// Listing: github.com/argoproj/argo-cd/v3@v3.2.1/test/e2e/mask_secret_values_test.go

package e2e

import (
	"regexp"
	"testing"

	"github.com/stretchr/testify/assert"

	"github.com/argoproj/gitops-engine/pkg/health"
	"github.com/argoproj/gitops-engine/pkg/sync/common"

	. "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
	. "github.com/argoproj/argo-cd/v3/test/e2e/fixture"
	. "github.com/argoproj/argo-cd/v3/test/e2e/fixture/app"
)

// TestMaskSecretValues checks that the values under `.data` and `.stringData`
// of a Secret never show up in `app manifests` or `app diff` CLI output.
// It also sets `resource.sensitive.mask.annotations` to `token`, so the value
// of that annotation is expected to be hidden as well.
func TestMaskSecretValues(t *testing.T) {
	const secretManifest = `apiVersion: v1
kind: Secret
metadata:
  name: secret
  annotations:
    token: SECRETVAL
    app: test
stringData:
  username: SECRETVAL
data:
  password: U0VDUkVUVkFM
`
	const (
		usernamePatch   = `[{"op": "replace", "path": "/stringData/username", "value": "NEWSECRETVAL"}]`
		annotationPatch = `[{"op": "add", "path": "/metadata/annotations", "value": {"token": "NEWSECRETVAL"}}]`
	)

	// Every planted value: the initial plaintext, the patched plaintext, and
	// U0VDUkVUVkFM, which is the base64 encoding of SECRETVAL stored under `.data`.
	leakPattern := regexp.MustCompile(`SECRETVAL|NEWSECRETVAL|U0VDUkVUVkFM`)
	leaks := leakPattern.MatchString

	// NOTE(review): both callbacks below discard the RunCli error and make only
	// a negative assertion, so empty output (for example from a failed command)
	// would also pass. Consider asserting that the output is non-empty; check
	// which exit code `app diff` reports when differences exist before
	// asserting on its error.
	Given(t).
		Path("empty-dir").
		When().
		SetParamInSettingConfigMap("resource.sensitive.mask.annotations", "token"). // hide sensitive annotation
		AddFile("secrets.yaml", secretManifest).
		CreateApp().
		Sync().
		Then().
		Expect(SyncStatusIs(SyncStatusCodeSynced)).
		Expect(HealthIs(health.HealthStatusHealthy)).
		// no planted value may appear in the manifests output
		And(func(app *Application) {
			manifestsOut, _ := RunCli("app", "manifests", app.Name)
			assert.False(t, leaks(manifestsOut))
		}).
		When().
		PatchFile("secrets.yaml", usernamePatch).
		PatchFile("secrets.yaml", annotationPatch).
		Refresh(RefreshTypeHard).
		Then().
		Expect(SyncStatusIs(SyncStatusCodeOutOfSync)).
		// neither the old nor the new value may appear in the diff output
		And(func(app *Application) {
			diffOut, _ := RunCli("app", "diff", app.Name)
			assert.False(t, leaks(diffOut))
		})
}

// TestMaskValuesInInvalidSecret checks that secret values are not exposed in
// the manifests output, the diff output, or the operation error message when
// an invalid Secret is synced.
func TestMaskValuesInInvalidSecret(t *testing.T) {
	const validSecret = `apiVersion: v1
kind: Secret
metadata:
  name: secret
  annotations:
    app: test
stringData:
  username: SECRETVAL
data:
  password: U0VDUkVUVkFM
`
	// Replaces the `.data.password` string with a bare number, which is what
	// makes the Secret invalid.
	const invalidatePatch = `[{"op": "replace", "path": "/data/password", "value": 12345}]`

	// Planted values: the plaintext, its base64 form, and the number written by
	// invalidatePatch.
	leakPattern := regexp.MustCompile(`SECRETVAL|U0VDUkVUVkFM|12345`)
	leaks := leakPattern.MatchString

	// NOTE(review): RunCli errors are discarded and every assertion is
	// negative, so an empty manifests or diff output would pass as well.
	// Consider also asserting that each output is non-empty — confirm first
	// that these commands are expected to print something for an invalid
	// Secret.
	Given(t).
		Path("empty-dir").
		When().
		// start from a valid secret
		AddFile("secrets.yaml", validSecret).
		CreateApp().
		Sync().
		Then().
		Expect(SyncStatusIs(SyncStatusCodeSynced)).
		Expect(HealthIs(health.HealthStatusHealthy)).
		// no planted value may appear in the manifests output
		And(func(app *Application) {
			manifestsOut, _ := RunCli("app", "manifests", app.Name)
			assert.False(t, leaks(manifestsOut))
		}).
		When().
		// make the secret invalid, then sync; the sync is expected to fail
		PatchFile("secrets.yaml", invalidatePatch).
		Refresh(RefreshTypeHard).
		IgnoreErrors().
		Sync().
		Then().
		Expect(SyncStatusIs(SyncStatusCodeOutOfSync)).
		Expect(OperationPhaseIs(common.OperationFailed)).
		// no planted value may appear in manifests, diff or error output for the invalid secret
		And(func(app *Application) {
			manifestsOut, _ := RunCli("app", "manifests", app.Name)
			assert.False(t, leaks(manifestsOut))

			diffOut, _ := RunCli("app", "diff", app.Name)
			assert.False(t, leaks(diffOut))

			opMessage := app.Status.OperationState.Message
			assert.False(t, leaks(opMessage))
		})
}