diff --git a/pkg/server/commits.go b/pkg/server/commits.go
index 746af69fc..bf9b647e1 100644
--- a/pkg/server/commits.go
+++ b/pkg/server/commits.go
@@ -183,7 +183,7 @@ func RunBuild(c *gin.Context) {
 	if repo.Params != nil && len(repo.Params) != 0 {
 		raw = []byte(inject.InjectSafe(string(raw), repo.Params))
 	}
-	encrypted, _ := secure.Parse(repo, string(raw))
+	encrypted, _ := secure.Parse(repo.Keys.Private, repo.Hash, string(raw))
 	if encrypted != nil && len(encrypted) != 0 {
 		raw = []byte(inject.InjectSafe(string(raw), encrypted))
 	}
diff --git a/pkg/server/hooks.go b/pkg/server/hooks.go
index 5db9a7266..b2d1ab467 100644
--- a/pkg/server/hooks.go
+++ b/pkg/server/hooks.go
@@ -101,7 +101,7 @@ func PostHook(c *gin.Context) {
 	if repo.Params != nil && len(repo.Params) != 0 {
 		raw = []byte(inject.InjectSafe(string(raw), repo.Params))
 	}
-	encrypted, _ := secure.Parse(repo, string(raw))
+	encrypted, _ := secure.Parse(repo.Keys.Private, repo.Hash, string(raw))
 	if encrypted != nil && len(encrypted) != 0 {
 		raw = []byte(inject.InjectSafe(string(raw), encrypted))
 	}
diff --git a/pkg/server/repos.go b/pkg/server/repos.go
index e14fa1841..8e7809160 100644
--- a/pkg/server/repos.go
+++ b/pkg/server/repos.go
@@ -253,7 +253,8 @@ func Encrypt(c *gin.Context) {
 	in := map[string]string{}
 	json.NewDecoder(c.Request.Body).Decode(&in)
 
-	err := secure.EncryptMap(repo, in)
+	privKey := sshutil.UnMarshalPrivateKey([]byte(repo.Keys.Private))
+	err := secure.EncryptMap(secure.ToHash(repo.Hash), &privKey.PublicKey, in)
 	if err != nil {
 		c.Fail(500, err)
 		return
diff --git a/pkg/yaml/secure/secure.go b/pkg/yaml/secure/secure.go
index 4672e2f33..09e282644 100644
--- a/pkg/yaml/secure/secure.go
+++ b/pkg/yaml/secure/secure.go
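Review bot: In the repos.go hunk, the two added lines in Encrypt parse the repo's private key and immediately take `&privKey.PublicKey` without checking the result; sshutil.UnMarshalPrivateKey has no error return, so if it reports a missing or malformed PEM by returning nil (I cannot confirm that from here), the dereference panics inside the HTTP handler instead of reaching the 500 path the next lines already provide. I would put `if privKey == nil { c.Fail(500, errors.New("repo has no usable private key")); return }` between the two added lines (adding an errors import if repos.go lacks one). The `repo.Keys.Private` read also assumes repo.Keys is non-nil — the pre-change test built it as `Keys: &keypair`, so it is a pointer field — and that deref previously lived inside secure.DecryptMap, so it is not new, but the handler is now the natural place to guard it. Encrypt's body starts before the hunk.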
@@ -1,33 +1,34 @@
 package secure
 
 import (
+	"crypto/rsa"
 	"crypto/sha256"
 	"hash"
 
 	"github.com/drone/drone/Godeps/_workspace/src/gopkg.in/yaml.v2"
 
-	common "github.com/drone/drone/pkg/types"
 	"github.com/drone/drone/pkg/utils/sshutil"
 )
 
 // Parse parses and returns the secure section of the
 // yaml file as plaintext parameters.
-func Parse(repo *common.Repo, raw string) (map[string]string, error) {
+func Parse(privateKeyPEM, repoHash, raw string) (map[string]string, error) {
 	params, err := parseSecure(raw)
 	if err != nil {
 		return nil, err
 	}
 
-	err = DecryptMap(repo, params)
+	hasher := ToHash(repoHash)
+	privKey := sshutil.UnMarshalPrivateKey([]byte(privateKeyPEM))
+
+	err = DecryptMap(hasher, privKey, params)
 	return params, err
 }
 
 // DecryptMap decrypts values of a map of named parameters
 // from base64 to decrypted strings.
-func DecryptMap(repo *common.Repo, params map[string]string) error {
+func DecryptMap(hasher hash.Hash, privKey *rsa.PrivateKey, params map[string]string) error {
 	var err error
-	hasher := toHash(repo.Hash)
-	privKey := sshutil.UnMarshalPrivateKey([]byte(repo.Keys.Private))
 
 	for name, encrypted := range params {
 		params[name], err = sshutil.Decrypt(hasher, privKey, encrypted)
@@ -39,13 +40,11 @@ func DecryptMap(repo *common.Repo, params map[string]string) error {
 }
 
 // EncryptMap encrypts values of a map of named parameters
-func EncryptMap(repo *common.Repo, params map[string]string) error {
+func EncryptMap(hasher hash.Hash, pubKey *rsa.PublicKey, params map[string]string) error {
 	var err error
-	hasher := toHash(repo.Hash)
-	privKey := sshutil.UnMarshalPrivateKey([]byte(repo.Keys.Private))
 
 	for name, value := range params {
-		params[name], err = sshutil.Encrypt(hasher, &privKey.PublicKey, value)
+		params[name], err = sshutil.Encrypt(hasher, pubKey, value)
 		if err != nil {
 			return err
 		}
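Review bot: Parse now takes `privateKeyPEM` and `repoHash`, but the doc comment above it still describes only the old contract, and the key parsed on the new `privKey :=` line is handed to DecryptMap unchecked. I would extend the comment with `// privateKeyPEM is the PEM-encoded RSA private key used to decrypt each value; repoHash is fed through ToHash to obtain the hash.Hash passed to sshutil.Decrypt.` If sshutil.UnMarshalPrivateKey, which has no error return, signals a bad PEM by returning nil — I cannot tell from this hunk — Parse should reject that before calling DecryptMap rather than pass a nil *rsa.PrivateKey down, e.g. `if privKey == nil { return nil, errors.New("secure: invalid private key") }` (an errors import would be needed). DecryptMap's body continues past the hunk.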
@@ -64,8 +63,8 @@ func parseSecure(raw string) (map[string]string, error) {
 	return data.Secure, err
 }
 
-// toHash is helper function to generate Hash of given string
-func toHash(key string) hash.Hash {
+// ToHash is helper function to generate Hash of given string
+func ToHash(key string) hash.Hash {
 	hasher := sha256.New()
 	hasher.Write([]byte(key))
 	hasher.Reset()
diff --git a/pkg/yaml/secure/secure_test.go b/pkg/yaml/secure/secure_test.go
index d86ec49b1..69a9e5467 100644
--- a/pkg/yaml/secure/secure_test.go
+++ b/pkg/yaml/secure/secure_test.go
@@ -5,7 +5,6 @@ import (
 
 	"github.com/drone/drone/Godeps/_workspace/src/github.com/franela/goblin"
 
-	common "github.com/drone/drone/pkg/types"
 	"github.com/drone/drone/pkg/utils/sshutil"
 )
 
@@ -14,21 +13,18 @@ func Test_Secure(t *testing.T) {
 	g := goblin.Goblin(t)
 	g.Describe("Encrypt params", func() {
 		privKey, _ := sshutil.GeneratePrivateKey()
-		keypair := common.Keypair{
-			Private: string(sshutil.MarshalPrivateKey(privKey)),
-			Public: string(sshutil.MarshalPublicKey(&privKey.PublicKey)),
-		}
-		repo := common.Repo{
-			Hash: "9T2tH3qZ8FSPr9uxrhzV4mn2VdVgA56xPVtYvCh0",
-			Keys: &keypair,
-		}
-		hashKey := toHash(repo.Hash)
+		publicKey := &privKey.PublicKey
+
+		privateKeyPEM := string(sshutil.MarshalPrivateKey(privKey))
+
+		repoHash := "9T2tH3qZ8FSPr9uxrhzV4mn2VdVgA56xPVtYvCh0"
+		hashKey := ToHash(repoHash)
 		text := "super_duper_secret"
-		encryptedValue, _ := sshutil.Encrypt(hashKey, &privKey.PublicKey, text)
+		encryptedValue, _ := sshutil.Encrypt(hashKey, publicKey, text)
 
 		g.It("Should decrypt a yaml", func() {
 			yaml := "secure: {\"foo\": \"" + encryptedValue + "\"}"
-			decrypted, err := Parse(&repo, yaml)
+			decrypted, err := Parse(privateKeyPEM, repoHash, yaml)
 			g.Assert(err == nil).IsTrue()
 			g.Assert(decrypted["foo"]).Equal(text)
 
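Review bot: Exporting toHash as ToHash publishes a function whose `key` argument has no effect: the body does `hasher.Write([]byte(key))` and then `hasher.Reset()`, and Reset returns a hash.Hash to its initial state, so what comes back is indistinguishable from a bare `sha256.New()` and the repo hash is never bound to the ciphertext. Callers in this commit now write `secure.ToHash(repo.Hash)` in a way that reads as if the repo hash matters. Either drop the Write/Reset pair and document the real contract — `// ToHash returns a fresh, unkeyed SHA-256 hash.Hash; key is currently ignored.` — or, if the intent is to tie secrets to a repo, bind the hash inside sshutil's Encrypt/Decrypt (the OAEP label would be the natural place if those use RSA-OAEP, which I cannot confirm here) and do it on both sides together so existing ciphertexts keep decrypting. ToHash's body continues past the hunk.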
@@ -36,7 +32,7 @@ func Test_Secure(t *testing.T) {
 
 		g.It("Should decrypt a yaml with no secure section", func() {
 			yaml := `foo: bar`
-			decrypted, err := Parse(&repo, yaml)
+			decrypted, err := Parse(privateKeyPEM, repoHash, yaml)
 			g.Assert(err == nil).IsTrue()
 			g.Assert(len(decrypted)).Equal(0)
 		})
@@ -45,10 +41,10 @@ func Test_Secure(t *testing.T) {
 			params := map[string]string{
 				"foo": text,
 			}
-			err := EncryptMap(&repo, params)
+			err := EncryptMap(hashKey, publicKey, params)
 			g.Assert(err == nil).IsTrue()
 			g.Assert(params["foo"] == "super_duper_secret").IsFalse()
-			err = DecryptMap(&repo, params)
+			err = DecryptMap(hashKey, privKey, params)
 			g.Assert(err == nil).IsTrue()
 			g.Assert(params["foo"] == "super_duper_secret").IsTrue()
 		})