Expand file tree Collapse file tree Original file line number Diff line number Diff line change 11secrets :
22 - name : " example-secret"
33 valueVar : " EXAMPLE_SECRET"
4+ # Optional: restrict which secret resources can be attached for this name.
5+ # If omitted, any attached secret with this name is accepted.
6+ # allowedSecrets:
7+ # - workspaceId: "workspace-uuid"
8+ # resourceId: "secret-resource-uuid"
Original file line number Diff line number Diff line change @@ -158,6 +158,8 @@ for i in $(seq 0 $((PIPE_SECRET_COUNT - 1))); do
158158 exit 1
159159 fi
160160
161+ validate_allowed_secret " ${SECRET_ENTRY} " " ${SECRET_WORKSPACE_ID} " " ${SECRET_RESOURCE_ID} "
162+
161163 echo " Retrieving secret: ${SECRET_NAME} "
162164
163165 { set +o xtrace; } 2> /dev/null
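Review bot: The exit status of the new `validate_allowed_secret` call is never checked, so unless this script runs under `set -e` (not visible in the hunk) a rejected secret is still retrieved by the steps that follow; the same applies to the call added before `credential=...` in the registry-login script. Making the rejection explicit keeps the behaviour independent of errexit: `validate_allowed_secret "${SECRET_ENTRY}" "${SECRET_WORKSPACE_ID}" "${SECRET_RESOURCE_ID}" || exit 1`. The `for` loop body this sits in starts and ends outside the hunk, and the assignment of `SECRET_ENTRY` is not shown, so presumably it holds the entry's JSON the way `secret_entry` does in the registry script.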
Original file line number Diff line number Diff line change @@ -56,15 +56,17 @@ if [[ ! -f "${SECRETS_JSON}" ]]; then
5656 exit 1
5757fi
5858
59- secret_name =" $( jq -r --arg registry " ${registry_hostname} " \
60- ' .[] | select(.dockerRegistry == $registry) | .name ' \
61- " ${SECRETS_JSON} " | head -1 ) "
59+ secret_entry =" $( jq --arg registry " ${registry_hostname} " \
60+ ' .[] | select(.dockerRegistry == $registry)' \
61+ " ${SECRETS_JSON} " ) "
6262
63- if [[ -z " ${secret_name} " ]]; then
63+ if [[ -z " ${secret_entry} " || " ${secret_entry} " == " null " ]]; then
6464 echo " Error: No secret configured for registry ${registry_hostname} " >&2
6565 exit 1
6666fi
6767
68+ secret_name=" $( echo " ${secret_entry} " | jq -r ' .name' ) "
69+
6870# shellcheck source=/dev/null
6971source /home/core/metadata-utils.sh
7072# shellcheck source=/dev/null
@@ -115,6 +117,8 @@ if [[ -z "${secret_workspace_id}" || "${secret_workspace_id}" == "null" || \
115117 exit 1
116118fi
117119
120+ validate_allowed_secret " ${secret_entry} " " ${secret_workspace_id} " " ${secret_resource_id} "
121+
118122credential=" $( retrieve_secret TOKEN " ${WSM_URL} " " ${RESOURCE_ID} " " ${KEY_FILE} " \
119123 " ${secret_workspace_id} " " ${secret_resource_id} " ) "
120124
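Review bot: Dropping `head -1` from the `secret_entry` query changes what happens when more than one entry in `${SECRETS_JSON}` has the same `dockerRegistry`: `.[] | select(...)` then emits several JSON objects, `jq -r '.name'` on the added line prints several names, and `validate_allowed_secret` receives a multi-document string instead of one entry. Selecting a single object explicitly preserves the old first-match behaviour: `'[.[] | select(.dockerRegistry == $registry)] | first'` (the existing `null` check then still covers the no-match case). Alternatively, treat duplicate registry entries as a configuration error and exit, which is the safer choice if two entries could carry different `allowedSecrets` lists.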
Original file line number Diff line number Diff line change @@ -96,3 +96,37 @@ function retrieve_secret() {
9696 echo -n " ${secret_value_b64} " | base64 -d
9797}
9898readonly -f retrieve_secret
99+
100+ # Validates that an attached secret is permitted by the entry's allowedSecrets list.
101+ # No-op if allowedSecrets is not specified in the entry.
102+ # Args:
103+ # $1 - secret entry JSON (from secrets.json)
104+ # $2 - workspace ID of the attached secret
105+ # $3 - resource ID of the attached secret
106+ # Returns: 0 if allowed (or no restriction), 1 if not allowed
107+ function validate_allowed_secret() {
108+ local secret_entry=" $1 "
109+ local workspace_id=" $2 "
110+ local resource_id=" $3 "
111+
112+ local allowed_secrets
113+ allowed_secrets=" $( echo " ${secret_entry} " | jq ' .allowedSecrets // empty' ) "
114+
115+ if [[ -z " ${allowed_secrets} " ]]; then
116+ return 0
117+ fi
118+
119+ local match
120+ match=" $( echo " ${allowed_secrets} " | jq -e \
121+ --arg wid " ${workspace_id} " \
122+ --arg rid " ${resource_id} " \
123+ ' [.[] | select(.workspaceId == $wid and .resourceId == $rid)] | length > 0' ) "
124+
125+ if [[ " ${match} " != " true" ]]; then
126+ local secret_name
127+ secret_name=" $( echo " ${secret_entry} " | jq -r ' .name' ) "
128+ >&2 echo " ERROR: Attached secret '${secret_name} ' (workspace=${workspace_id} , resource=${resource_id} ) is not in allowedSecrets."
129+ return 1
130+ fi
131+ }
132+ readonly -f validate_allowed_secret
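Review bot: The header comment says the check is a no-op when `allowedSecrets` is not specified, but an explicit empty list is not a no-op: `// empty` only replaces `null`/`false`, so `[]` passes through, `length > 0` is `false`, and every attached secret is rejected. That is the safer default, but it should be stated in the header and in the example config comment (`# An empty list rejects every attached secret.`), since an operator may read the example as "empty means unrestricted". A non-array value or a malformed entry also ends in the same "is not in allowedSecrets" message because `match` is then empty; checking jq's exit status after the `match=...` assignment (with `-e` it is distinct for an error versus a false result) and reporting a separate "invalid allowedSecrets" error would distinguish a misconfiguration from a genuine mismatch. Note also that because `match` is captured by command substitution, a jq failure is currently fail-closed only by accident of the string comparison, which is worth a one-line comment on the `if`.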