Add globing support for secret env

pull/4/head
Christophe Mehay 8 years ago
parent 5887581459
commit a663b98efb

@ -1,5 +1,5 @@
- repo: git://github.com/pre-commit/pre-commit-hooks
sha: 'v0.4.2'
sha: 'v0.6.0'
hooks:
- id: check-added-large-files
- id: check-docstring-first

@ -89,6 +89,7 @@ config_files:
# theses variables will passed to it anyway
secret_env:
- SSHKEY
- '*' # Support globbing, all environment will be wiped
# Links are handled here
# Port, name, protocol or env variable can be used to identify the links

@ -31,6 +31,7 @@ config_files:
# exec command to keep them secret
secret_env:
- SSHKEY
- '*' # Support globbing, all environment will be wiped
# Links are handled here
# Port, name, protocol or env variable can be used to identify the links

@ -37,12 +37,12 @@ class Command(object):
def is_link_env(env, links):
for link in links:
patterns = [
'{}_NAME'.format(link),
'{}_PORT_*'.format(link),
'{}_ENV_*'.format(link),
'{}_NAME'.format(link.upper()),
'{}_PORT_*'.format(link.upper()),
'{}_ENV_*'.format(link.upper()),
]
for patt in patterns:
if fnmatch(link, patt):
if fnmatch(env, patt):
return True
return False
@ -51,6 +51,20 @@ class Command(object):
self.env = {env: val for env, val in os.environ.items()
if not is_link_env(env, all_link_names)}
def _clean_secret_env(self):
to_del = []
for key in self.env:
for item in self.config.secret_env:
if fnmatch(key, item):
self.log.debug("Secret env '{item}' match '{key}'".format(
item=item,
key=key,
))
to_del.append(key)
for item in to_del:
del(self.env[item])
@property
def is_handled(self):
subcom = self.config.subcommands
@ -74,11 +88,13 @@ class Command(object):
if os.getuid() is 0:
os.setgid(self.config.group)
os.setuid(self.config.user)
self.log.debug('Set uid {uid} and gid {gid}'.format(
uid=self.config.user,
gid=self.config.group,
))
if self.config.clean_env:
self._clean_links_env()
for item in self.config.secret_env:
if item in os.environ:
del(self.env[item])
self._clean_secret_env()
subcom = self.config.subcommands
if not self.args or \
[p for p in subcom if fnmatch(self.args[0], p)]:
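Review bot: In `_clean_secret_env` a key that matches more than one pattern is appended to `to_del` once per pattern, so the second `del(self.env[item])` for the same key raises KeyError; the documented example `secret_env: [SSHKEY, '*']` in this very commit is exactly that input. Either collect into a set (`to_del = set()` and `to_del.add(key)`) or `break` out of the inner loop after the first match. The debug line logs only the pattern and variable name, never the value, so it does not leak the secret; if matching should be exact on case-insensitive platforms, `fnmatchcase` avoids the OS-dependent case folding of `fnmatch`. The method that calls `_clean_secret_env` after the uid/gid switch starts outside this hunk.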

@ -5,7 +5,7 @@ from setuptools import setup
# Thanks Sam and Max
__version__ = '0.3.7'
__version__ = '0.3.8'
if __name__ == '__main__':
setup(

@ -0,0 +1,2 @@
secret_env:
- '*'

@ -26,10 +26,10 @@ def test_main():
# ((Process instance), (file to check), (uid), (gid))
(
Process(target=ProxyMain(
args=['pyentrypoint', '-c', 'echo OK > /tmp/CMD6'],
args=['pyentrypoint', '-c', 'echo OK > /tmp/CMD__6'],
env={'ENTRYPOINT_CONFIG': 'configs/base.yml'}
).run),
'/tmp/CMD6',
'/tmp/CMD__6',
1000,
1000,
), (
@ -37,31 +37,31 @@ def test_main():
args=['pyentrypoint',
'bash',
'-c',
'echo ${SECRET}OK > /tmp/CMD7'],
'echo ${SECRET}OK > /tmp/CMD__7'],
env={'ENTRYPOINT_CONFIG': 'configs/base.yml'}
).run),
'/tmp/CMD7',
'/tmp/CMD__7',
1000,
1000,
), (
Process(target=ProxyMain(
args=['pyentrypoint', 'bash', '-c', 'echo OK > /tmp/CMD8'],
args=['pyentrypoint', 'bash', '-c', 'echo OK > /tmp/CMD__8'],
env={'ENTRYPOINT_CONFIG': 'configs/usernames.yml'}
).run),
'/tmp/CMD8',
'/tmp/CMD__8',
33,
33,
), (
Process(target=ProxyMain(
args=['pyentrypoint', 'bash', '-c', 'echo OK > /tmp/CMD9'],
args=['pyentrypoint', 'bash', '-c', 'echo OK > /tmp/CMD__9'],
env={'ENTRYPOINT_CONFIG': 'configs/unhandled.yml'}
).run),
'/tmp/CMD9',
'/tmp/CMD__9',
0,
0,
), (
Process(target=ProxyMain(
args=['pyentrypoint', 'bash', '-c', 'echo OK > /tmp/CMD10'],
args=['pyentrypoint', 'bash', '-c', 'echo OK > /tmp/CMD__10'],
env={'ENTRYPOINT_CONFIG': 'configs/unhandled_force.yml',
'ENTRYPOINT_FORCE': 'true'}
).run),
@ -70,18 +70,18 @@ def test_main():
0,
), (
Process(target=ProxyMain(
args=['pyentrypoint', 'bash', '-c', 'echo OK > /tmp/CMD11'],
args=['pyentrypoint', 'bash', '-c', 'echo OK > /tmp/CMD__11'],
env={'ENTRYPOINT_CONFIG': '/dontexist'}
).run),
'/tmp/CMD11',
'/tmp/CMD__11',
0,
0,
), (
Process(target=ProxyMain(
args=['pyentrypoint', 'bash', '-c', 'echo OK > /tmp/CMD12'],
args=['pyentrypoint', 'bash', '-c', 'echo OK > /tmp/CMD__12'],
env={'ENTRYPOINT_CONFIG': 'configs/base_with_errors.yml'}
).run),
'/tmp/CMD12',
'/tmp/CMD__12',
1000,
1000,
)

@ -193,12 +193,16 @@ def test_command():
conf='/dontexist',
args=['bash', '-c', 'echo OK > /tmp/CMD5']).launch),
'/tmp/CMD5', 0, 0),
(Process(target=Entrypoint(
conf='configs/secret_env.yml',
args=['bash', '-c', 'echo ${SECRET}OK > /tmp/CMD6']).launch),
'/tmp/CMD6', 0, 0),
]
for proc, test, uid, gid in run:
proc.start()
proc.join()
with open(test) as f:
with open(test, 'r') as f:
assert f.readline().startswith('OK')
assert os.stat(test).st_uid == uid
assert os.stat(test).st_gid == gid
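Review bot: The new `secret_env.yml` case writing `/tmp/CMD6` asserts the output starts with `OK`, which is also true when `SECRET` is simply unset, so unless the harness exports it the test does not demonstrate the `'*'` wipe. Set it explicitly before the process is started, e.g. `os.environ['SECRET'] = 'LEAK'` ahead of the `run` list (the child presumably inherits it, since `self.env` is built from `os.environ` in the command.py hunk), and consider asserting the line is exactly `OK`. `test_command`'s body begins before this hunk.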
