Local env store: deny access to certain env vars
Included: APP_API_TOKEN and DAPR_API_TOKEN

Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
This commit is contained in:
parent
f0587ca748
commit
659d0d2136
|
@ -44,20 +44,27 @@ func (s *envSecretStore) Init(metadata secretstores.Metadata) error {
|
|||
|
||||
// GetSecret retrieves a secret from env var using provided key.
|
||||
func (s *envSecretStore) GetSecret(ctx context.Context, req secretstores.GetSecretRequest) (secretstores.GetSecretResponse, error) {
|
||||
var value string
|
||||
if s.isKeyAllowed(req.Name) {
|
||||
value = os.Getenv(req.Name)
|
||||
}
|
||||
return secretstores.GetSecretResponse{
|
||||
Data: map[string]string{
|
||||
req.Name: os.Getenv(req.Name),
|
||||
req.Name: value,
|
||||
},
|
||||
}, nil
|
||||
}
|
||||
|
||||
// BulkGetSecret retrieves all secrets in the store and returns a map of decrypted string/string values.
|
||||
// BulkGetSecret retrieves all secrets in the store and returns a map of string/string values.
|
||||
func (s *envSecretStore) BulkGetSecret(ctx context.Context, req secretstores.BulkGetSecretRequest) (secretstores.BulkGetSecretResponse, error) {
|
||||
r := map[string]map[string]string{}
|
||||
env := os.Environ()
|
||||
r := make(map[string]map[string]string, len(env))
|
||||
|
||||
for _, element := range os.Environ() {
|
||||
for _, element := range env {
|
||||
envVariable := strings.SplitN(element, "=", 2)
|
||||
r[envVariable[0]] = map[string]string{envVariable[0]: envVariable[1]}
|
||||
if s.isKeyAllowed(envVariable[0]) {
|
||||
r[envVariable[0]] = map[string]string{envVariable[0]: envVariable[1]}
|
||||
}
|
||||
}
|
||||
|
||||
return secretstores.BulkGetSecretResponse{
|
||||
|
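Review bot: In GetSecret the denied path of `if s.isKeyAllowed(req.Name)` silently yields `req.Name: ""`, which a caller cannot tell apart from an allowed variable that is simply unset, so a denied lookup leaves no trace in the response or the logs. Returning an explicit error, e.g. `return secretstores.GetSecretResponse{}, fmt.Errorf("access to env var %q is denied", req.Name)`, makes the denial visible and auditable; whether fmt is already imported is not visible in this hunk. If the silent-empty behaviour is intentional, the doc comment should say so: `// GetSecret retrieves a secret from env var using provided key. Keys rejected by isKeyAllowed yield an empty value.` BulkGetSecret's body continues past the end of the hunk.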
@ -77,3 +84,12 @@ func (s *envSecretStore) GetComponentMetadata() map[string]string {
|
|||
metadata.GetMetadataInfoFromStructType(reflect.TypeOf(metadataStruct), &metadataInfo)
|
||||
return metadataInfo
|
||||
}
|
||||
|
||||
func (s *envSecretStore) isKeyAllowed(key string) bool {
|
||||
switch key {
|
||||
case "APP_API_TOKEN", "DAPR_API_TOKEN":
|
||||
return false
|
||||
default:
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
|
|
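Review bot: isKeyAllowed compares the name case-sensitively, but on Windows environment variable names are case-insensitive, so a differently cased name reaches os.Getenv and still reads one of the denied variables; a case-insensitive comparison closes that gap, e.g. a bare `switch {` with `case strings.EqualFold(key, "APP_API_TOKEN"), strings.EqualFold(key, "DAPR_API_TOKEN"):` (strings is already imported for SplitN). The new function also lacks a doc comment; suggest `// isKeyAllowed reports whether the env var named key may be exposed as a secret; the Dapr and app API tokens are always denied.` Keeping the denied names in a package-level slice or map would make the list easier to extend than a switch literal, though the switch is fine while it holds two entries.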
@ -20,42 +20,70 @@ import (
|
|||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/dapr/components-contrib/secretstores"
|
||||
"github.com/dapr/kit/logger"
|
||||
)
|
||||
|
||||
func TestInit(t *testing.T) {
|
||||
func TestEnvStore(t *testing.T) {
|
||||
secret := "secret1"
|
||||
key := "TEST_SECRET"
|
||||
|
||||
s := envSecretStore{logger: logger.NewLogger("test")}
|
||||
|
||||
os.Setenv(key, secret)
|
||||
assert.Equal(t, secret, os.Getenv(key))
|
||||
t.Setenv(key, secret)
|
||||
require.Equal(t, secret, os.Getenv(key))
|
||||
|
||||
t.Run("Test init", func(t *testing.T) {
|
||||
t.Run("Init", func(t *testing.T) {
|
||||
err := s.Init(secretstores.Metadata{})
|
||||
assert.Nil(t, err)
|
||||
require.NoError(t, err)
|
||||
})
|
||||
|
||||
t.Run("Test set and get", func(t *testing.T) {
|
||||
t.Run("Get", func(t *testing.T) {
|
||||
err := s.Init(secretstores.Metadata{})
|
||||
assert.Nil(t, err)
|
||||
require.NoError(t, err)
|
||||
resp, err := s.GetSecret(context.Background(), secretstores.GetSecretRequest{Name: key})
|
||||
assert.Nil(t, err)
|
||||
assert.NotNil(t, resp)
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, resp)
|
||||
assert.Equal(t, secret, resp.Data[key])
|
||||
})
|
||||
|
||||
t.Run("Test bulk get", func(t *testing.T) {
|
||||
t.Run("Bulk get", func(t *testing.T) {
|
||||
err := s.Init(secretstores.Metadata{})
|
||||
assert.Nil(t, err)
|
||||
require.NoError(t, err)
|
||||
resp, err := s.BulkGetSecret(context.Background(), secretstores.BulkGetSecretRequest{})
|
||||
assert.Nil(t, err)
|
||||
assert.NotNil(t, resp)
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, resp)
|
||||
assert.Equal(t, secret, resp.Data[key][key])
|
||||
})
|
||||
|
||||
t.Run("Disallowed keys", func(t *testing.T) {
|
||||
t.Setenv("APP_API_TOKEN", "ciao")
|
||||
t.Setenv("DAPR_API_TOKEN", "mondo")
|
||||
t.Setenv("FOO", "bar")
|
||||
|
||||
err := s.Init(secretstores.Metadata{})
|
||||
require.NoError(t, err)
|
||||
|
||||
t.Run("Get", func(t *testing.T) {
|
||||
resp, err := s.GetSecret(context.Background(), secretstores.GetSecretRequest{
|
||||
Name: "APP_API_TOKEN",
|
||||
})
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, resp.Data)
|
||||
assert.Empty(t, resp.Data["APP_API_TOKEN"])
|
||||
})
|
||||
|
||||
t.Run("Bulk get", func(t *testing.T) {
|
||||
resp, err := s.BulkGetSecret(context.Background(), secretstores.BulkGetSecretRequest{})
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, resp.Data)
|
||||
assert.Empty(t, resp.Data["APP_API_TOKEN"])
|
||||
assert.Empty(t, resp.Data["DAPR_API_TOKEN"])
|
||||
assert.Equal(t, "bar", resp.Data["FOO"]["FOO"])
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
func TestGetFeatures(t *testing.T) {
|
||||
|
|
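Review bot: The "Disallowed keys"/"Get" subtest exercises only APP_API_TOKEN through GetSecret; DAPR_API_TOKEN is checked only on the bulk path, so a regression in the single-key check for that name would go unnoticed. Wrapping the GetSecret call in `for _, name := range []string{"APP_API_TOKEN", "DAPR_API_TOKEN"} {` and asserting on `resp.Data[name]` covers both. Note also that `assert.Empty(t, resp.Data["APP_API_TOKEN"])` passes whether the key is absent or present with an empty value, so the test does not pin which of the two the store returns; a `_, present := resp.Data[name]` check alongside the emptiness assertion would state the intended contract. TestGetFeatures's body continues past the end of the hunk.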