From bf1d6b1815412068386f101872fe318766ddeda9 Mon Sep 17 00:00:00 2001 From: Yevhen Ivantsov Date: Mon, 5 Dec 2022 19:32:33 +1100 Subject: [PATCH] Make unsetting sensitive vars optional --- README.md | 6 ++++++ entrypoint.py | 3 ++- tests/test_image.py | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 40 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 12b25fe..4bc8ab1 100644 --- a/README.md +++ b/README.md @@ -319,6 +319,12 @@ management technology, and is beyond the scope of this documentation. Define whether to set home directory permissions on startup. Set to `false` to disable this behaviour. +* `ATL_UNSET_SENSITIVE_ENV_VARS` (default: true) + + Define whether to unset environment variables containing keywords 'PASS', 'SECRET' or 'TOKEN'. + The unset function is executed in the entrypoint. Set to `false` if you want to allow passing + sensitive environment variables to Confluence container. + ## Advanced Configuration As mentioned at the top of this section, the settings from the environment are diff --git a/entrypoint.py b/entrypoint.py index 58236b0..e9d1132 100755 --- a/entrypoint.py +++ b/entrypoint.py @@ -8,6 +8,7 @@ RUN_GROUP = env['run_group'] CONFLUENCE_INSTALL_DIR = env['confluence_install_dir'] CONFLUENCE_HOME = env['confluence_home'] UPDATE_CFG = str2bool_or(env.get('atl_force_cfg_update'), False) +UNSET_SENSITIVE_VARS = str2bool_or(env.get('atl_unset_sensitive_env_vars'), True) gen_cfg('server.xml.j2', f'{CONFLUENCE_INSTALL_DIR}/conf/server.xml') gen_cfg('seraph-config.xml.j2', @@ -18,4 +19,4 @@ gen_cfg('confluence.cfg.xml.j2', f'{CONFLUENCE_HOME}/confluence.cfg.xml', user=RUN_USER, group=RUN_GROUP, overwrite=UPDATE_CFG) exec_app([f'{CONFLUENCE_INSTALL_DIR}/bin/start-confluence.sh', '-fg'], CONFLUENCE_HOME, - name='Confluence', env_cleanup=True) + name='Confluence', env_cleanup=UNSET_SENSITIVE_VARS) diff --git a/tests/test_image.py b/tests/test_image.py index 6b3e032..524b9df 100644 --- a/tests/test_image.py +++ b/tests/test_image.py @@ -1,6 +1,8 @@ import pytest import signal import testinfra +from iterators import TimeoutIterator +import re from helpers import get_app_home, get_app_install_dir, get_bootstrap_proc, get_procs, \ parse_properties, parse_xml, run_image, \ @@ -575,3 +577,33 @@ def test_confluence_db_pool_property(docker_cli, image, version, db_property): for property, expected_value in expected.items(): assert xml.findall(f'.//property[@name="{property}"]')[0].text == expected_value + +def test_unset_secure_vars(docker_cli, image, run_user): + environment = { + 'MY_TOKEN': 'tokenvalue', + } + container = docker_cli.containers.run(image, detach=True, user=run_user, environment=environment, + ports={PORT: PORT}) + wait_for_state(STATUS_URL, expected_state='FIRST_RUN') + var_unset_log_line = 'Unsetting environment var MY_TOKEN' + wait_for_log(container, var_unset_log_line) + + +def test_skip_unset_secure_vars(docker_cli, image, run_user): + environment = { + 'MY_TOKEN': 'tokenvalue', + 'ATL_UNSET_SENSITIVE_ENV_VARS': 'false', + } + container = docker_cli.containers.run(image, detach=True, user=run_user, environment=environment, + ports={PORT: PORT}) + wait_for_state(STATUS_URL, expected_state='FIRST_RUN') + var_unset_log_line = 'Unsetting environment var MY_TOKEN' + rpat = re.compile(var_unset_log_line) + logs = container.logs(stream=True, follow=True) + li = TimeoutIterator(logs, timeout=1) + for line in li: + if line == li.get_sentinel(): + return + line = line.decode('UTF-8') + if rpat.search(line): + raise EOFError(f"Found unexpected log line '{var_unset_log_line}'")