author | Jaime Martinez <jmartinez@gitlab.com> | 2020-04-21 10:00:21 +0300 |
---|---|---|
committer | Vladimir Shushlin <v.shushlin@gmail.com> | 2020-05-08 15:06:07 +0300 |
commit | cf03e89ed1b63f763dab88b60d6e9148e2f70b19 (patch) | |
tree | cc91addcd016dffddffb5c3b868f590ae7be2eec /internal | |
parent | 2d9fda6b31bc405ddace566aba650ff79ebe061e (diff) |
Enforce loading secrets from file
Passing secrets via command line is not allowed anymore.
A config file should be used instead. The default filename is
`gitlab-pages-config`. The following command line options will
throw an error and prevent pages from running if set explicitly:
- `-auth-client-id`
- `-auth-client-secret`
- `-auth-secret`
Diffstat (limited to 'internal')
-rw-r--r-- | internal/deprecatedargs/deprecatedargs.go | 34 | ||||
-rw-r--r-- | internal/validateargs/validateargs.go | 44 | ||||
-rw-r--r-- | internal/validateargs/validateargs_test.go (renamed from internal/deprecatedargs/deprecatedargs_test.go) | 22 |
3 files changed, 61 insertions, 39 deletions
diff --git a/internal/deprecatedargs/deprecatedargs.go b/internal/deprecatedargs/deprecatedargs.go
deleted file mode 100644
index 9bc5a049..00000000
--- a/internal/deprecatedargs/deprecatedargs.go
+++ /dev/null
@@ -1,34 +0,0 @@
-package deprecatedargs
-
-import (
- "fmt"
- "strings"
-)
-
-var deprecatedArgs = []string{"-auth-client-id", "-auth-client-secret", "-auth-secret", "-sentry-dsn"}
-
-// Validate checks if deprecated params have been used
-func Validate(args []string) error {
- foundDeprecatedArgs := []string{}
- argMap := make(map[string]bool)
-
- for _, arg := range args {
- keyValue := strings.Split(arg, "=")
- if len(keyValue) >= 1 {
- argMap[keyValue[0]] = true
- } else {
- argMap[arg] = true
- }
- }
-
- for _, deprecatedArg := range deprecatedArgs {
- if argMap[deprecatedArg] {
- foundDeprecatedArgs = append(foundDeprecatedArgs, deprecatedArg)
- }
- }
-
- if len(foundDeprecatedArgs) > 0 {
- return fmt.Errorf("Deprecation message: %s should not be passed as a command line arguments", strings.Join(foundDeprecatedArgs, ", "))
- }
- return nil
-}
diff --git a/internal/validateargs/validateargs.go b/internal/validateargs/validateargs.go
new file mode 100644
index 00000000..263d3c52
--- /dev/null
+++ b/internal/validateargs/validateargs.go
@@ -0,0 +1,44 @@
+package validateargs
+
+import (
+ "fmt"
+ "strings"
+)
+
+var deprecatedArgs = []string{"-sentry-dsn"}
+var notAllowedArgs = []string{"-auth-client-id", "-auth-client-secret", "-auth-secret"}
+
+// Deprecated checks if deprecated params have been used
+func Deprecated(args []string) error {
+ var foundDeprecatedArgs []string
+
+ argsStr := strings.Join(args, " ")
+ for _, deprecatedArg := range deprecatedArgs {
+ if strings.Contains(argsStr, deprecatedArg) {
+ foundDeprecatedArgs = append(foundDeprecatedArgs, deprecatedArg)
+ }
+ }
+
+ if len(foundDeprecatedArgs) > 0 {
+ return fmt.Errorf("deprecation message: %s should not be passed as a command line arguments", strings.Join(foundDeprecatedArgs, ", "))
+ }
+ return nil
+}
+
+// NotAllowed checks if explicitly not allowed params have been used
+func NotAllowed(args []string) error {
+ var foundNotAllowedArgs []string
+
+ argsStr := strings.Join(args, " ")
+ for _, notAllowedArg := range notAllowedArgs {
+ if strings.Contains(argsStr, notAllowedArg) {
+ foundNotAllowedArgs = append(foundNotAllowedArgs, notAllowedArg)
+ }
+ }
+
+ if len(foundNotAllowedArgs) > 0 {
+ return fmt.Errorf("%s should not be passed as a command line arguments", strings.Join(foundNotAllowedArgs, ", "))
+ }
+
+ return nil
+}
diff --git a/internal/deprecatedargs/deprecatedargs_test.go b/internal/validateargs/validateargs_test.go
index d301ec3b..02f2f2ef 100644
--- a/internal/deprecatedargs/deprecatedargs_test.go
+++ b/internal/validateargs/validateargs_test.go
@@ -1,4 +1,4 @@ -package deprecatedargs +package validateargs import ( "testing" 
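Review bot: In internal/validateargs/validateargs.go, `NotAllowed` and `Deprecated` look for each flag name with `strings.Contains` over the space-joined argument list, so a match anywhere counts, including inside another option's value or inside a longer flag name. A hostname or path value that happens to contain `-auth-secret` would stop Pages from starting, and the error would name a flag the operator never passed. The check fails closed, so this does not weaken the secrets-from-file rule, but comparing whole tokens keeps the enforcement precise; the sketch below compares the part before `=` and still rejects the double-dash spelling that the substring test catches today (assuming the flag parser accepts that spelling, as Go's standard `flag` package does). The error text lists only flag names and never their values, which is worth keeping so a secret is not copied into logs.

```go
// NotAllowed checks if explicitly not allowed params have been used
func NotAllowed(args []string) error {
	var foundNotAllowedArgs []string

	for _, notAllowedArg := range notAllowedArgs {
		if hasFlag(args, notAllowedArg) {
			foundNotAllowedArgs = append(foundNotAllowedArgs, notAllowedArg)
		}
	}
	// … unchanged: error return listing foundNotAllowedArgs …
}

// hasFlag reports whether name appears as a flag token in args, in the
// -name, --name, -name=value or --name=value form. Deprecated can use
// the same helper.
func hasFlag(args []string, name string) bool {
	for _, arg := range args {
		key := strings.SplitN(arg, "=", 2)[0]
		if key == name || key == "-"+name {
			return true
		}
	}
	return false
}
```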
@@ -11,16 +11,28 @@ func TestValidParams(t *testing.T) { "-listen-http", ":3010", "-artifacts-server", "http://192.168.1.123:3000/api/v4", "-pages-domain", "127.0.0.1.xip.io"} - res := Validate(args) + res := Deprecated(args) require.Nil(t, res) } -func TestInvalidParms(t *testing.T) { +func TestInvalidDeprecatedParms(t *testing.T) { + tests := map[string][]string{ + "Sentry DSN passed": []string{"gitlab-pages", "-sentry-dsn", "abc123"}, + } + + for name, args := range tests { + t.Run(name, func(t *testing.T) { + err := Deprecated(args) + require.Error(t, err) + }) + } +} + +func TestInvalidNotAllowedParams(t *testing.T) { tests := map[string][]string{ "Client ID passed": []string{"gitlab-pages", "-auth-client-id", "abc123"}, "Client secret passed": []string{"gitlab-pages", "-auth-client-secret", "abc123"}, "Auth secret passed": []string{"gitlab-pages", "-auth-secret", "abc123"}, - "Sentry DSN passed": []string{"gitlab-pages", "-sentry-dsn", "abc123"}, "Multiple keys passed": []string{"gitlab-pages", "-auth-client-id", "abc123", "-auth-client-secret", "abc123"}, "key=value": []string{"gitlab-pages", "-auth-client-id=abc123"}, "multiple key=value": []string{"gitlab-pages", "-auth-client-id=abc123", "-auth-client-secret=abc123"}, @@ -28,7 +40,7 @@ func TestInvalidParms(t *testing.T) { for name, args := range tests { t.Run(name, func(t *testing.T) { - err := Validate(args) + err := NotAllowed(args) require.Error(t, err) }) } |
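Review bot: `TestValidParams` now calls only `Deprecated`, so nothing asserts that `NotAllowed` accepts an ordinary argument list; adding `require.NoError(t, NotAllowed(args))` next to the existing assertion would cover the passing path of the check that actually blocks startup. A further case whose value merely contains a blocked name, for example the constructed pair `"-pages-domain", "my-auth-secret.example.com"`, would record whether rejecting such input is intended. `TestValidParams` begins outside this hunk, so its full argument list is not visible here.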