mask senstive info in shell execution
When you use verbose level greater than vvv, it will print out the debugging final shell scripts rendered, which possiblly contains the secure vars. In such a case, upcmd will automatically mask the senstive variable with SECURE_SENSITIVE_INFO_MASKED
Demo
source
Main task yaml file
tasks:
- name: task
task:
- func: shell
dvars:
- name: enc_key
value: my_enc_key
flags:
- secret
- name: value_encrypted
value: '{{ "ENV_AAA" | encryptAES .enc_key }}'
flags:
- vvvv
- taskScope
- name: ENV_AAA
value: '{{.value_encrypted}}'
flags:
- secure
do: |-
echo "hello, this is a secrt value: {{.secure_ENV_AAA}}"
Main log file
loading [Config]: ./tests/functests/upconfig.yml
Main config:
Version -> 1.0.0
RefDir -> ./tests/functests
WorkDir -> cwd
AbsWorkDir -> /up_project/up
TaskFile -> c0203
Verbose -> vvv
ModuleName -> self
ShellType -> /bin/sh
MaxCallLayers -> 8
Timeout -> 3600000
MaxModuelCallLayers -> 256
EntryTask -> task
ModRepoUsernameRef ->
ModRepoPasswordRef ->
work dir: /up_project/up
-exec task: task
loading [Task]: ./tests/functests/c0203
module: [self], instance id: [dev], exec profile: []
profile - envVars:
(*core.Cache)({
})
Task1: [task ==> task: ]
-Step1:
dvar> value_encrypted:
"YxtDQCTpW8TuKntLgEkueoOy44Jt00B112bIq2z0e/8="
-
YxtDQCTpW8TuKntLgEkueoOy44Jt00B112bIq2z0e/8=
self: final context exec vars:
(*core.Cache)({
"ENV_AAA": "YxtDQCTpW8TuKntLgEkueoOy44Jt00B112bIq2z0e/8=",
"up_runtime_task_layer_number": 0,
"value_encrypted": "YxtDQCTpW8TuKntLgEkueoOy44Jt00B112bIq2z0e/8="
})
cmd( 1):
echo "hello, this is a secrt value: {{.secure_ENV_AAA}}"
-
hello, this is a secrt value: ENV_AAA
-
.. ok
. ok
Logs with different verbose level
Raw logs with different verbose level