validate actions secret names (integrations#714)
* validate actions secret names

* remove duplicate case
bendrucker authored Mar 12, 2021
1 parent ef304a4 commit 59b457f
Showing 4 changed files with 78 additions and 6 deletions.
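--- a/github/resource_github_actions_organization_secret.go
+++ b/github/resource_github_actions_organization_secret.go
@@ -20,9 +20,10 @@ func resourceGithubActionsOrganizationSecret() *schema.Resource {
 
 Schema: map[string]*schema.Schema{
 "secret_name": {
-Type: schema.TypeString,
-Required: true,
-ForceNew: true,
+Type: schema.TypeString,
+Required: true,
+ForceNew: true,
+ValidateFunc: validateSecretNameFunc,
 },
 "plaintext_value": {
 Type: schema.TypeString,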
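--- a/github/resource_github_actions_secret.go
+++ b/github/resource_github_actions_secret.go
@@ -25,9 +25,10 @@ func resourceGithubActionsSecret() *schema.Resource {
 Required: true,
 },
 "secret_name": {
-Type: schema.TypeString,
-Required: true,
-ForceNew: true,
+Type: schema.TypeString,
+Required: true,
+ForceNew: true,
+ValidateFunc: validateSecretNameFunc,
 },
 "plaintext_value": {
 Type: schema.TypeString,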
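--- a/github/util.go
+++ b/github/util.go
@@ -4,6 +4,7 @@ import (
 "context"
 "errors"
 "fmt"
+"regexp"
 "strconv"
 "strings"
 
@@ -143,3 +144,23 @@ func getTeamID(teamIDString string, meta interface{}) (int64, error) {
 return team.GetID(), nil
 }
 }
+
+// https://docs.github.com/en/actions/reference/encrypted-secrets#naming-your-secrets
+var secretNameRegexp = regexp.MustCompile("^[a-zA-Z_][a-zA-Z0-9_]*$")
+
+func validateSecretNameFunc(v interface{}, keyName string) (we []string, errs []error) {
+name, ok := v.(string)
+if !ok {
+return nil, []error{fmt.Errorf("expected type of %s to be string", keyName)}
+}
+
+if !secretNameRegexp.MatchString(name) {
+errs = append(errs, errors.New("Secret names can only contain alphanumeric characters or underscores and must not start with a number"))
+}
+
+if strings.HasPrefix(strings.ToUpper(name), "GITHUB_") {
+errs = append(errs, errors.New("Secret names must not start with the GITHUB_ prefix"))
+}
+
+return we, errs
+}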
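Review bot: The two rule-violation errors in validateSecretNameFunc omit `keyName` and the rejected value, unlike the type-assertion branch just above them, and both start with a capital letter, which Go convention (and most linters) discourage for error strings. Consider `errs = append(errs, fmt.Errorf("%s: secret names can only contain alphanumeric characters or underscores and must not start with a number, got %q", keyName, name))` and the same shape for the `GITHUB_` case; this echoes only the name, never `plaintext_value`. The function itself has no doc comment, since the docs URL is attached to `secretNameRegexp`; a line such as `// validateSecretNameFunc is a schema ValidateFunc that rejects secret names GitHub would refuse.` would help. That comment could also record that Go's `$` (without the `m` flag) matches only at end of text, so a name with a trailing newline is rejected rather than passed through to the API.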
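--- a/github/util_test.go
+++ b/github/util_test.go
@@ -106,3 +106,52 @@ func flipUsernameCase(username string) string {
 }
 return string(oc)
 }
+
+func TestAccGithubUtilValidateSecretName(t *testing.T) {
+cases := []struct {
+Name string
+Error bool
+}{
+{
+Name: "valid",
+},
+{
+Name: "v",
+},
+{
+Name: "_valid_underscore_",
+},
+{
+Name: "valid_digit_1",
+},
+{
+Name: "invalid-dashed",
+Error: true,
+},
+{
+Name: "1_invalid_leading_digit",
+Error: true,
+},
+{
+Name: "GITHUB_PREFIX",
+Error: true,
+},
+{
+Name: "github_prefix",
+Error: true,
+},
+}
+
+for _, tc := range cases {
+var name interface{} = tc.Name
+_, errors := validateSecretNameFunc(name, "")
+
+if tc.Error != (len(errors) != 0) {
+if tc.Error {
+t.Fatalf("expected error, got none (%s)", tc.Name)
+} else {
+t.Fatalf("unexpected error(s): %s (%s)", errors, tc.Name)
+}
+}
+}
+}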
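Review bot: The case table leaves the validator's boundary inputs uncovered: there is no empty name, no mixed-case prefix, no name with a trailing newline, and the non-string branch is never reached because `Name` is typed `string`. Adding `{Name: "", Error: true},`, `{Name: "GitHub_Mixed", Error: true},` and `{Name: "valid\n", Error: true},` would pin the regexp anchoring and the case-insensitive `GITHUB_` check against later edits. The loop-local `errors` shadows the standard package name if this file imports it (the import block is outside the hunk); `errs` avoids that. Nothing here calls the API, so the `TestAcc` prefix may cause the test to be selected or skipped along with the acceptance suite, depending on how the project filters tests; a plain unit-test name with `t.Run(tc.Name, ...)` and `t.Errorf` would also report every failing case instead of stopping at the first.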
