Don't bother trying to hide secrets in values [#34]
While testing this I discovered the secrets are revealed anyway, since the lint/upgrade jobs' debug output includes the command they generated. Might as well make the code a little simpler.
parent
8f7b481934
commit
22aa1df894
13
internal/env/config.go
vendored
13
internal/env/config.go
vendored
|
@ -89,12 +89,12 @@ func NewConfig(stdout, stderr io.Writer) (*Config, error) {
|
||||||
cfg.Timeout = fmt.Sprintf("%ss", cfg.Timeout)
|
cfg.Timeout = fmt.Sprintf("%ss", cfg.Timeout)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
cfg.loadValuesSecrets()
|
||||||
|
|
||||||
if cfg.Debug && cfg.Stderr != nil {
|
if cfg.Debug && cfg.Stderr != nil {
|
||||||
cfg.logDebug()
|
cfg.logDebug()
|
||||||
}
|
}
|
||||||
|
|
||||||
cfg.loadValuesSecrets()
|
|
||||||
|
|
||||||
cfg.deprecationWarn()
|
cfg.deprecationWarn()
|
||||||
|
|
||||||
return &cfg, nil
|
return &cfg, nil
|
||||||
|
@ -108,9 +108,6 @@ func (cfg *Config) loadValuesSecrets() {
|
||||||
varName = sigils.ReplaceAllString(varName, "")
|
varName = sigils.ReplaceAllString(varName, "")
|
||||||
|
|
||||||
if value, ok := os.LookupEnv(varName); ok {
|
if value, ok := os.LookupEnv(varName); ok {
|
||||||
if cfg.Debug {
|
|
||||||
fmt.Fprintf(cfg.Stderr, "Replaced $%s with value in environment\n", varName)
|
|
||||||
}
|
|
||||||
return value
|
return value
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -120,13 +117,7 @@ func (cfg *Config) loadValuesSecrets() {
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
if cfg.Debug {
|
|
||||||
fmt.Fprintf(cfg.Stderr, "Replacing environment variable references in Values\n")
|
|
||||||
}
|
|
||||||
cfg.Values = findVar.ReplaceAllStringFunc(cfg.Values, replacer)
|
cfg.Values = findVar.ReplaceAllStringFunc(cfg.Values, replacer)
|
||||||
if cfg.Debug {
|
|
||||||
fmt.Fprintf(cfg.Stderr, "Replacing environment variable references in StringValues\n")
|
|
||||||
}
|
|
||||||
cfg.StringValues = findVar.ReplaceAllStringFunc(cfg.StringValues, replacer)
|
cfg.StringValues = findVar.ReplaceAllStringFunc(cfg.StringValues, replacer)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
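Review bot: In NewConfig (its body starts outside this hunk), `cfg.loadValuesSecrets()` now runs before the `cfg.Debug` block, so `cfg.logDebug()` appears to print Values with the secrets already expanded; the updated test expects `Values:fire=Eru_Ilúvatar` in stderr. Removing the per-variable debug messages in loadValuesSecrets is the simplification, while the reorder is a separate behaviour change that adds one more place where secret values reach the build log. If that is intended, say so at the call site, for example `// Debug output includes expanded secret values; do not enable debug where build logs are widely readable.`, and repeat the warning in the user-facing description of the debug setting. Otherwise keep the expansion after the debug dump, which costs no extra code. The exposure named in the description (the generated command in the lint/upgrade debug output) is not touched by this diff and presumably still needs its own documentation or masking.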
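--- a/internal/env/config_test.go
+++ b/internal/env/config_test.go
@@ -208,15 +208,8 @@ func (suite *ConfigTestSuite) TestValuesSecretsWithDebugLogging() {
 _, err := NewConfig(&strings.Builder{}, &stderr)
 suite.Require().NoError(err)
 
-// Make a good-faith effort to avoid putting secrets in the log output, but still mention they were found
-suite.Contains(stderr.String(), "Values:fire=$SECRET_FIRE,water=$SECRET_WATER")
-suite.Contains(stderr.String(), `
-Replacing environment variable references in Values
-Replaced $SECRET_FIRE with value in environment
-$SECRET_WATER not present in environment, replaced with ""
-Replacing environment variable references in StringValues
-Replaced $SECRET_FIRE with value in environment
-`)
+suite.Contains(stderr.String(), "Values:fire=Eru_Ilúvatar,water=")
+suite.Contains(stderr.String(), `$SECRET_WATER not present in environment, replaced with ""`)
 }
 
 func (suite *ConfigTestSuite) setenv(key, val string) {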
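Review bot: The new assertion `suite.Contains(stderr.String(), "Values:fire=Eru_Ilúvatar,water=")` expects a secret value in stderr, and the comment that explained the previous intent was deleted without a replacement. A later reader could mistake this for a test that accidentally blesses a leak; a one-line comment would settle it, e.g. `// Debug output intentionally shows expanded values; secrets are not masked (see #34).` The removed block also indirectly confirmed that replacement ran on StringValues, so if no other test covers that, an assertion on the expanded StringValues would keep the coverage.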