allow user to mark variables as sensitive for packer push

2017-06-05 15:27:34 -07:00 · 2017-06-05 15:27:34 -07:00 · fdca364f4b
commit fdca364f4b
parent e2a58b8e04
7 changed files with 43 additions and 13 deletions
--- a/command/meta.go
+++ b/command/meta.go
@ -33,6 +33,7 @@ type Meta struct {
 	// These are set by command-line flags
 	flagBuildExcept []string
 	flagBuildOnly   []string
+	flagPrivVars    []string
 	flagVars        map[string]string
 }

@ -119,6 +120,8 @@ func (m *Meta) FlagSet(n string, fs FlagSetFlags) *flag.FlagSet {
 	if fs&FlagSetVars != 0 {
 		f.Var((*kvflag.Flag)(&m.flagVars), "var", "")
 		f.Var((*kvflag.FlagJSON)(&m.flagVars), "var-file", "")
+		// designate any of the above variables that are private
+		f.Var((*sliceflag.StringFlag)(&m.flagPrivVars), "private", "")
 	}

 	// Create an io.Writer that writes to our Ui properly for errors.
--- a/command/push.go
+++ b/command/push.go
@ -12,6 +12,7 @@ import (
 	"github.com/hashicorp/atlas-go/archive"
 	"github.com/hashicorp/atlas-go/v1"
 	"github.com/hashicorp/packer/helper/flag-kv"
+	"github.com/hashicorp/packer/helper/flag-slice"
 	"github.com/hashicorp/packer/template"
 )

@ -190,6 +191,12 @@ func (c *PushCommand) Run(args []string) int {
 	}

 	// Collect the variables from CLI args and any var files
+	if privs := flags.Lookup("private"); privs != nil {
+		pvf := privs.Value.(*sliceflag.StringFlag)
+		pvars := []string(*pvf)
+		uploadOpts.PrivVars = pvars
+	}
+
 	uploadOpts.Vars = make(map[string]string)
 	if vs := flags.Lookup("var"); vs != nil {
 		f := vs.Value.(*kvflag.Flag)
@ -334,12 +341,19 @@ func (c *PushCommand) upload(
 	}

 	// Build the BuildVars struct
-
 	buildVars := atlas.BuildVars{}
 	for k, v := range opts.Vars {
+		isSensitive := false
+		for _, sensitiveVar := range opts.PrivVars {
+			if string(sensitiveVar) == string(k) {
+				isSensitive = true
+				break
+			}
+		}
 		buildVars = append(buildVars, atlas.BuildVar{
-			Key:   k,
-			Value: v,
+			Key:       k,
+			Value:     v,
+			Sensitive: isSensitive,
 		})
 	}

@ -372,6 +386,7 @@ type uploadOpts struct {
 	Builds   map[string]*uploadBuildInfo
 	Metadata map[string]interface{}
 	Vars     map[string]string
+	PrivVars []string
 }

 type uploadBuildInfo struct {
--- a/command/push_test.go
+++ b/command/push_test.go
@ -208,6 +208,7 @@ func TestPush_vars(t *testing.T) {
 		"-var", "one=two",
 		"-var-file", filepath.Join(testFixture("push-vars"), "vars.json"),
 		"-var", "overridden=yes",
+		"-private", "super,secret",
 		filepath.Join(testFixture("push-vars"), "template.json"),
 	}
 	if code := c.Run(args); code != 0 {
@ -224,10 +225,17 @@ func TestPush_vars(t *testing.T) {
 		"null":       "",
 		"one":        "two",
 		"overridden": "yes",
+		"super":      "this should be secret",
+		"secret":     "this one too",
 	}
 	if !reflect.DeepEqual(actualOpts.Vars, expected) {
 		t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.Vars, expected)
 	}
+
+	expected_priv := []string{"super", "secret"}
+	if !reflect.DeepEqual(actualOpts.PrivVars, expected_priv) {
+		t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.PrivVars, expected_priv)
+	}
 }

 func testArchive(t *testing.T, r io.Reader) []string {
--- a/command/test-fixtures/push-vars/vars.json
+++ b/command/test-fixtures/push-vars/vars.json
@ -1,5 +1,7 @@
 {
  "null": null,
  "bar": "baz",
-  "overridden": "no"
+  "overridden": "no",
+  "super": "this should be secret",
+  "secret": "this one too"
 }
--- a/vendor/github.com/hashicorp/atlas-go/v1/build_config.go
+++ b/vendor/github.com/hashicorp/atlas-go/v1/build_config.go
@ -15,8 +15,9 @@ type bcWrapper struct {

 // Atlas expects a list of key/value vars
 type BuildVar struct {
-	Key   string `json:"key"`
-	Value string `json:"value"`
+	Key       string `json:"key"`
+	Value     string `json:"value"`
+	Sensitive bool   `json:"sensitive"`
 }
 type BuildVars []BuildVar

--- a/vendor/github.com/hashicorp/go-checkpoint/README.md
+++ b/vendor/github.com/hashicorp/go-checkpoint/README.md
@ -1,7 +1,7 @@
 # Go Checkpoint Client

 [Checkpoint](http://checkpoint.hashicorp.com) is an internal service at
-Hashicorp that we use to check version information, broadcoast security
+Hashicorp that we use to check version information, broadcast security
 bulletins, etc.

 We understand that software making remote calls over the internet
@ -10,7 +10,7 @@ disabled in all of our software that includes it. You can view the source
 of this client to see that we're not sending any private information.

 Each Hashicorp application has it's specific configuration option
-to disable chekpoint calls, but the `CHECKPOINT_DISABLE` makes
+to disable checkpoint calls, but the `CHECKPOINT_DISABLE` makes
 the underlying checkpoint component itself disabled. For example
 in the case of packer:
 ```
--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@ -461,11 +461,11 @@
 			"revisionTime": "2016-11-07T20:49:10Z"
 		},
 		{
-			"checksumSHA1": "lrfddRS4/LDKnF0sAbyZ59eUSjo=",
+			"checksumSHA1": "IR7S+SOsSUnPnLxgRrfemXfCqNM=",
 			"comment": "20141209094003-92-g95fa852",
 			"path": "github.com/hashicorp/atlas-go/v1",
-			"revision": "1792bd8de119ba49b17fd8d3c3c1f488ec613e62",
-			"revisionTime": "2016-11-07T20:49:10Z"
+			"revision": "047827faf4f20cc74f1a420fdf679d59162a09c7",
+			"revisionTime": "2017-06-05T23:14:32Z"
 		},
 		{
 			"checksumSHA1": "cdOCt0Yb+hdErz8NAQqayxPmRsY=",
@ -473,9 +473,10 @@
 			"revision": "7554cd9344cec97297fa6649b055a8c98c2a1e55"
 		},
 		{
-			"checksumSHA1": "nd3S1qkFv7zZxA9be0bw4nT0pe0=",
+			"checksumSHA1": "SF8aIBEMV6/MXLFTgErdONaX8f0=",
 			"path": "github.com/hashicorp/go-checkpoint",
-			"revision": "e4b2dc34c0f698ee04750bf2035d8b9384233e1b"
+			"revision": "f8cfd20c53506d1eb3a55c2c43b84d009fab39bd",
+			"revisionTime": "2016-08-16T19:50:56Z"
 		},
 		{
 			"checksumSHA1": "fSe5y1UgTDeYlnFfUcDA1zzcw+U=",