mirror of https://github.com/coder/coder.git
fix(support): sanitize agent env (#12554)
parent
597694fbdd
commit
47cb584052
|
@ -95,6 +95,9 @@ func (b WorkspaceBuildBuilder) WithAgent(mutations ...func([]*sdkproto.Agent) []
|
|||
Auth: &sdkproto.Agent_Token{
|
||||
Token: b.agentToken,
|
||||
},
|
||||
Env: map[string]string{
|
||||
"SECRET_TOKEN": "supersecret",
|
||||
},
|
||||
}}
|
||||
for _, m := range mutations {
|
||||
agents = m(agents)
|
||||
|
|
|
@ -191,6 +191,11 @@ func WorkspaceInfo(ctx context.Context, client *codersdk.Client, log slog.Logger
|
|||
log.Error(ctx, "fetch workspace", slog.Error(err), slog.F("workspace_id", workspaceID))
|
||||
return w
|
||||
}
|
||||
for _, res := range ws.LatestBuild.Resources {
|
||||
for _, agt := range res.Agents {
|
||||
sanitizeEnv(agt.EnvironmentVariables)
|
||||
}
|
||||
}
|
||||
w.Workspace = ws
|
||||
|
||||
eg.Go(func() error {
|
||||
|
@ -346,3 +351,13 @@ func Run(ctx context.Context, d *Deps) (*Bundle, error) {
|
|||
|
||||
return &b, nil
|
||||
}
|
||||
|
||||
// sanitizeEnv modifies kvs in place and replaces the values all non-empty keys
|
||||
// with the string ***REDACTED***
|
||||
func sanitizeEnv(kvs map[string]string) {
|
||||
for k, v := range kvs {
|
||||
if v != "" {
|
||||
kvs[k] = "***REDACTED***"
|
||||
}
|
||||
}
|
||||
}
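Review bot: Redaction is applied only to the agents reachable through `ws.LatestBuild.Resources` in WorkspaceInfo, yet the bundle also carries a separately asserted `bun.Workspace.Agent`. If that agent is fetched by its own API call (the `eg.Go` body is outside this hunk, so this is inferred), its `EnvironmentVariables` would reach the support bundle unredacted; a call such as `sanitizeEnv(agt.EnvironmentVariables)` is needed wherever that agent is stored. The doc comment on sanitizeEnv also says "non-empty keys" while the code tests the value; it should read `// sanitizeEnv modifies kvs in place, replacing every non-empty value with the string ***REDACTED***.` It is worth adding to that comment that keys and the emptiness of a value are deliberately left visible, so a reader of the bundle knows what is still disclosed.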
|
||||
|
|
|
@ -57,6 +57,7 @@ func TestRun(t *testing.T) {
|
|||
require.NotEmpty(t, bun.Network.TailnetDebug)
|
||||
require.NotNil(t, bun.Network.NetcheckLocal)
|
||||
require.NotNil(t, bun.Workspace.Workspace)
|
||||
assertSanitizedWorkspace(t, bun.Workspace.Workspace)
|
||||
require.NotEmpty(t, bun.Workspace.BuildLogs)
|
||||
require.NotNil(t, bun.Workspace.Agent)
|
||||
require.NotEmpty(t, bun.Workspace.AgentStartupLogs)
|
||||
|
@ -92,6 +93,7 @@ func TestRun(t *testing.T) {
|
|||
require.NotEmpty(t, bun.Network.CoordinatorDebug)
|
||||
require.NotEmpty(t, bun.Network.TailnetDebug)
|
||||
require.NotNil(t, bun.Workspace)
|
||||
assertSanitizedWorkspace(t, bun.Workspace.Workspace)
|
||||
require.NotEmpty(t, bun.Logs)
|
||||
})
|
||||
|
||||
|
@ -140,6 +142,17 @@ func assertSanitizedDeploymentConfig(t *testing.T, dc *codersdk.DeploymentConfig
|
|||
}
|
||||
}
|
||||
|
||||
func assertSanitizedWorkspace(t *testing.T, ws codersdk.Workspace) {
|
||||
t.Helper()
|
||||
for _, res := range ws.LatestBuild.Resources {
|
||||
for _, agt := range res.Agents {
|
||||
for k, v := range agt.EnvironmentVariables {
|
||||
assert.Equal(t, "***REDACTED***", v, "environment variable %q not sanitized", k)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func setupWorkspaceAndAgent(ctx context.Context, t *testing.T, client *codersdk.Client, db database.Store, user codersdk.CreateFirstUserResponse) (codersdk.Workspace, codersdk.WorkspaceAgent) {
|
||||
// This is a valid zip file
|
||||
zipBytes := make([]byte, 22)
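Review bot: assertSanitizedWorkspace passes vacuously when the workspace has no resources, no agents or an empty `EnvironmentVariables` map, so the test would stay green if the `SECRET_TOKEN` fixture were dropped or the API stopped returning the env. In the TestRun case that builds the workspace with the agent fixture, assert that at least one variable was actually checked, for example `require.NotEmpty(t, agt.EnvironmentVariables)` inside the agent loop for that case. The helper also requires every value to equal `***REDACTED***`, whereas sanitizeEnv leaves empty values untouched; a fixture with an empty value would fail here, so either skip `v == ""` in the helper or state in its comment that fixtures must use non-empty values.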
|
||||
|
|