From f89234e5dcca1bc9a310e6db42bb49abc472aee4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=BCchinger=20Dominic?=
Date: Tue, 12 Apr 2022 09:49:42 +0200
Subject: [PATCH] Redact sensitive informations like password in chart url
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Lüchinger Dominic
---
 pkg/helmexec/exec.go | 19 ++++++---
 pkg/helmexec/exec_test.go | 83 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 96 insertions(+), 6 deletions(-)
diff --git a/pkg/helmexec/exec.go b/pkg/helmexec/exec.go
index ca39c305..ef54732f 100644
--- a/pkg/helmexec/exec.go
+++ b/pkg/helmexec/exec.go
@@ -4,6 +4,7 @@ import (
 "bytes"
 "fmt"
 "io"
+ "net/url"
 "os"
 "path/filepath"
 "strconv"
@@ -82,6 +83,14 @@ func getHelmVersion(helmBinary string, runner Runner) (semver.Version, error) {
 return parseHelmVersion(string(outBytes))
 }
+func redactedUrl(chart string) string {
+ chartUrl, err := url.ParseRequestURI(chart)
+ if err != nil {
+ return chart
+ }
+ return chartUrl.Redacted()
+}
+
 // New for running helm commands
 func New(helmBinary string, logger *zap.SugaredLogger, kubeContext string, runner Runner) *execer {
 // TODO: proper error handling
@@ -196,7 +205,7 @@ func (helm *execer) UpdateDeps(chart string) error {
 }
 func (helm *execer) SyncRelease(context HelmContext, name, chart string, flags ...string) error {
- helm.logger.Infof("Upgrading release=%v, chart=%v", name, chart)
+ helm.logger.Infof("Upgrading release=%v, chart=%v", name, redactedUrl(chart))
 preArgs := context.GetTillerlessArgs(helm)
 env := context.getTillerlessEnv()
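Review bot: In the `redactedUrl` hunk the error branch returns `chart` unchanged, so a chart URL that `url.ParseRequestURI` rejects (for example one whose password contains a character that is not valid unescaped in userinfo) is still logged with its credentials. The fallback should fail closed for anything that looks like a URL with userinfo instead of echoing the input. `Redacted()` also masks only the password component, so a token supplied as the user name or in the query string would still appear in the log; a doc comment on the function should state that limit. Go naming for initialisms would make these `redactedURL` and `chartURL`. The fence assumes `strings` is already imported in exec.go, which the import hunk does not show.

```go
func redactedUrl(chart string) string {
	chartUrl, err := url.ParseRequestURI(chart)
	if err != nil {
		// Fail closed: an unparsable value that still looks like
		// scheme://userinfo@host must not reach the log verbatim.
		if strings.Contains(chart, "://") && strings.Contains(chart, "@") {
			return "<unparsable chart URL redacted>"
		}
		return chart
	}
	// … unchanged: return chartUrl.Redacted() …
}
```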
@@ -348,7 +357,7 @@ func (helm *execer) DecryptSecret(context HelmContext, name string, flags ...str
 }
 func (helm *execer) TemplateRelease(name string, chart string, flags ...string) error {
- helm.logger.Infof("Templating release=%v, chart=%v", name, chart)
+ helm.logger.Infof("Templating release=%v, chart=%v", name, redactedUrl(chart))
 var args []string
 if helm.IsHelm3() {
 args = []string{"template", name, chart}
@@ -387,9 +396,9 @@ func (helm *execer) TemplateRelease(name string, chart string, flags ...string)
 func (helm *execer) DiffRelease(context HelmContext, name, chart string, suppressDiff bool, flags ...string) error {
 if context.Writer != nil {
- fmt.Fprintf(context.Writer, "Comparing release=%v, chart=%v\n", name, chart)
+ fmt.Fprintf(context.Writer, "Comparing release=%v, chart=%v\n", name, redactedUrl(chart))
 } else {
- helm.logger.Infof("Comparing release=%v, chart=%v", name, chart)
+ helm.logger.Infof("Comparing release=%v, chart=%v", name, redactedUrl(chart))
 }
 preArgs := context.GetTillerlessArgs(helm)
 env := context.getTillerlessEnv()
@@ -427,7 +436,7 @@ func (helm *execer) Lint(name, chart string, flags ...string) error {
 }
 func (helm *execer) Fetch(chart string, flags ...string) error {
- helm.logger.Infof("Fetching %v", chart)
+ helm.logger.Infof("Fetching %v", redactedUrl(chart))
 out, err := helm.exec(append([]string{"fetch", chart}, flags...), map[string]string{})
 helm.info(out)
 return err
diff --git a/pkg/helmexec/exec_test.go b/pkg/helmexec/exec_test.go
index 8958a999..e9e83d44 100644
--- a/pkg/helmexec/exec_test.go
+++ b/pkg/helmexec/exec_test.go
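Review bot: Redaction is applied only at the four log calls this patch touches (SyncRelease, TemplateRelease, DiffRelease and, in the last exec.go hunk, Fetch), so other methods that receive a chart reference keep logging it as given. The tests added in this patch expect `Pulling chart` and `Exporting chart` from `ChartPull` and `ChartExport`, which suggests those messages print the argument directly; `Lint` and `UpdateDeps` also take `chart`, but their bodies are outside the diff. If any of those references can carry userinfo, their log calls should wrap the value in `redactedUrl(chart)` too. The bodies of all three functions in these hunks continue outside the visible lines.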
@@ -253,6 +253,18 @@ exec: helm --kube-context dev upgrade --install --reset-values release chart --t
 err = helm.SyncRelease(HelmContext{}, "release", "chart")
 expected = `Upgrading release=release, chart=chart
 exec: helm --kube-context dev upgrade --install --reset-values release chart
+`
+ if err != nil {
+ t.Errorf("unexpected error: %v", err)
+ }
+ if buffer.String() != expected {
+ t.Errorf("helmexec.SyncRelease()\nactual = %v\nexpect = %v", buffer.String(), expected)
+ }
+
+ buffer.Reset()
+ err = helm.SyncRelease(HelmContext{}, "release", "https://example_user:example_password@repo.example.com/chart.tgz")
+ expected = `Upgrading release=release, chart=https://example_user:xxxxx@repo.example.com/chart.tgz
+exec: helm --kube-context dev upgrade --install --reset-values release https://example_user:example_password@repo.example.com/chart.tgz
 `
 if err != nil {
 t.Errorf("unexpected error: %v", err)
@@ -420,6 +432,18 @@ exec: helm --kube-context dev diff upgrade --reset-values --allow-unreleased rel
 err = helm.DiffRelease(HelmContext{}, "release", "chart", false)
 expected = `Comparing release=release, chart=chart
 exec: helm --kube-context dev diff upgrade --reset-values --allow-unreleased release chart
+`
+ if err != nil {
+ t.Errorf("unexpected error: %v", err)
+ }
+ if buffer.String() != expected {
+ t.Errorf("helmexec.DiffRelease()\nactual = %v\nexpect = %v", buffer.String(), expected)
+ }
+
+ buffer.Reset()
+ err = helm.DiffRelease(HelmContext{}, "release", "https://example_user:example_password@repo.example.com/chart.tgz", false)
+ expected = `Comparing release=release, chart=https://example_user:xxxxx@repo.example.com/chart.tgz
+exec: helm --kube-context dev diff upgrade --reset-values --allow-unreleased release https://example_user:example_password@repo.example.com/chart.tgz
 `
 if err != nil {
 t.Errorf("unexpected error: %v", err)
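Review bot: The expected output added for `SyncRelease` still contains `exec: helm ... release https://example_user:example_password@repo.example.com/chart.tgz`, so the password reaches the same log through the command-echo line, and the test now pins that behaviour. The same holds for the DiffRelease case in the next hunk and for the Fetch and Template cases in the later test hunks. The code that formats the `exec:` line is not part of this diff; it presumably needs to mask URL-shaped arguments before logging while still passing the real value to helm. Once it does, these expectations should end in `release https://example_user:xxxxx@repo.example.com/chart.tgz`.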
@@ -621,7 +645,52 @@ exec: helm --kube-context dev fetch chart --version 1.2.3 --untar --untardir /tm
 t.Errorf("unexpected error: %v", err)
 }
 if buffer.String() != expected {
- t.Errorf("helmexec.Lint()\nactual = %v\nexpect = %v", buffer.String(), expected)
+ t.Errorf("helmexec.Fetch()\nactual = %v\nexpect = %v", buffer.String(), expected)
+ }
+
+ buffer.Reset()
+ err = helm.Fetch("https://example_user:example_password@repo.example.com/chart.tgz", "--version", "1.2.3", "--untar", "--untardir", "/tmp/dir")
+ expected = `Fetching https://example_user:xxxxx@repo.example.com/chart.tgz
+exec: helm --kube-context dev fetch https://example_user:example_password@repo.example.com/chart.tgz --version 1.2.3 --untar --untardir /tmp/dir
+`
+ if err != nil {
+ t.Errorf("unexpected error: %v", err)
+ }
+ if buffer.String() != expected {
+ t.Errorf("helmexec.Fetch()\nactual = %v\nexpect = %v", buffer.String(), expected)
+ }
+}
+
+func Test_ChartPull(t *testing.T) {
+ var buffer bytes.Buffer
+ logger := NewLogger(&buffer, "debug")
+ helm := MockExecer(logger, "dev")
+ err := helm.ChartPull("chart", "--version", "1.2.3", "--untar", "--untardir", "/tmp/dir")
+ expected := `Pulling chart
+Exporting chart
+exec: helm --kube-context dev chart pull chart --version 1.2.3 --untar --untardir /tmp/dir
+`
+ if err != nil {
+ t.Errorf("unexpected error: %v", err)
+ }
+ if buffer.String() != expected {
+ t.Errorf("helmexec.ChartPull()\nactual = %v\nexpect = %v", buffer.String(), expected)
+ }
+}
+
+func Test_ChartExport(t *testing.T) {
+ var buffer bytes.Buffer
+ logger := NewLogger(&buffer, "debug")
+ helm := MockExecer(logger, "dev")
+ err := helm.ChartExport("chart", "--version", "1.2.3", "--untar", "--untardir", "/tmp/dir")
+ expected := `Exporting chart
+exec: helm --kube-context dev chart export chart --destination --version 1.2.3 --untar --untardir /tmp/dir
+`
+ if err != nil {
+ t.Errorf("unexpected error: %v", err)
+ }
+ if buffer.String() != expected {
+ t.Errorf("helmexec.ChartExport()\nactual = %v\nexpect = %v", buffer.String(), expected)
 }
 }
@@ -691,6 +760,18 @@ func Test_Template(t *testing.T) {
 err := helm.TemplateRelease("release", "path/to/chart", "--values", "file.yml")
 expected := `Templating release=release, chart=path/to/chart
 exec: helm --kube-context dev template path/to/chart --name release --values file.yml
+`
+ if err != nil {
+ t.Errorf("unexpected error: %v", err)
+ }
+ if buffer.String() != expected {
+ t.Errorf("helmexec.Template()\nactual = %v\nexpect = %v", buffer.String(), expected)
+ }
+
+ buffer.Reset()
+ err = helm.TemplateRelease("release", "https://example_user:example_password@repo.example.com/chart.tgz", "--values", "file.yml")
+ expected = `Templating release=release, chart=https://example_user:xxxxx@repo.example.com/chart.tgz
+exec: helm --kube-context dev template https://example_user:example_password@repo.example.com/chart.tgz --name release --values file.yml
 `
 if err != nil {
 t.Errorf("unexpected error: %v", err)
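Review bot: Every credential-bearing case added in the Fetch and Template test hunks uses the same well-formed `https://user:password@host` URL, so the branch of `redactedUrl` that returns its input on a parse error is never exercised. A small table-driven test that calls `redactedUrl` directly would document the contract: a bare chart name and a local path come back unchanged, a URL with userinfo comes back with the password masked, and a malformed URL with userinfo shows what actually gets logged. `Test_ChartPull` and `Test_ChartExport` are added here without any URL-shaped input, so they say nothing about redaction on those paths.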