renovate/lib/config/secrets.ts

import is from '@sindresorhus/is';
import {
CONFIG_SECRETS_INVALID,
CONFIG_VALIDATION,
} from '../constants/error-messages';
import { logger } from '../logger';
import { regEx } from '../util/regex';
import { addSecretForSanitizing } from '../util/sanitize';
import type { AllConfig, RenovateConfig } from './types';
/** A valid secret name: an ASCII letter followed by letters, digits or underscores. */
const secretNamePattern = '[A-Za-z][A-Za-z0-9_]*';
/** Anchored form, used to validate one secret name taken from config. */
const secretNameRegex = regEx('^' + secretNamePattern + '$');
/**
 * Matches one `{{ secrets.NAME }}` template and captures NAME.
 * No flags are passed here; unless regEx() adds a global flag by default,
 * String.replace with this pattern substitutes only the first template in a
 * value. NOTE(review): confirm whether several templates per string are expected.
 */
const secretTemplateRegex = regEx('{{ secrets\\.(' + secretNamePattern + ') }}');
/**
 * Validates the `secrets` value of a config: it must be a plain object whose
 * keys match secretNameRegex and whose values are strings.
 *
 * A missing/falsy value counts as "no secrets" and is accepted. All problems
 * are collected first, logged together, and then reported as one error.
 *
 * @param secrets_ - the raw `secrets` value from config
 * @throws Error with message CONFIG_SECRETS_INVALID when any problem was found
 */
function validateSecrets(secrets_: unknown): void {
  if (!secrets_) {
    return;
  }
  const problems: string[] = [];
  if (!is.plainObject(secrets_)) {
    problems.push(
      `Config secrets must be a plain object. Found: ${typeof secrets_}`
    );
  } else {
    for (const [name, value] of Object.entries(secrets_)) {
      if (!secretNameRegex.test(name)) {
        problems.push(`Invalid secret name "${name}"`);
      }
      if (!is.string(value)) {
        problems.push(
          `Secret values must be strings. Found type ${typeof value} for secret ${name}`
        );
      }
    }
  }
  if (problems.length > 0) {
    logger.error({ validationErrors: problems }, 'Invalid secrets configured');
    throw new Error(CONFIG_SECRETS_INVALID);
  }
}
/**
 * Validates the global `secrets` object and, for every repository entry that
 * is itself an object, that repository's own `secrets`.
 *
 * @param config - the full (global) config
 * @throws Error with message CONFIG_SECRETS_INVALID, propagated from validateSecrets
 */
export function validateConfigSecrets(config: AllConfig): void {
  validateSecrets(config.secrets);
  const repositories = config.repositories ?? [];
  for (const repository of repositories) {
    // String entries carry no per-repository config, so only objects are checked
    if (is.plainObject(repository)) {
      validateSecrets(repository.secrets);
    }
  }
}
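/**
 * Substitutes a `{{ secrets.NAME }}` template in a single config string.
 *
 * Substitution is refused for keys starting with one of the disallowed
 * prefixes, so that secret values cannot end up in branch names, commit
 * messages, group names, PR content or semantic-commit settings.
 *
 * Only a secret that is an own string property of `secrets` is substituted.
 * The secret-name pattern also admits Object.prototype member names such as
 * `constructor` or `toString`; a plain `secrets[name]` lookup would resolve
 * those through the prototype chain and splice function source text into the
 * config, so they are reported as unknown instead.
 *
 * @param key - config key the value belongs to (used for the prefix check and messages)
 * @param value - config value that may contain a template
 * @param secrets - secret name → value map; may be undefined at runtime despite the type
 * @returns the value with the template substituted, or unchanged when it has none
 * @throws Error with message CONFIG_VALIDATION when the key is disallowed or the secret is unknown
 */
function replaceSecretsInString(
  key: string,
  value: string,
  secrets: Record<string, string>
): string {
  // do nothing if no secret template found
  if (!secretTemplateRegex.test(value)) {
    return value;
  }
  const disallowedPrefixes = ['branch', 'commit', 'group', 'pr', 'semantic'];
  if (disallowedPrefixes.some((prefix) => key.startsWith(prefix))) {
    const error = new Error(CONFIG_VALIDATION);
    error.validationSource = 'config';
    error.validationError = 'Disallowed secret substitution';
    error.validationMessage = `The field ${key} may not use secret substitution`;
    throw error;
  }
  return value.replace(secretTemplateRegex, (_, secretName: string) => {
    // Own-property check keeps inherited members (e.g. "constructor") from
    // being treated as configured secrets.
    const secretValue =
      secrets != null &&
      Object.prototype.hasOwnProperty.call(secrets, secretName)
        ? secrets[secretName]
        : undefined;
    if (typeof secretValue === 'string') {
      return secretValue;
    }
    const error = new Error(CONFIG_VALIDATION);
    error.validationSource = 'config';
    error.validationError = 'Unknown secret name';
    error.validationMessage = `The following secret name was not found in config: ${secretName}`;
    throw error;
  });
}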
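/**
 * Returns a copy of `config_` in which every `{{ secrets.NAME }}` template in
 * a string value — including strings nested in plain objects and arrays — has
 * been substituted.
 *
 * The input is not mutated: the top level is shallow-copied, nested plain
 * objects are processed recursively (each yielding its own copy), and arrays
 * are rebuilt rather than written in place. Array items that are neither
 * strings nor plain objects are kept as they are.
 *
 * @param config_ - config to process
 * @param secrets - secret name → value map (may be undefined at runtime)
 * @param deleteSecrets - when true, the `secrets` key is dropped at every nesting level
 * @returns the processed copy
 * @throws Error with message CONFIG_VALIDATION, propagated from replaceSecretsInString
 */
function replaceSecretsInObject(
  config_: RenovateConfig,
  secrets: Record<string, string>,
  deleteSecrets: boolean
): RenovateConfig {
  const config = { ...config_ };
  if (deleteSecrets) {
    delete config.secrets;
  }
  for (const [key, value] of Object.entries(config)) {
    if (is.plainObject(value)) {
      config[key] = replaceSecretsInObject(value, secrets, deleteSecrets);
    } else if (is.string(value)) {
      config[key] = replaceSecretsInString(key, value, secrets);
    } else if (is.array(value)) {
      // A new array is built so the caller's nested arrays stay untouched
      // (the spread above copies only the top level).
      config[key] = value.map((item) => {
        if (is.plainObject(item)) {
          return replaceSecretsInObject(item, secrets, deleteSecrets);
        }
        if (is.string(item)) {
          return replaceSecretsInString(key, item, secrets);
        }
        return item;
      });
    }
  }
  return config;
}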
/**
 * Registers every secret value for log sanitization, then returns a copy of
 * `config` with its `{{ secrets.NAME }}` templates substituted.
 *
 * @param config - config to process
 * @param secrets - secrets to substitute; defaults to `config.secrets`
 * @param deleteSecrets - drop the `secrets` key from the result (default true)
 * @returns the processed copy
 * @throws Error with message CONFIG_VALIDATION, propagated from replaceSecretsInObject
 */
export function applySecretsToConfig(
  config: RenovateConfig,
  secrets = config.secrets,
  deleteSecrets = true
): RenovateConfig {
  // Add all secrets to be sanitized
  const secretValues = is.plainObject(secrets) ? Object.values(secrets) : [];
  secretValues.forEach((secret) => {
    addSecretForSanitizing(secret);
  });
  // TODO: fix types (#9610)
  return replaceSecretsInObject(config, secrets as never, deleteSecrets);
}