diff --git a/.github/workflows/habitat-build.yml b/.github/workflows/habitat-build.yml
new file mode 100644
index 0000000..9f89556
--- /dev/null
+++ b/.github/workflows/habitat-build.yml
@@ -0,0 +1,116 @@
+name: Build Habitat packages
+
+on:
+ push:
+ branches:
+ - workstation-LTS
+ pull_request:
+ branches:
+ - workstation-LTS
+
+env:
+ # BLDR URL Defined as: 'https://bldr.habitat.sh/' but as an env var in workspace settings.
+ BLDR_URL: ${{ vars.BLDR_URL }}
+ # HAB_ORIGIN Defined as: 'chef' defined in workspace settings.
+ HAB_ORIGIN: ${{ vars.HAB_ORIGIN }}
+ # BLDR_CHANNEL defaulted to unstable, but can be switched to stable, it is defined via the environment setting https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#using-an-environment
+ BLDR_CHANNEL: ${{ vars.BLDR_CHANNEL }}
+ # HABITAT_VERSION_SET this is the version of habitat CLI you are using, defaults to latest.
+ HABITAT_VERSION_SET: ${{ vars.HABITAT_VERSION_SET }}
+ # HAB_AUTH_TOKEN your orgs/projects auth token value
+ HAB_AUTH_TOKEN: ${{ secrets.HAB_AUTH_TOKEN }}
+ # HABITAT_TARGET this is the CPU arch for the linux CLI tool, its defaulted to x86_64
+ #HABITAT_TARGET: $#{{vars.HABITAT_TARGET}}
+ HAB_FALLBACK_CHANNEL: ${{ vars.HAB_FALLBACK_CHANNEL }}
+
+permissions:
+ contents: write
+
+jobs:
+ pre-build:
+ name: Setup before building packages
+ runs-on: ubuntu-latest
+ outputs:
+ app_version: ${{ steps.app_version.outputs.APP_VERSION }}
+ steps:
+ - name: Get branch name
+ id: get_branch_name
+ run: |
+ echo "BRANCH_NAME=${GITHUB_REF_NAME//\//-}" >> "$GITHUB_OUTPUT"
+ - name: Get version from tag
+ id: app_version
+ run: |
+ echo "APP_VERSION=${{ github.ref_type == 'tag' && github.ref_name || format('{0}-{1}', steps.get_branch_name.outputs.BRANCH_NAME, github.sha) }}" >> "$GITHUB_OUTPUT"
+ agent-matrix:
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-latest, windows-latest]
+ # matrix strategy is described at https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs
+
+ runs-on: ${{ matrix.os }}
+ # free runner types are https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners
+ # from macos-latest, windows-latest, ubuntu-latest, ubuntu-20.04, ubuntu-18.04, ubuntu-16.04, windows-2019, windows-2016
+ # included software packages on runners are at https://github.com/actions/runner-images#available-images
+ # defaulted to unstable, but can be switched to stable, it is defined via the environment setting https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#using-an-environment
+ # environment: unstable
+ steps:
+ - name: print OS
+ run: echo "--- ${{ matrix.os }}"
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: install habitat on Linux
+ if: ${{ matrix.os == 'ubuntu-latest' }}
+ shell: bash
+ run: |
+ echo "--- STARTING HAB INSTALL ON ${{ matrix.os }} UBUNTU with habitat version:${{vars.HABITAT_VERSION_SET}}"
+ export HABITAT_VERSION="${{vars.HABITAT_VERSION_SET}}"
+ export HAB_FALLBACK_CHANNEL="${{vars.HAB_FALLBACK_CHANNEL}}"
+ HABITAT_VERSION="${HABITAT_VERSION:?HABITAT_VERSION must be set}"
+ HABITAT_TARGET="${HABITAT_TARGET:-x86_64-linux}"
+ curl https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh | sudo bash -s -- -v "$HABITAT_VERSION" -t "$HABITAT_TARGET"
+ - name: run Habitat packaging (linux)
+ if: ${{ matrix.os == 'ubuntu-latest' }}
+ shell: bash
+ run: |
+ hab license accept
+ hab origin key download $HAB_ORIGIN
+ hab origin key download --auth $HAB_AUTH_TOKEN --secret $HAB_ORIGIN
+ echo "--- running linux hab build"
+ hab pkg build .
+ hartfile=$(ls ./results | grep "chef-vault" | tail -n 1)
+ sudo hab license accept
+ export CHEF_LICENSE="accept-no-persist"
+ export HAB_LICENSE="accept-no-persist"
+ export HAB_NONINTERACTIVE="true"
+ sudo hab pkg install ./results/$hartfile
+ . ./results/last_build.env
+ export pkg_ident
+ chmod +x habitat/tests/test.sh
+ habitat/tests/test.sh
+ - name: Install Habitat on Windows
+ if: ${{ matrix.os == 'windows-latest' }}
+ shell: pwsh
+ run: |
+ write-output "--- STARTING HAB INSTALL ON ${{ matrix.os }} WINDOWS with habitat version:${{vars.HABITAT_VERSION_SET}}"
+ $env:HAB_LICENSE = "accept-no-persist"
+ $env:HAB_NONINTERACTIVE = "true"
+ $env:HAB_FALLBACK_CHANNEL= "${{vars.HAB_FALLBACK_CHANNEL}}"
+ Invoke-Expression "& { $(Invoke-RestMethod https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.ps1) } -Version ${{vars.HABITAT_VERSION_SET}}"
+ - name: run habitat packaging windows
+ if: ${{ matrix.os == 'windows-latest' }}
+ shell: pwsh
+ run: |
+ $env:Path += ";C:\ProgramData\Habitat"
+ hab license accept
+ hab origin key download ${{ env.HAB_ORIGIN }}
+ hab origin key download --auth ${{ secrets.HAB_AUTH_TOKEN }} --secret ${{ env.HAB_ORIGIN }}
+ write-output "--- running windows hab build"
+ hab pkg build .
+ $hartfile=(ls ./results -Name | findstr "chef-vault")
+ hab pkg install ./results/$hartfile
+ . ./results/last_build.ps1
+ habitat/tests/test.ps1 $pkg_ident
\ No newline at end of file
diff --git a/.github/workflows/habitat-publish.yml b/.github/workflows/habitat-publish.yml
new file mode 100644
index 0000000..d9b7df2
--- /dev/null
+++ b/.github/workflows/habitat-publish.yml
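Review bot: The Linux install step at `curl https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh | sudo bash …` fetches an unpinned script from a mutable branch with a bare `curl`, so an HTML error page on a 404, an interrupted transfer, or any commit pushed to that branch is executed as root on the runner; `-v "$HABITAT_VERSION"` pins the hab binary the script downloads, not the script itself. At minimum make the fetch fail closed with `curl -fsSL --proto '=https' --tlsv1.2 …`, and pin the URL to a commit SHA (or vendor the installer and verify a checksum); the Windows step's `Invoke-RestMethod …/main/…/install.ps1` piped into `Invoke-Expression` has the same exposure. Separately, this job runs on `pull_request`, never writes to the repository, yet declares `permissions: contents: write` while also pulling the origin's private signing key with `--secret`; `contents: read` is sufficient here. `actions/checkout@v4` is a mutable tag as well, so pinning it to a full commit SHA keeps the supply-chain posture consistent with the installer fix.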
@@ -0,0 +1,111 @@
+name: Publish Habitat packages
+
+on:
+ push:
+ branches:
+ - workstation-LTS
+ release:
+ types:
+ - created
+
+env:
+ # BLDR URL Defined as: 'https://bldr.habitat.sh/' but as an env var in workspace settings.
+ BLDR_URL: ${{ vars.BLDR_URL }}
+ # HAB_ORIGIN Defined as: 'chef' defined in workspace settings.
+ HAB_ORIGIN: ${{ vars.HAB_ORIGIN }}
+ # BLDR_CHANNEL defaulted to unstable, but can be switched to stable, it is defined via the environment setting https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#using-an-environment
+ BLDR_CHANNEL: ${{ vars.BLDR_CHANNEL }}
+ # HABITAT_VERSION_SET this is the version of habitat CLI you are using, defaults to latest.
+ HABITAT_VERSION_SET: ${{ vars.HABITAT_VERSION_SET }}
+ # HAB_PACKAGE is the name of the project you are on, IE: node-management-agent
+ HAB_PACKAGE: ${{ vars.HAB_PACKAGE }}
+ # HAB_AUTH_TOKEN your orgs/projects auth token value
+ HAB_AUTH_TOKEN: ${{ secrets.HAB_AUTH_TOKEN }}
+ HAB_FALLBACK_CHANNEL: ${{ vars.HAB_FALLBACK_CHANNEL }}
+ # HABITAT_TARGET this is the CPU arch for the linux CLI tool, its defaulted to x86_64
+ #HABITAT_TARGET: $#{{vars.HABITAT_TARGET}}
+ # org-wide access token on https://github.com/organizations/progress-platform-services/settings/secrets/actions
+
+permissions:
+ contents: write
+
+jobs:
+ pre-build:
+ name: Setup before building packages
+ runs-on: ubuntu-latest
+ outputs:
+ app_version: ${{ steps.app_version.outputs.APP_VERSION }}
+ steps:
+ - name: Get branch name
+ id: get_branch_name
+ run: |
+ echo "BRANCH_NAME=${GITHUB_REF_NAME//\//-}" >> "$GITHUB_OUTPUT"
+ - name: Get version from tag
+ id: app_version
+ run: |
+ echo "APP_VERSION=${{ github.ref_type == 'tag' && github.ref_name || format('{0}-{1}', steps.get_branch_name.outputs.BRANCH_NAME, github.sha) }}" >> "$GITHUB_OUTPUT"
+ agent-matrix:
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-latest, windows-latest]
+ # matrix strategy is described at https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs
+
+ runs-on: ${{ matrix.os }}
+ # free runner types are https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners
+ # from macos-latest, windows-latest, ubuntu-latest, ubuntu-20.04, ubuntu-18.04, ubuntu-16.04, windows-2019, windows-2016
+ # included software packages on runners are at https://github.com/actions/runner-images#available-images
+ # environment: unstable
+ steps:
+ - name: print OS
+ run: echo "--- ${{ matrix.os }}"
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: install habitat on Linux
+ if: ${{ matrix.os == 'ubuntu-latest' }}
+ shell: bash
+ run: |
+ echo "--- STARTING HAB INSTALL ON ${{ matrix.os }} UBUNTU with habitat version:${{vars.HABITAT_VERSION_SET}}"
+ export HABITAT_VERSION="${{vars.HABITAT_VERSION_SET}}"
+ HABITAT_VERSION="${HABITAT_VERSION:?HABITAT_VERSION must be set}"
+ HABITAT_TARGET="${HABITAT_TARGET:-x86_64-linux}"
+ export HAB_FALLBACK_CHANNEL="${{vars.HAB_FALLBACK_CHANNEL}}"
+ curl https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh | sudo bash -s -- -v "$HABITAT_VERSION" -t "$HABITAT_TARGET"
+ - name: run Habitat packaging (linux)
+ if: ${{ matrix.os == 'ubuntu-latest' }}
+ shell: bash
+ run: |
+ hab license accept
+ hab origin key download $HAB_ORIGIN
+ hab origin key download --auth $HAB_AUTH_TOKEN --secret $HAB_ORIGIN
+ echo "--- running linux hab build"
+ hab pkg build .
+ echo "--- pushing to ${{ env.BLDR_URL }}/#/${{ env.HAB_ORIGIN }}/${{ env.HAB_PACKAGE }}..."
+ source results/last_build.env
+ hab pkg upload --auth $HAB_AUTH_TOKEN results/$pkg_artifact
+ echo "--- push complete!!"
+ - name: Install Habitat on Windows
+ if: ${{ matrix.os == 'windows-latest' }}
+ shell: pwsh
+ run: |
+ write-output "--- STARTING HAB INSTALL ON ${{ matrix.os }} WINDOWS with habitat version:${{vars.HABITAT_VERSION_SET}}"
+ $env:HAB_LICENSE = "accept-no-persist"
+ $env:HAB_FALLBACK_CHANNEL= "${{vars.HAB_FALLBACK_CHANNEL}}"
+ Invoke-Expression "& { $(Invoke-RestMethod https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.ps1) } -Version ${{vars.HABITAT_VERSION_SET}}"
+ - name: run habitat packaging windows
+ if: ${{ matrix.os == 'windows-latest' }}
+ shell: pwsh
+ run: |
+ $env:Path += ";C:\ProgramData\Habitat"
+ hab license accept
+ hab origin key download ${{ env.HAB_ORIGIN }}
+ hab origin key download --auth ${{ secrets.HAB_AUTH_TOKEN }} --secret ${{ env.HAB_ORIGIN }}
+ write-output "--- running windows hab build"
+ hab pkg build .
+ write-output "--- pushing hab to unstable channel"
+ . results\last_build.ps1
+ hab pkg upload results\$pkg_artifact --auth ${{ secrets.HAB_AUTH_TOKEN }}
+ write-output "--- push complete!!"
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
index 1b97629..60583e9 100644
--- a/.github/workflows/unit.yml
+++ b/.github/workflows/unit.yml
@@ -27,5 +27,4 @@ jobs:
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 failedThreshold: 90
- resultPath: coverage/.last_run.json
-
+ resultPath: coverage/.last_run.json
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ae18b46..47fb5f4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
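Review bot: The Windows packaging step splices `${{ secrets.HAB_AUTH_TOKEN }}` into the script text itself, in both `hab origin key download --auth ${{ secrets.HAB_AUTH_TOKEN }} --secret …` and `hab pkg upload results\$pkg_artifact --auth ${{ secrets.HAB_AUTH_TOKEN }}`, so the runner materialises the expanded token in the step script it writes to disk and the token sits on the process command line, neither of which log masking covers. The workflow already exports `HAB_AUTH_TOKEN` under `env:` and the hab CLI falls back to that variable for `--auth` (the Linux step leans on the same export), so the `--auth` arguments can be dropped on both platforms, e.g. `hab origin key download --secret ${{ env.HAB_ORIGIN }}` and `hab pkg upload results\$pkg_artifact`. This job also publishes on every push to `workstation-LTS` and downloads the origin's private signing key with `permissions: contents: write` that nothing in it uses; `contents: read` plus a protected `environment:` (the commented `# environment: unstable` line suggests one was intended) would put a reviewer gate in front of both the key download and the upload. As in the build workflow, the installer is piped from an unpinned branch into `sudo bash`/`Invoke-Expression` without `curl -f` or a checksum.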
@@ -1,16 +1,17 @@
 # chef-vault Change Log
-
-## [v4.1.12](https://github.com/chef/chef-vault/tree/v4.1.12) (2023-03-27)
+
+## [v4.1.13](https://github.com/chef/chef-vault/tree/v4.1.13) (2024-09-25)
 #### Merged Pull Requests
-- Integrating with sonarQube [#406](https://github.com/chef/chef-vault/pull/406) ([nikhil2611](https://github.com/nikhil2611))
+- CHEF-3710-chef-vault warning message includes sensitive info [#414](https://github.com/chef/chef-vault/pull/414) ([nikhil2611](https://github.com/nikhil2611))
 ### Changes not yet released to rubygems.org
 #### Merged Pull Requests
+- CHEF-3710-chef-vault warning message includes sensitive info [#414](https://github.com/chef/chef-vault/pull/414) ([nikhil2611](https://github.com/nikhil2611))
 - Integrating with sonarQube [#406](https://github.com/chef/chef-vault/pull/406) ([nikhil2611](https://github.com/nikhil2611))
diff --git a/VERSION b/VERSION
index 8ead3a8..068399f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-4.1.12
\ No newline at end of file
+4.1.13
\ No newline at end of file
diff --git a/habitat/tests/test.ps1 b/habitat/tests/test.ps1
new file mode 100644
index 0000000..ec127ee
--- /dev/null
+++ b/habitat/tests/test.ps1
@@ -0,0 +1,22 @@
+param (
+ [Parameter()]
+ [string]$PackageIdentifier = $(throw "Usage: test.ps1 [test_pkg_ident] e.g. test.ps1 ci/user-windows/1.0.0/20190812103929")
+)
+
+
+Write-Host "--- :fire: Smokish test"
+# Pester the Package
+$help_message=hab pkg exec "${pkg_ident}" -- chef-vault -h
+$original_message="Usage: chef-vault"
+
+Write-Host "Checking the help message of the package"
+Write-Host "Expected: $original_message"
+Write-Host "Actual: $help_message"
+if ($help_message.Contains($original_message))
+{
+ Write "Chef-vault is working fine"
+}
+else {
+ Write-Error "chef-vault binary doesn't return the correct usage message "
+ throw "Chef-vault windows pipeline not working for hab pkg"
+}
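Review bot: The script declares a `$PackageIdentifier` parameter, but the one line that needs it, `$help_message=hab pkg exec "${pkg_ident}" -- chef-vault -h`, reads `${pkg_ident}`, a variable this file never assigns; it works only because PowerShell lets a script see variables from the calling scope (the workflow dot-sources `last_build.ps1` before invoking it), so the parameter is dead and the usage error in its default protects nothing. Use the parameter: `$help_message = hab pkg exec "$PackageIdentifier" -- chef-vault -h`. Also, when `chef-vault -h` prints more than one line PowerShell captures the output as a string array, and `.Contains($original_message)` on an array is an element-equality test rather than a substring search, so the check presumably passes only if some whole line equals `Usage: chef-vault`; `if (($help_message -join ' ') -match [regex]::Escape($original_message))` gives the substring semantics the bash counterpart in `test.sh` uses. Checking `$LASTEXITCODE` after the `hab pkg exec` call would additionally distinguish a missing binary from a wrong message.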
diff --git a/habitat/tests/test.sh b/habitat/tests/test.sh
new file mode 100644
index 0000000..bb5f881
--- /dev/null
+++ b/habitat/tests/test.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -euo pipefail
+
+project_root="$(git rev-parse --show-toplevel)"
+
+# print error message followed by usage and exit
+error () {
+ local message="$1"
+
+ echo -e "\nERROR: ${message}\n" >&2
+
+ exit 1
+}
+
+[[ -n "$pkg_ident" ]] || error 'no hab package identity provided'
+
+package_version=$(awk -F / '{print $3}' <<<"$pkg_ident")
+
+cd "${project_root}"
+
+echo "--- :mag_right: Testing ${pkg_ident} executables"
+help_message=$(hab pkg exec "${pkg_ident}" -- chef-vault -h)
+original_help="Usage: chef-vault"
+[[ $help_message =~ $original_help ]] || error "chef-vault help command is not as expected"
diff --git a/lib/chef-vault/version.rb b/lib/chef-vault/version.rb
index 6436819..2b92c91 100644
--- a/lib/chef-vault/version.rb
+++ b/lib/chef-vault/version.rb
@@ -15,6 +15,6 @@
 # limitations under the License.
 class ChefVault
- VERSION = "4.1.12"
+ VERSION = "4.1.13"
 MAJOR, MINOR, TINY = VERSION.split(".")
 end
diff --git a/lib/chef/knife/mixin/helper.rb b/lib/chef/knife/mixin/helper.rb
index 2654d32..daec93c 100644
--- a/lib/chef/knife/mixin/helper.rb
+++ b/lib/chef/knife/mixin/helper.rb
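Review bot: The guard `[[ -n "$pkg_ident" ]] || error 'no hab package identity provided'` can never reach `error`, because `set -euo pipefail` on line 3 makes bash abort with its own "unbound variable" message the moment an unset `$pkg_ident` is expanded; write it as `[[ -n "${pkg_ident:-}" ]] || error 'no hab package identity provided'` so the intended diagnostic actually fires. `package_version` is derived from `$pkg_ident` and then never used, so either drop it or fold it into the `echo`. The test `[[ $help_message =~ $original_help ]]` treats `$original_help` as an unanchored regex, which is harmless for the literal `Usage: chef-vault` but deserves a one-line comment so a later change to a string containing regex metacharacters does not silently loosen the check.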
@@ -49,16 +49,26 @@ def values_from_json(json)
 # Raises `InvalidValue` if any of the json's values contain non-printable characters.
 def validate_json(json)
 begin
- evaled_json = eval(json) # rubocop: disable Security/Eval
- rescue SyntaxError
+ parsed_json = JSON.parse(json)
+ rescue JSON::ParserError
 raise ChefVault::Exceptions::InvalidValue, "#{json} is not valid JSON!"
 end
- if evaled_json.is_a?(Hash)
- evaled_json.each do |key, value|
- next unless printable?(value.to_s)
+ check_value(parsed_json) # Start checking from the root of the parsed JSON
+ end
+
+ def check_value(value, parent_key = nil)
+ if value.is_a?(Array)
+ value.each { |item| check_value(item, parent_key) }
+ elsif value.is_a?(Hash)
+ value.each do |key, nested_value|
+ next if key == "password" # Skip the password key
- msg = "Value '#{value}' of key '#{key}' contains non-printable characters. Check that backslashes are escaped with another backslash (e.g. C:\\\\Windows) in double-quoted strings."
+ check_value(nested_value, key)
+ end
+ else
+ unless printable?(value.to_s)
+ msg = "Value '#{value}' of key '#{parent_key}' contains non-printable characters."
 ChefVault::Log.warn(msg)
 end
 end
@@ -69,7 +79,7 @@ def validate_json(json)
 # returns true if string is free of non-printable characters (escape sequences)
 # this returns false for whitespace escape sequences as well, e.g. \n\t
 def printable?(string)
- /[^[:print:]]|[[:space:]]/.match(string)
+ !/[[:^print:]]/.match?(string) # Returns true if the string is printable
 end
 end
 end
diff --git a/spec/chef/helper_spec.rb b/spec/chef/helper_spec.rb
index d1f4eb7..f1b7bc1 100644
--- a/spec/chef/helper_spec.rb
+++ b/spec/chef/helper_spec.rb
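Review bot: The rewritten warning `msg = "Value '#{value}' of key '#{parent_key}' contains non-printable characters."` still interpolates the offending value, so the CHEF-3710 fix only stops the leak for a key literally named `password`; a credential stored under `secret`, `token`, `private_key`, or any nested key that `check_value` recurses into is still written to the log in plaintext. Log the key name only, e.g. `msg = "Value of key '#{parent_key}' contains non-printable characters. Check that backslashes are escaped with another backslash (e.g. C:\\\\Windows) in double-quoted strings."`, which also restores the backslash hint the old message carried. Once the value is out of the message, `next if key == "password" # Skip the password key` should go too: as written, a password containing an unescaped Windows path, the case this validation exists for, is never checked at all. The doc comment above `validate_json` still says it raises `InvalidValue` for non-printable values, but the new code only warns; it should say it raises on unparsable JSON and warns otherwise. `check_value`'s closing `end` lies below the hunk.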
@@ -20,7 +20,7 @@
 it "not to raise error if data consist of tab/new line OR space" do
 %w{abc\tabc abc\nabc}.each do |pass|
 json_data_with_slash = json.merge("password": pass)
- expect { validate_json(json_data_with_slash.to_s) }.to_not raise_error
+ expect { validate_json(json_data_with_slash.to_json) }.to_not raise_error
 end
 end
 end
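Review bot: `%w{abc\tabc abc\nabc}` does not process escape sequences (lowercase `%w` behaves like single quotes), so each `pass` is the literal characters `abc\tabc` with a backslash, which `to_json` escapes and `JSON.parse` hands back unchanged; the example therefore never contains a tab or newline, `validate_json` takes the printable path, and the test does not exercise the non-printable branch its description names. Use real control characters, `["abc\tabc", "abc\nabc"].each do |pass|`, and since the point of #414 is that the password must not reach the log, assert that directly: `expect(ChefVault::Log).not_to receive(:warn).with(a_string_including(pass))`. The `json` fixture this example merges into is defined above the hunk.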