mirror of
https://bitbucket.org/atlassian-docker/docker-atlassian-confluence-server.git
synced 2024-08-30 18:22:16 +00:00
Make unsetting sensitive vars optional
parent
ffcfea9af8
commit
bf1d6b1815
@ -319,6 +319,12 @@ management technology, and is beyond the scope of this documentation.
|
||||
Define whether to set home directory permissions on startup. Set to `false` to disable
|
||||
this behaviour.
|
||||
|
||||
* `ATL_UNSET_SENSITIVE_ENV_VARS` (default: true)
|
||||
|
||||
Define whether to unset environment variables containing keywords 'PASS', 'SECRET' or 'TOKEN'.
|
||||
The unset function is executed in the entrypoint. Set to `false` if you want to allow passing
|
||||
sensitive environment variables to Confluence container.
|
||||
|
||||
## Advanced Configuration
|
||||
|
||||
As mentioned at the top of this section, the settings from the environment are
|
||||
|
@ -8,6 +8,7 @@ RUN_GROUP = env['run_group']
|
||||
CONFLUENCE_INSTALL_DIR = env['confluence_install_dir']
|
||||
CONFLUENCE_HOME = env['confluence_home']
|
||||
UPDATE_CFG = str2bool_or(env.get('atl_force_cfg_update'), False)
|
||||
UNSET_SENSITIVE_VARS = str2bool_or(env.get('atl_unset_sensitive_env_vars'), True)
|
||||
|
||||
gen_cfg('server.xml.j2', f'{CONFLUENCE_INSTALL_DIR}/conf/server.xml')
|
||||
gen_cfg('seraph-config.xml.j2',
|
||||
@ -18,4 +19,4 @@ gen_cfg('confluence.cfg.xml.j2', f'{CONFLUENCE_HOME}/confluence.cfg.xml',
|
||||
user=RUN_USER, group=RUN_GROUP, overwrite=UPDATE_CFG)
|
||||
|
||||
exec_app([f'{CONFLUENCE_INSTALL_DIR}/bin/start-confluence.sh', '-fg'], CONFLUENCE_HOME,
|
||||
name='Confluence', env_cleanup=True)
|
||||
name='Confluence', env_cleanup=UNSET_SENSITIVE_VARS)
|
||||
|
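Review bot: With `ATL_UNSET_SENSITIVE_ENV_VARS=false`, the `exec_app(...)` call passes every PASS/SECRET/TOKEN variable through to the Confluence process, and nothing in the visible lines records that the opt-out was taken. I would add a comment above the new constant, `# Keep True unless the app must read secrets from its own environment; when False they remain visible to the JVM and anything it spawns`, and emit one startup log line when the value is False so the choice shows up in container logs. `str2bool_or` is defined outside this page; it presumably falls back to the `True` default on an unparsable value, which is the safe direction, but that is worth confirming. The script continues outside both hunks.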
@ -1,6 +1,8 @@
|
||||
import pytest
|
||||
import signal
|
||||
import testinfra
|
||||
from iterators import TimeoutIterator
|
||||
import re
|
||||
|
||||
from helpers import get_app_home, get_app_install_dir, get_bootstrap_proc, get_procs, \
|
||||
parse_properties, parse_xml, run_image, \
|
||||
@ -575,3 +577,33 @@ def test_confluence_db_pool_property(docker_cli, image, version, db_property):
|
||||
for property, expected_value in expected.items():
|
||||
assert xml.findall(f'.//property[@name="{property}"]')[0].text == expected_value
|
||||
|
||||
|
||||
def test_unset_secure_vars(docker_cli, image, run_user):
|
||||
environment = {
|
||||
'MY_TOKEN': 'tokenvalue',
|
||||
}
|
||||
container = docker_cli.containers.run(image, detach=True, user=run_user, environment=environment,
|
||||
ports={PORT: PORT})
|
||||
wait_for_state(STATUS_URL, expected_state='FIRST_RUN')
|
||||
var_unset_log_line = 'Unsetting environment var MY_TOKEN'
|
||||
wait_for_log(container, var_unset_log_line)
|
||||
|
||||
|
||||
def test_skip_unset_secure_vars(docker_cli, image, run_user):
|
||||
environment = {
|
||||
'MY_TOKEN': 'tokenvalue',
|
||||
'ATL_UNSET_SENSITIVE_ENV_VARS': 'false',
|
||||
}
|
||||
container = docker_cli.containers.run(image, detach=True, user=run_user, environment=environment,
|
||||
ports={PORT: PORT})
|
||||
wait_for_state(STATUS_URL, expected_state='FIRST_RUN')
|
||||
var_unset_log_line = 'Unsetting environment var MY_TOKEN'
|
||||
rpat = re.compile(var_unset_log_line)
|
||||
logs = container.logs(stream=True, follow=True)
|
||||
li = TimeoutIterator(logs, timeout=1)
|
||||
for line in li:
|
||||
if line == li.get_sentinel():
|
||||
return
|
||||
line = line.decode('UTF-8')
|
||||
if rpat.search(line):
|
||||
raise EOFError(f"Found unexpected log line '{var_unset_log_line}'")
|
||||
|
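Review bot: Both new tests assert only on the `Unsetting environment var MY_TOKEN` log line, so they would still pass if the entrypoint logged the message but failed to remove the variable from the environment handed to Confluence. A stronger check would inspect the running Confluence process environment and assert `MY_TOKEN` is absent in `test_unset_secure_vars` and present in `test_skip_unset_secure_vars`; the helpers for reaching the process are outside this page, so which one fits is not certain from here. In `test_skip_unset_secure_vars`, raising `EOFError` reports an unexpected match as an error rather than a test failure; `pytest.fail(f"Found unexpected log line '{var_unset_log_line}'")` states the intent, and `pytest` is already imported. Since the pattern is a literal string, `if var_unset_log_line in line:` would also replace the `re.compile` and the added `import re`.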