Add (non-revealing) logging to Docker secret initialization

dmolesUC · dmolesUC · commit 0e0606e763b5 · 2022-05-25T12:07:22.000-07:00
diff --git a/lib/docker.rb b/lib/docker.rb
@@ -1,13 +1,27 @@
+require 'berkeley_library/logging'
+
 module Docker
   class Secret
     class << self
+      include BerkeleyLibrary::Logging
+
       def setup_environment!(fileglob = '/run/secrets/*')
-        Dir[fileglob].each do |filepath|
-          secret = File.read(filepath)
-          secret_name = File.basename(filepath)
-          ENV[secret_name] = secret unless secret.empty?
+        Dir[fileglob].each(&method(:set_env_from))
+      end
+
+      private
+
+      # rubocop:disable Naming/AccessorMethodName
+      def set_env_from(filepath)
+        secret = File.read(filepath)
+        secret_name = File.basename(filepath)
+        return logger.warn("Can't set ENV[#{secret_name}]; #{filepath} is empty") if secret.empty?
+
+        logger.info("Setting ENV[#{secret_name}] from #{filepath}").tap do
+          ENV[secret_name] = secret
         end
       end
+      # rubocop:enable Naming/AccessorMethodName
     end
   end
 
diff --git a/spec/lib/docker_spec.rb b/spec/lib/docker_spec.rb
@@ -23,17 +23,23 @@ module Docker
     end
 
     describe :setup_environment! do
+      attr_reader :secret_names
+      attr_reader :secret_paths
       attr_reader :expected_secrets
 
       before do
         prefix = Time.now.to_i.to_s
         random = Random.new
+        @secret_names = []
+        @secret_paths = {}
         @expected_secrets = {}
         (0..8).each do |i|
-          secret_name = "secret_#{prefix}_#{i}"
-          secret = Base64.strict_encode64(random.bytes(128))
-          expected_secrets[secret_name] = secret
-          tmpdir_path.join(secret_name).binwrite(secret)
+          secret_names << (secret_name = "secret_#{prefix}_#{i}")
+          secret_paths[secret_name] = (secret_path = tmpdir_path.join(secret_name))
+          Base64.strict_encode64(random.bytes(128)).tap do |secret|
+            expected_secrets[secret_name] = secret
+            secret_path.binwrite(secret)
+          end
         end
       end
 
@@ -42,12 +48,18 @@ module Docker
       end
 
       it 'injects secrets into the environment' do
-        fileglob = "#{tmpdir_path}/*"
-        Docker::Secret.setup_environment!(fileglob)
+        Docker::Secret.setup_environment!("#{tmpdir_path}/*")
         expected_secrets.each do |secret_name, secret_value|
           expect(ENV[secret_name]).to eq(secret_value)
         end
       end
+
+      it 'skips empty secrets' do
+        n = secret_names.first
+        secret_paths[n].binwrite('')
+        Docker::Secret.setup_environment!("#{tmpdir_path}/*")
+        expect(ENV[n]).to be_nil
+      end
     end
   end
 end
