fix(environment): decrypt secrets

2024-11-23 20:35:24 +01:00 · 2024-07-18 00:41:11 +05:00 · 2024-07-18 00:41:11 +05:00 · fef54a1d5f
commit fef54a1d5f
parent 734cc91ac8
5 changed files with 62 additions and 76 deletions
--- a/api/projects/environment.go
+++ b/api/projects/environment.go
@ -2,11 +2,9 @@ package projects

 import (
 	"fmt"
-	"net/http"
-	"strings"
-
 	"github.com/ansible-semaphore/semaphore/api/helpers"
 	"github.com/ansible-semaphore/semaphore/db"
+	"net/http"

 	"github.com/gorilla/context"
 )
@ -80,35 +78,11 @@ func EnvironmentMiddleware(next http.Handler) http.Handler {
 			return
 		}

-		keys, err := helpers.Store(r).GetEnvironmentSecrets(env.ProjectID, env.ID)
-
-		if err != nil {
+		if err = db.FillEnvironmentSecrets(helpers.Store(r), &env, false); err != nil {
 			helpers.WriteError(w, err)
 			return
 		}

-		for _, k := range keys {
-			var secretName string
-			var secretType db.EnvironmentSecretType
-
-			if strings.HasPrefix(k.Name, string(db.EnvironmentSecretVar)+".") {
-				secretType = db.EnvironmentSecretVar
-				secretName = strings.TrimPrefix(k.Name, string(db.EnvironmentSecretVar)+".")
-			} else if strings.HasPrefix(k.Name, string(db.EnvironmentSecretEnv)+".") {
-				secretType = db.EnvironmentSecretEnv
-				secretName = strings.TrimPrefix(k.Name, string(db.EnvironmentSecretEnv)+".")
-			} else {
-				secretType = db.EnvironmentSecretVar
-				secretName = k.Name
-			}
-
-			env.Secrets = append(env.Secrets, db.EnvironmentSecret{
-				ID:   k.ID,
-				Name: secretName,
-				Type: secretType,
-			})
-		}
-
 		context.Set(r, "environment", env)
 		next.ServeHTTP(w, r)
 	})
--- a/db/Environment.go
+++ b/db/Environment.go
@ -3,6 +3,7 @@ package db
 import (
 	"encoding/json"
 	"errors"
+	"strings"
 )

 type EnvironmentSecretOperation string
@ -67,3 +68,43 @@ func (env *Environment) Validate() error {

 	return nil
 }
+
+func FillEnvironmentSecrets(store Store, env *Environment, deserializeSecret bool) error {
+	keys, err := store.GetEnvironmentSecrets(env.ProjectID, env.ID)
+
+	if err != nil {
+		return err
+	}
+
+	for _, k := range keys {
+		var secretName string
+		var secretType EnvironmentSecretType
+
+		if strings.HasPrefix(k.Name, string(EnvironmentSecretVar)+".") {
+			secretType = EnvironmentSecretVar
+			secretName = strings.TrimPrefix(k.Name, string(EnvironmentSecretVar)+".")
+		} else if strings.HasPrefix(k.Name, string(EnvironmentSecretEnv)+".") {
+			secretType = EnvironmentSecretEnv
+			secretName = strings.TrimPrefix(k.Name, string(EnvironmentSecretEnv)+".")
+		} else {
+			secretType = EnvironmentSecretVar
+			secretName = k.Name
+		}
+
+		if deserializeSecret {
+			err = k.DeserializeSecret()
+			if err != nil {
+				return err
+			}
+		}
+
+		env.Secrets = append(env.Secrets, EnvironmentSecret{
+			ID:     k.ID,
+			Name:   secretName,
+			Type:   secretType,
+			Secret: k.String,
+		})
+	}
+
+	return nil
+}
--- a/services/tasks/LocalJob.go
+++ b/services/tasks/LocalJob.go
@ -147,7 +147,7 @@ func (t *LocalJob) getEnvironmentExtraVarsJSON(username string, incomingVersion
 	return
 }

