Simplify environment templating #45

New Issue

Open

opened 2020-05-15 18:40:07 +02:00 by veenj · 0 comments

veenj commented 2020-05-15 18:40:07 +02:00 (Migrated from gitlab.com)

Copy Link

At the moment using templates inside environment variables is verbose as every existing environment variable needs to be named before they can be used:

programs:
  - name: echo
    path: echo
    env:
      ENVVAR:
      ACTUAL_ENVVAR: "{{ ENVVAR }}-suffix"

An easier approach would allow users to reference any environment variable of cinit during templating, without passing the entire environment to the forked child:

programs:
  - name: echo
    path: echo
    env:
      ACTUAL_ENVVAR: "{{ ENVVAR }}-suffix"

Child echo is not given ENVVAR.

Compatibility

This is a breaking change as the second example will render to a different string than currently suggested by the documentation. To keep the change backward compatible a new CLI flag could be added to make the desired behaviour optional.

Security Considerations

This feature makes it easier to leak environment variable's data into a child which should not have access to it. A careless user might hand more data to the child than desirable. Thus care must be taken when referencing any variable from cinit's environment.

Implementation

Inside cinit::analyse::process_builder::copy_from_config maintain a separate dictionary context next to result. Initialise it with the environment from cinit and sanitise it with cinit::analyse::process_builder::sanitise_env. Then pass it as context to every templating operation and add the final text to the context as well.

At the moment using templates inside environment variables is verbose as every existing environment variable needs to be named before they can be used: ```yaml programs: - name: echo path: echo env: ENVVAR: ACTUAL_ENVVAR: "{{ ENVVAR }}-suffix" ``` An easier approach would allow users to reference any environment variable of cinit during templating, without passing the entire environment to the forked child: ```yaml programs: - name: echo path: echo env: ACTUAL_ENVVAR: "{{ ENVVAR }}-suffix" ``` Child `echo` is not given `ENVVAR`. ## Compatibility This is a breaking change as the second example will render to a different string than currently suggested by the documentation. To keep the change backward compatible a new CLI flag could be added to make the desired behaviour optional. ## Security Considerations This feature makes it easier to leak environment variable's data into a child which should not have access to it. A careless user might hand more data to the child than desirable. Thus care must be taken when referencing any variable from cinit's environment. ## Implementation Inside `cinit::analyse::process_builder::copy_from_config` maintain a separate dictionary `context` next to `result`. Initialise it with the environment from cinit and sanitise it with `cinit::analyse::process_builder::sanitise_env`. Then pass it as context to every templating operation and add the final text to the `context` as well.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

stable

issue-50

1.6.3

1.6.2

1.6.1

1.6.0

1.5.2

1.5.1

1.5.0

1.4.2

1.4.1

1.4.0

1.3.9

1.3.8

1.3.7

1.3.6

1.3.5

1.3.4

1.3.3

1.3.2

1.3.1

1.3.0

1.2.6

1.2.5

1.2.4

1.2.3

1.2.2

1.2.1

1.2.0

1.1.2

1.1.1

1.0.1

1.0.0

0.1.0

Labels

Clear labels   

Bug

  

Feature

  

QA

  

Testing

No Label

Bug

Feature

QA

Testing

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: veenj/cinit#45

No description provided.