Dagger secrets

go.mod

@@ -3,7 +3,7 @@ module github.com/vito/bass
 go 1.20
 
 require (
-	dagger.io/dagger v0.5.0
+	dagger.io/dagger v0.5.2
 	github.com/adrg/xdg v0.4.0
 	github.com/agext/levenshtein v1.2.3
 	github.com/ajstarks/svgo v0.0.0-20210406150507-75cfd577ce75

go.sum

@@ -38,6 +38,10 @@ dagger.io/dagger v0.4.6 h1:1GpHJuGrDcLCCIprLpwTXBpKg8Te/RVIDo1qpzkL/QE=
 dagger.io/dagger v0.4.6/go.mod h1:1nbGnLdIfoBV2ahbQjheI//SNGz+b5q1jqf0A+pJ+Oc=
 dagger.io/dagger v0.5.0 h1:7hQnA/pFMpEkuaU2ScNWoZznTa6DbIqHnwBJwL5bBQY=
 dagger.io/dagger v0.5.0/go.mod h1:1nbGnLdIfoBV2ahbQjheI//SNGz+b5q1jqf0A+pJ+Oc=
+dagger.io/dagger v0.5.1 h1:xu+jG2+ya1nhjUDInn8pG2s/4RJkUUis1bywFTZyvtA=
+dagger.io/dagger v0.5.1/go.mod h1:1nbGnLdIfoBV2ahbQjheI//SNGz+b5q1jqf0A+pJ+Oc=
+dagger.io/dagger v0.5.2 h1:xNMUnLWqcsb5UrvqOgJx4MJVfe7xDb50kBMXdC63Cjs=
+dagger.io/dagger v0.5.2/go.mod h1:1nbGnLdIfoBV2ahbQjheI//SNGz+b5q1jqf0A+pJ+Oc=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 filippo.io/edwards25519 v1.0.0-rc.1 h1:m0VOOB23frXZvAOK44usCgLWvtsxIoMCTBGJZlpmGfU=
 filippo.io/edwards25519 v1.0.0-rc.1/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns=

nix/vendorSha256.txt

@@ -1 +1 @@
-sha256-Lz+p15IuSEW4kwXrnQ1oxSMVu06JGmbHnZl1KQoIdbY=
+sha256-uyMYDdIGXj+rjzY27JTuskSb8+BhBGx2rvPU2N3Yi8M=

pkg/runtimes/buildkit.go

@@ -759,6 +759,12 @@ func (b *buildkitBuilder) llb(ctx context.Context, thunk bass.Thunk, extraOpts .
 		runOpt = append(runOpt, llb.AddEnv("_BASS_DEBUG", "1"))
 	}
 
+	for _, env := range cmd.SecretEnv {
+		id := env.Secret.Name
+		b.secrets[id] = env.Secret.Reveal()
+		runOpt = append(runOpt, llb.AddSecret(env.Name, llb.SecretID(id), llb.SecretAsEnv(true)))
+	}
+
 	if thunk.Insecure {
 		needsInsecure = true
 

pkg/runtimes/command.go

@@ -25,8 +25,9 @@ type Command struct {
 
 	// these don't need to be marshaled, since they're part of the container
 	// setup and not passed to the shim
-	Mounts   []CommandMount `json:"-"`
-	Services []bass.Thunk   `json:"-"`
+	Mounts    []CommandMount     `json:"-"`
+	Services  []bass.Thunk       `json:"-"`
+	SecretEnv []CommandSecretEnv `json:"-"`
 
 	mounted map[string]bool
 	starter Starter
@@ -43,6 +44,11 @@ type CommandHost struct {
 	Target net.IP
 }
 
+type CommandSecretEnv struct {
+	Name   string
+	Secret bass.Secret
+}
+
 type Starter interface {
 	// Start starts the thunk and waits for its ports to be ready.
 	Start(context.Context, bass.Thunk) (StartResult, error)
@@ -101,6 +107,15 @@ func NewCommand(ctx context.Context, starter Starter, thunk bass.Thunk) (Command
 				return nil
 			}
 
+			var secret bass.Secret
+			if v.Decode(&secret) == nil {
+				cmd.SecretEnv = append(cmd.SecretEnv, CommandSecretEnv{
+					Name:   name.JSONKey(),
+					Secret: secret,
+				})
+				return nil
+			}
+
 			val, err := cmd.resolveStr(ctx, v)
 			if err != nil {
 				return fmt.Errorf("resolve env %s: %w", name, err)

pkg/runtimes/dagger.go

@@ -279,6 +279,14 @@ func (runtime *Dagger) container(ctx context.Context, thunk bass.Thunk) (*dagger
 		ctr = ctr.WithEnvVariable(name, val)
 	}
 
