
Commit 4f32b01

authored
Update Run.ps1
Obfuscate api keys, connection strings, subscription id, resource group name, resource name in recordings.
1 parent e3623c8 commit 4f32b01


1 file changed

+85
-1
lines changed


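--- a/src/quantum/tests.live/Run.ps1
+++ b/src/quantum/tests.live/Run.ps1
@@ -25,6 +25,87 @@ function Invoke-SASTokenObfuscation {
 }
 }
 
+function Invoke-APIKeyObfuscation {
+param (
+[Parameter(mandatory=$true)]
+$RecordingsFolderPath
+)
+
+Get-ChildItem "$RecordingsFolderPath" -Filter *.yaml |
+Foreach-Object {
+$RecordingFileName = $_.Name
+$PathToRecording = "$RecordingsFolderPath\$RecordingFileName"
+Write-Verbose -Message "Searching for API Keys in ""$PathToRecording"" and obfuscating it..."
+(Get-Content $PathToRecording) -replace 'api_key=[\w%]+','api_key=REDACTED' | Set-Content $PathToRecording
+}
+}
+
+function Invoke-QuantumWorkspaceDataObfuscation {
+param (
+[Parameter(mandatory=$true)]
+$RecordingsFolderPath
+)
+
+Get-ChildItem "$RecordingsFolderPath" -Filter *.yaml |
+Foreach-Object {
+$RecordingFileName = $_.Name
+$PathToRecording = "$RecordingsFolderPath\$RecordingFileName"
+Write-Host "Starting obfuscation of sensitive fields in recording file: $PathToRecording"
+
+# Read full content
+$content = Get-Content $PathToRecording -Raw
+Write-Host "Loaded file content."
+
+# Obfuscate primaryKey and secondaryKey inside JSON strings
+$content = $content -replace '"primaryKey"\s*:\s*\{[^}]*"key"\s*:\s*"[^"]+"', '"primaryKey":{"key":"REDACTED"'
+Write-Host "Obfuscated 'primaryKey'."
+
+$content = $content -replace '"secondaryKey"\s*:\s*\{[^}]*"key"\s*:\s*"[^"]+"', '"secondaryKey":{"key":"REDACTED"'
+Write-Host "Obfuscated 'secondaryKey'."
+
+# Obfuscate primary and secondary connection strings
+$connectionPattern = '"(primary|secondary)ConnectionString"\s*:\s*"SubscriptionId=[^;]+;ResourceGroupName=[^;]+;WorkspaceName=[^;]+;ApiKey=[^;]+;QuantumEndpoint=[^"]+"'
+$replacementConnection = '"$1ConnectionString":"SubscriptionId=REDACTED;ResourceGroupName=REDACTED;WorkspaceName=REDACTED;ApiKey=REDACTED;QuantumEndpoint=REDACTED"'
+$content = $content -replace $connectionPattern, $replacementConnection
+Write-Host "Obfuscated primary and secondary connection strings."
+
+# Obfuscate standalone ApiKey
+$content = $content -replace 'ApiKey=[\w-]+;', 'ApiKey=REDACTED;'
+Write-Host "Obfuscated standalone ApiKey values."
+
+# Obfuscate apiKeyEnabled boolean
+$content = $content -replace '"apiKeyEnabled"\s*:\s*(true|false)', '"apiKeyEnabled":REDACTED'
+Write-Host "Obfuscated 'apiKeyEnabled' values."
+
+# Obfuscate resourceName
+$content = $content -replace '"resourceName"\s*:\s*"[^"]+"', '"resourceName":"REDACTED"'
+Write-Host "Obfuscated 'resourceName' values."
+
+# Obfuscate quantumWorkspaceName
+$content = $content -replace '"quantumWorkspaceName"\s*:\s*\{\s*"type"\s*:\s*"String",\s*"value"\s*:\s*"[^"]+"\s*\}', '"quantumWorkspaceName":{"type":"String","value":"REDACTED"}'
+Write-Host "Obfuscated 'quantumWorkspaceName'."
+
+# Obfuscate location and storageAccountLocation
+$content = $content -replace '"(location|storageAccountLocation)"\s*:\s*\{\s*"type"\s*:\s*"String",\s*"value"\s*:\s*"[^"]+"\s*\}', '"$1":{"type":"String","value":"REDACTED"}'
+Write-Host "Obfuscated 'location' and 'storageAccountLocation'."
+
+# Obfuscate workspaceName in connection strings
+$content = $content -replace 'WorkspaceName=[^;]+;', 'WorkspaceName=REDACTED;'
+Write-Host "Obfuscated 'WorkspaceName' in connection strings."
+
+# Obfuscate Set-Cookie headers
+$content = $content -replace 'ApplicationGatewayAffinityCORS=[\w-]+;', 'ApplicationGatewayAffinityCORS=REDACTED;'
+$content = $content -replace 'ApplicationGatewayAffinity=[\w-]+;', 'ApplicationGatewayAffinity=REDACTED;'
+$content = $content -replace 'ARRAffinity=[\w-]+;', 'ARRAffinity=REDACTED;'
+$content = $content -replace 'ARRAffinitySameSite=[\w-]+;', 'ARRAffinitySameSite=REDACTED;'
+Write-Host "Obfuscated sensitive Set-Cookie headers."
+
+# Save the modified content
+Set-Content -Path $PathToRecording -Value $content
+Write-Host "Finished obfuscation. Changes saved to: $PathToRecording"
+}
+}
+
 # For debug, print all relevant environment variables:
 Get-ChildItem env:AZURE*, env:*VERSION, env:*OUTDIR | ForEach-Object {
 Write-Host $_.Name "=" $_.Value
@@ -47,5 +128,8 @@ azdev test quantum --live --verbose --xml-path $RecordingsFolderPath
 # Make sure we don't check-in SAS-tokens
 Invoke-SASTokenObfuscation -RecordingsFolderPath $RecordingsFolderPath
 
+# Make sure we don't check-in API keys, Connection strings and quantum workspace data
+Invoke-QuantumWorkspaceDataObfuscation -RecordingsFolderPath $RecordingsFolderPath
+
 # Restoring to initial folder location
-Pop-Location
+Pop-Location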
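Review bot: `Invoke-APIKeyObfuscation` is added but never called in the visible call-site hunk, which only invokes `Invoke-QuantumWorkspaceDataObfuscation`, so `api_key=` query-string values stay in the recordings unless a call exists outside this diff; add `Invoke-APIKeyObfuscation -RecordingsFolderPath $RecordingsFolderPath` beside it. The standalone rule `'ApiKey=[\w-]+;'` skips a key that ends its string without `;` or contains characters outside `[\w-]`; `$content -replace 'ApiKey=[^;"\s]+', 'ApiKey=REDACTED'` covers both and leaves the delimiter in place. Each `Write-Host "Obfuscated …"` prints whether or not its pattern matched, so a recording whose format has drifted still reports success; a final check that throws when `ApiKey=(?!REDACTED)` still matches `$content` would make the step fail closed before check-in. Separately, `'"apiKeyEnabled":REDACTED'` writes a bare token that is not valid JSON and may break playback if the body is parsed; the flag is not a secret and could be left unchanged.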
