Merged in CLIP-1824-whitelist-sensitive-env-vars (pull request #140)

CLIP-1824: Add tests and README notes for a new env var

* Add tests

* Update submodule checkout command

* Add readme

* Remove debug host

* Revert git submodule command change

* Revert git submodule command change

* Update submodule revision


Approved-by: Minh Tran

README.md

@@ -338,6 +338,12 @@ management technology, and is beyond the scope of this documentation.
    The unset function is executed in the entrypoint. Set to `false` if you want to allow passing
    sensitive environment variables to Confluence container.
 
+*  `ATL_WHITELIST_SENSITIVE_ENV_VARS`
+
+   **WARNING:** When using this property, the values to sensitive environment variables will be available in clear text on the host OS. As such, this data may be exposed to users or processes running on the host OS.
+
+   Define a comma separated list of environment variables containing keywords 'PASS', 'SECRET' or 'TOKEN' to be ignored by the unset function which is executed in the entrypoint. The function uses `^` regex. For example, if you set `ATL_WHITELIST_SENSITIVE_ENV_VARS="PATH_TO_SECRET_FILE"`, all variables starting with `PATH_TO_SECRET_FILE` will be whitelisted.
+
 ## Advanced Configuration
 
 As mentioned at the top of this section, the settings from the environment are

shared-components

@@ -1 +1 @@
-Subproject commit 52cd98f0136e31e69b2e75a35f81e315d646cf82
+Subproject commit 7e242207638140041da240a086ed464cf00b9e8c

tests/test_image.py

@@ -607,3 +607,48 @@ def test_skip_unset_secure_vars(docker_cli, image, run_user):
         line = line.decode('UTF-8')
         if rpat.search(line):
             raise EOFError(f"Found unexpected log line '{var_unset_log_line}'")
+
+def test_skip_default_whitelisted_secure_vars(docker_cli, image, run_user):
+    environment = {
+        'AWS_WEB_IDENTITY_TOKEN_FILE': '/path/to/file',
+        'com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_foor_bar': '/path/to/file'
+    }
+    container = docker_cli.containers.run(image, detach=True, user=run_user, environment=environment,
+                                          ports={PORT: PORT})
+    wait_for_state(STATUS_URL, expected_state='FIRST_RUN')
+    rpat = re.compile(r'Unsetting environment var (AWS_WEB_IDENTITY_TOKEN_FILE|com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_foor_bar)')
+    logs = container.logs(stream=True, follow=True)
+    li = TimeoutIterator(logs, timeout=1)
+    for line in li:
+        if line == li.get_sentinel():
+            return
+        line = line.decode('UTF-8')
+        if rpat.search(line):
+            print(line)
+            raise EOFError(f"Found unexpected log line")
+
+def test_skip_custom_whitelisted_secure_vars(docker_cli, image, run_user):
+    environment = {
+        'MY_TOKEN': 'tokenvalue',
+        'SECRET': 'secretvalue',
+        'MY_PASS': 'passvalue',
+        'ATL_WHITELIST_SENSITIVE_ENV_VARS': 'MY_TOKEN, MY_PASS',
+    }
+    container = docker_cli.containers.run(image, detach=True, user=run_user, environment=environment, ports={PORT: PORT})
+    wait_for_state(STATUS_URL, expected_state='FIRST_RUN')
+
+    # ensure SECRET env var is unset
+    var_unset_log_line_secret = 'Unsetting environment var SECRET'
+    wait_for_log(container, var_unset_log_line_secret)
+
+    # ensure MY_TOKEN and MY_PASS are not unset as they are in the whitelist
+    rpat = re.compile(r'Unsetting environment var (MY_TOKEN|MY_PASS)')
+    logs = container.logs(stream=True, follow=True)
+    li = TimeoutIterator(logs, timeout=1)
+    for line in li:
+        if line == li.get_sentinel():
+            return
+        line = line.decode('UTF-8')
+        if rpat.search(line):
+            print(line)
+            raise EOFError(f"Found unexpected log line")