fix: Mask assume role response in debug output (#102)
allisaurus authored Jul 29, 2020
1 parent ad85e9c commit df7d846
Showing 3 changed files with 30 additions and 8 deletions.
8 changes: 4 additions & 4 deletions dist/index.js
Expand Up @@ -231,19 +231,19 @@ function exportCredentials(params){

// AWS_ACCESS_KEY_ID:
// Specifies an AWS access key associated with an IAM user or role
core.exportVariable('AWS_ACCESS_KEY_ID', accessKeyId);
core.setSecret(accessKeyId);
core.exportVariable('AWS_ACCESS_KEY_ID', accessKeyId);

// AWS_SECRET_ACCESS_KEY:
// Specifies the secret key associated with the access key. This is essentially the "password" for the access key.
core.exportVariable('AWS_SECRET_ACCESS_KEY', secretAccessKey);
core.setSecret(secretAccessKey);
core.exportVariable('AWS_SECRET_ACCESS_KEY', secretAccessKey);

// AWS_SESSION_TOKEN:
// Specifies the session token value that is required if you are using temporary security credentials.
if (sessionToken) {
core.exportVariable('AWS_SESSION_TOKEN', sessionToken);
core.setSecret(sessionToken);
core.exportVariable('AWS_SESSION_TOKEN', sessionToken);
} else if (process.env.AWS_SESSION_TOKEN) {
// clear session token from previous credentials action
core.exportVariable('AWS_SESSION_TOKEN', '');
Expand All @@ -262,10 +262,10 @@ async function exportAccountId(maskAccountId, region) {
const sts = getStsClient(region);
const identity = await sts.getCallerIdentity().promise();
const accountId = identity.Account;
core.setOutput('aws-account-id', accountId);
if (!maskAccountId || maskAccountId.toLowerCase() == 'true') {
core.setSecret(accountId);
}
core.setOutput('aws-account-id', accountId);
return accountId;
}

8 changes: 4 additions & 4 deletions index.js
Expand Up @@ -98,19 +98,19 @@ function exportCredentials(params){

// AWS_ACCESS_KEY_ID:
// Specifies an AWS access key associated with an IAM user or role
core.exportVariable('AWS_ACCESS_KEY_ID', accessKeyId);
core.setSecret(accessKeyId);
core.exportVariable('AWS_ACCESS_KEY_ID', accessKeyId);

// AWS_SECRET_ACCESS_KEY:
// Specifies the secret key associated with the access key. This is essentially the "password" for the access key.
core.exportVariable('AWS_SECRET_ACCESS_KEY', secretAccessKey);
core.setSecret(secretAccessKey);
core.exportVariable('AWS_SECRET_ACCESS_KEY', secretAccessKey);

// AWS_SESSION_TOKEN:
// Specifies the session token value that is required if you are using temporary security credentials.
if (sessionToken) {
core.exportVariable('AWS_SESSION_TOKEN', sessionToken);
core.setSecret(sessionToken);
core.exportVariable('AWS_SESSION_TOKEN', sessionToken);
} else if (process.env.AWS_SESSION_TOKEN) {
// clear session token from previous credentials action
core.exportVariable('AWS_SESSION_TOKEN', '');
Expand All @@ -129,10 +129,10 @@ async function exportAccountId(maskAccountId, region) {
const sts = getStsClient(region);
const identity = await sts.getCallerIdentity().promise();
const accountId = identity.Account;
core.setOutput('aws-account-id', accountId);
if (!maskAccountId || maskAccountId.toLowerCase() == 'true') {
core.setSecret(accountId);
}
core.setOutput('aws-account-id', accountId);
return accountId;
}
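Review bot: The account-id mask in exportAccountId fails open, because `maskAccountId.toLowerCase() == 'true'` treats any value other than an exact 'true' (a typo, stray whitespace) as a request to leave the ID unmasked. Since this commit is about keeping values out of log output, consider masking unless the input is explicitly false, e.g. `if (!maskAccountId || maskAccountId.trim().toLowerCase() !== 'false') {`, which also replaces the loose `==`. That changes behaviour for callers passing anything other than 'true' or 'false', so it would need a line in the action's documentation. Separately, a short comment above `core.setSecret(accessKeyId);` in exportCredentials saying that the mask has to be registered before the value is exported would keep a later edit from restoring the old order.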

22 changes: 22 additions & 0 deletions index.test.js
Expand Up @@ -594,4 +594,26 @@ describe('Configure AWS Credentials', () => {
})
});

test('masks variables before exporting', async () => {
let maskedValues = [];
const publicFields = ['AWS_REGION', 'AWS_DEFAULT_REGION'];
core.setSecret.mockReset();
core.setSecret.mockImplementation((secret) => {
maskedValues.push(secret);
});

core.exportVariable.mockReset();
core.exportVariable.mockImplementation((name, value) => {
if (!maskedValues.includes(value) && !publicFields.includes(name)) {
throw new Error(value + " for variable " + name + " is not masked yet!");
}
});

core.getInput = jest
.fn()
.mockImplementation(mockGetInput(ASSUME_ROLE_INPUTS));

await run();
});

});
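Review bot: The new test 'masks variables before exporting' has no assertion of its own and depends on the throw inside the `core.exportVariable` mock propagating out of `run()`; if `run()` catches errors and reports them through `core.setFailed` (its body is not visible in this diff), the test passes even when a value is exported unmasked. Adding `expect(core.setFailed).toHaveBeenCalledTimes(0);` after `await run();` would pin the outcome, assuming `core` is fully mocked in this file. The test also watches only `exportVariable`, so the reordering of `core.setOutput('aws-account-id', accountId)` in exportAccountId is not covered; a similar `core.setOutput` mock that checks `maskedValues` when account-id masking is enabled would close that gap.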