+	for _, env := range cmd.SecretEnv {
+		secret := runtime.client.SetSecret(
+			env.Secret.Name,
+			string(env.Secret.Reveal()),
+		)
+		ctr = ctr.WithSecretVariable(env.Name, secret)
+	}
+
 	return ctr.WithExec(cmd.Args, dagger.ContainerWithExecOpts{
 		Stdin:                    string(cmd.Stdin),
 		InsecureRootCapabilities: thunk.Insecure,
@@ -365,6 +373,9 @@ func (runtime *Dagger) mount(ctx context.Context, ctr *dagger.Container, target
 		} else {
 			return ctr.WithMountedFile(target, dir.File(fsp.FromSlash())), nil
 		}
+	case src.Secret != nil:
+		secret := runtime.client.SetSecret(src.Secret.Name, string(src.Secret.Reveal()))
+		return ctr.WithMountedSecret(target, secret), nil
 	default:
 		return nil, fmt.Errorf("mounting %T not implemented yet", src.ToValue())
 	}

pkg/runtimes/suite.go

@@ -39,8 +39,6 @@ var allJSONValues = []bass.Value{
 	bass.Bindings{"foo": bass.String("bar")}.Scope(),
 }
 
-const secret = "im always angry"
-
 type SuiteTest struct {
 	File     string
 	Result   bass.Value
@@ -239,15 +237,9 @@ func Suite(t *testing.T, config bass.RuntimeConfig) {
 			Result: bass.Bool(true),
 		},
 		{
-			File: "secrets.bass",
-			Result: bass.NewList(
-				bass.String(secret),
-				bass.String(secret),
-				bass.String(secret),
-				bass.String(secret),
-			),
+			File:   "secrets.bass",
+			Result: bass.Null{},
 			Bindings: bass.Bindings{
-				"*secret*": bass.String(secret),
 				"assert-export-does-not-contain-secret": bass.Func("assert-export-does-not-contain-secret", "[thunk]", func(ctx context.Context, thunk bass.Thunk) error {
 					pool, err := bass.RuntimePoolFromContext(ctx)
 					if err != nil {
@@ -265,10 +257,10 @@ func Suite(t *testing.T, config bass.RuntimeConfig) {
 						return err
 					}
 
-					return detectSecret(buf, secret)
+					return detectSecret(buf, "hunter2")
 				}),
 				"assert-does-not-contain-secret": bass.Func("assert-does-not-contain-secret", "[display]", func(display string) error {
-					return detectSecret(bytes.NewBufferString(display), secret)
+					return detectSecret(bytes.NewBufferString(display), "hunter2")
 				}),
 			},
 		},
@@ -436,8 +428,14 @@ unwrap:
 		}
 	}
 
-	if strings.Contains(buf.String(), needle) {
-		return fmt.Errorf("detected %q", needle)
+	out := buf.String()
+	loc := strings.Index(out, needle)
+	if loc != -1 {
+		before := loc - 10
+		if before < 0 {
+			before = 0
+		}
+		return fmt.Errorf("detected %q: ...%s", needle, out[before:loc+len(needle)])
 	}
 
 	return nil

pkg/runtimes/testdata/secrets.bass

@@ -1,35 +1,30 @@
 (def *memos* *dir*/bass.lock)
 
-(def bruce-banner
-  (mask *secret* :bruce-banner))
-
-(def arg-secret
-  (from (linux/alpine)
-    ($ sh -c "echo $0" $bruce-banner)))
+; these tests are tricky, since we have to prevent the assertions themselves
+; from leaking secrets. so we just test against their hash.
 
 (def stdin-secret
   (from (linux/alpine)
-    (.cat bruce-banner)))
+    (-> ($ sh -c "test $(cat | sha1sum | awk '{print $1}') = 633f9fe12bfc15c301898555bfca62d852a1ad36")
+        (with-stdin [(mask "stdin hunter2" :stdin-secret)]))))
 
 (def env-secret
   (from (linux/alpine)
-    (-> ($ sh -c "echo $SECRET")
-        (with-env {:SECRET bruce-banner}))))
+    (-> ($ sh -c "test $(echo -n $SECRET | sha1sum | awk '{print $1}') = 2ce29a2cf01ba01a109ce23a6d98d9fa59c6410c")
+        (with-env {:SECRET (mask "env hunter2" :env-secret)}))))
 
 (def file-secret
   (from (linux/alpine)
-    (-> ($ cat /tmp/secret)
-        (with-mount bruce-banner /tmp/secret))))
+    (-> ($ sh -c "test $(sha1sum /tmp/secret | awk '{print $1}') = 0a1980f57ebfb1b2cc022a6722a653be2f6eaaf2")
+        (with-mount (mask "mount hunter2" :mount-secret) /tmp/secret))))
 
-(def results
-  [(-> stdin-secret (read :json) next)
-   (-> env-secret (read :lines) next)
-   (-> arg-secret (read :lines) next)
-   (-> file-secret (read :lines) next)])
+(run stdin-secret)
+(run env-secret)
+(run file-secret)
 
 (assert-does-not-contain-secret (*display*))
 
 (map assert-export-does-not-contain-secret
-     [stdin-secret env-secret arg-secret file-secret])
+     [stdin-secret env-secret file-secret])
 
-results
+null