jenkins/sap-jenkins-library
1
0
Fork 0
mirror of https://github.com/SAP/jenkins-library.git synced 2024-12-12 10:55:20 +02:00
Code Issues Releases Activity
4725ce2dc8
sap-jenkins-library/cmd/writePipelineEnv.go
Egor Balakin 3eb4f165b2
feat(commonPipelineEnvironment): encrypt CPE (#4504) 
* encrypt CPE - init

* fix

* disable encrypt on Jenkins

* get PIPER_pipelineEnv_SECRET from vault

* reuse artifactPrepareVersionOptions

* encrypt only with orchestrator.GitHubActions

* Workaround: orchestrators expect json

* add encryptedCPE flag

* remove JSON workaround

* throw error if stepConfigPassword is empty

* fix log messages

---------

Co-authored-by: Egor Balakin <egor.balakin@sap.com>
2023-09-11 12:58:57 +04:00

135 lines
3.3 KiB
Go
Raw Blame History

package cmd
import (
"bytes"
"crypto/aes"
"crypto/cipher"
"crypto/sha256"
b64 "encoding/base64"
"encoding/json"
"fmt"
"github.com/SAP/jenkins-library/pkg/config"
"io"
"os"
"path/filepath"
"github.com/SAP/jenkins-library/pkg/log"
"github.com/SAP/jenkins-library/pkg/piperenv"
"github.com/spf13/cobra"
)
// WritePipelineEnv Serializes the commonPipelineEnvironment JSON to disk
func WritePipelineEnv() *cobra.Command {
var stepConfig artifactPrepareVersionOptions
var encryptedCPE bool
metadata := artifactPrepareVersionMetadata()
writePipelineEnv := &cobra.Command{
Use: "writePipelineEnv",
Short: "Serializes the commonPipelineEnvironment JSON to disk",
PreRun: func(cmd *cobra.Command, args []string) {
path, _ := os.Getwd()
fatalHook := &log.FatalHook{CorrelationID: GeneralConfig.CorrelationID, Path: path}
log.RegisterHook(fatalHook)
err := PrepareConfig(cmd, &metadata, "", &stepConfig, config.OpenPiperFile)
if err != nil {
log.SetErrorCategory(log.ErrorConfiguration)
return
}
log.RegisterSecret(stepConfig.Password)
log.RegisterSecret(stepConfig.Username)
},
Run: func(cmd *cobra.Command, args []string) {
err := runWritePipelineEnv(stepConfig.Password, encryptedCPE)
if err != nil {
log.Entry().Fatalf("error when writing common Pipeline environment: %v", err)
}
},
}
writePipelineEnv.Flags().BoolVar(&encryptedCPE, "encryptedCPE", false, "Bool to use encryption in CPE")
return writePipelineEnv
}
func runWritePipelineEnv(stepConfigPassword string, encryptedCPE bool) error {
var err error
pipelineEnv, ok := os.LookupEnv("PIPER_pipelineEnv")
inBytes := []byte(pipelineEnv)
if !ok {
var err error
inBytes, err = io.ReadAll(os.Stdin)
if err != nil {
return err
}
}
if len(inBytes) == 0 {
return nil
}
// try to decrypt
if encryptedCPE {
log.Entry().Debug("trying to decrypt CPE")
if stepConfigPassword == "" {
return fmt.Errorf("empty stepConfigPassword")
}
inBytes, err = decrypt([]byte(stepConfigPassword), inBytes)
if err != nil {
log.Entry().Fatal(err)
}
}
commonPipelineEnv := piperenv.CPEMap{}
decoder := json.NewDecoder(bytes.NewReader(inBytes))
decoder.UseNumber()
err = decoder.Decode(&commonPipelineEnv)
if err != nil {
return err
}
rootPath := filepath.Join(GeneralConfig.EnvRootPath, "commonPipelineEnvironment")
err = commonPipelineEnv.WriteToDisk(rootPath)
if err != nil {
return err
}
writtenBytes, err := json.MarshalIndent(commonPipelineEnv, "", "\t")
if err != nil {
return err
}
_, err = os.Stdout.Write(writtenBytes)
if err != nil {
return err
}
return nil
}
func decrypt(secret, base64CipherText []byte) ([]byte, error) {
// decode from base64
cipherText, err := b64.StdEncoding.DecodeString(string(base64CipherText))
if err != nil {
return nil, fmt.Errorf("failed to decode from base64: %v", err)
}
// use SHA256 as key
key := sha256.Sum256(secret)
block, err := aes.NewCipher(key[:])
if err != nil {
return nil, fmt.Errorf("failed to create new cipher: %v", err)
}
if len(cipherText) < aes.BlockSize {
return nil, fmt.Errorf("invalid ciphertext block size")
}
iv := cipherText[:aes.BlockSize]
cipherText = cipherText[aes.BlockSize:]
stream := cipher.NewCFBDecrypter(block, iv)
stream.XORKeyStream(cipherText, cipherText)
return cipherText, nil
}
Reference in New Issue View Git Blame Copy Permalink