
Commit a97cebb

committed
Allow specifying allowedSecrets section to whitelist
1 parent fcbd3db commit a97cebb

4 files changed

Lines changed: 49 additions & 4 deletions


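--- a/src/vscode-secrets/secrets.yml
+++ b/src/vscode-secrets/secrets.yml
@@ -1,3 +1,8 @@
 secrets:
 - name: "example-secret"
 valueVar: "EXAMPLE_SECRET"
+# Optional: restrict which secret resources can be attached for this name.
+# If omitted, any attached secret with this name is accepted.
+# allowedSecrets:
+# - workspaceId: "workspace-uuid"
+# resourceId: "secret-resource-uuid"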

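--- a/startupscript/butane/055-provide-secrets.sh
+++ b/startupscript/butane/055-provide-secrets.sh
@@ -158,6 +158,8 @@ for i in $(seq 0 $((PIPE_SECRET_COUNT - 1))); do
 exit 1
 fi
 
+validate_allowed_secret "${SECRET_ENTRY}" "${SECRET_WORKSPACE_ID}" "${SECRET_RESOURCE_ID}"
+
 echo "Retrieving secret: ${SECRET_NAME}"
 
 { set +o xtrace; } 2>/dev/null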
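Review bot: The exit status of the new `validate_allowed_secret` call on line 161 is discarded, so unless this script runs under `set -e` (not visible in the hunk) a rejected workspace/resource pair is only logged and the retrieval that follows still proceeds, which makes the allowlist advisory rather than enforced. The surrounding code handles failures with explicit `exit 1` rather than relying on `-e`, so the call should do the same: `validate_allowed_secret "${SECRET_ENTRY}" "${SECRET_WORKSPACE_ID}" "${SECRET_RESOURCE_ID}" || exit 1`. The second hunk of docker-credential-secrets.sh has the same unchecked call on its line 120. The enclosing `for` loop begins before this hunk, so whether a rejected secret should `continue` the loop or abort the script cannot be settled from here.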

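--- a/startupscript/butane/docker-credential-secrets.sh
+++ b/startupscript/butane/docker-credential-secrets.sh
@@ -56,15 +56,17 @@ if [[ ! -f "${SECRETS_JSON}" ]]; then
 exit 1
 fi
 
-secret_name="$(jq -r --arg registry "${registry_hostname}" \
-'.[] | select(.dockerRegistry == $registry) | .name' \
-"${SECRETS_JSON}" | head -1)"
+secret_entry="$(jq --arg registry "${registry_hostname}" \
+'.[] | select(.dockerRegistry == $registry)' \
+"${SECRETS_JSON}")"
 
-if [[ -z "${secret_name}" ]]; then
+if [[ -z "${secret_entry}" || "${secret_entry}" == "null" ]]; then
 echo "Error: No secret configured for registry ${registry_hostname}" >&2
 exit 1
 fi
 
+secret_name="$(echo "${secret_entry}" | jq -r '.name')"
+
 # shellcheck source=/dev/null
 source /home/core/metadata-utils.sh
 # shellcheck source=/dev/null
@@ -115,6 +117,8 @@ if [[ -z "${secret_workspace_id}" || "${secret_workspace_id}" == "null" || \
 exit 1
 fi
 
+validate_allowed_secret "${secret_entry}" "${secret_workspace_id}" "${secret_resource_id}"
+
 credential="$(retrieve_secret TOKEN "${WSM_URL}" "${RESOURCE_ID}" "${KEY_FILE}" \
 "${secret_workspace_id}" "${secret_resource_id}")"
 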
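Review bot: Dropping `| head -1` in the first hunk changes what happens when secrets.json holds more than one entry for the same registry: `secret_entry` then contains several JSON documents, `secret_name` on line 68 becomes multi-line, and `validate_allowed_secret` evaluates each document separately, so the `-z`/`null` check on line 63 no longer guards that case. Selecting a single entry inside jq keeps the old first-match behaviour while still returning the whole object: `secret_entry="$(jq -c --arg registry "${registry_hostname}" 'first(.[] | select(.dockerRegistry == $registry))' "${SECRETS_JSON}")"`. Treating duplicates as a configuration error and exiting is the safer alternative when the entries could carry different allowedSecrets lists.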

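--- a/startupscript/butane/secret-utils.sh
+++ b/startupscript/butane/secret-utils.sh
@@ -96,3 +96,37 @@ function retrieve_secret() {
 echo -n "${secret_value_b64}" | base64 -d
 }
 readonly -f retrieve_secret
+
+# Validates that an attached secret is permitted by the entry's allowedSecrets list.
+# No-op if allowedSecrets is not specified in the entry.
+# Args:
+# $1 - secret entry JSON (from secrets.json)
+# $2 - workspace ID of the attached secret
+# $3 - resource ID of the attached secret
+# Returns: 0 if allowed (or no restriction), 1 if not allowed
+function validate_allowed_secret() {
+local secret_entry="$1"
+local workspace_id="$2"
+local resource_id="$3"
+
+local allowed_secrets
+allowed_secrets="$(echo "${secret_entry}" | jq '.allowedSecrets // empty')"
+
+if [[ -z "${allowed_secrets}" ]]; then
+return 0
+fi
+
+local match
+match="$(echo "${allowed_secrets}" | jq -e \
+--arg wid "${workspace_id}" \
+--arg rid "${resource_id}" \
+'[.[] | select(.workspaceId == $wid and .resourceId == $rid)] | length > 0')"
+
+if [[ "${match}" != "true" ]]; then
+local secret_name
+secret_name="$(echo "${secret_entry}" | jq -r '.name')"
+>&2 echo "ERROR: Attached secret '${secret_name}' (workspace=${workspace_id}, resource=${resource_id}) is not in allowedSecrets."
+return 1
+fi
+}
+readonly -f validate_allowed_secret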
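Review bot: The first jq call on line 113 fails open: if jq cannot parse `secret_entry`, it prints nothing, `allowed_secrets` is empty, and line 116 returns 0 exactly as if no restriction had been configured. Checking the substitution's status turns a parse failure into a rejection: `allowed_secrets="$(jq '.allowedSecrets // empty' <<<"${secret_entry}")" || { >&2 echo "ERROR: Unable to parse secret entry."; return 1; }`. The `match="$(... jq -e ...)"` assignment on lines 120-123 has the opposite problem if the caller runs under `set -e`, which this file does not show: `jq -e` exits non-zero when the result is `false`, so the assignment itself would abort the script before the diagnostic on line 128 is printed; an `if jq -e ... >/dev/null; then return 0; fi` shape, with the error branch after it, avoids relying on the captured string. Feeding the JSON via `<<<` or `printf '%s'` rather than `echo` also sidesteps echo's option handling.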
