType, &secret.Secret,
+		&secret.Path, &secret.Mode); err != nil {
 		return nil, err
 	}
 	return &secret, nil
--- a/worker/go.mod
+++ b/worker/go.mod
@ -5,6 +5,7 @@ require (
 	github.com/go-redis/redis/v8 v8.2.3
 	github.com/gocelery/gocelery v0.0.0-20201111034804-825d89059344
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
+	github.com/google/uuid v1.0.0
 	github.com/kr/pty v1.1.3
 	github.com/lib/pq v1.8.0
 	github.com/martinlindhe/base36 v1.1.0
--- a/worker/go.sum
+++ b/worker/go.sum
@ -212,6 +212,7 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
+github.com/google/uuid v1.0.0 h1:b4Gk+7WdP/d3HZH8EJsZpvV7EtDOgaZLtnaNGIu1adA=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
--- a/worker/tasks.go
+++ b/worker/tasks.go
@ -262,7 +262,7 @@ func (ctx *JobContext) SendSecrets() error {
 	sshKeys := 0
 	for _, uuid := range ctx.Manifest.Secrets {
 		ctx.Log.Printf("Resolving secret %s\n", uuid)
-		secret, err := GetSecret(ctx.Db, uuid)
+		secret, err := GetSecret(ctx.Db, uuid, ctx.Job.OwnerId)
 		if err != nil {
 			return errors.Wrap(err, "GetSecret")
 		}