chore: Adjust naming to filter envs. Fix tests.

Signed-off-by: Matthias Glastra <[email protected]>
in-toto · Sep 30, 2024 · b33029c · b33029c
1 parent c8c05e3
commit b33029c
Show file tree

Hide file tree

Showing 4 changed files with 91 additions and 24 deletions.
diff --git a/attestation/environment/environment.go b/attestation/environment/environment.go
@@ -37,7 +37,7 @@ const (
 var (
 	_                                  attestation.Attestor = &Attestor{}
 	_                                  EnvironmentAttestor  = &Attestor{}
-	defaultBlockSensitiveVarsEnabled                        = false
+	defaultFilterSensitiveVarsEnabled                       = false
 	defaultDisableSensitiveVarsDefault                      = false
 )
 
@@ -53,16 +53,16 @@ type EnvironmentAttestor interface {
 func init() {
 	attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor { return New() },
 		registry.BoolConfigOption(
-			"block-sensitive-vars",
-			"Switch from obfuscate to blocking variables which removes them from the output completely.",
-			defaultBlockSensitiveVarsEnabled,
-			func(a attestation.Attestor, blockSensitiveVarsEnabled bool) (attestation.Attestor, error) {
+			"filter-sensitive-vars",
+			"Switch from obfuscate to filtering variables which removes them from the output completely.",
+			defaultFilterSensitiveVarsEnabled,
+			func(a attestation.Attestor, filterSensitiveVarsEnabled bool) (attestation.Attestor, error) {
 				envAttestor, ok := a.(*Attestor)
 				if !ok {
 					return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a)
 				}
 
-				WithBlockVarsEnabled(blockSensitiveVarsEnabled)(envAttestor)
+				WithFilterVarsEnabled(filterSensitiveVarsEnabled)(envAttestor)
 				return envAttestor, nil
 			},
 		),
@@ -105,17 +105,17 @@ type Attestor struct {
 
 	sensitiveVarsList           map[string]struct{}
 	addSensitiveVarsList        map[string]struct{}
-	blockVarsEnabled            bool
+	filterVarsEnabled           bool
 	disableSensitiveVarsDefault bool
 }
 
 type Option func(*Attestor)
 
-// WithBlockVarsEnabled will make the blocking (removing) of vars the acting behavior.
+// WithFilterVarsEnabled will make the filter (removing) of vars the acting behavior.
 // The default behavior is obfuscation of variables.
-func WithBlockVarsEnabled(blockVarsEnabled bool) Option {
+func WithFilterVarsEnabled(filterVarsEnabled bool) Option {
 	return func(a *Attestor) {
-		a.blockVarsEnabled = blockVarsEnabled
+		a.filterVarsEnabled = filterVarsEnabled
 	}
 }
 
@@ -137,7 +137,7 @@ func WithDisableDefaultSensitiveList(disableSensitiveVarsDefault bool) Option {
 
 func New(opts ...Option) *Attestor {
 	attestor := &Attestor{
-		sensitiveVarsList: DefaultSensitiveEnvList(),
+		sensitiveVarsList:    DefaultSensitiveEnvList(),
 		addSensitiveVarsList: map[string]struct{}{},
 	}
 
@@ -186,8 +186,8 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 		finalSensitiveKeysList[k] = v
 	}
 
-	// Block or obfuscate
-	if a.blockVarsEnabled {
+	// Filter or obfuscate
+	if a.filterVarsEnabled {
 		FilterEnvironmentArray(os.Environ(), finalSensitiveKeysList, func(key, val, _ string) {
 			a.Variables[key] = val
 		})

diff --git a/attestation/environment/environment_test.go b/attestation/environment/environment_test.go
@@ -22,8 +22,10 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestEnvironment(t *testing.T) {
-	attestor := New()
+// TestFilterVarsEnvironment tests if enabling filter behavior works correctly.
+func TestFilterVarsEnvironment(t *testing.T) {
+
+	attestor := New(WithFilterVarsEnabled(true))
 	ctx, err := attestation.NewContext("test", []attestation.Attestor{attestor})
 	require.NoError(t, err)
 
@@ -32,14 +34,15 @@ func TestEnvironment(t *testing.T) {
 	require.NoError(t, attestor.Attest(ctx))
 	for _, env := range origVars {
 		origKey, _ := splitVariable(env)
-		if _, inBlockList := attestor.blockList[origKey]; inBlockList {
+		if _, inBlockList := attestor.sensitiveVarsList[origKey]; inBlockList {
 			require.NotContains(t, attestor.Variables, origKey)
 		} else {
 			require.Contains(t, attestor.Variables, origKey)
 		}
 	}
 }
 
