Support sensitive for object parameters

This adds support for tracking object parameters as sensitive. However, if interpolating sub-properties of an object in templating, those will not get tracked as sensitive. Signed-off-by: Leo Bergnéhr <[email protected]>
getporter · Sep 30, 2024 · 7630bc3 · 7630bc3
1 parent 3cb1f10
commit 7630bc3
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/pkg/runtime/runtime_manifest.go b/pkg/runtime/runtime_manifest.go
@@ -302,7 +302,7 @@ func (m *RuntimeManifest) buildSourceData() (map[string]interface{}, error) {
 			return nil, err
 		}
 		if param.Sensitive {
-			m.setSensitiveValue(val.(string))
+			m.setSensitiveValue(fmt.Sprint(val))
 		}
 		params[pe] = val
 	}

diff --git a/pkg/runtime/runtime_manifest_test.go b/pkg/runtime/runtime_manifest_test.go
@@ -294,18 +294,23 @@ func TestResolveSensitiveParameter(t *testing.T) {
 	ctx := context.Background()
 	testConfig := config.NewTestConfig(t)
 	testConfig.Setenv("SENSITIVE_PARAM", "deliciou$dubonnet")
+	testConfig.Setenv("SENSITIVE_OBJECT", "{ \"secret\": \"this_is_secret\" }")
 	testConfig.Setenv("REGULAR_PARAM", "regular param value")
 
 	mContent := `schemaVersion: 1.0.0
 parameters:
 - name: sensitive_param
   sensitive: true
+- name: sensitive_object
+  sensitive: true
+  type: object
 - name: regular_param
 
 install:
 - mymixin:
     Arguments:
     - ${ bundle.parameters.sensitive_param }
+    - '${ bundle.parameters.sensitive_object }'
     - ${ bundle.parameters.regular_param }
 `
 	rm := runtimeManifestFromStepYaml(t, testConfig, mContent)
@@ -322,12 +327,13 @@ install:
 	require.IsType(t, mixin["Arguments"], []interface{}{}, "Data.mymixin.Arguments has incorrect type")
 	args := mixin["Arguments"].([]interface{})
 
-	require.Len(t, args, 2)
+	require.Len(t, args, 3)
 	assert.Equal(t, "deliciou$dubonnet", args[0])
-	assert.Equal(t, "regular param value", args[1])
+  assert.Equal(t, "{\"secret\":\"this_is_secret\"}", args[1])
+	assert.Equal(t, "regular param value", args[2])
 
 	// There should now be one sensitive value tracked under the manifest
-	assert.Equal(t, []string{"deliciou$dubonnet"}, rm.GetSensitiveValues())
+  assert.Equal(t, []string{"deliciou$dubonnet", "{\"secret\":\"this_is_secret\"}"}, rm.GetSensitiveValues())
 }
 
 func TestResolveCredential(t *testing.T) {