fix: do not log encoded secrets

Signed-off-by: Dariusz Duda <dariusz.duda@canonical.com>
canonical · Jan 13, 2025 · cc644d1 · cc644d1
1 parent 96f17af
commit cc644d1
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 8 deletions.
diff --git a/craft_application/application.py b/craft_application/application.py
@@ -437,6 +437,9 @@ def run_managed(self, platform: str | None, build_for: str | None) -> None:
                 # If using build secrets, put them in the environment of the managed
                 # instance.
                 secret_values = cast(secrets.BuildSecrets, self._secrets)
+                # disable logging CRAFT_SECRETS value passed to the managed instance
+                craft_cli.emit.set_secrets(list(secret_values.environment.values()))
+
                 env.update(secret_values.environment)
 
             extra_args["env"] = env

diff --git a/docs/reference/changelog.rst b/docs/reference/changelog.rst
@@ -4,6 +4,22 @@
 Changelog
 *********
 
+4.8.1 (2025-MMM-DD)
+-------------------
+
+Application
+===========
+
+- Do not log encoded secrets in managed mode if ``build_secrets``
+  ``AppFeature`` is enabled.
+
+Documentation
+=============
+
+- Add missing links to the GitHub releases.
+
+For a complete list of commits, check out the `4.8.1`_ release on GitHub.
+
 4.8.0 (2025-Jan-13)
 -------------------
 
@@ -21,6 +37,8 @@ Utils
 - Add ``is_managed_mode()`` helper to check if running in managed mode.
 - Add ``get_hostname()`` helper to get a name of current host.
 
+For a complete list of commits, check out the `4.8.0`_ release on GitHub.
+
 4.7.0 (2024-Dec-19)
 -------------------
 
@@ -29,6 +47,8 @@ Application
 
 - Allow applications to implement multi-base build plans.
 
+For a complete list of commits, check out the `4.7.0`_ release on GitHub.
+
 4.6.0 (2024-Dec-13)
 -------------------
 
@@ -69,7 +89,7 @@ Git
 - Use ``craft.git`` for Git-related operations run with ``subprocess`` in
   ``GitRepo``.
 
-.. For a complete list of commits, check out the `4.6.0`_ release on GitHub.
+For a complete list of commits, check out the `4.6.0`_ release on GitHub.
 
 4.5.0 (2024-Nov-28)
 -------------------
@@ -99,8 +119,8 @@ Services
 
 - Add version to the template generation context of ``InitService``.
 
-..
-  For a complete list of commits, check out the `4.5.0`_ release on GitHub.
+
+For a complete list of commits, check out the `4.5.0`_ release on GitHub.
 
 4.4.0 (2024-Nov-08)
 -------------------
@@ -483,3 +503,6 @@ For a complete list of commits, check out the `2.7.0`_ release on GitHub.
 .. _4.4.0: https://github.com/canonical/craft-application/releases/tag/4.4.0
 .. _4.5.0: https://github.com/canonical/craft-application/releases/tag/4.5.0
 .. _4.6.0: https://github.com/canonical/craft-application/releases/tag/4.6.0
+.. _4.7.0: https://github.com/canonical/craft-application/releases/tag/4.7.0
+.. _4.8.0: https://github.com/canonical/craft-application/releases/tag/4.8.0
+.. _4.8.1: https://github.com/canonical/craft-application/releases/tag/4.8.1
diff --git a/tests/unit/test_application.py b/tests/unit/test_application.py
@@ -559,17 +559,35 @@ def test_run_managed_failure(app, fake_project, fake_build_plan):
 
 
 @pytest.mark.enable_features("build_secrets")
-def test_run_managed_secrets(app, fake_project, fake_build_plan):
+@pytest.mark.parametrize(
+    "fake_encoded_environment",
+    [
+        pytest.param({}, id="empty"),
+        pytest.param(
+            {
+                "CRAFT_TEST": "banana",
+            },
+            id="fake-env",
+        ),
+        pytest.param(
+            {
+                "CRAFT_TEST_FRUIT": "banana",
+                "CRAFT_TEST_VEGETABLE": "cucumber",
+            },
+            id="multiple-entries-env",
+        ),
+    ],
+)
+def test_run_managed_secrets(
+    app, fake_project, fake_build_plan, fake_encoded_environment: dict[str, str], check
+):
     mock_provider = mock.MagicMock(spec_set=services.ProviderService)
     instance = mock_provider.instance.return_value.__enter__.return_value
     mock_execute = instance.execute_run
     app.services.provider = mock_provider
     app.project = fake_project
     app._build_plan = fake_build_plan
 
-    fake_encoded_environment = {
-        "CRAFT_TEST": "banana",
-    }
     app._secrets = secrets.BuildSecrets(
         environment=fake_encoded_environment,
         secret_strings=set(),
@@ -581,7 +599,13 @@ def test_run_managed_secrets(app, fake_project, fake_build_plan):
     assert len(mock_execute.mock_calls) == 1
     call = mock_execute.mock_calls[0]
     execute_env = call.kwargs["env"]
-    assert execute_env["CRAFT_TEST"] == "banana"
+    for secret_key, secret_val in fake_encoded_environment.items():
+        with check:
+            # value is passed to the underlying provider
+            assert execute_env[secret_key] == secret_val
+            assert secret_key in craft_cli.emit._log_filepath.read_text()
+            # value is not leaking in logs
+            assert secret_val not in craft_cli.emit._log_filepath.read_text()
 
 
 def test_run_managed_multiple(app, fake_project):