Merge pull request #40 from Aishwarya-Lad/CI-14277

Ompragash · web-flow · commit d4e7f3dca972 · 2024-10-23T20:08:44.000+05:30
CI-14277:add support for base64 encoded env secret docker secrets
diff --git a/app.go b/app.go
@@ -275,6 +275,16 @@ func Run() {
 			Usage:  "secret key value pair eg id=MYSECRET",
 			EnvVar: "PLUGIN_SECRET",
 		},
+		cli.StringSliceFlag{
+			Name:   "encoded-secrets-from-env",
+			Usage:  "list of secret env that are base64 encoded",
+			EnvVar: "PLUGIN_ENCODED_ENV_SECRET",
+		},
+		cli.BoolFlag{
+			Name:   "decode-env-secret",
+			Usage:  "decode env values default-false",
+			EnvVar: "PLUGIN_DECODE_ENV_SECRET",
+		},
 		cli.StringSliceFlag{
 			Name:   "secrets-from-env",
 			Usage:  "secret key value pair eg secret_name=secret",
@@ -382,33 +392,35 @@ func run(c *cli.Context) error {
 		ArtifactFile:     c.String("artifact-file"),
 		CacheMetricsFile: c.String("cache-metrics-file"),
 		Build: Build{
-			Remote:      c.String("remote.url"),
-			Name:        c.String("commit.sha"),
-			Dockerfile:  c.String("dockerfile"),
-			Context:     c.String("context"),
-			Tags:        c.StringSlice("tags"),
-			Args:        c.StringSlice("args"),
-			ArgsEnv:     c.StringSlice("args-from-env"),
-			Target:      c.String("target"),
-			Squash:      c.Bool("squash"),
-			Pull:        c.BoolT("pull-image"),
-			CacheFrom:   c.Generic("cache-from").(*CustomStringSliceFlag).GetValue(),
-			CacheTo:     c.Generic("cache-to").(*CustomStringSliceFlag).GetValue(),
-			Compress:    c.Bool("compress"),
-			Repo:        c.String("repo"),
-			Labels:      c.StringSlice("custom-labels"),
-			LabelSchema: c.StringSlice("label-schema"),
-			AutoLabel:   c.BoolT("auto-label"),
-			Link:        c.String("link"),
-			NoCache:     c.Bool("no-cache"),
-			Secret:      c.String("secret"),
-			SecretEnvs:  c.StringSlice("secrets-from-env"),
-			SecretFiles: c.StringSlice("secrets-from-file"),
-			AddHost:     c.StringSlice("add-host"),
-			Quiet:       c.Bool("quiet"),
-			Platform:    c.String("platform"),
-			SSHAgentKey: c.String("ssh-agent-key"),
-			BuildxLoad:  c.Bool("buildx-load"),
+			Remote:            c.String("remote.url"),
+			Name:              c.String("commit.sha"),
+			Dockerfile:        c.String("dockerfile"),
+			Context:           c.String("context"),
+			Tags:              c.StringSlice("tags"),
+			Args:              c.StringSlice("args"),
+			ArgsEnv:           c.StringSlice("args-from-env"),
+			Target:            c.String("target"),
+			Squash:            c.Bool("squash"),
+			Pull:              c.BoolT("pull-image"),
+			CacheFrom:         c.Generic("cache-from").(*CustomStringSliceFlag).GetValue(),
+			CacheTo:           c.Generic("cache-to").(*CustomStringSliceFlag).GetValue(),
+			Compress:          c.Bool("compress"),
+			Repo:              c.String("repo"),
+			Labels:            c.StringSlice("custom-labels"),
+			LabelSchema:       c.StringSlice("label-schema"),
+			AutoLabel:         c.BoolT("auto-label"),
+			Link:              c.String("link"),
+			NoCache:           c.Bool("no-cache"),
+			Secret:            c.String("secret"),
+			SecretEnvs:        c.StringSlice("secrets-from-env"),
+			SecretFiles:       c.StringSlice("secrets-from-file"),
+			AddHost:           c.StringSlice("add-host"),
+			Quiet:             c.Bool("quiet"),
+			Platform:          c.String("platform"),
+			SSHAgentKey:       c.String("ssh-agent-key"),
+			BuildxLoad:        c.Bool("buildx-load"),
+			DecodeEnvSecret:   c.Bool("decode-env-secret"),
+			EncodedSecretEnvs: c.StringSlice("encoded-secrets-from-env"),
 		},
 		Daemon: Daemon{
 			Registry:         c.String("docker.registry"),
diff --git a/docker.go b/docker.go
@@ -1,8 +1,10 @@
 package docker
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"log"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -53,34 +55,36 @@ type (
 
