From 104fe4c665291eef934b9fbd57d26c9fe71f5346 Mon Sep 17 00:00:00 2001
From: sebv
Date: Thu, 11 Dec 2014 22:25:40 +0000
Subject: [PATCH 1/2] whitelisting jwt and enabling decryption of whitelisted addons
---
 lib/travis/model/job.rb | 10 +++-------
 spec/travis/model/job_spec.rb | 20 ++++++++++++++++++++
 2 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/lib/travis/model/job.rb b/lib/travis/model/job.rb
index 1d86e278e..c5fe4f18f 100644
--- a/lib/travis/model/job.rb
+++ b/lib/travis/model/job.rb
@@ -23,6 +23,7 @@ class Job < Travis::Model
 mariadb
 postgresql
 ssh_known_hosts
+ jwt
 ).freeze
 
 class << self
@@ -133,13 +134,8 @@ def decrypted_config
 normalize_config(self.config).deep_dup.tap do |config|
 config[:env] = process_env(config[:env]) { |env| decrypt_env(env) } if config[:env]
 config[:global_env] = process_env(config[:global_env]) { |env| decrypt_env(env) } if config[:global_env]
- if config[:addons]
- if addons_enabled?
- config[:addons] = decrypt_addons(config[:addons])
- else
- delete_addons(config)
- end
- end
+ delete_addons(config) if config[:addons] && !addons_enabled?
+ config[:addons] = decrypt_addons(config[:addons]) if config[:addons]
 end
 rescue => e
 logger.warn "[job id:#{id}] Config could not be decrypted due to #{e.message}"
diff --git a/spec/travis/model/job_spec.rb b/spec/travis/model/job_spec.rb
index 8a3b18d5d..73a721134 100644
--- a/spec/travis/model/job_spec.rb
+++ b/spec/travis/model/job_spec.rb
@@ -355,6 +355,26 @@
 }
 }
 end
+
+ it 'decrypts whitelisted addons', :only => true do
+ config = { rvm: '1.8.7',
+ addons: {
+ jwt: {
+ secret: job.repository.key.secure.encrypt('ABC=foobar')
+ }
+ }
+ }
+ job.config = config
+
+ job.decrypted_config.should == {
+ rvm: '1.8.7',
+ addons: {
+ jwt: {
+ secret: 'ABC=foobar'
+ }
+ }
+ }
+ end
 end
 
 context 'when job has secure env enabled' do
From ab6d479dbad256b89d007ade9aba05620d06f5a8 Mon Sep 17 00:00:00 2001
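Review bot: With the two rewritten lines, whenever `addons_enabled?` is false `decrypt_addons` now runs on every addon that survives `delete_addons(config)`, not only on the newly listed `jwt` — the removed branch decrypted nothing at all in that case. Unless `delete_addons` strips everything except whitelisted addons (its body is not in this hunk), this widens which secrets get decrypted for jobs that presumably have addons disabled for trust reasons, which is the opposite of what the subject line describes. Restrict the second line to the whitelist, e.g. `config[:addons] = config[:addons].merge(decrypt_addons(config[:addons].select { |k, _| k.to_s == 'jwt' })) if config[:addons]`; PATCH 2/2 in this series reworks this branch along those lines. The `def decrypted_config` line and whatever follows the `logger.warn` are outside the hunk.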
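Review bot: The new example carries `:only => true` on its `it` line, which reads like a leftover focus tag; if the suite's RSpec configuration filters on `:only`, committing it would silently shrink the run to this single example. Drop it: `it 'decrypts whitelisted addons' do`. The example also only shows the whitelisted addon being decrypted; an assertion that a non-whitelisted addon keeps its encrypted `secure` value would pin the boundary this change is meant to enforce (the context wrapping the example starts outside the hunk, so whether addons are disabled here cannot be seen).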
From: Gavin Mogan
Date: Tue, 19 Jul 2016 16:11:30 -0700
Subject: [PATCH 2/2] Keep a list of ADDONS that are whitelisted and safe to decrypt
---
 lib/travis/model/job.rb | 18 ++++++++++++++++--
 spec/travis/model/job_spec.rb | 9 ++++++++-
 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/lib/travis/model/job.rb b/lib/travis/model/job.rb
index c5fe4f18f..321bdbe1b 100644
--- a/lib/travis/model/job.rb
+++ b/lib/travis/model/job.rb
@@ -26,6 +26,10 @@ class Job < Travis::Model
 jwt
 ).freeze
 
+ ALWAYS_DECRYPT_ADDONS = %w(
+ jwt
+ ).freeze
+
 class << self
 # what we return from the json api
 def queued(queue = nil)
@@ -134,8 +138,18 @@ def decrypted_config
 normalize_config(self.config).deep_dup.tap do |config|
 config[:env] = process_env(config[:env]) { |env| decrypt_env(env) } if config[:env]
 config[:global_env] = process_env(config[:global_env]) { |env| decrypt_env(env) } if config[:global_env]
- delete_addons(config) if config[:addons] && !addons_enabled?
- config[:addons] = decrypt_addons(config[:addons]) if config[:addons]
+ if config[:addons]
+ if addons_enabled?
+ config[:addons] = decrypt_addons(config[:addons])
+ else
+ delete_addons(config)
+ if config[:addons]
+ config[:addons] = config[:addons].merge(
+ decrypt_addons(config[:addons]).keep_if { |key, _| ALWAYS_DECRYPT_ADDONS.include? key.to_s }
+ )
+ end
+ end
+ end
 end
 rescue => e
 logger.warn "[job id:#{id}] Config could not be decrypted due to #{e.message}"
diff --git a/spec/travis/model/job_spec.rb b/spec/travis/model/job_spec.rb
index 73a721134..f889fc86e 100644
--- a/spec/travis/model/job_spec.rb
+++ b/spec/travis/model/job_spec.rb
@@ -357,10 +357,14 @@
 end
 
 it 'decrypts whitelisted addons', :only => true do
+ secret_str = job.repository.key.secure.encrypt('ABC=foobar')
 config = { rvm: '1.8.7',
 addons: {
 jwt: {
- secret: job.repository.key.secure.encrypt('ABC=foobar')
+ secret: secret_str
+ },
+ apt_packages: {
+ secret: secret_str
 }
 }
 }
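Review bot: `ALWAYS_DECRYPT_ADDONS` carries no comment explaining why its entries are safe to decrypt for jobs where `addons_enabled?` is false, yet that is the entire security decision this constant encodes, and a future reader adding an addon here has nothing to check against. Add a comment above the constant such as `# Addons whose secure values are decrypted even when addons_enabled? is false. List an addon here only if the decrypted value cannot be read back from an untrusted build; confirm against the addon's implementation before extending.` The trust argument for `jwt` (presumably the secret is used to mint a short-lived token rather than being exported as-is) is not visible in this diff, so the comment should state whichever rationale the team has actually verified.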
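Review bot: In the new `else` branch, `decrypt_addons(config[:addons])` is applied to every addon still present after `delete_addons`, and the result is only narrowed afterwards by `keep_if`, so non-whitelisted secrets (the `apt_packages` blob in the spec, for instance) are decrypted into memory and then discarded, and a malformed `secure` value in any such addon raises into the method-level `rescue => e` visible at the bottom of the hunk, which then also skips decryption of the whitelisted `jwt`. Filter before decrypting: `wanted = config[:addons].select { |key, _| ALWAYS_DECRYPT_ADDONS.include?(key.to_s) }` followed by `config[:addons] = config[:addons].merge(decrypt_addons(wanted)) unless wanted.empty?` in place of the `merge(... .keep_if ...)` call. That also stops `keep_if` from mutating whatever hash `decrypt_addons` returns. The `def decrypted_config` line and whatever follows the `logger.warn` are outside this hunk.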
@@ -371,6 +375,9 @@
 addons: {
 jwt: {
 secret: 'ABC=foobar'
+ },
+ apt_packages: {
+ secret: { :secure => secret_str["secure"] }
 }
 }
 }