Merged in CLIP-1824-whitelist-sensitive-env-vars (pull request #140)
CLIP-1824: Add tests and README notes for a new env var * Add tests * Update submodule checkout command * Add readme * Remove debug host * Revert git submodule command change * Revert git submodule command change * Update submodule revision Approved-by: Minh Tran
This commit is contained in:
parent
59e81a7697
commit
e21958b4dc
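--- a/[readme-path-not-shown]
+++ b/[readme-path-not-shown]
@@ -338,6 +338,12 @@ management technology, and is beyond the scope of this documentation.
 The unset function is executed in the entrypoint. Set to `false` if you want to allow passing
 sensitive environment variables to Confluence container.
 
+* `ATL_WHITELIST_SENSITIVE_ENV_VARS`
+
+**WARNING:** When using this property, the values to sensitive environment variables will be available in clear text on the host OS. As such, this data may be exposed to users or processes running on the host OS.
+
+Define a comma separated list of environment variables containing keywords 'PASS', 'SECRET' or 'TOKEN' to be ignored by the unset function which is executed in the entrypoint. The function uses `^` regex. For example, if you set `ATL_WHITELIST_SENSITIVE_ENV_VARS="PATH_TO_SECRET_FILE"`, all variables starting with `PATH_TO_SECRET_FILE` will be whitelisted.
+
 ## Advanced Configuration
 
 As mentioned at the top of this section, the settings from the environment are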
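--- a/[submodule-path-not-shown]
+++ b/[submodule-path-not-shown]
@@ -1 +1 @@
-Subproject commit 52cd98f0136e31e69b2e75a35f81e315d646cf82
+Subproject commit 7e242207638140041da240a086ed464cf00b9e8c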
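--- a/[tests-path-not-shown]
+++ b/[tests-path-not-shown]
@@ -607,3 +607,48 @@ def test_skip_unset_secure_vars(docker_cli, image, run_user):
 line = line.decode('UTF-8')
 if rpat.search(line):
 raise EOFError(f"Found unexpected log line '{var_unset_log_line}'")
+
+def test_skip_default_whitelisted_secure_vars(docker_cli, image, run_user):
+environment = {
+'AWS_WEB_IDENTITY_TOKEN_FILE': '/path/to/file',
+'com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_foor_bar': '/path/to/file'
+}
+container = docker_cli.containers.run(image, detach=True, user=run_user, environment=environment,
+ports={PORT: PORT})
+wait_for_state(STATUS_URL, expected_state='FIRST_RUN')
+rpat = re.compile(r'Unsetting environment var (AWS_WEB_IDENTITY_TOKEN_FILE|com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_foor_bar)')
+logs = container.logs(stream=True, follow=True)
+li = TimeoutIterator(logs, timeout=1)
+for line in li:
+if line == li.get_sentinel():
+return
+line = line.decode('UTF-8')
+if rpat.search(line):
+print(line)
+raise EOFError(f"Found unexpected log line")
+
+def test_skip_custom_whitelisted_secure_vars(docker_cli, image, run_user):
+environment = {
+'MY_TOKEN': 'tokenvalue',
+'SECRET': 'secretvalue',
+'MY_PASS': 'passvalue',
+'ATL_WHITELIST_SENSITIVE_ENV_VARS': 'MY_TOKEN, MY_PASS',
+}
+container = docker_cli.containers.run(image, detach=True, user=run_user, environment=environment, ports={PORT: PORT})
+wait_for_state(STATUS_URL, expected_state='FIRST_RUN')
+
+# ensure SECRET env var is unset
+var_unset_log_line_secret = 'Unsetting environment var SECRET'
+wait_for_log(container, var_unset_log_line_secret)
+
+# ensure MY_TOKEN and MY_PASS are not unset as they are in the whitelist
+rpat = re.compile(r'Unsetting environment var (MY_TOKEN|MY_PASS)')
+logs = container.logs(stream=True, follow=True)
+li = TimeoutIterator(logs, timeout=1)
+for line in li:
+if line == li.get_sentinel():
+return
+line = line.decode('UTF-8')
+if rpat.search(line):
+print(line)
+raise EOFError(f"Found unexpected log line")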
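Review bot: `test_skip_default_whitelisted_secure_vars` can pass vacuously, because it only scans the log stream until `TimeoutIterator` has been idle for one second and has no positive anchor proving the entrypoint's unset step actually ran; if startup pauses for more than a second before that step, the loop hits the sentinel and returns without the whitelist ever being exercised. The custom-whitelist test below avoids this by waiting on the SECRET unset line first, so the same pattern fits here: add a non-whitelisted control variable such as `'SECRET': 'secretvalue'` to `environment` and call `wait_for_log(container, 'Unsetting environment var SECRET')` before starting the scan. Both `raise EOFError(f"Found unexpected log line")` lines are f-strings with no placeholders and, unlike the existing test above which reports `'{var_unset_log_line}'`, drop the offending line from the message; `raise EOFError(f"Found unexpected log line '{line}'")` keeps that detail and makes the preceding `print(line)` debug leftover unnecessary. The whitelist value `'MY_TOKEN, MY_PASS'` carries a space after the comma, so this test also depends on the entrypoint trimming whitespace around entries, which is not visible in this hunk; a short comment saying that the space is deliberate would stop a future reader from "fixing" it.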