 	// Build defines Docker build parameters.
 	Build struct {
-		Remote      string   // Git remote URL
-		Name        string   // Docker build using default named tag
-		Dockerfile  string   // Docker build Dockerfile
-		Context     string   // Docker build context
-		Tags        []string // Docker build tags
-		Args        []string // Docker build args
-		ArgsEnv     []string // Docker build args from env
-		Target      string   // Docker build target
-		Squash      bool     // Docker build squash
-		Pull        bool     // Docker build pull
-		CacheFrom   []string // Docker buildx cache-from
-		CacheTo     []string // Docker buildx cache-to
-		Compress    bool     // Docker build compress
-		Repo        string   // Docker build repository
-		LabelSchema []string // label-schema Label map
-		AutoLabel   bool     // auto-label bool
-		Labels      []string // Label map
-		Link        string   // Git repo link
-		NoCache     bool     // Docker build no-cache
-		Secret      string   // secret keypair
-		SecretEnvs  []string // Docker build secrets with env var as source
-		SecretFiles []string // Docker build secrets with file as source
-		AddHost     []string // Docker build add-host
-		Quiet       bool     // Docker build quiet
-		Platform    string   // Docker build platform
-		SSHAgentKey string   // Docker build ssh agent key
-		SSHKeyPath  string   // Docker build ssh key path
-		BuildxLoad  bool     // Docker buildx --load
+		Remote            string   // Git remote URL
+		Name              string   // Docker build using default named tag
+		Dockerfile        string   // Docker build Dockerfile
+		Context           string   // Docker build context
+		Tags              []string // Docker build tags
+		Args              []string // Docker build args
+		ArgsEnv           []string // Docker build args from env
+		Target            string   // Docker build target
+		Squash            bool     // Docker build squash
+		Pull              bool     // Docker build pull
+		CacheFrom         []string // Docker buildx cache-from
+		CacheTo           []string // Docker buildx cache-to
+		Compress          bool     // Docker build compress
+		Repo              string   // Docker build repository
+		LabelSchema       []string // label-schema Label map
+		AutoLabel         bool     // auto-label bool
+		Labels            []string // Label map
+		Link              string   // Git repo link
+		NoCache           bool     // Docker build no-cache
+		Secret            string   // secret keypair
+		SecretEnvs        []string // Docker build secrets with env var as source
+		SecretFiles       []string // Docker build secrets with file as source
+		AddHost           []string // Docker build add-host
+		Quiet             bool     // Docker build quiet
+		Platform          string   // Docker build platform
+		SSHAgentKey       string   // Docker build ssh agent key
+		SSHKeyPath        string   // Docker build ssh key path
+		BuildxLoad        bool     // Docker buildx --load
+		DecodeEnvSecret   bool     // Decode the secret value in env
+		EncodedSecretEnvs []string // Docker build env secrets that are encoded using base64
 	}
 
 	// Plugin defines the Docker plugin parameters.
@@ -150,7 +154,6 @@ func (p Plugin) Exec() error {
 		}
 		time.Sleep(time.Second * 1)
 	}
-
 	// for debugging purposes, log the type of authentication
 	// credentials that have been provided.
 	switch {
@@ -165,7 +168,6 @@ func (p Plugin) Exec() error {
 	default:
 		fmt.Println("Registry credentials or Docker config not provided. Guest mode enabled.")
 	}
-
 	// create Auth Config File
 	if p.Login.Config != "" {
 		os.MkdirAll(dockerHome, 0600)
@@ -467,6 +469,30 @@ func commandInfo() *exec.Cmd {
 	return exec.Command(dockerExe, "info")
 }
 
