Merge pull request #66 from DataDog/anmarchenko/ssh_credentials_cleanup
[CIVIS-7918] Add more cleanups for user credentials
anmarchenko authored Nov 10, 2023
2 parents ef6e234 + 478ce78 commit 7c6106a
Showing 18 changed files with 2,032 additions and 48 deletions.
15 changes: 5 additions & 10 deletions lib/datadog/ci/ext/environment/extractor.rb
Expand Up @@ -2,6 +2,7 @@

require_relative "../git"
require_relative "../../utils/git"
require_relative "../../utils/url"
require_relative "providers"

module Datadog
Expand Down Expand Up @@ -68,14 +69,14 @@ def tags

def normalize_git!
branch_ref = @tags[Git::TAG_BRANCH]
if Datadog::CI::Utils::Git.is_git_tag?(branch_ref)
if Utils::Git.is_git_tag?(branch_ref)
@tags[Git::TAG_TAG] = branch_ref
@tags.delete(Git::TAG_BRANCH)
end

@tags[Git::TAG_TAG] = Datadog::CI::Utils::Git.normalize_ref(@tags[Git::TAG_TAG])
@tags[Git::TAG_BRANCH] = Datadog::CI::Utils::Git.normalize_ref(@tags[Git::TAG_BRANCH])
@tags[Git::TAG_REPOSITORY_URL] = filter_sensitive_info(
@tags[Git::TAG_TAG] = Utils::Git.normalize_ref(@tags[Git::TAG_TAG])
@tags[Git::TAG_BRANCH] = Utils::Git.normalize_ref(@tags[Git::TAG_BRANCH])
@tags[Git::TAG_REPOSITORY_URL] = Utils::Url.filter_sensitive_info(
@tags[Git::TAG_REPOSITORY_URL]
)
end
Expand All @@ -87,12 +88,6 @@ def expand_workspace!
@tags[TAG_WORKSPACE_PATH] = File.expand_path(workspace_path)
end
end

def filter_sensitive_info(url)
return nil if url.nil?

url.gsub(%r{(https?://)[^/]*@}, '\1')
end
end
end
end
17 changes: 13 additions & 4 deletions lib/datadog/ci/ext/environment/providers/github_actions.rb
Expand Up @@ -3,6 +3,7 @@
require "json"

require_relative "base"
require_relative "../../../utils/url"

module Datadog
module CI
Expand All @@ -25,7 +26,7 @@ def job_name
end

def job_url
"#{env["GITHUB_SERVER_URL"]}/#{env["GITHUB_REPOSITORY"]}/commit/#{env["GITHUB_SHA"]}/checks"
"#{github_server_url}/#{env["GITHUB_REPOSITORY"]}/commit/#{env["GITHUB_SHA"]}/checks"
end

def pipeline_id
Expand All @@ -41,7 +42,7 @@ def pipeline_number
end

def pipeline_url
res = "#{env["GITHUB_SERVER_URL"]}/#{env["GITHUB_REPOSITORY"]}/actions/runs/#{env["GITHUB_RUN_ID"]}"
res = "#{github_server_url}/#{env["GITHUB_REPOSITORY"]}/actions/runs/#{env["GITHUB_RUN_ID"]}"
res = "#{res}/attempts/#{env["GITHUB_RUN_ATTEMPT"]}" if env["GITHUB_RUN_ATTEMPT"]
res
end
Expand All @@ -51,7 +52,7 @@ def workspace_path
end

def git_repository_url
"#{env["GITHUB_SERVER_URL"]}/#{env["GITHUB_REPOSITORY"]}.git"
"#{github_server_url}/#{env["GITHUB_REPOSITORY"]}.git"
end

def git_commit_sha
Expand All @@ -66,12 +67,20 @@ def git_branch_or_tag

def ci_env_vars
{
"GITHUB_SERVER_URL" => env["GITHUB_SERVER_URL"],
"GITHUB_SERVER_URL" => github_server_url,
"GITHUB_REPOSITORY" => env["GITHUB_REPOSITORY"],
"GITHUB_RUN_ID" => env["GITHUB_RUN_ID"],
"GITHUB_RUN_ATTEMPT" => env["GITHUB_RUN_ATTEMPT"]
}.reject { |_, v| v.nil? }.to_json
end

private

def github_server_url
return @github_server_url if defined?(@github_server_url)

@github_server_url ||= Utils::Url.filter_sensitive_info(env["GITHUB_SERVER_URL"])
end
end
end
end
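Review bot: In `github_server_url` the `||=` on the last line is redundant after the `defined?(@github_server_url)` guard, and mixing the two idioms hides that a `nil` result is meant to be memoized too; a plain assignment reads more clearly: `@github_server_url = Utils::Url.filter_sensitive_info(env["GITHUB_SERVER_URL"])`. A one-line comment such as `# GITHUB_SERVER_URL with any embedded user:password@ removed; memoized, including nil` would document why the URL builders and `ci_env_vars` go through this reader instead of reading `env` directly. The class body starts outside the visible hunks, so any remaining direct reads of `env["GITHUB_SERVER_URL"]` elsewhere in the file cannot be ruled out from here.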
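--- a/lib/datadog/ci/utils/url.rb
+++ b/lib/datadog/ci/utils/url.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Datadog
+module CI
+module Utils
+module Url
+def self.filter_sensitive_info(url)
+return nil if url.nil?
+
+url.gsub(%r{((https?|ssh)://)[^/]*@}, '\1')
+end
+end
+end
+end
+end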
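Review bot: The scheme match in `filter_sensitive_info` is a case-sensitive allow-list of `http`, `https` and `ssh`, so a credential-bearing URL with any other scheme (for example `git+ssh://` or `ftp://`) or an upper-case scheme is returned unchanged and would reach the exported tags. Since this helper is the single redaction point, matching any scheme is the safer default: `url.gsub(%r{([a-z][a-z0-9+.-]*://)[^/]*@}i, '\1')`. The `[^/]*@` part also stops at the first `/`, so a password containing an unencoded slash would not be stripped; if the CI-provided values can look like that, parsing the URL and clearing its userinfo would be more robust than a regex. A short comment above the method listing the URL forms it covers, and a fixture case for an unmatched scheme, would make the limits visible to callers.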
2 changes: 0 additions & 2 deletions sig/datadog/ci/ext/environment/extractor.rbs
Expand Up @@ -18,8 +18,6 @@ module Datadog
def normalize_git!: () -> void

def expand_workspace!: () -> void

def filter_sensitive_info: (String? url) -> String?
end
end
end
5 changes: 5 additions & 0 deletions sig/datadog/ci/ext/environment/providers/github_actions.rbs
Expand Up @@ -5,6 +5,7 @@ module Datadog
module Providers
class GithubActions < Extractor
@ref: String
@github_server_url: String?

def provider_name: () -> "github"

Expand All @@ -29,6 +30,10 @@ module Datadog
def git_branch_or_tag: () -> String?

def ci_env_vars: () -> String?

private

def github_server_url: () -> String?
end
end
end
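--- a/sig/datadog/ci/utils/url.rbs
+++ b/sig/datadog/ci/utils/url.rbs
@@ -0,0 +1,9 @@
+module Datadog
+module CI
+module Utils
+module Url
+def self.filter_sensitive_info: (String? url) -> String?
+end
+end
+end
+end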
196 changes: 196 additions & 0 deletions spec/support/fixtures/ci/azurepipelines.json
Expand Up @@ -677,5 +677,201 @@
"git.commit.message": "azure-pipelines-commit-message",
"git.repository_url": "https://dev.azure.com/fabrikamfiber/repo.git"
}
],
[
{
"BUILD_BUILDID": "azure-pipelines-build-id",
"BUILD_DEFINITIONNAME": "azure-pipelines-name",
"BUILD_REPOSITORY_URI": "https://user:[email protected]:1234/fabrikamfiber/repo.git",
"BUILD_REQUESTEDFOREMAIL": "[email protected]",
"BUILD_REQUESTEDFORID": "azure-pipelines-commit-author",
"BUILD_SOURCEVERSIONMESSAGE": "azure-pipelines-commit-message",
"SYSTEM_JOBID": "azure-pipelines-job-id",
"SYSTEM_TASKINSTANCEID": "azure-pipelines-task-id",
"SYSTEM_TEAMFOUNDATIONSERVERURI": "https://azure-pipelines-server-uri.com/",
"SYSTEM_TEAMPROJECTID": "azure-pipelines-project-id",
"TF_BUILD": "True"
},
{
"_dd.ci.env_vars": "{\"SYSTEM_TEAMPROJECTID\":\"azure-pipelines-project-id\",\"BUILD_BUILDID\":\"azure-pipelines-build-id\",\"SYSTEM_JOBID\":\"azure-pipelines-job-id\"}",
"ci.job.url": "https://azure-pipelines-server-uri.com/azure-pipelines-project-id/_build/results?buildId=azure-pipelines-build-id&view=logs&j=azure-pipelines-job-id&t=azure-pipelines-task-id",
"ci.pipeline.id": "azure-pipelines-build-id",
"ci.pipeline.name": "azure-pipelines-name",
"ci.pipeline.number": "azure-pipelines-build-id",
"ci.pipeline.url": "https://azure-pipelines-server-uri.com/azure-pipelines-project-id/_build/results?buildId=azure-pipelines-build-id",
"ci.provider.name": "azurepipelines",
"git.commit.author.email": "[email protected]",
"git.commit.author.name": "azure-pipelines-commit-author",
"git.commit.message": "azure-pipelines-commit-message",
"git.repository_url": "https://dev.azure.com:1234/fabrikamfiber/repo.git"
}
],
[
{
"BUILD_BUILDID": "azure-pipelines-build-id",
"BUILD_DEFINITIONNAME": "azure-pipelines-name",
"BUILD_REPOSITORY_URI": "https://user:[email protected]:1234/fabrikamfiber/repo.git",
"BUILD_REQUESTEDFOREMAIL": "[email protected]",
"BUILD_REQUESTEDFORID": "azure-pipelines-commit-author",
"BUILD_SOURCEVERSIONMESSAGE": "azure-pipelines-commit-message",
"SYSTEM_JOBID": "azure-pipelines-job-id",
"SYSTEM_TASKINSTANCEID": "azure-pipelines-task-id",
"SYSTEM_TEAMFOUNDATIONSERVERURI": "https://azure-pipelines-server-uri.com/",
"SYSTEM_TEAMPROJECTID": "azure-pipelines-project-id",
"TF_BUILD": "True"
},
{
"_dd.ci.env_vars": "{\"SYSTEM_TEAMPROJECTID\":\"azure-pipelines-project-id\",\"BUILD_BUILDID\":\"azure-pipelines-build-id\",\"SYSTEM_JOBID\":\"azure-pipelines-job-id\"}",
"ci.job.url": "https://azure-pipelines-server-uri.com/azure-pipelines-project-id/_build/results?buildId=azure-pipelines-build-id&view=logs&j=azure-pipelines-job-id&t=azure-pipelines-task-id",
"ci.pipeline.id": "azure-pipelines-build-id",
"ci.pipeline.name": "azure-pipelines-name",
"ci.pipeline.number": "azure-pipelines-build-id",
"ci.pipeline.url": "https://azure-pipelines-server-uri.com/azure-pipelines-project-id/_build/results?buildId=azure-pipelines-build-id",
"ci.provider.name": "azurepipelines",
"git.commit.author.email": "[email protected]",
"git.commit.author.name": "azure-pipelines-commit-author",
"git.commit.message": "azure-pipelines-commit-message",
"git.repository_url": "https://1.1.1.1:1234/fabrikamfiber/repo.git"
}
],
[
{
"BUILD_BUILDID": "azure-pipelines-build-id",
"BUILD_DEFINITIONNAME": "azure-pipelines-name",
"BUILD_REPOSITORY_URI": "https://user:[email protected]:1234/fabrikamfiber/repo_with_@_yeah.git",
"BUILD_REQUESTEDFOREMAIL": "[email protected]",
"BUILD_REQUESTEDFORID": "azure-pipelines-commit-author",
"BUILD_SOURCEVERSIONMESSAGE": "azure-pipelines-commit-message",
"SYSTEM_JOBID": "azure-pipelines-job-id",
"SYSTEM_TASKINSTANCEID": "azure-pipelines-task-id",
"SYSTEM_TEAMFOUNDATIONSERVERURI": "https://azure-pipelines-server-uri.com/",
"SYSTEM_TEAMPROJECTID": "azure-pipelines-project-id",
"TF_BUILD": "True"
},
{
"_dd.ci.env_vars": "{\"SYSTEM_TEAMPROJECTID\":\"azure-pipelines-project-id\",\"BUILD_BUILDID\":\"azure-pipelines-build-id\",\"SYSTEM_JOBID\":\"azure-pipelines-job-id\"}",
"ci.job.url": "https://azure-pipelines-server-uri.com/azure-pipelines-project-id/_build/results?buildId=azure-pipelines-build-id&view=logs&j=azure-pipelines-job-id&t=azure-pipelines-task-id",
"ci.pipeline.id": "azure-pipelines-build-id",
"ci.pipeline.name": "azure-pipelines-name",
"ci.pipeline.number": "azure-pipelines-build-id",
"ci.pipeline.url": "https://azure-pipelines-server-uri.com/azure-pipelines-project-id/_build/results?buildId=azure-pipelines-build-id",
"ci.provider.name": "azurepipelines",
"git.commit.author.email": "[email protected]",
"git.commit.author.name": "azure-pipelines-commit-author",
"git.commit.message": "azure-pipelines-commit-message",
"git.repository_url": "https://1.1.1.1:1234/fabrikamfiber/repo_with_@_yeah.git"
}
],
[
{
"BUILD_BUILDID": "azure-pipelines-build-id",
"BUILD_DEFINITIONNAME": "azure-pipelines-name",
"BUILD_REPOSITORY_URI": "https://[email protected]/fabrikamfiber/repo.git",
"BUILD_REQUESTEDFOREMAIL": "[email protected]",
"BUILD_REQUESTEDFORID": "azure-pipelines-commit-author",
"BUILD_SOURCEVERSIONMESSAGE": "azure-pipelines-commit-message",
"SYSTEM_JOBID": "azure-pipelines-job-id",
"SYSTEM_TASKINSTANCEID": "azure-pipelines-task-id",
"SYSTEM_TEAMFOUNDATIONSERVERURI": "https://azure-pipelines-server-uri.com/",
"SYSTEM_TEAMPROJECTID": "azure-pipelines-project-id",
"TF_BUILD": "True"
},
{
"_dd.ci.env_vars": "{\"SYSTEM_TEAMPROJECTID\":\"azure-pipelines-project-id\",\"BUILD_BUILDID\":\"azure-pipelines-build-id\",\"SYSTEM_JOBID\":\"azure-pipelines-job-id\"}",
"ci.job.url": "https://azure-pipelines-server-uri.com/azure-pipelines-project-id/_build/results?buildId=azure-pipelines-build-id&view=logs&j=azure-pipelines-job-id&t=azure-pipelines-task-id",
"ci.pipeline.id": "azure-pipelines-build-id",
"ci.pipeline.name": "azure-pipelines-name",
"ci.pipeline.number": "azure-pipelines-build-id",
"ci.pipeline.url": "https://azure-pipelines-server-uri.com/azure-pipelines-project-id/_build/results?buildId=azure-pipelines-build-id",
"ci.provider.name": "azurepipelines",
"git.commit.author.email": "[email protected]",
"git.commit.author.name": "azure-pipelines-commit-author",
"git.commit.message": "azure-pipelines-commit-message",
"git.repository_url": "https://dev.azure.com/fabrikamfiber/repo.git"
}
],
[
{
"BUILD_BUILDID": "azure-pipelines-build-id",
"BUILD_DEFINITIONNAME": "azure-pipelines-name",
"BUILD_REPOSITORY_URI": "ssh://[email protected]:port/path/to/repo.git/",
"BUILD_REQUESTEDFOREMAIL": "[email protected]",
"BUILD_REQUESTEDFORID": "azure-pipelines-commit-author",
"BUILD_SOURCEVERSIONMESSAGE": "azure-pipelines-commit-message",
"SYSTEM_JOBID": "azure-pipelines-job-id",
"SYSTEM_TASKINSTANCEID": "azure-pipelines-task-id",
"SYSTEM_TEAMFOUNDATIONSERVERURI": "https://azure-pipelines-server-uri.com/",
"SYSTEM_TEAMPROJECTID": "azure-pipelines-project-id",
"TF_BUILD": "True"
},
{
"_dd.ci.env_vars": "{\"SYSTEM_TEAMPROJECTID\":\"azure-pipelines-project-id\",\"BUILD_BUILDID\":\"azure-pipelines-build-id\",\"SYSTEM_JOBID\":\"azure-pipelines-job-id\"}",
"ci.job.url": "https://azure-pipelines-server-uri.com/azure-pipelines-project-id/_build/results?buildId=azure-pipelines-build-id&view=logs&j=azure-pipelines-job-id&t=azure-pipelines-task-id",
"ci.pipeline.id": "azure-pipelines-build-id",
"ci.pipeline.name": "azure-pipelines-name",
"ci.pipeline.number": "azure-pipelines-build-id",
"ci.pipeline.url": "https://azure-pipelines-server-uri.com/azure-pipelines-project-id/_build/results?buildId=azure-pipelines-build-id",
"ci.provider.name": "azurepipelines",
"git.commit.author.email": "[email protected]",
"git.commit.author.name": "azure-pipelines-commit-author",
"git.commit.message": "azure-pipelines-commit-message",
"git.repository_url": "ssh://host.xz:port/path/to/repo.git/"
}
],
[
{
"BUILD_BUILDID": "azure-pipelines-build-id",
"BUILD_DEFINITIONNAME": "azure-pipelines-name",
"BUILD_REPOSITORY_URI": "ssh://user:[email protected]:port/path/to/repo.git/",
"BUILD_REQUESTEDFOREMAIL": "[email protected]",
"BUILD_REQUESTEDFORID": "azure-pipelines-commit-author",
"BUILD_SOURCEVERSIONMESSAGE": "azure-pipelines-commit-message",
"SYSTEM_JOBID": "azure-pipelines-job-id",
"SYSTEM_TASKINSTANCEID": "azure-pipelines-task-id",
"SYSTEM_TEAMFOUNDATIONSERVERURI": "https://azure-pipelines-server-uri.com/",
"SYSTEM_TEAMPROJECTID": "azure-pipelines-project-id",
"TF_BUILD": "True"
},
{
"_dd.ci.env_vars": "{\"SYSTEM_TEAMPROJECTID\":\"azure-pipelines-project-id\",\"BUILD_BUILDID\":\"azure-pipelines-build-id\",\"SYSTEM_JOBID\":\"azure-pipelines-job-id\"}",
"ci.job.url": "https://azure-pipelines-server-uri.com/azure-pipelines-project-id/_build/results?buildId=azure-pipelines-build-id&view=logs&j=azure-pipelines-job-id&t=azure-pipelines-task-id",
"ci.pipeline.id": "azure-pipelines-build-id",
"ci.pipeline.name": "azure-pipelines-name",
"ci.pipeline.number": "azure-pipelines-build-id",
"ci.pipeline.url": "https://azure-pipelines-server-uri.com/azure-pipelines-project-id/_build/results?buildId=azure-pipelines-build-id",
"ci.provider.name": "azurepipelines",
"git.commit.author.email": "[email protected]",
"git.commit.author.name": "azure-pipelines-commit-author",
"git.commit.message": "azure-pipelines-commit-message",
"git.repository_url": "ssh://host.xz:port/path/to/repo.git/"
}
],
[
{
"BUILD_BUILDID": "azure-pipelines-build-id",
"BUILD_DEFINITIONNAME": "azure-pipelines-name",
"BUILD_REPOSITORY_URI": "ssh://user:[email protected]:port/path/to/repo.git/",
"BUILD_REQUESTEDFOREMAIL": "[email protected]",
"BUILD_REQUESTEDFORID": "azure-pipelines-commit-author",
"BUILD_SOURCEVERSIONMESSAGE": "azure-pipelines-commit-message",
"SYSTEM_JOBID": "azure-pipelines-job-id",
"SYSTEM_TASKINSTANCEID": "azure-pipelines-task-id",
"SYSTEM_TEAMFOUNDATIONSERVERURI": "https://azure-pipelines-server-uri.com/",
"SYSTEM_TEAMPROJECTID": "azure-pipelines-project-id",
"TF_BUILD": "True"
},
{
"_dd.ci.env_vars": "{\"SYSTEM_TEAMPROJECTID\":\"azure-pipelines-project-id\",\"BUILD_BUILDID\":\"azure-pipelines-build-id\",\"SYSTEM_JOBID\":\"azure-pipelines-job-id\"}",
"ci.job.url": "https://azure-pipelines-server-uri.com/azure-pipelines-project-id/_build/results?buildId=azure-pipelines-build-id&view=logs&j=azure-pipelines-job-id&t=azure-pipelines-task-id",
"ci.pipeline.id": "azure-pipelines-build-id",
"ci.pipeline.name": "azure-pipelines-name",
"ci.pipeline.number": "azure-pipelines-build-id",
"ci.pipeline.url": "https://azure-pipelines-server-uri.com/azure-pipelines-project-id/_build/results?buildId=azure-pipelines-build-id",
"ci.provider.name": "azurepipelines",
"git.commit.author.email": "[email protected]",
"git.commit.author.name": "azure-pipelines-commit-author",
"git.commit.message": "azure-pipelines-commit-message",
"git.repository_url": "ssh://1.1.1.1:port/path/to/repo.git/"
}
]
]