cli: pass selected env vars to genpolicy

edgelesssys · Nov 26, 2024 · 331f314 · 331f314
1 parent 36596b8
commit 331f314
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/cli/genpolicy/genpolicy.go b/cli/genpolicy/genpolicy.go
@@ -60,7 +60,7 @@ func (r *Runner) Run(ctx context.Context, yamlPath string, logger *slog.Logger)
 		"--yaml-file=" + yamlPath,
 	}
 	genpolicy := exec.CommandContext(ctx, r.genpolicy.Path(), args...)
-	genpolicy.Env = append(genpolicy.Env, "RUST_LOG=info", "RUST_BACKTRACE=1")
+	genpolicy.Env = env()
 
 	logFilter := newLogTranslator(logger)
 	defer logFilter.stop()
@@ -74,6 +74,20 @@ func (r *Runner) Run(ctx context.Context, yamlPath string, logger *slog.Logger)
 	return nil
 }
 
+func env() []string {
+	env := []string{"RUST_LOG=info", "RUST_BACKTRACE=1"}
+
+	// These env vars control registry credential lookup with
+	// https://github.com/keirlawson/docker_credential/blob/d6b60a829ecdd83fc61f831a7c4a599736461aac/src/lib.rs.
+	for _, key := range []string{"HOME", "DOCKER_CONFIG", "REGISTRY_AUTH_FILE", "XDG_RUNTIME_DIR"} {
+		if val, ok := os.LookupEnv(key); ok {
+			env = append(env, fmt.Sprintf("%s=%s", key, val))
+		}
+	}
+
+	return env
+}
+
 // Teardown cleans up temporary files and should be called after the last Run.
 func (r *Runner) Teardown() error {
 	if r.genpolicy != nil {

diff --git a/cli/genpolicy/genpolicy_test.go b/cli/genpolicy/genpolicy_test.go
@@ -39,6 +39,8 @@ while [ $# -gt 0 ]; do
   esac
   shift
 done
+
+echo -e "HOME=${HOME}\nXDG_RUNTIME_DIR=${XDG_RUNTIME_DIR}\nDOCKER_CONFIG=${DOCKER_CONFIG}\nREGISTRY_AUTH_FILE=${REGISTRY_AUTH_FILE}" >env_path
 `
 
 func TestRunner(t *testing.T) {
@@ -47,6 +49,11 @@ func TestRunner(t *testing.T) {
 	ctx := context.Background()
 	logger := slog.Default()
 
+	t.Setenv("HOME", "/invalid/home")
+	t.Setenv("XDG_RUNTIME_DIR", "/invalid/xdg")
+	t.Setenv("DOCKER_CONFIG", "/invalid/docker")
+	t.Setenv("REGISTRY_AUTH_FILE", "/invalid/registry")
+
 	d := t.TempDir()
 	genpolicyBin := []byte(fmt.Sprintf(scriptTemplate, d))
 
@@ -57,6 +64,7 @@ func TestRunner(t *testing.T) {
 	cachePath := filepath.Join(d, "cache", "cache.json")
 	expectedYAMLPath := filepath.Join(d, "test.yml")
 	yamlPathFile := filepath.Join(d, "yaml_path")
+	envFile := filepath.Join(d, "env_path")
 
 	r, err := New(expectedRulesPath, expectedSettingsPath, cachePath, genpolicyBin)
 	require.NoError(err)
@@ -75,5 +83,17 @@ func TestRunner(t *testing.T) {
 	require.NoError(err)
 	assert.YAMLEq(expectedYAMLPath, string(yamlPath))
 
+	env, err := os.ReadFile(envFile)
+	require.NoError(err)
+	assert.YAMLEq(expectedYAMLPath, string(yamlPath))
+	for _, expected := range []string{
+		"HOME=/invalid/home",
+		"XDG_RUNTIME_DIR=/invalid/xdg",
+		"DOCKER_CONFIG=/invalid/docker",
+		"REGISTRY_AUTH_FILE=/invalid/registry",
+	} {
+		assert.Contains(string(env), expected)
+	}
+
 	require.NoError(r.Teardown())
 }