+// helper function to update env var value from base64 encoded to decoded
+func updateEnvWithDecodedValue(encodedEnvList []string) error {
+	for _, envName := range encodedEnvList {
+		// Get the current base64 encoded value
+		encodedValue := os.Getenv(envName)
+		if encodedValue == "" {
+			return fmt.Errorf("environment variable %s not found", envName)
+		}
+
+		// Decode the base64 value
+		decodedBytes, err := base64.StdEncoding.DecodeString(encodedValue)
+		if err != nil {
+			return fmt.Errorf("failed to decode value for %s: %v", envName, err)
+		}
+
+		// Update the environment variable with the decoded value
+		err = os.Setenv(envName, string(decodedBytes))
+		if err != nil {
+			return fmt.Errorf("failed to set environment variable %s: %v", envName, err)
+		}
+	}
+	return nil
+}
+
 // helper function to create the docker buildx command.
 func commandBuildx(build Build, builder Builder, dryrun bool, metadataFile string) *exec.Cmd {
 	args := []string{
@@ -523,6 +549,13 @@ func commandBuildx(build Build, builder Builder, dryrun bool, metadataFile strin
 	if build.Secret != "" {
 		args = append(args, "--secret", build.Secret)
 	}
+	// update the list of env variables that have been encoded with base64
+	if build.DecodeEnvSecret {
+		err := updateEnvWithDecodedValue(build.EncodedSecretEnvs)
+		if err != nil {
+			log.Printf("failed to decode harness secrets used as docker secrets in the build command: %v", err)
+		}
+	}
 	for _, secret := range build.SecretEnvs {
 		if arg, err := getSecretStringCmdArg(secret); err == nil {
 			args = append(args, "--secret", arg)
diff --git a/docker_test.go b/docker_test.go
@@ -207,14 +207,90 @@ func TestCommandBuildx(t *testing.T) {
 				"--metadata-file /tmp/metadata.json",
 			),
 		},
+		{
+			name: "encoded secrets from env",
+			build: Build{
+				Name:       "plugins/drone-docker:latest",
+				Dockerfile: "Dockerfile",
+				Context:    ".",
+				SecretEnvs: []string{
+					"foo_secret=FOO_SECRET_ENV_VAR",
+				},
+				EncodedSecretEnvs: []string{
+					"ENCODED_SECRET",
+				},
+				DecodeEnvSecret: true,
+				Repo:            "plugins/drone-docker",
+				Tags:            []string{"latest"},
+			},
+			want: exec.Command(
+				dockerExe,
+				"buildx",
+				"build",
+				"--rm=true",
+				"-f",
+				"Dockerfile",
+				"-t",
+				"plugins/drone-docker:latest",
+				"--push",
+				".",
+				"--secret", "id=foo_secret,env=FOO_SECRET_ENV_VAR",
+			),
+		},
+		{
+			name: "multiple secrets with encoding",
+			build: Build{
+				Name:       "plugins/drone-docker:latest",
+				Dockerfile: "Dockerfile",
+				Context:    ".",
+				SecretEnvs: []string{
+					"foo_secret=FOO_SECRET_ENV_VAR",
+					"bar_secret=BAR_SECRET_ENV_VAR",
+				},
+				EncodedSecretEnvs: []string{
+					"ENCODED_SECRET1",
+					"ENCODED_SECRET2",
+				},
+				DecodeEnvSecret: true,
+				Repo:            "plugins/drone-docker",
+				Tags:            []string{"latest"},
+			},
+			want: exec.Command(
+				dockerExe,
+				"buildx",
+				"build",
+				"--rm=true",
+				"-f",
+				"Dockerfile",
+				"-t",
+				"plugins/drone-docker:latest",
+				"--push",
+				".",
+				"--secret", "id=foo_secret,env=FOO_SECRET_ENV_VAR",
+				"--secret", "id=bar_secret,env=BAR_SECRET_ENV_VAR",
+			),
+		},
 	}
 
 	for _, tc := range tcs {
 		tc := tc
-
 		t.Run(tc.name, func(t *testing.T) {
-			cmd := commandBuildx(tc.build, tc.builder, tc.dryrun, tc.metadata)
+			// Set up test environment variables if needed
+			if tc.build.DecodeEnvSecret && len(tc.build.EncodedSecretEnvs) > 0 {
+				// Set sample encoded values
+				os.Setenv("ENCODED_SECRET", "SGVsbG8gV29ybGQ=")  // "Hello World" in base64
+				os.Setenv("ENCODED_SECRET1", "VGVzdFZhbHVlMQ==") // "TestValue1" in base64
+				os.Setenv("ENCODED_SECRET2", "VGVzdFZhbHVlMg==") // "TestValue2" in base64
 
+				// Clean up after test
+				defer func() {
+					os.Unsetenv("ENCODED_SECRET")
+					os.Unsetenv("ENCODED_SECRET1")
+					os.Unsetenv("ENCODED_SECRET2")
+				}()
+			}
+
+			cmd := commandBuildx(tc.build, tc.builder, tc.dryrun, tc.metadata)
 			if !reflect.DeepEqual(cmd.String(), tc.want.String()) {
 				t.Errorf("Got cmd %v, want %v", cmd, tc.want)
 			}
