diff --git a/cli/support_test.go b/cli/support_test.go index 4589cf78c5727..cad0457d2ab3d 100644 --- a/cli/support_test.go +++ b/cli/support_test.go @@ -2,6 +2,7 @@ package cli_test import ( "archive/zip" + "bytes" "encoding/json" "io" "os" @@ -12,6 +13,7 @@ import ( "tailscale.com/ipn/ipnstate" + "github.com/google/uuid" "github.com/stretchr/testify/require" "github.com/coder/coder/v2/agent" @@ -23,6 +25,7 @@ import ( "github.com/coder/coder/v2/coderd/database/dbtime" "github.com/coder/coder/v2/codersdk" "github.com/coder/coder/v2/codersdk/agentsdk" + "github.com/coder/coder/v2/provisionersdk/proto" "github.com/coder/coder/v2/tailnet" "github.com/coder/coder/v2/testutil" ) @@ -38,10 +41,15 @@ func TestSupportBundle(t *testing.T) { ctx := testutil.Context(t, testutil.WaitShort) client, db := coderdtest.NewWithDatabase(t, nil) owner := coderdtest.CreateFirstUser(t, client) + randSecretValue := uuid.NewString() r := dbfake.WorkspaceBuild(t, db, database.Workspace{ OrganizationID: owner.OrganizationID, OwnerID: owner.UserID, - }).WithAgent().Do() + }).WithAgent(func(agents []*proto.Agent) []*proto.Agent { + // This should not show up in the bundle output + agents[0].Env["SECRET_VALUE"] = randSecretValue + return agents + }).Do() ws, err := client.Workspace(ctx, r.Workspace.ID) require.NoError(t, err) tempDir := t.TempDir() @@ -81,7 +89,7 @@ func TestSupportBundle(t *testing.T) { clitest.SetupConfig(t, client, root) err = inv.Run() require.NoError(t, err) - assertBundleContents(t, path) + assertBundleContents(t, path, randSecretValue) }) t.Run("NoWorkspace", func(t *testing.T) { @@ -126,12 +134,13 @@ func TestSupportBundle(t *testing.T) { }) } -func assertBundleContents(t *testing.T, path string) { +func assertBundleContents(t *testing.T, path string, badValues ...string) { t.Helper() r, err := zip.OpenReader(path) require.NoError(t, err, "open zip file") defer r.Close() for _, f := range r.File { + assertDoesNotContain(t, f, badValues...) switch f.Name { case "deployment/buildinfo.json": var v codersdk.BuildInfoResponse @@ -244,3 +253,13 @@ func readBytesFromZip(t *testing.T, f *zip.File) []byte { require.NoError(t, err, "read bytes from zip") return bs } + +func assertDoesNotContain(t *testing.T, f *zip.File, vals ...string) { + t.Helper() + bs := readBytesFromZip(t, f) + for _, val := range vals { + if bytes.Contains(bs, []byte(val)) { + t.Fatalf("file %q should not contain value %q", f.Name, val) + } + } +} diff --git a/coderd/database/dbfake/dbfake.go b/coderd/database/dbfake/dbfake.go index 5115ef96d9007..6cb2d94429eb1 100644 --- a/coderd/database/dbfake/dbfake.go +++ b/coderd/database/dbfake/dbfake.go @@ -95,9 +95,7 @@ func (b WorkspaceBuildBuilder) WithAgent(mutations ...func([]*sdkproto.Agent) [] Auth: &sdkproto.Agent_Token{ Token: b.agentToken, }, - Env: map[string]string{ - "SECRET_TOKEN": "supersecret", - }, + Env: map[string]string{}, }} for _, m := range mutations { agents = m(agents) diff --git a/support/support.go b/support/support.go index 9df859f699e28..1cf493a292129 100644 --- a/support/support.go +++ b/support/support.go @@ -407,6 +407,7 @@ func connectedAgentInfo(ctx context.Context, client *codersdk.Client, log slog.L if err := json.NewDecoder(bytes.NewReader(manifestRes)).Decode(&a.Manifest); err != nil { return xerrors.Errorf("decode agent manifest: %w", err) } + sanitizeEnv(a.Manifest.EnvironmentVariables) return nil }) diff --git a/support/support_test.go b/support/support_test.go index 4321ebd6d1b9d..58d5c9731af7d 100644 --- a/support/support_test.go +++ b/support/support_test.go @@ -73,9 +73,11 @@ func TestRun(t *testing.T) { assertNotNilNotEmpty(t, bun.Workspace.TemplateFileBase64, "workspace template file should be present") require.NotNil(t, bun.Workspace.Parameters, "workspace parameters should be present") assertNotNilNotEmpty(t, bun.Agent.Agent, "agent should be present") - assertSanitizedAgent(t, *bun.Agent.Agent) + assertSanitizedEnv(t, bun.Agent.Agent.EnvironmentVariables) assertNotNilNotEmpty(t, bun.Agent.ListeningPorts, "agent listening ports should be present") assertNotNilNotEmpty(t, bun.Agent.Logs, "agent logs should be present") + assertNotNilNotEmpty(t, bun.Agent.Manifest, "agent manifest should be present") + assertSanitizedEnv(t, bun.Agent.Manifest.EnvironmentVariables) assertNotNilNotEmpty(t, bun.Agent.AgentMagicsockHTML, "agent magicsock should be present") assertNotNilNotEmpty(t, bun.Agent.ClientMagicsockHTML, "client magicsock should be present") assertNotNilNotEmpty(t, bun.Agent.PeerDiagnostics, "agent peer diagnostics should be present") @@ -164,15 +166,15 @@ func assertSanitizedWorkspace(t *testing.T, ws codersdk.Workspace) { t.Helper() for _, res := range ws.LatestBuild.Resources { for _, agt := range res.Agents { - assertSanitizedAgent(t, agt) + assertSanitizedEnv(t, agt.EnvironmentVariables) } } } -func assertSanitizedAgent(t *testing.T, agt codersdk.WorkspaceAgent) { +func assertSanitizedEnv(t *testing.T, env map[string]string) { t.Helper() - for k, v := range agt.EnvironmentVariables { - assert.Equal(t, "***REDACTED***", v, "agent %q environment variable %q not sanitized", agt.Name, k) + for k, v := range env { + assert.Equal(t, "***REDACTED***", v, "environment variable %q not sanitized", k) } }