From 6117c412fcd5802739e51840de62c18d0e4311d3 Mon Sep 17 00:00:00 2001
From: Lucy Ekatarina
Date: Tue, 7 Feb 2023 02:38:02 +0000
Subject: [PATCH] allow referencing secrets by name in manifests

Signed-off-by: Lucy Ekatarina
---
 api/graph/manifest.go |  2 +-
 buildsrht/manifest.py | 19 +++++++++++++++----
 worker/database.go    | 28 +++++++++++++++++++++++++++-
 worker/go.mod         |  1 +
 worker/go.sum         |  1 +
 worker/tasks.go       |  2 +-
 6 files changed, 46 insertions(+), 7 deletions(-)

diff --git a/api/graph/manifest.go b/api/graph/manifest.go
index 707adea..9016808 100644
--- a/api/graph/manifest.go
+++ b/api/graph/manifest.go
@@ -51,7 +51,7 @@ func LoadManifest(in string) (*Manifest, error) {
 	for _, sec := range manifest.Secrets {
 		_, err := uuid.Parse(sec)
-		if err != nil {
+		if err != nil && (len(sec) <= 3 || len(sec) >= 512) {
 			return nil, err
 		}
 	}
diff --git a/buildsrht/manifest.py b/buildsrht/manifest.py
index 6d18080..4cd29c3 100644
--- a/buildsrht/manifest.py
+++ b/buildsrht/manifest.py
@@ -82,10 +82,21 @@ class Manifest:
         if not isinstance(env, dict):
             raise Exception("Expected environment to be a dictionary")
         if secrets:
-            if not isinstance(secrets, list) or not all([isinstance(s, str) for s in secrets]):
-                raise Exception("Expected secrets to be a UUID array")
-            # Will throw exception on invalid UUIDs as well
-            secrets = list(map(uuid.UUID, secrets))
+            if not isinstance(secrets, list) or not all(
+                [isinstance(s, str) for s in secrets]
+            ):
+                raise Exception("Expected secrets to be a UUID/String array")
+
+            def uuid_or_string(s):
+                try:
+                    uuid.UUID(s)
+                except ValueError:
+                    if len(s) >= 3 and len(s) <= 512:
+                        s
+                    else:
+                        raise Exception("Secret names must be between 3 and 512 chars")
+
+            secrets = list(map(uuid_or_string, secrets))
         if shell is not None and not isinstance(shell, bool):
             raise Exception("Expected shell to be a boolean")
         if artifacts is not None and (
diff --git a/worker/database.go b/worker/database.go
index 113984e..78d2522 100644
--- a/worker/database.go
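Review bot: The new bounds in LoadManifest reject names of exactly 3 and 512 characters while the Python validator in this same commit (`len(s) >= 3 and len(s) <= 512`) accepts them, so a manifest can pass one check and fail the other; the Go condition should read `if err != nil && (len(sec) < 3 || len(sec) > 512) {`. On that path the error returned is still the uuid.Parse error, which reports a name-length failure as a malformed UUID; returning a purpose-built error such as `return nil, fmt.Errorf("secret %q is neither a UUID nor a name of 3-512 characters", sec)` (adding the fmt import if the file lacks it) would make the rejection explain itself. Note also that Go's len counts bytes while Python's counts code points, so a multibyte name near the limit could be accepted by one side and rejected by the other. LoadManifest begins before this hunk and continues after it.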
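Review bot: uuid_or_string never returns a value: `uuid.UUID(s)` is evaluated and discarded, and the bare expression `s` in the except branch is a no-op, so `secrets = list(map(uuid_or_string, secrets))` replaces every secret reference with None and the manifest silently loses its secrets (only the too-short/too-long case raises). Both branches need a return, and the else branch can be dropped once the accepted case returns. Callers that previously received a list of uuid.UUID objects will now see str entries for names as well, which is presumably intended but worth a note on the class. The hunk sits inside a Manifest method whose definition starts before this hunk.
```python
            def uuid_or_string(s):
                """Accept a secret UUID, or a secret name of 3-512 characters."""
                try:
                    return uuid.UUID(s)
                except ValueError:
                    if 3 <= len(s) <= 512:
                        return s
                    raise Exception("Secret names must be between 3 and 512 chars")

            secrets = list(map(uuid_or_string, secrets))
```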
+++ b/worker/database.go
@@ -3,6 +3,8 @@ package main
 import (
 	"database/sql"
 	"time"
+
+	"github.com/google/uuid"
 )
 type Job struct {
@@ -82,7 +84,15 @@ func GetJob(db *sql.DB, id int) (*Job, error) {
 	return &job, nil
 }
-func GetSecret(db *sql.DB, uuid string) (*Secret, error) {
+func GetSecret(db *sql.DB, sec string, ownerId int) (*Secret, error) {
+	_, err := uuid.Parse(sec)
+	if err != nil {
+		return GetSecretByName(db, sec, ownerId)
+	}
+	return GetSecretById(db, sec)
+}
+
+func GetSecretById(db *sql.DB, uuid string) (*Secret, error) {
 	row := db.QueryRow(`
 		SELECT
 			"id", "user_id", "created", "updated", "uuid",
@@ -94,7 +104,23 @@ func GetSecret(db *sql.DB, uuid string) (*Secret, error) {
 		&secret.Id, &secret.UserId, &secret.Created, &secret.Updated,
 		&secret.Uuid, &secret.Name, &secret.SecretType, &secret.Secret,
 		&secret.Path, &secret.Mode); err != nil {
+		return nil, err
+	}
+	return &secret, nil
+}
+func GetSecretByName(db *sql.DB, uuid string, ownerId int) (*Secret, error) {
+	row := db.QueryRow(`
+		SELECT
+			"id", "user_id", "created", "updated", "uuid",
+			"name", "secret_type", "secret", "path", "mode"
+		FROM "secret" WHERE "name" = $1 AND "user_id" = $2;
+	`, uuid, ownerId)
+	var secret Secret
+	if err := row.Scan(
+		&secret.Id, &secret.UserId, &secret.Created, &secret.Updated,
+		&secret.Uuid, &secret.Name, &secret.SecretType, &secret.Secret,
+		&secret.Path, &secret.Mode); err != nil {
 		return nil, err
 	}
 	return &secret, nil
diff --git a/worker/go.mod b/worker/go.mod
index 79155d4..1b6bbe1 100644
--- a/worker/go.mod
+++ b/worker/go.mod
@@ -5,6 +5,7 @@ require (
 	github.com/go-redis/redis/v8 v8.2.3
 	github.com/gocelery/gocelery v0.0.0-20201111034804-825d89059344
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
+	github.com/google/uuid v1.0.0
 	github.com/kr/pty v1.1.3
 	github.com/lib/pq v1.8.0
 	github.com/martinlindhe/base36 v1.1.0
diff --git a/worker/go.sum b/worker/go.sum
index a369f2f..95f57f2 100644
--- a/worker/go.sum
+++ b/worker/go.sum
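Review bot: GetSecretByName's lookup parameter is declared `uuid string` although it carries a secret name, and because this commit imports `github.com/google/uuid` that parameter now shadows the package in both GetSecretById and GetSecretByName; `func GetSecretByName(db *sql.DB, name string, ownerId int) (*Secret, error) {` with `` `, name, ownerId)`` (and `id` in GetSecretById) removes the ambiguity. The owner scope in the new GetSecret dispatcher is asymmetric: a name is resolved with `"user_id" = $2`, but a UUID reference goes to GetSecretById with no owner at all, so unless ownership of UUID-referenced secrets is enforced before the worker runs, ownerId should be threaded into that query as well. If the schema does not make (user_id, name) unique, QueryRow with no ORDER BY returns an arbitrary matching row, so either a uniqueness constraint or a documented tie-break is needed. A one-line doc comment on GetSecret stating that `sec` may be either a secret UUID or a per-user secret name would save callers reading the body.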
@@ -212,6 +212,7 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
+github.com/google/uuid v1.0.0 h1:b4Gk+7WdP/d3HZH8EJsZpvV7EtDOgaZLtnaNGIu1adA=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
diff --git a/worker/tasks.go b/worker/tasks.go
index 2897ac2..8737918 100644
--- a/worker/tasks.go
+++ b/worker/tasks.go
@@ -262,7 +262,7 @@ func (ctx *JobContext) SendSecrets() error {
 	sshKeys := 0
 	for _, uuid := range ctx.Manifest.Secrets {
 		ctx.Log.Printf("Resolving secret %s\n", uuid)
-		secret, err := GetSecret(ctx.Db, uuid)
+		secret, err := GetSecret(ctx.Db, uuid, ctx.Job.OwnerId)
 		if err != nil {
 			return errors.Wrap(err, "GetSecret")
 		}
-- 
2.38.5
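Review bot: The loop variable in SendSecrets is still named `uuid` although after this change it may hold a secret name, so the log line and the call read as if a UUID were always involved; renaming it to `ref` — `for _, ref := range ctx.Manifest.Secrets {`, `ctx.Log.Printf("Resolving secret %s\n", ref)`, `secret, err := GetSecret(ctx.Db, ref, ctx.Job.OwnerId)` — keeps the code honest. Whether `ctx.Job.OwnerId` is the same identifier the secret table stores in `user_id` is not visible here and is worth confirming, since that column is the only thing scoping the name lookup. SendSecrets starts before this hunk and continues after it.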