From 3edcddb4de398f177ff891f4dd42891b23ae2280 Mon Sep 17 00:00:00 2001
From: Barry Gordon
Date: Mon, 1 Nov 2021 11:25:02 +0000
Subject: [PATCH] Mask credentials on retrieval

---
 __tests__/api_client.test.ts | 50 ++++++++++++++++++++++++++++++++++++
 src/api-client.ts | 11 ++++++++
 2 files changed, 61 insertions(+)

diff --git a/__tests__/api_client.test.ts b/__tests__/api_client.test.ts
index 66b0d93..5179114 100644
--- a/__tests__/api_client.test.ts
+++ b/__tests__/api_client.test.ts
@@ -1,3 +1,4 @@
+import * as core from '@actions/core'
 import {ApiClient} from '../src/api-client'
 
 describe('ApiClient', () => {
@@ -37,4 +38,53 @@ describe('ApiClient', () => {
 expect(jobDetails['allowed-updates'].length).toBe(1)
 expect(jobDetails['package-manager']).toBe('npm_and_yarn')
 })
+
+ test('get job credentials', async () => {
+ const apiResponse = {
+ data: {
+ attributes: {
+ credentials: [
+ {
+ type: 'no-creds',
+ host: 'example.com',
+ username: 'foo',
+ password: null,
+ token: null
+ },
+ {
+ type: 'password',
+ host: 'example.com',
+ username: 'bar',
+ password: 'bar-password',
+ token: null
+ },
+ {
+ type: 'token',
+ host: 'example.com',
+ username: 'baz',
+ password: null,
+ token: 'baz-token'
+ },
+ {
+ type: 'both',
+ host: 'example.com',
+ username: 'qux',
+ password: 'qux-password',
+ token: 'qux-token'
+ }
+ ]
+ }
+ }
+ }
+ mockAxios.get.mockResolvedValue({status: 200, data: apiResponse})
+ jest.spyOn(core, 'setSecret').mockImplementation(jest.fn())
+
+ const jobCredentials = await api.getCredentials()
+ expect(jobCredentials.length).toBe(4)
+
+ expect(core.setSecret).toHaveBeenCalledWith('bar-password')
+ expect(core.setSecret).toHaveBeenCalledWith('baz-token')
+ expect(core.setSecret).toHaveBeenCalledWith('qux-password')
+ expect(core.setSecret).toHaveBeenCalledWith('qux-token')
+ })
 })
diff --git a/src/api-client.ts b/src/api-client.ts
index 34e4cdd..5a65e33 100644
--- a/src/api-client.ts
+++ b/src/api-client.ts
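Review bot: The new test pins the four values that must be masked but not that the null fields are skipped; an implementation that also called `core.setSecret(null)` for the `no-creds` entry would still pass every `toHaveBeenCalledWith` check. Adding `expect(core.setSecret).toHaveBeenCalledTimes(4)` after the four `toHaveBeenCalledWith` assertions closes that gap. The spy created by `jest.spyOn(core, 'setSecret').mockImplementation(jest.fn())` is also never restored, so it stays in place for any later test in this describe block that observes `core`; unless the file already has an `afterEach(() => jest.restoreAllMocks())` outside the hunk, the spy should be restored at the end of the test.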
@@ -1,3 +1,4 @@
+import * as core from '@actions/core'
 import {AxiosInstance} from 'axios'
 import {JobParameters} from './inputs'
 
@@ -58,6 +59,16 @@ export class ApiClient {
 throw new Error(`Unexpected status code: ${res.status}`)
 }
 
+ // Mask any secrets we've just retrieved from Actions logs
+ for (const credential of res.data.data.attributes.credentials) {
+ if (credential.password) {
+ core.setSecret(credential.password)
+ }
+ if (credential.token) {
+ core.setSecret(credential.token)
+ }
+ }
+
 return res.data.data.attributes.credentials
 }
 
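Review bot: Masks registered with `core.setSecret` apply only to output emitted after the call, so the new loop must stay ahead of anything in this method that could log `res` or its body; the comment on the loop should make that ordering constraint explicit, e.g. `// Register masks before anything can log these values; masking is not retroactive`. The path `res.data.data.attributes.credentials` is now read twice, and iterating it with `for...of` throws a TypeError when the API omits the array, where the old code simply returned undefined; hoisting it once as `const credentials = res.data.data.attributes.credentials` and returning `credentials` removes the duplication, and whether a missing array should become `[]` (via `?? []`) or stay undefined is a contract decision worth stating in the method's doc comment. getCredentials starts outside the hunk, so any earlier handling of the response is not visible here.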