fix: do not log encoded secrets

dariuszd21 · dariuszd21 · commit 27ca53edc95a · 2024-12-13T11:53:11.000-05:00
Signed-off-by: Dariusz Duda &lt;dariusz.duda@canonical.com&gt;
diff --git a/craft_application/application.py b/craft_application/application.py
@@ -435,6 +435,9 @@ def run_managed(self, platform: str | None, build_for: str | None) -> None:
                 # If using build secrets, put them in the environment of the managed
                 # instance.
                 secret_values = cast(secrets.BuildSecrets, self._secrets)
+                # disable logging CRAFT_SECRETS value passed to the managed instance
+                craft_cli.emit.set_secrets(list(secret_values.environment.values()))
+
                 env.update(secret_values.environment)
 
             extra_args["env"] = env
diff --git a/tests/unit/test_application.py b/tests/unit/test_application.py
@@ -559,17 +559,35 @@ def test_run_managed_failure(app, fake_project, fake_build_plan):
 
 
 @pytest.mark.enable_features("build_secrets")
-def test_run_managed_secrets(app, fake_project, fake_build_plan):
+@pytest.mark.parametrize(
+    "fake_encoded_environment",
+    [
+        pytest.param({}, id="empty"),
+        pytest.param(
+            {
+                "CRAFT_TEST": "banana",
+            },
+            id="fake-env",
+        ),
+        pytest.param(
+            {
+                "CRAFT_TEST_FRUIT": "banana",
+                "CRAFT_TEST_VEGETABLE": "cucumber",
+            },
+            id="multiple-entries-env",
+        ),
+    ],
+)
+def test_run_managed_secrets(
+    app, fake_project, fake_build_plan, fake_encoded_environment: dict[str, str], check
+):
     mock_provider = mock.MagicMock(spec_set=services.ProviderService)
     instance = mock_provider.instance.return_value.__enter__.return_value
     mock_execute = instance.execute_run
     app.services.provider = mock_provider
     app.project = fake_project
     app._build_plan = fake_build_plan
 
-    fake_encoded_environment = {
-        "CRAFT_TEST": "banana",
-    }
     app._secrets = secrets.BuildSecrets(
         environment=fake_encoded_environment,
         secret_strings=set(),
@@ -581,7 +599,11 @@ def test_run_managed_secrets(app, fake_project, fake_build_plan):
     assert len(mock_execute.mock_calls) == 1
     call = mock_execute.mock_calls[0]
     execute_env = call.kwargs["env"]
-    assert execute_env["CRAFT_TEST"] == "banana"
+    for key, val in fake_encoded_environment.items():
+        with check:
+            assert execute_env[key] == val
+            assert key in craft_cli.emit._log_filepath.read_text()
+            assert val not in craft_cli.emit._log_filepath.read_text()
 
 
 def test_run_managed_multiple(app, fake_project):
