client: add NOMAD_LICENSE to default env deny list

By default we should not expose the NOMAD_LICENSE environment variable to tasks. Also refactor where the DefaultEnvDenyList lives so we don't have to maintain 2 copies of it. Since client/config is the most obvious location, keep a reference there to its unfortunate home buried deep in command/agent/host. Since the agent uses this list as well for the /agent/host endpoint the list must be accessible from both command/agent and client.
2021-09-21 12:58:51 -07:00 · 2021-09-21 12:58:51 -07:00 · 4ad0c258b9
parent 7d2ca0088e
commit 4ad0c258b9
4 changed files with 21 additions and 18 deletions
--- a/.changelog/11215.txt
+++ b/.changelog/11215.txt
@ -0,0 +1,3 @@
+```release-note:bug
+client: Added `NOMAD_LICENSE` to default environment variable deny list.
+```
--- a/client/config/config.go
+++ b/client/config/config.go
@ -9,6 +9,7 @@ import (
 	"time"

 	"github.com/hashicorp/nomad/client/lib/cgutil"
+	"github.com/hashicorp/nomad/command/agent/host"

 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/nomad/client/state"
@ -23,14 +24,7 @@ import (
 var (
 	// DefaultEnvDenylist is the default set of environment variables that are
 	// filtered when passing the environment variables of the host to a task.
-	// duplicated in command/agent/host, update that if this changes.
-	DefaultEnvDenylist = strings.Join([]string{
-		"CONSUL_TOKEN",
-		"CONSUL_HTTP_TOKEN",
-		"VAULT_TOKEN",
-		"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
-		"GOOGLE_APPLICATION_CREDENTIALS",
-	}, ",")
+	DefaultEnvDenylist = strings.Join(host.DefaultEnvDenyList, ",")

 	// DefaultUserDenylist is the default set of users that tasks are not
 	// allowed to run as when using a driver in "user.checked_drivers"
--- a/command/agent/host/host.go
+++ b/command/agent/host/host.go
@ -87,20 +87,25 @@ func environment() map[string]string {
 	return env
 }

+// DefaultEnvDenyList is the default set of environment variables that are
+// filtered when passing the environment variables of the host to the task.
+//
+// Update https://www.nomadproject.io/docs/configuration/client#env-denylist
+// whenever this is changed.
+var DefaultEnvDenyList = []string{
+	"CONSUL_TOKEN",
+	"CONSUL_HTTP_TOKEN",
+	"VAULT_TOKEN",
+	"NOMAD_LICENSE",
+	"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
+	"GOOGLE_APPLICATION_CREDENTIALS",
+}
+
 // makeEnvRedactSet creates a set of well known environment variables that should be
 // redacted in the output
 func makeEnvRedactSet() map[string]struct{} {
-	// Duplicated from config.DefaultEnvBlacklist in order to avoid an import cycle
-	configDefault := []string{
-		"CONSUL_TOKEN",
-		"CONSUL_HTTP_TOKEN",
-		"VAULT_TOKEN",
-		"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
-		"GOOGLE_APPLICATION_CREDENTIALS",
-	}
-
 	set := make(map[string]struct{})
-	for _, e := range configDefault {
+	for _, e := range DefaultEnvDenyList {
 		set[e] = struct{}{}
 	}

--- a/website/content/docs/configuration/client.mdx
+++ b/website/content/docs/configuration/client.mdx
@ -235,6 +235,7 @@ see the [drivers documentation](/docs/drivers).
  CONSUL_TOKEN
  CONSUL_HTTP_TOKEN
  VAULT_TOKEN
+  NOMAD_LICENSE
  AWS_ACCESS_KEY_ID
  AWS_SECRET_ACCESS_KEY
  AWS_SESSION_TOKEN