
Commit a9a1b92

authored
Ensure that AWS inputs are masked as secrets (#220)
Using `setSecret` on the value of the secret provided as an input ensures that GitHub's runner will mask the value anywhere it shows up in logs. Fixes #219 References: * [`setSecret` docs](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret)
1 parent 7fc77bb commit a9a1b92


3 files changed

+48
-6
lines changed


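--- a/__mocks__/@actions/core.ts
+++ b/__mocks__/@actions/core.ts
@@ -1,3 +1,4 @@
 export const setFailed = jest.fn();
 export const getInput = jest.fn();
-export const setOutput = jest.fn();
+export const setOutput = jest.fn();
+export const setSecret = jest.fn();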

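--- a/__tests__/index.spec.ts
+++ b/__tests__/index.spec.ts
@@ -1,6 +1,6 @@
 import AWS from 'aws-sdk/global';
 import { main, Props, Credentials, ExtraOptions } from '../src';
-import { setFailed, getInput, setOutput } from '../__mocks__/@actions/core';
+import { setFailed, getInput, setOutput, setSecret } from '../__mocks__/@actions/core';
 import Lambda, { constructorMock } from '../__mocks__/aws-sdk/clients/lambda';
 
 describe('invoke-aws-lambda', () => {
@@ -29,6 +29,7 @@ describe('invoke-aws-lambda', () => {
 getInput.mockClear();
 setFailed.mockClear();
 setOutput.mockClear();
+setSecret.mockClear();
 });
 
 it('runs when provided the correct input', async () => {
@@ -39,6 +40,7 @@ describe('invoke-aws-lambda', () => {
 await main();
 expect(getInput).toHaveBeenCalledTimes(13);
 expect(setFailed).not.toHaveBeenCalled();
+expect(setSecret).toHaveBeenCalledTimes(2);
 expect(AWS.config.httpOptions).toMatchInlineSnapshot(`
 Object {
 "timeout": 220000,
@@ -95,6 +97,7 @@ describe('invoke-aws-lambda', () => {
 `);
 expect(setFailed).toHaveBeenCalled();
 expect(setOutput).not.toHaveBeenCalled();
+expect(setSecret).toHaveBeenCalledTimes(2);
 });
 
 describe('when the function returns an error', () => {
@@ -122,6 +125,7 @@ describe('invoke-aws-lambda', () => {
 
 expect(setOutput).toHaveBeenCalled();
 expect(setFailed).toHaveBeenCalled();
+expect(setSecret).toHaveBeenCalledTimes(2);
 });
 
 it('should fail the action when SUCCEED_ON_FUNCTION_FAILURE is false', async () => {
@@ -140,6 +144,7 @@ describe('invoke-aws-lambda', () => {
 
 expect(setOutput).toHaveBeenCalled();
 expect(setFailed).toHaveBeenCalled();
+expect(setSecret).toHaveBeenCalledTimes(2);
 });
 
 it('should succeed the action when SUCCEED_ON_FUNCTION_FAILURE is true', async () => {
@@ -158,6 +163,30 @@ describe('invoke-aws-lambda', () => {
 
 expect(setOutput).toHaveBeenCalled();
 expect(setFailed).not.toHaveBeenCalled();
+expect(setSecret).toHaveBeenCalledTimes(2);
+});
+
+it("should call setSecret on AWS_SESSION_TOKEN when it's provided", async () => {
+const overriddenMockedInput = {
+...mockedInput,
+[Credentials.AWS_SESSION_TOKEN]: 'someSessionToken',
+};
+
+getInput.mockImplementation(
+(key: Partial<Props & Credentials & 'REGION'>) => {
+return overriddenMockedInput[key];
+}
+);
+
+const handler = jest.fn(() => ({ response: 'ok' }));
+
+Lambda.__setResponseForMethods({ invoke: handler });
+
+await main();
+
+expect(getInput).toHaveBeenCalledTimes(13);
+expect(setFailed).not.toHaveBeenCalled();
+expect(setSecret).toHaveBeenCalledTimes(3);
 });
 });
 });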
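Review bot: The new assertions only count calls (`expect(setSecret).toHaveBeenCalledTimes(2)` and `toHaveBeenCalledTimes(3)`), so they would still pass if a credential were left unmasked and some other input were masked in its place. In the new session-token test, assert the argument as well, e.g. `expect(setSecret).toHaveBeenCalledWith('someSessionToken');`, and add the equivalent checks for the access key id and secret access key in the first test. `mockedInput` is defined outside the visible hunks, so the expected values for those two have to be taken from it.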

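--- a/src/index.ts
+++ b/src/index.ts
@@ -1,6 +1,6 @@
 import AWS from 'aws-sdk/global';
 import Lambda from 'aws-sdk/clients/lambda';
-import { getInput, setOutput, setFailed } from '@actions/core';
+import { getInput, setOutput, setFailed, setSecret } from '@actions/core';
 
 const apiVersion = '2015-03-31';
 
@@ -26,10 +26,22 @@ export enum Props {
 }
 
 const setAWSCredentials = () => {
+const accessKeyId = getInput(Credentials.AWS_ACCESS_KEY_ID);
+setSecret(accessKeyId);
+
+const secretAccessKey = getInput(Credentials.AWS_SECRET_ACCESS_KEY);
+setSecret(secretAccessKey);
+
+const sessionToken = getInput(Credentials.AWS_SESSION_TOKEN);
+// Make sure we only mask if specified
+if (sessionToken) {
+setSecret(sessionToken);
+}
+
 AWS.config.credentials = {
-accessKeyId: getInput(Credentials.AWS_ACCESS_KEY_ID),
-secretAccessKey: getInput(Credentials.AWS_SECRET_ACCESS_KEY),
-sessionToken: getInput(Credentials.AWS_SESSION_TOKEN),
+accessKeyId,
+secretAccessKey,
+sessionToken,
 };
 };
 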
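Review bot: `setSecret(accessKeyId)` and `setSecret(secretAccessKey)` in `setAWSCredentials` run even when the input is empty, while the session token a few lines below is guarded with `if (sessionToken)`. `getInput` returns an empty string for an input that was not supplied, and an empty value gives the runner nothing to mask (as far as I recall it logs a warning for an empty `add-mask`). Either apply the same guard, e.g. `if (accessKeyId) setSecret(accessKeyId);`, or read the two inputs with `getInput(name, { required: true })` if the action cannot work without them; whether they are declared required in the action metadata is not visible on this page. The existing comment could also say why the guard exists, for example `// getInput returns '' when the input is absent; an empty string cannot be registered as a mask`.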
