Make unsetting sensitive vars optional

Yevhen Ivantsov 2022-12-05 19:32:33 +11:00
parent ffcfea9af8
commit bf1d6b1815
3 changed files with 40 additions and 1 deletions


@ -319,6 +319,12 @@ management technology, and is beyond the scope of this documentation.
Define whether to set home directory permissions on startup. Set to `false` to disable
this behaviour.
* `ATL_UNSET_SENSITIVE_ENV_VARS` (default: true)
Define whether to unset environment variables containing keywords 'PASS', 'SECRET' or 'TOKEN'.
The unset function is executed in the entrypoint. Set to `false` if you want to allow passing
sensitive environment variables to Confluence container.
## Advanced Configuration
As mentioned at the top of this section, the settings from the environment are


@ -8,6 +8,7 @@ RUN_GROUP = env['run_group']
CONFLUENCE_INSTALL_DIR = env['confluence_install_dir']
CONFLUENCE_HOME = env['confluence_home']
UPDATE_CFG = str2bool_or(env.get('atl_force_cfg_update'), False)
UNSET_SENSITIVE_VARS = str2bool_or(env.get('atl_unset_sensitive_env_vars'), True)
gen_cfg('server.xml.j2', f'{CONFLUENCE_INSTALL_DIR}/conf/server.xml')
gen_cfg('seraph-config.xml.j2',
@ -18,4 +19,4 @@ gen_cfg('confluence.cfg.xml.j2', f'{CONFLUENCE_HOME}/confluence.cfg.xml',
user=RUN_USER, group=RUN_GROUP, overwrite=UPDATE_CFG)
exec_app([f'{CONFLUENCE_INSTALL_DIR}/bin/start-confluence.sh', '-fg'], CONFLUENCE_HOME,
name='Confluence', env_cleanup=True)
name='Confluence', env_cleanup=UNSET_SENSITIVE_VARS)
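Review bot: The opt-out read on L27 changes the container's security posture without leaving any trace in the logs — when `UNSET_SENSITIVE_VARS` is false the only observable difference is the absence of the 'Unsetting environment var …' lines that exec_app appears to emit. An explicit message next to the definition on L27, using whatever the entrypoint already uses for log output, e.g. `if not UNSET_SENSITIVE_VARS: print('ATL_UNSET_SENSITIVE_ENV_VARS=false: sensitive environment variables are kept in the process environment', flush=True)`, would let operators see from the logs that secrets were retained and would give the accompanying test a positive line to wait for instead of a timeout. The lookup key `atl_unset_sensitive_env_vars` presumably relies on `env` holding lowercased names, as `atl_force_cfg_update` on L26 does; worth confirming against how `env` and `str2bool_or` are built, which is outside the hunk. The `exec_app` call on L32–L34 is the last statement shown, so any remaining module lines are outside the hunk.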


@ -1,6 +1,8 @@
import pytest
import signal
import testinfra
from iterators import TimeoutIterator
import re
from helpers import get_app_home, get_app_install_dir, get_bootstrap_proc, get_procs, \
parse_properties, parse_xml, run_image, \
@ -575,3 +577,33 @@ def test_confluence_db_pool_property(docker_cli, image, version, db_property):
for property, expected_value in expected.items():
assert xml.findall(f'.//property[@name="{property}"]')[0].text == expected_value
def test_unset_secure_vars(docker_cli, image, run_user):
environment = {
'MY_TOKEN': 'tokenvalue',
}
container = docker_cli.containers.run(image, detach=True, user=run_user, environment=environment,
ports={PORT: PORT})
wait_for_state(STATUS_URL, expected_state='FIRST_RUN')
var_unset_log_line = 'Unsetting environment var MY_TOKEN'
wait_for_log(container, var_unset_log_line)
def test_skip_unset_secure_vars(docker_cli, image, run_user):
environment = {
'MY_TOKEN': 'tokenvalue',
'ATL_UNSET_SENSITIVE_ENV_VARS': 'false',
}
container = docker_cli.containers.run(image, detach=True, user=run_user, environment=environment,
ports={PORT: PORT})
wait_for_state(STATUS_URL, expected_state='FIRST_RUN')
var_unset_log_line = 'Unsetting environment var MY_TOKEN'
rpat = re.compile(var_unset_log_line)
logs = container.logs(stream=True, follow=True)
li = TimeoutIterator(logs, timeout=1)
for line in li:
if line == li.get_sentinel():
return
line = line.decode('UTF-8')
if rpat.search(line):
raise EOFError(f"Found unexpected log line '{var_unset_log_line}'")
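Review bot: `test_skip_unset_secure_vars` passes on any one-second gap in the log stream — the `return` on L72 fires when TimeoutIterator yields its sentinel, which it also does if the container exited early or printed nothing, so a broken entrypoint would make this negative test pass. Reading the full log once after `wait_for_state` has returned (the unset messages come from the entrypoint, which has finished by the time FIRST_RUN is reachable) and asserting on it would be deterministic and shorter: `logs = container.logs().decode('UTF-8')` followed by `assert var_unset_log_line not in logs, f"Found unexpected log line '{var_unset_log_line}'"`. If the streaming form is kept, the failure on L75 should be `pytest.fail(...)` rather than `raise EOFError(...)`, and the `re.compile` on L67 is unnecessary since the string has no regex metacharacters. Neither new test checks the started process's environment itself, only the log line, so a stronger assertion would inspect that environment via the process helpers imported on L44 if they expose it. The context on L47–L48 belongs to `test_confluence_db_pool_property`, whose start is outside the hunk.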