add support for secret plugin

Author: wass3r

action/pipeline/exec.go

@@ -250,8 +250,8 @@ func reportMissingSecrets(s map[string]string) {
 
 // collectMissingSecrets searches a given pipeline for used secrets
 // and returns a map of secrets not set in the current environment.
-// The map key is is the step or stage+step name formatted to match
-// the local exec log output.
+// The map key is is the step, stage+step, or secret name formatted
+// to match the local exec log output.
 func collectMissingSecrets(p *pipeline.Build) map[string]string {
 	if p == nil {
 		return make(map[string]string)
@@ -262,19 +262,28 @@ func collectMissingSecrets(p *pipeline.Build) map[string]string {
 	for _, stage := range p.Stages {
 		for _, step := range stage.Steps {
 			for _, secret := range step.Secrets {
-				stepName := formatStepIdentifier(stage.Name, step.Name)
+				stepName := formatStepIdentifier(stage.Name, step.Name, false)
 				secrets[stepName] = secret.Target
 			}
 		}
 	}
 
 	for _, step := range p.Steps {
 		for _, secret := range step.Secrets {
-			stepName := formatStepIdentifier("", step.Name)
+			stepName := formatStepIdentifier("", step.Name, false)
 			secrets[stepName] = secret.Target
 		}
 	}
 
+	for _, s := range p.Secrets {
+		if !s.Origin.Empty() {
+			for _, secret := range s.Origin.Secrets {
+				stepName := formatStepIdentifier("", s.Origin.Name, true)
+				secrets[stepName] = secret.Target
+			}
+		}
+	}
+
 	for step, secret := range secrets {
 		// if the secret was supplied, remove it from the map
 		// we only care about unset secrets
@@ -294,15 +303,25 @@ func collectMissingSecrets(p *pipeline.Build) map[string]string {
 // formatStepIdentifier formats a step name to be consistent with what
 // the worker logs to make it easier to associate a missing secret
 // with a step.
-func formatStepIdentifier(stageName, stepName string) string {
+func formatStepIdentifier(stageName, stepName string, isSecret bool) string {
+	const (
+		secretPrefix = "[secret: %s]" //nolint:gosec // false positive
+		stagePrefix  = "[stage: %s]"
+		stepPrefix   = "[step: %s]"
+	)
+
 	output := strings.Builder{}
 
 	if stageName != "" {
-		output.WriteString(fmt.Sprintf("[stage: %s]", stageName))
+		output.WriteString(fmt.Sprintf(stagePrefix, stageName))
 	}
 
 	if stepName != "" {
-		output.WriteString(fmt.Sprintf("[step: %s]", stepName))
+		if isSecret {
+			output.WriteString(fmt.Sprintf(secretPrefix, stepName))
+		} else {
+			output.WriteString(fmt.Sprintf(stepPrefix, stepName))
+		}
 	}
 
 	return output.String()

action/pipeline/exec_test.go

@@ -3,12 +3,9 @@
 package pipeline
 
 import (
-	"io"
 	"reflect"
 	"testing"
 
-	"github.com/sirupsen/logrus"
-
 	"github.com/go-vela/server/compiler/types/pipeline"
 )
 
@@ -91,6 +88,55 @@ func TestCollectMissingSecrets(t *testing.T) {
 			},
 			want: map[string]string{"[stage: stage1][step: step1]": "STAGE_SECRET"},
 		},
+		{
+			name: "secret plugin - supplied",
+			pipeline: &pipeline.Build{
+				Steps: []*pipeline.Container{
+					{
+						Name: "step1",
+					},
+				},
+				Secrets: []*pipeline.Secret{
+					{
+						Origin: &pipeline.Container{
+							Name: "secret from elsewhere",
+							Secrets: pipeline.StepSecretSlice{
+								{
+									Source: "source",
+									Target: "SECRET_FOR_SECRET",
+								},
+							},
+						},
+					},
+				},
+			},
+			envVars: map[string]string{"SECRET_FOR_SECRET": "value"},
+			want:    map[string]string{},
+		},
+		{
+			name: "secret plugin - missing",
+			pipeline: &pipeline.Build{
+				Steps: []*pipeline.Container{
+					{
+						Name: "step1",
+					},
+				},
+				Secrets: []*pipeline.Secret{
+					{
+						Origin: &pipeline.Container{
+							Name: "secret from elsewhere",
+							Secrets: pipeline.StepSecretSlice{
+								{
+									Source: "source",
+									Target: "SECRET_FOR_SECRET",
+								},
+							},
+						},
+					},
+				},
+			},
+			want: map[string]string{"[secret: secret from elsewhere]": "SECRET_FOR_SECRET"},
+		},
 		{
 			name: "provided step secret but value empty",
 			pipeline: &pipeline.Build{
@@ -133,6 +179,53 @@ func TestCollectMissingSecrets(t *testing.T) {
 	}
 }
 
+func TestFormatStepIdentifier(t *testing.T) {
+	tests := []struct {
+		name      string
+		stageName string
+		stepName  string
+		isSecret  bool
+		want      string
+	}{
+		{
+			name:      "basic format",
+			stageName: "build",
+			stepName:  "test",
+			isSecret:  false,
+			want:      "[stage: build][step: test]",
+		},
+		{
+			name:      "empty stage name",
+			stageName: "",
+			stepName:  "test",
+			isSecret:  false,
+			want:      "[step: test]",
+		},
+		{
+			name:      "secret format",
+			stageName: "",
+			stepName:  "test",
+			isSecret:  true,
+			want:      "[secret: test]",
+		},
+		{
+			name:      "empty stage and step name",
+			stageName: "",
+			stepName:  "",
+			isSecret:  false,
+			want:      "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := formatStepIdentifier(tt.stageName, tt.stepName, tt.isSecret); got != tt.want {
+				t.Errorf("formatStepIdentifier() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
 func TestSkipSteps(t *testing.T) {
 	tests := []struct {
 		name          string
@@ -267,44 +360,3 @@ func TestSkipSteps(t *testing.T) {
 		})
 	}
 }
-
-func TestFormatStepIdentifier(t *testing.T) {
-	tests := []struct {
-		name      string
-		stageName string
-		stepName  string
-		want      string
-	}{
-		{
-			name:      "basic format",
-			stageName: "build",
-			stepName:  "test",
-			want:      "[stage: build][step: test]",
-		},
-		{
-			name:      "empty stage name",
-			stageName: "",
-			stepName:  "test",
-			want:      "[step: test]",
-		},
-		{
-			name:      "empty stage and step name",
-			stageName: "",
-			stepName:  "",
-			want:      "",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := formatStepIdentifier(tt.stageName, tt.stepName); got != tt.want {
-				t.Errorf("formatStepIdentifier() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
-func init() {
-	// discard logs for tests
-	logrus.SetOutput(io.Discard)
-}