Redact sensitive informations like password in chart url

Signed-off-by: Lüchinger Dominic <dev@snowgarden.ch>
2022-04-12 09:49:42 +02:00 · 2022-04-12 09:49:42 +02:00 · f89234e5dc
parent c7b23a67cb
commit f89234e5dc
2 changed files with 96 additions and 6 deletions
--- a/pkg/helmexec/exec.go
+++ b/pkg/helmexec/exec.go
@ -4,6 +4,7 @@ import (
 	"bytes"
 	"fmt"
 	"io"
+	"net/url"
 	"os"
 	"path/filepath"
 	"strconv"
@ -82,6 +83,14 @@ func getHelmVersion(helmBinary string, runner Runner) (semver.Version, error) {
 	return parseHelmVersion(string(outBytes))
 }

+func redactedUrl(chart string) string {
+	chartUrl, err := url.ParseRequestURI(chart)
+	if err != nil {
+		return chart
+	}
+	return chartUrl.Redacted()
+}
+
 // New for running helm commands
 func New(helmBinary string, logger *zap.SugaredLogger, kubeContext string, runner Runner) *execer {
 	// TODO: proper error handling
@ -196,7 +205,7 @@ func (helm *execer) UpdateDeps(chart string) error {
 }

 func (helm *execer) SyncRelease(context HelmContext, name, chart string, flags ...string) error {
-	helm.logger.Infof("Upgrading release=%v, chart=%v", name, chart)
+	helm.logger.Infof("Upgrading release=%v, chart=%v", name, redactedUrl(chart))
 	preArgs := context.GetTillerlessArgs(helm)
 	env := context.getTillerlessEnv()

@ -348,7 +357,7 @@ func (helm *execer) DecryptSecret(context HelmContext, name string, flags ...str
 }

 func (helm *execer) TemplateRelease(name string, chart string, flags ...string) error {
-	helm.logger.Infof("Templating release=%v, chart=%v", name, chart)
+	helm.logger.Infof("Templating release=%v, chart=%v", name, redactedUrl(chart))
 	var args []string
 	if helm.IsHelm3() {
 		args = []string{"template", name, chart}
@ -387,9 +396,9 @@ func (helm *execer) TemplateRelease(name string, chart string, flags ...string)

 func (helm *execer) DiffRelease(context HelmContext, name, chart string, suppressDiff bool, flags ...string) error {
 	if context.Writer != nil {
-		fmt.Fprintf(context.Writer, "Comparing release=%v, chart=%v\n", name, chart)
+		fmt.Fprintf(context.Writer, "Comparing release=%v, chart=%v\n", name, redactedUrl(chart))
 	} else {
-		helm.logger.Infof("Comparing release=%v, chart=%v", name, chart)
+		helm.logger.Infof("Comparing release=%v, chart=%v", name, redactedUrl(chart))
 	}
 	preArgs := context.GetTillerlessArgs(helm)
 	env := context.getTillerlessEnv()
@ -427,7 +436,7 @@ func (helm *execer) Lint(name, chart string, flags ...string) error {
 }

