22638728708

Committed 03 Mar 2026 07:14PM UTC coverage: 71.904% (+0.2%) from 71.693%

Build # 22638728708

Build Type

push

github

Committed by

web-flow

Commit Message

feat(ux): auto-decode secrets on load from cluster secrets list and validate base64 data before sealing (#363)

Run Details

35 of 50 new or added lines in 2 files covered. (70.0%)

540 of 751 relevant lines covered (71.9%)

0.81 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

80.0

/pkg/handler/dencode.go

package handler

import (
        "bytes"
        "io"
        "log"
        "net/http"

        "github.com/bitnami-labs/sealed-secrets/pkg/multidocyaml"
        "github.com/gin-gonic/gin"
        v1 "k8s.io/api/core/v1"
        "k8s.io/apimachinery/pkg/runtime"
        "k8s.io/client-go/kubernetes/scheme"
)

func (h *Handler) Dencode(c *gin.Context) {
        outputContentType, outputFormat, done := NegotiateFormat(c)
        if done {
                return
        }

        body, err := io.ReadAll(c.Request.Body)
        if err != nil {
                log.Printf("Error in %s: %s\n", Sanitize(c.Request.URL.Path), Sanitize(err.Error()))
                c.JSON(http.StatusUnprocessableEntity, gin.H{"error": err.Error()})
                return
        }

        if err := validateBase64Data(body); err != nil {
                c.JSON(http.StatusUnprocessableEntity, gin.H{"error": err.Error()})
                return
        }

        secret, err := readSecret(scheme.Codecs.UniversalDecoder(), bytes.NewReader(body))
        if err != nil {
                log.Printf("Error in %s: %s\n", Sanitize(c.Request.URL.Path), Sanitize(err.Error()))
                c.JSON(http.StatusUnprocessableEntity, gin.H{"error": err.Error()})
                return
        }

        encode, err := encodeSecret(h.dencode(secret), outputFormat)
        if err != nil {
                log.Printf("Error in %s: %v\n", Sanitize(c.Request.URL.Path), err)
                c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
                return
        }
        c.Data(http.StatusOK, outputContentType, encode)
}

func (h *Handler) dencode(secret *v1.Secret) *v1.Secret {
        if len(secret.StringData) > 0 {
                if secret.Data == nil {
                        secret.Data = map[string][]byte{}
                }
                for key, value := range secret.StringData {
                        secret.Data[key] = []byte(value)
                }
                secret.StringData = nil
                return secret
        }

        if len(secret.Data) > 0 {
                if secret.StringData == nil {
                        secret.StringData = map[string]string{}
                }
                for key, value := range secret.Data {
                        secret.StringData[key] = string(value)
                }
                secret.Data = nil
        }
        return secret
}

func readSecret(codec runtime.Decoder, r io.Reader) (*v1.Secret, error) {
        data, err := io.ReadAll(r)
        if err != nil {
                return nil, err
        }

        if err := multidocyaml.EnsureNotMultiDoc(data); err != nil {
                return nil, err
        }

        var ret v1.Secret
        if err = runtime.DecodeInto(codec, data, &ret); err != nil {
                return nil, err
        }

        return &ret, nil
}

1	package handler
2
3	import (
4	"bytes"
5	"io"
6	"log"
7	"net/http"
8
9	"github.com/bitnami-labs/sealed-secrets/pkg/multidocyaml"
10	"github.com/gin-gonic/gin"
11	v1 "k8s.io/api/core/v1"
12	"k8s.io/apimachinery/pkg/runtime"
13	"k8s.io/client-go/kubernetes/scheme"
14	)
15
16	func (h Handler) Dencode(c gin.Context) {	1✔
17	outputContentType, outputFormat, done := NegotiateFormat(c)	1✔
18	if done {	2✔
19	return	1✔
20	}	1✔
21
22	body, err := io.ReadAll(c.Request.Body)	1✔
23	if err != nil {	1✔
NEW 24	log.Printf("Error in %s: %s\n", Sanitize(c.Request.URL.Path), Sanitize(err.Error()))	×
NEW 25	c.JSON(http.StatusUnprocessableEntity, gin.H{"error": err.Error()})	×
NEW 26	return	×
NEW 27	}	×
28
29	if err := validateBase64Data(body); err != nil {	2✔
30	c.JSON(http.StatusUnprocessableEntity, gin.H{"error": err.Error()})	1✔
31	return	1✔
32	}	1✔
33
34	secret, err := readSecret(scheme.Codecs.UniversalDecoder(), bytes.NewReader(body))	1✔
35	if err != nil {	2✔
36	log.Printf("Error in %s: %s\n", Sanitize(c.Request.URL.Path), Sanitize(err.Error()))	1✔
37	c.JSON(http.StatusUnprocessableEntity, gin.H{"error": err.Error()})	1✔
38	return	1✔
39	}	1✔
40
41	encode, err := encodeSecret(h.dencode(secret), outputFormat)	1✔
42	if err != nil {	1✔
43	log.Printf("Error in %s: %v\n", Sanitize(c.Request.URL.Path), err)	×
44	c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})	×
45	return	×
46	}	×
47	c.Data(http.StatusOK, outputContentType, encode)	1✔
48	}
49
50	func (h Handler) dencode(secret v1.Secret) *v1.Secret {	1✔
51	if len(secret.StringData) > 0 {	2✔
52	if secret.Data == nil {	2✔
53	secret.Data = map[string][]byte{}	1✔
54	}	1✔
55	for key, value := range secret.StringData {	2✔
56	secret.Data[key] = []byte(value)	1✔
57	}	1✔
58	secret.StringData = nil	1✔
59	return secret	1✔
60	}
61
62	if len(secret.Data) > 0 {	2✔
63	if secret.StringData == nil {	2✔
64	secret.StringData = map[string]string{}	1✔
65	}	1✔
66	for key, value := range secret.Data {	2✔
67	secret.StringData[key] = string(value)	1✔
68	}	1✔
69	secret.Data = nil	1✔
70	}
71	return secret	1✔
72	}
73
74	func readSecret(codec runtime.Decoder, r io.Reader) (*v1.Secret, error) {	1✔
75	data, err := io.ReadAll(r)	1✔
76	if err != nil {	1✔
77	return nil, err	×
78	}	×
79
80	if err := multidocyaml.EnsureNotMultiDoc(data); err != nil {	1✔
81	return nil, err	×
82	}	×
83
84	var ret v1.Secret	1✔
85	if err = runtime.DecodeInto(codec, data, &ret); err != nil {	2✔
86	return nil, err	1✔
87	}	1✔
88
89	return &ret, nil	1✔
90	}

bakito / sealed-secrets-web / 22638728708

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous