From da61a58fc81f84c99c08a07025512c06b23ba12f Mon Sep 17 00:00:00 2001
From: Matthias Glastra
Date: Mon, 30 Sep 2024 10:27:15 +0200
Subject: [PATCH] chore: Adjust naming to filter envs. Fix tests.

Signed-off-by: Matthias Glastra
---
 attestation/environment/environment.go      | 26 +++----
 attestation/environment/environment_test.go | 74 ++++++++++++++++++-
 .../environment/{blocklist.go => filter.go} |  0
 3 files changed, 84 insertions(+), 16 deletions(-)
 rename attestation/environment/{blocklist.go => filter.go} (100%)

diff --git a/attestation/environment/environment.go b/attestation/environment/environment.go
index be1d5a30..793c48c4 100644
--- a/attestation/environment/environment.go
+++ b/attestation/environment/environment.go
@@ -37,7 +37,7 @@ const (
 var (
 	_ attestation.Attestor = &Attestor{}
 	_ EnvironmentAttestor = &Attestor{}
-	defaultBlockSensitiveVarsEnabled = false
+	defaultFilterSensitiveVarsEnabled = false
 	defaultDisableSensitiveVarsDefault = false
 )
 
@@ -53,16 +53,16 @@ type EnvironmentAttestor interface {
 func init() {
 	attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor { return New() },
 		registry.BoolConfigOption(
-			"block-sensitive-vars",
-			"Switch from obfuscate to blocking variables which removes them from the output completely.",
-			defaultBlockSensitiveVarsEnabled,
-			func(a attestation.Attestor, blockSensitiveVarsEnabled bool) (attestation.Attestor, error) {
+			"filter-sensitive-vars",
+			"Switch from obfuscate to filtering variables which removes them from the output completely.",
+			defaultFilterSensitiveVarsEnabled,
+			func(a attestation.Attestor, filterSensitiveVarsEnabled bool) (attestation.Attestor, error) {
 				envAttestor, ok := a.(*Attestor)
 				if !ok {
 					return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a)
 				}
 
-				WithBlockVarsEnabled(blockSensitiveVarsEnabled)(envAttestor)
+				WithFilterVarsEnabled(filterSensitiveVarsEnabled)(envAttestor)
 				return envAttestor, nil
 			},
 		),
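Review bot: The registered option name changes from `"block-sensitive-vars"` to `"filter-sensitive-vars"` with no alias, so a pipeline still passing the old flag either fails at flag parsing or silently falls back to obfuscation (the default stays `false`); which of the two happens is decided by the CLI layer, not visible here. Falling back is fail-safe (values are masked, not leaked) but it is a silent behavior change for anyone who chose removal on purpose, so at minimum the rename belongs in the changelog and the help text should say what filtering means concretely, e.g. `"Remove sensitive variables from the attestation entirely instead of masking their values."`. If `RegisterAttestation` accepts further options (the trailing comma suggests it does, but the call's closing paren is outside this hunk), a deprecated alias is cheap; it must only ever set the field to true so that whichever option is applied last cannot reset the other.

```go
		registry.BoolConfigOption(
			"filter-sensitive-vars",
			// … unchanged: description, default and setter …
		),
		// Deprecated alias for the old flag name; only ever enables filtering so
		// its default cannot override "filter-sensitive-vars" when both are applied.
		registry.BoolConfigOption(
			"block-sensitive-vars",
			"Deprecated: use filter-sensitive-vars.",
			defaultFilterSensitiveVarsEnabled,
			func(a attestation.Attestor, enabled bool) (attestation.Attestor, error) {
				envAttestor, ok := a.(*Attestor)
				if !ok {
					return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a)
				}
				if enabled {
					WithFilterVarsEnabled(true)(envAttestor)
				}
				return envAttestor, nil
			},
		),
```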
@@ -105,17 +105,17 @@ type Attestor struct {
 
 	sensitiveVarsList map[string]struct{}
 	addSensitiveVarsList map[string]struct{}
-	blockVarsEnabled bool
+	filterVarsEnabled bool
 	disableSensitiveVarsDefault bool
 }
 
 type Option func(*Attestor)
 
-// WithBlockVarsEnabled will make the blocking (removing) of vars the acting behavior.
+// WithFilterVarsEnabled will make the filter (removing) of vars the acting behavior.
 // The default behavior is obfuscation of variables.
-func WithBlockVarsEnabled(blockVarsEnabled bool) Option {
+func WithFilterVarsEnabled(filterVarsEnabled bool) Option {
 	return func(a *Attestor) {
-		a.blockVarsEnabled = blockVarsEnabled
+		a.filterVarsEnabled = filterVarsEnabled
 	}
 }
 
@@ -137,7 +137,7 @@ func WithDisableDefaultSensitiveList(disableSensitiveVarsDefault bool) Option {
 
 func New(opts ...Option) *Attestor {
 	attestor := &Attestor{
-		sensitiveVarsList: DefaultSensitiveEnvList(),
+		sensitiveVarsList: DefaultSensitiveEnvList(),
 		addSensitiveVarsList: map[string]struct{}{},
 	}
 
@@ -186,8 +186,8 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 		finalSensitiveKeysList[k] = v
 	}
 
-	// Block or obfuscate
-	if a.blockVarsEnabled {
+	// Filter or obfuscate
+	if a.filterVarsEnabled {
 		FilterEnvironmentArray(os.Environ(), finalSensitiveKeysList, func(key, val, _ string) {
 			a.Variables[key] = val
 		})
diff --git a/attestation/environment/environment_test.go b/attestation/environment/environment_test.go
index 692b8b5f..dd1f4336 100644
--- a/attestation/environment/environment_test.go
+++ b/attestation/environment/environment_test.go
@@ -22,8 +22,10 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestEnvironment(t *testing.T) {
-	attestor := New()
+// TestFilterVarsEnvironment tests if enabling filter behavior works correctly.
+func TestFilterVarsEnvironment(t *testing.T) {
+
+	attestor := New(WithFilterVarsEnabled(true))
 	ctx, err := attestation.NewContext("test", []attestation.Attestor{attestor})
 	require.NoError(t, err)
 
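Review bot: The new doc comment on `WithFilterVarsEnabled` ("will make the filter (removing) of vars the acting behavior") is hard to parse and never says which variables are affected or what the attestation looks like afterwards. Suggest replacing the two comment lines with `// WithFilterVarsEnabled removes sensitive variables from the attestation entirely` / `// instead of obfuscating their values, which is the default behavior.`. The field, option and setter are renamed consistently, so nothing else in this hunk needs to change.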
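Review bot: `TestFilterVarsEnvironment` only exercises removal if the process environment already contains a key present in `attestor.sensitiveVarsList`; on a clean CI runner the loop may never reach the `NotContains` branch, so the test passes without proving that filtering removes anything. Set a known sensitive key before `Attest` with `t.Setenv`, picking one that `DefaultSensitiveEnvList()` returns (the list lives in the renamed filter.go and is not visible in this diff), and assert separately afterwards that it is absent from `attestor.Variables`. The empty line after the opening brace is a leftover that gofmt will keep; drop it by hand. The function body continues in the next hunk, outside this one.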
@@ -32,7 +34,7 @@ func TestEnvironment(t *testing.T) {
 	require.NoError(t, attestor.Attest(ctx))
 	for _, env := range origVars {
 		origKey, _ := splitVariable(env)
-		if _, inBlockList := attestor.blockList[origKey]; inBlockList {
+		if _, inBlockList := attestor.sensitiveVarsList[origKey]; inBlockList {
 			require.NotContains(t, attestor.Variables, origKey)
 		} else {
 			require.Contains(t, attestor.Variables, origKey)
@@ -40,6 +42,7 @@ func TestEnvironment(t *testing.T) {
 	}
 }
 
+// TestEnvironmentObfuscate tests if obfuscate normal behavior works correctly.
 func TestEnvironmentObfuscate(t *testing.T) {
 	attestor := New()
 	ctx, err := attestation.NewContext("test", []attestation.Attestor{attestor})
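Review bot: `inBlockList` is now a stale name: the field it reads is `sensitiveVarsList` and the feature is called filtering everywhere else in this commit, so `if _, isSensitive := attestor.sensitiveVarsList[origKey]; isSensitive {` would read better. This membership check also only covers the default list; `Attest` appears to merge `addSensitiveVarsList` into `finalSensitiveKeysList` before filtering (visible in the environment.go hunk), which is fine here because no additional keys are set, but worth a comment so the next person does not reuse this loop for a test that does. The enclosing function starts outside this hunk.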
@@ -71,3 +74,68 @@ func TestEnvironmentObfuscate(t *testing.T) {
 		}
 	}
 }
+
+// TestEnvironmentObfuscateAdditional tests if the default obfuscate with additional keys works correctly.
+func TestEnvironmentObfuscateAdditional(t *testing.T) {
+	attestor := New(WithAdditionalKeys([]string{"MYNAME"}))
+	ctx, err := attestation.NewContext("test", []attestation.Attestor{attestor})
+	require.NoError(t, err)
+
+	obfuscateEnvs := map[string]struct{}{"API_TOKEN": {}, "MYNAME": {}}
+	secretVarValue := "secret var"
+	publicVarValue := "public var"
+	for k := range obfuscateEnvs {
+		t.Setenv(k, secretVarValue)
+	}
+
+	notObfuscateEnvs := map[string]struct{}{"VAR_FOO": {}, "VAR_BAR": {}}
+	for k := range notObfuscateEnvs {
+		t.Setenv(k, publicVarValue)
+	}
+
+	origVars := os.Environ()
+	require.NoError(t, attestor.Attest(ctx))
+	for _, env := range origVars {
+		origKey, _ := splitVariable(env)
+		if _, inObfuscateList := obfuscateEnvs[origKey]; inObfuscateList {
+			require.NotEqual(t, attestor.Variables[origKey], secretVarValue)
+			require.Equal(t, attestor.Variables[origKey], "******")
+		}
+
+		if _, inNotObfuscateList := notObfuscateEnvs[origKey]; inNotObfuscateList {
+			require.Equal(t, attestor.Variables[origKey], publicVarValue)
+		}
+	}
+}
+
+// TestEnvironmentFilterAdditional tests if enabling filter and adding additional keys works correctly.
+func TestEnvironmentFilterAdditional(t *testing.T) {
+	attestor := New(WithFilterVarsEnabled(true), WithAdditionalKeys([]string{"MYNAME"}))
+	ctx, err := attestation.NewContext("test", []attestation.Attestor{attestor})
+	require.NoError(t, err)
+
+	filterEnvs := map[string]struct{}{"API_TOKEN": {}, "MYNAME": {}}
+	secretVarValue := "secret var"
+	publicVarValue := "public var"
+	for k := range filterEnvs {
+		t.Setenv(k, secretVarValue)
+	}
+
+	notFilterEnvs := map[string]struct{}{"VAR_FOO": {}, "VAR_BAR": {}}
+	for k := range notFilterEnvs {
+		t.Setenv(k, publicVarValue)
+	}
+
+	origVars := os.Environ()
+	require.NoError(t, attestor.Attest(ctx))
+	for _, env := range origVars {
+		origKey, _ := splitVariable(env)
+		if _, inFilterList := filterEnvs[origKey]; inFilterList {
+			require.NotContains(t, attestor.Variables, origKey)
+		}
+
+		if _, inNotObfuscateList := notFilterEnvs[origKey]; inNotObfuscateList {
+			require.Equal(t, attestor.Variables[origKey], publicVarValue)
+		}
+	}
+}
diff --git a/attestation/environment/blocklist.go b/attestation/environment/filter.go
similarity index 100%
rename from attestation/environment/blocklist.go
rename to attestation/environment/filter.go
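Review bot: Neither new test asserts that `secretVarValue` is absent from the attestation as a whole; each only inspects the exact keys it set, so a secret re-emitted under a different key (for example if the filter ever canonicalizes names) would pass unnoticed. Add after `Attest` in both `TestEnvironmentObfuscateAdditional` and `TestEnvironmentFilterAdditional`: `for k, v := range attestor.Variables { require.NotEqual(t, secretVarValue, v, "secret leaked via %s", k) }`, which is the property the feature is actually meant to guarantee. In `TestEnvironmentFilterAdditional` the name `inNotObfuscateList` is copy-pasted from the obfuscate test and should be `inNotFilterList`, and in the obfuscate test `require.NotEqual(..., secretVarValue)` is redundant once the value is asserted to equal `"******"`. Both tests also rely on `"API_TOKEN"` being in the default sensitive list, which this diff does not show; a short comment saying so would keep the test honest if that list changes. testify's `require.Equal` takes the expected value first; the new calls pass actual first, which only affects failure messages but is worth swapping.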