 func (helm *execer) Fetch(chart string, flags ...string) error {
-	helm.logger.Infof("Fetching %v", chart)
+	helm.logger.Infof("Fetching %v", redactedUrl(chart))
 	out, err := helm.exec(append([]string{"fetch", chart}, flags...), map[string]string{})
 	helm.info(out)
 	return err
--- a/pkg/helmexec/exec_test.go
+++ b/pkg/helmexec/exec_test.go
@ -253,6 +253,18 @@ exec: helm --kube-context dev upgrade --install --reset-values release chart --t
 	err = helm.SyncRelease(HelmContext{}, "release", "chart")
 	expected = `Upgrading release=release, chart=chart
 exec: helm --kube-context dev upgrade --install --reset-values release chart
+`
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+	if buffer.String() != expected {
+		t.Errorf("helmexec.SyncRelease()\nactual = %v\nexpect = %v", buffer.String(), expected)
+	}
+
+	buffer.Reset()
+	err = helm.SyncRelease(HelmContext{}, "release", "https://example_user:example_password@repo.example.com/chart.tgz")
+	expected = `Upgrading release=release, chart=https://example_user:xxxxx@repo.example.com/chart.tgz
+exec: helm --kube-context dev upgrade --install --reset-values release https://example_user:example_password@repo.example.com/chart.tgz
 `
 	if err != nil {
 		t.Errorf("unexpected error: %v", err)
@ -420,6 +432,18 @@ exec: helm --kube-context dev diff upgrade --reset-values --allow-unreleased rel
 	err = helm.DiffRelease(HelmContext{}, "release", "chart", false)
 	expected = `Comparing release=release, chart=chart
 exec: helm --kube-context dev diff upgrade --reset-values --allow-unreleased release chart
+`
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+	if buffer.String() != expected {
+		t.Errorf("helmexec.DiffRelease()\nactual = %v\nexpect = %v", buffer.String(), expected)
+	}
+
+	buffer.Reset()
+	err = helm.DiffRelease(HelmContext{}, "release", "https://example_user:example_password@repo.example.com/chart.tgz", false)
+	expected = `Comparing release=release, chart=https://example_user:xxxxx@repo.example.com/chart.tgz
+exec: helm --kube-context dev diff upgrade --reset-values --allow-unreleased release https://example_user:example_password@repo.example.com/chart.tgz
 `
 	if err != nil {
 		t.Errorf("unexpected error: %v", err)
@ -621,7 +645,52 @@ exec: helm --kube-context dev fetch chart --version 1.2.3 --untar --untardir /tm
 		t.Errorf("unexpected error: %v", err)
 	}
 	if buffer.String() != expected {
-		t.Errorf("helmexec.Lint()\nactual = %v\nexpect = %v", buffer.String(), expected)
+		t.Errorf("helmexec.Fetch()\nactual = %v\nexpect = %v", buffer.String(), expected)
+	}
+
+	buffer.Reset()
+	err = helm.Fetch("https://example_user:example_password@repo.example.com/chart.tgz", "--version", "1.2.3", "--untar", "--untardir", "/tmp/dir")
+	expected = `Fetching https://example_user:xxxxx@repo.example.com/chart.tgz
+exec: helm --kube-context dev fetch https://example_user:example_password@repo.example.com/chart.tgz --version 1.2.3 --untar --untardir /tmp/dir
+`
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+	if buffer.String() != expected {
+		t.Errorf("helmexec.Fetch()\nactual = %v\nexpect = %v", buffer.String(), expected)
+	}
+}
+
+func Test_ChartPull(t *testing.T) {
+	var buffer bytes.Buffer
+	logger := NewLogger(&buffer, "debug")
+	helm := MockExecer(logger, "dev")
+	err := helm.ChartPull("chart", "--version", "1.2.3", "--untar", "--untardir", "/tmp/dir")
+	expected := `Pulling chart
+Exporting chart
+exec: helm --kube-context dev chart pull chart --version 1.2.3 --untar --untardir /tmp/dir
+`
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+	if buffer.String() != expected {
+		t.Errorf("helmexec.ChartPull()\nactual = %v\nexpect = %v", buffer.String(), expected)
+	}
+}
+
+func Test_ChartExport(t *testing.T) {
+	var buffer bytes.Buffer
+	logger := NewLogger(&buffer, "debug")
+	helm := MockExecer(logger, "dev")
+	err := helm.ChartExport("chart", "--version", "1.2.3", "--untar", "--untardir", "/tmp/dir")
+	expected := `Exporting chart
+exec: helm --kube-context dev chart export chart --destination --version 1.2.3 --untar --untardir /tmp/dir
+`
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+	if buffer.String() != expected {
+		t.Errorf("helmexec.ChartExport()\nactual = %v\nexpect = %v", buffer.String(), expected)
 	}
 }

@ -691,6 +760,18 @@ func Test_Template(t *testing.T) {
 	err := helm.TemplateRelease("release", "path/to/chart", "--values", "file.yml")
 	expected := `Templating release=release, chart=path/to/chart
 exec: helm --kube-context dev template path/to/chart --name release --values file.yml
+`
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+	if buffer.String() != expected {
+		t.Errorf("helmexec.Template()\nactual = %v\nexpect = %v", buffer.String(), expected)
+	}
+
+	buffer.Reset()
+	err = helm.TemplateRelease("release", "https://example_user:example_password@repo.example.com/chart.tgz", "--values", "file.yml")
+	expected = `Templating release=release, chart=https://example_user:xxxxx@repo.example.com/chart.tgz
+exec: helm --kube-context dev template https://example_user:example_password@repo.example.com/chart.tgz --name release --values file.yml
 `
 	if err != nil {
 		t.Errorf("unexpected error: %v", err)