feat(operators): Filter openid secrets and block get all in _secret.

2025-02-11 14:20:07 +08:00 · 2021-03-02 18:11:31 +02:00 · 2021-03-02 18:11:31 +02:00 · bd7a7720f5
commit bd7a7720f5
parent 8abfc8161b
2 changed files with 80 additions and 11 deletions
--- a/packages/operators/src/node/secret.js
+++ b/packages/operators/src/node/secret.js
@ -16,11 +16,21 @@

 import getFromObject from '../getFromObject';

-function _secret({ env, location, params, secrets }) {
+function _secret({ env, location, params, secrets = {} }) {
+  if (params === true || params.all) {
+    throw new Error(
+      `Operator Error: Getting all secrets is not allowed. Received: ${JSON.stringify(
+        params
+      )} at ${location}.`
+    );
+  }
+  // Filter out OpenID Connect and JSON web token secrets
+  // eslint-disable-next-line no-unused-vars
+  const { OPENID_CLIENT_ID, OPENID_CLIENT_SECRET, OPENID_DOMAIN, JWT_SECRET, ...rest } = secrets;
  return getFromObject({
    env,
    location,
-    object: secrets,
+    object: { ...rest },
    operator: '_secret',
    params,
  });
--- a/packages/operators/test/node/secret.test.js
+++ b/packages/operators/test/node/secret.test.js
@ -19,16 +19,14 @@ import getFromObject from '../../src/getFromObject';

 jest.mock('../../src/getFromObject');

-const input = {
-  arrayIndices: [0],
-  env: 'env',
-  location: 'location',
-  params: 'params',
-  secrets: { secrets: true },
-};
-
 test('secret calls getFromObject', () => {
-  secret(input);
+  secret({
+    arrayIndices: [0],
+    env: 'env',
+    location: 'location',
+    params: 'params',
+    secrets: { secrets: true },
+  });
  expect(getFromObject.mock.calls).toEqual([
    [
      {
@ -43,3 +41,64 @@ test('secret calls getFromObject', () => {
    ],
  ]);
 });
+
+test('secret default value', () => {
+  secret({
+    arrayIndices: [0],
+    env: 'env',
+    location: 'location',
+    params: 'params',
+  });
+  expect(getFromObject.mock.calls).toEqual([
+    [
+      {
+        env: 'env',
+        location: 'location',
+        object: {},
+        operator: '_secret',
+        params: 'params',
+      },
+    ],
+  ]);
+});
+
+test('secret get all is not allowed', () => {
+  expect(() => secret({ params: true })).toThrowErrorMatchingInlineSnapshot(
+    `"Operator Error: Getting all secrets is not allowed. Received: true at undefined."`
+  );
+  expect(() => secret({ params: { all: true } })).toThrowErrorMatchingInlineSnapshot(
+    `"Operator Error: Getting all secrets is not allowed. Received: {\\"all\\":true} at undefined."`
+  );
+  expect(() => secret({ params: { all: 'yes' } })).toThrowErrorMatchingInlineSnapshot(
+    `"Operator Error: Getting all secrets is not allowed. Received: {\\"all\\":\\"yes\\"} at undefined."`
+  );
+});
+
+test('secret OpenID Connect and JSON web token secrets are filtered out', () => {
+  secret({
+    arrayIndices: [0],
+    env: 'env',
+    location: 'location',
+    params: 'params',
+    secrets: {
+      OPENID_CLIENT_ID: 'OPENID_CLIENT_ID',
+      OPENID_CLIENT_SECRET: 'OPENID_CLIENT_SECRET',
+      OPENID_DOMAIN: 'OPENID_DOMAIN',
+      JWT_SECRET: 'JWT_SECRET',
+      OTHER: 'OTHER',
+    },
+  });
+  expect(getFromObject.mock.calls).toEqual([
+    [
+      {
+        env: 'env',
+        location: 'location',
+        object: {
+          OTHER: 'OTHER',
+        },
+        operator: '_secret',
+        params: 'params',
+      },
+    ],
+  ]);
+});