-func (t *LocalJob) getEnvironmentENV() (arr []string, err error) {
+func (t *LocalJob) getEnvironmentENV() (res []string, err error) {
 	environmentVars := make(map[string]string)

 	if t.Environment.ENV != nil {
@ -158,7 +158,14 @@ func (t *LocalJob) getEnvironmentENV() (arr []string, err error) {
 	}

 	for key, val := range environmentVars {
-		arr = append(arr, fmt.Sprintf("%s=%s", key, val))
+		res = append(res, fmt.Sprintf("%s=%s", key, val))
+	}
+
+	for _, secret := range t.Environment.Secrets {
+		if secret.Type != db.EnvironmentSecretEnv {
+			continue
+		}
+		res = append(res, fmt.Sprintf("%s=%s", secret.Name, secret.Secret))
 	}

 	return
@ -211,6 +218,9 @@ func (t *LocalJob) getTerraformArgs(username string, incomingVersion *string) (a
 	}

 	for _, secret := range t.Environment.Secrets {
+		if secret.Type != db.EnvironmentSecretVar {
+			continue
+		}
 		args = append(args, "-var", fmt.Sprintf("%s=%s", secret.Name, secret.Secret))
 	}

@ -311,6 +321,9 @@ func (t *LocalJob) getPlaybookArgs(username string, incomingVersion *string) (ar
 	}

 	for _, secret := range t.Environment.Secrets {
+		if secret.Type != db.EnvironmentSecretVar {
+			continue
+		}
 		args = append(args, "--extra-vars", fmt.Sprintf("%s=%s", secret.Name, secret.Secret))
 	}

--- a/services/tasks/TaskRunner.go
+++ b/services/tasks/TaskRunner.go
@ -274,24 +274,10 @@ func (t *TaskRunner) populateDetails() error {
 		if err != nil {
 			return err
 		}
-		var secrets []db.AccessKey
-		secrets, err = t.pool.store.GetEnvironmentSecrets(t.Template.ProjectID, *t.Template.EnvironmentID)
-		if err != nil {
+
+		if err = db.FillEnvironmentSecrets(t.pool.store, &t.Environment, true); err != nil {
 			return err
 		}
-
-		for _, s := range secrets {
-			err = s.DeserializeSecret()
-			if err != nil {
-				return err
-			}
-			t.Environment.Secrets = append(t.Environment.Secrets, db.EnvironmentSecret{
-				ID:     s.ID,
-				Name:   s.Name,
-				Secret: s.String,
-			})
-		}
-
 	}

 	if t.Task.Environment != "" {
--- a/web/src/components/EnvironmentForm.vue
+++ b/web/src/components/EnvironmentForm.vue
@ -117,18 +117,6 @@
      <v-subheader class="px-0 mt-4">
        <v-icon class="mr-1">mdi-application-settings</v-icon>
        {{ $t('environmentVariables') }}
-        <v-spacer />
-        <v-tooltip bottom color="black" open-delay="300">
-          <template v-slot:activator="{ on, attrs }">
-            <v-icon
-              class="ml-1"
-              v-bind="attrs"
-              v-on="on"
-              color="lightgray"
-            >mdi-help-circle</v-icon>
-          </template>
-          <span>Variables passed as process environment variables.</span>
-        </v-tooltip>
      </v-subheader>
      <v-data-table
        :items="env"
@ -182,22 +170,6 @@
    <div>
      <v-subheader class="px-0 mt-4">
        <v-icon class="mr-1">mdi-lock</v-icon>{{ $t('Secrets') }}
-        <v-spacer />
-        <v-tooltip bottom color="black" open-delay="300" max-width="400">
-          <template v-slot:activator="{ on, attrs }">
-            <v-icon
-              class="ml-1"
-              v-bind="attrs"
-              v-on="on"
-              color="lightgray"
-            >mdi-help-circle</v-icon>
-          </template>
-          <span>
-            Secrets are stored in the database in encrypted form.
-            Secrets passed via <code>--extra-vars</code> (Ansible) or
-            <code>-var</code> (Terraform/OpenTofu).
-          </span>
-        </v-tooltip>
      </v-subheader>

      <v-data-table
@ -266,7 +238,7 @@
              <v-list-item-icon>
                <v-icon>mdi-variable</v-icon>
              </v-list-item-icon>
-              <v-list-item-title>{{ $t('Extra Variable') }}</v-list-item-title>
+              <v-list-item-title>{{ $t('Secret Extra Variable') }}</v-list-item-title>
            </v-list-item>
            <v-list-item
              link
@ -275,7 +247,7 @@
              <v-list-item-icon>
                <v-icon>mdi-application-settings</v-icon>
              </v-list-item-icon>
-              <v-list-item-title>{{ $t('Environment Variable') }}</v-list-item-title>
+              <v-list-item-title>{{ $t('Secret Environment Variable') }}</v-list-item-title>
            </v-list-item>
          </v-list>
        </v-menu>