+// TestEnvironmentObfuscate tests if obfuscate normal behavior works correctly.
 func TestEnvironmentObfuscate(t *testing.T) {
 	attestor := New()
 	ctx, err := attestation.NewContext("test", []attestation.Attestor{attestor})
@@ -71,3 +74,68 @@ func TestEnvironmentObfuscate(t *testing.T) {
 		}
 	}
 }
+
+// TestEnvironmentObfuscateAdditional tests if the default obfuscate with additional keys works correctly.
+func TestEnvironmentObfuscateAdditional(t *testing.T) {
+	attestor := New(WithAdditionalKeys([]string{"MYNAME"}))
+	ctx, err := attestation.NewContext("test", []attestation.Attestor{attestor})
+	require.NoError(t, err)
+
+	obfuscateEnvs := map[string]struct{}{"API_TOKEN": {}, "MYNAME": {}}
+	secretVarValue := "secret var"
+	publicVarValue := "public var"
+	for k := range obfuscateEnvs {
+		t.Setenv(k, secretVarValue)
+	}
+
+	notObfuscateEnvs := map[string]struct{}{"VAR_FOO": {}, "VAR_BAR": {}}
+	for k := range notObfuscateEnvs {
+		t.Setenv(k, publicVarValue)
+	}
+
+	origVars := os.Environ()
+	require.NoError(t, attestor.Attest(ctx))
+	for _, env := range origVars {
+		origKey, _ := splitVariable(env)
+		if _, inObfuscateList := obfuscateEnvs[origKey]; inObfuscateList {
+			require.NotEqual(t, attestor.Variables[origKey], secretVarValue)
+			require.Equal(t, attestor.Variables[origKey], "******")
+		}
+
+		if _, inNotObfuscateList := notObfuscateEnvs[origKey]; inNotObfuscateList {
+			require.Equal(t, attestor.Variables[origKey], publicVarValue)
+		}
+	}
+}
+
+// TestEnvironmentFilterAdditional tests if enabling filter and adding additional keys works correctly.
+func TestEnvironmentFilterAdditional(t *testing.T) {
+	attestor := New(WithFilterVarsEnabled(true), WithAdditionalKeys([]string{"MYNAME"}))
+	ctx, err := attestation.NewContext("test", []attestation.Attestor{attestor})
+	require.NoError(t, err)
+
+	filterEnvs := map[string]struct{}{"API_TOKEN": {}, "MYNAME": {}}
+	secretVarValue := "secret var"
+	publicVarValue := "public var"
+	for k := range filterEnvs {
+		t.Setenv(k, secretVarValue)
+	}
+
+	notFilterEnvs := map[string]struct{}{"VAR_FOO": {}, "VAR_BAR": {}}
+	for k := range notFilterEnvs {
+		t.Setenv(k, publicVarValue)
+	}
+
+	origVars := os.Environ()
+	require.NoError(t, attestor.Attest(ctx))
+	for _, env := range origVars {
+		origKey, _ := splitVariable(env)
+		if _, inFilterList := filterEnvs[origKey]; inFilterList {
+			require.NotContains(t, attestor.Variables, origKey)
+		}
+
+		if _, inNotObfuscateList := notFilterEnvs[origKey]; inNotObfuscateList {
+			require.Equal(t, attestor.Variables[origKey], publicVarValue)
+		}
+	}
+}
diff --git a/attestation/environment/blocklist.go → attestation/environment/filter.go b/attestation/environment/blocklist.go → attestation/environment/filter.go
@@ -111,7 +111,7 @@ func DefaultBlockList() map[string]struct{} {
 // blockList is the list of elements to filter from variables, and for each element of variables that does not appear in the blockList onAllowed will be called.
 func FilterEnvironmentArray(variables []string, blockList map[string]struct{}, onAllowed func(key, val, orig string)) {
 	filterGlobList := []glob.Glob{}
-	
+
 	for k := range blockList {
 		if strings.Contains(k, "*") {
 			filterGlobCompiled, err := glob.Compile(k)
@@ -131,15 +131,14 @@ func FilterEnvironmentArray(variables []string, blockList map[string]struct{}, o
 			filterOut = true
 		}
 
-
 		for _, glob := range filterGlobList {
 			if glob.Match(key) {
 				filterOut = true
 				break
 			}
 		}
 
-		if ! filterOut {
+		if !filterOut {
 			onAllowed(key, val, v)
 		}
 	}

diff --git a/attestation/environment/sensitive_env_vars.go b/attestation/environment/sensitive_env_vars.go
@@ -21,11 +21,11 @@ func DefaultSensitiveEnvList() map[string]struct{} {
 	return map[string]struct{}{
 
 		// Glob pattern list
-		"*_TOKEN":                        {},
-		"SECRET_*":                       {},
-		"*_API_KEY":                      {},
-		"*_PASSWORD":                     {},
-		"*_JWT":                          {},
+		"*_TOKEN":    {},
+		"SECRET_*":   {},
+		"*_API_KEY":  {},
+		"*_PASSWORD": {},
+		"*_JWT":      {},
 
 		// Explicit list
 		"AWS_ACCESS_KEY_ID":              {},