From e80fec1502810419a689a340c4bc47a45f572208 Mon Sep 17 00:00:00 2001 From: Vitalie D Date: Mon, 26 Sep 2022 14:42:17 +0300 Subject: [PATCH 1/2] Hashicorp Vault Integration (#280) --- .../scheduler/serialize/worker/config/decrypt.rb | 6 ++++++ spec/travis/scheduler/serialize/worker/config_spec.rb | 10 ++++++++++ 2 files changed, 16 insertions(+) diff --git a/lib/travis/scheduler/serialize/worker/config/decrypt.rb b/lib/travis/scheduler/serialize/worker/config/decrypt.rb index 160bc039..0a9439b6 100644 --- a/lib/travis/scheduler/serialize/worker/config/decrypt.rb +++ b/lib/travis/scheduler/serialize/worker/config/decrypt.rb @@ -9,12 +9,18 @@ def apply config[key] = process_env(config[key]) if config[key] end + force_vault_to_be_secure!(config) + config[:vault] = decryptor.decrypt(config[:vault]) if config[:vault] config[:addons] = decryptor.decrypt(config[:addons]) if config[:addons] config end private + def force_vault_to_be_secure!(config) + config[:vault].delete(:token) if config.dig(:vault, :token).is_a?(String) + end + def secure_env? !!options[:secure_env] end diff --git a/spec/travis/scheduler/serialize/worker/config_spec.rb b/spec/travis/scheduler/serialize/worker/config_spec.rb index aec1cfb0..fe2fd553 100644 --- a/spec/travis/scheduler/serialize/worker/config_spec.rb +++ b/spec/travis/scheduler/serialize/worker/config_spec.rb @@ -71,6 +71,16 @@ def encrypt(string) let(:env) { [{ FOO: 'foo', BAR: 'bar' }, encrypt('BAZ=baz')] } it { should eql env: ['FOO=foo', 'BAR=bar', 'SECURE BAZ=baz'], global_env: ['FOO=foo', 'BAR=bar', 'SECURE BAZ=baz'] } end + + describe 'decrypts vault secure token' do + let(:config) { { vault: { token: { secure: encrypt('my_key') } } } } + it { should eql vault: {token: 'my_key'} } + end + + describe 'clears vault unsecure token' do + let(:config) { { vault: { token: 'my_key' } } } + it { should eql vault: {} } + end end describe 'with secure env disabled' do From 5f29c6c89ece31caddd889d23a6f8fa8a3cc35b3 Mon Sep 17 00:00:00 2001 
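Review bot: In `force_vault_to_be_secure!`, `config.dig(:vault, :token)` raises `TypeError` when `config[:vault]` is present but is not a Hash (a string, list or boolean), and only a String token is removed, so any other non-encrypted shape still reaches `decryptor.decrypt`. Assuming this config originates from a repository's build file and is not schema-checked earlier, the check should fail closed on shape instead: `vault = config[:vault]`, `return unless vault.is_a?(Hash)`, `vault.delete(:token) unless vault[:token].is_a?(Hash)`. The plaintext token is also dropped without a trace, so consider logging that it was ignored (never its value) so that a later Vault authentication failure can be explained. `apply` starts above the hunk, so any earlier handling of `config` is not visible here.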
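Review bot: Both new examples appear to sit in the secure-env-enabled context (the next context is 'with secure env disabled'), so nothing pins what a job serialized with secure env disabled receives for `vault.token`. In decrypt.rb the vault line is not visibly gated by `secure_env?`, though the decryptor may handle that itself. I would add an example under 'with secure env disabled' using `let(:config) { { vault: { token: { secure: encrypt('my_key') } } } }` that asserts the intended result there, plus one for a non-Hash value such as `{ vault: 'my_key' }`. The enclosing `describe` opens above the hunk, so its setup is not visible.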
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 5 Oct 2022 22:48:30 +0000 Subject: [PATCH 2/2] Bump addressable from 2.5.1 to 2.8.1 Bumps [addressable](https://github.com/sporkmonger/addressable) from 2.5.1 to 2.8.1. - [Release notes](https://github.com/sporkmonger/addressable/releases) - [Changelog](https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md) - [Commits](https://github.com/sporkmonger/addressable/compare/addressable-2.5.1...addressable-2.8.1) --- updated-dependencies: - dependency-name: addressable dependency-type: indirect ... Signed-off-by: dependabot[bot] --- Gemfile.lock | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 99e4b61e..cc3b976f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -75,8 +75,13 @@ GIT virtus GEM - remote: https://rubygems.org/ remote: https://gems.contribsys.com/ + specs: + sidekiq-pro (3.4.0) + sidekiq (>= 4.1.5) + +GEM + remote: https://rubygems.org/ specs: HDRHistogram (0.1.3) activemodel (4.2.10) @@ -91,8 +96,8 @@ GEM minitest (~> 5.1) thread_safe (~> 0.3, >= 0.3.4) tzinfo (~> 1.1) - addressable (2.5.1) - public_suffix (~> 2.0, >= 2.0.2) + addressable (2.8.1) + public_suffix (>= 2.0.2, < 6.0) amq-protocol (2.3.0) arel (6.0.4) atomic (1.1.99) @@ -157,7 +162,7 @@ GEM pry (0.11.3) coderay (~> 1.1.0) method_source (~> 0.9.0) - public_suffix (2.0.5) + public_suffix (5.0.0) rack (2.2.3) rack-protection (2.0.1) rack @@ -189,8 +194,6 @@ GEM connection_pool (~> 2.2, >= 2.2.0) rack-protection (>= 1.5.0) redis (~> 3.2, >= 3.2.1) - sidekiq-pro (3.4.0) - sidekiq (>= 4.1.5) thread_safe (0.3.6) travis-config (1.1.3) hashr (~> 2.0)