WIP stab to refactor environment.

attestation/context.go

@@ -117,6 +117,7 @@ type AttestationContext struct {
 	materials           map[string]cryptoutil.DigestSet
 	stepName            string
 	mutex               sync.RWMutex
+	environmentCapturer *environment.Capture
 }
 
 type Product struct {
@@ -229,6 +230,8 @@ func (ctx *AttestationContext) DirHashGlob() []glob.Glob {
 	return ctx.dirHashGlobCompiled
 }
 
+
+
 func (ctx *AttestationContext) CompletedAttestors() []CompletedAttestor {
 	ctx.mutex.RLock()
 	out := make([]CompletedAttestor, len(ctx.completedAttestors))

attestation/environment/environment.go

@@ -22,6 +22,7 @@ import (
 	"strings"
 
 	"github.com/in-toto/go-witness/attestation"
+	envCapture "github.com/in-toto/go-witness/environment"
 	"github.com/in-toto/go-witness/registry"
 	"github.com/invopop/jsonschema"
 )
@@ -62,7 +63,7 @@ func init() {
 					return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a)
 				}
 
-				WithFilterVarsEnabled()(envAttestor)
+				envCapture.WithFilterVarsEnabled()(envAttestor.capture)
 				return envAttestor, nil
 			},
 		),
@@ -76,7 +77,7 @@ func init() {
 					return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a)
 				}
 
-				WithDisableDefaultSensitiveList()(envAttestor)
+				envCapture.WithDisableDefaultSensitiveList()(envAttestor.capture)
 				return envAttestor, nil
 			},
 		),
@@ -90,7 +91,7 @@ func init() {
 					return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a)
 				}
 
-				WithAdditionalKeys(additionalKeys)(envAttestor)
+				envCapture.WithAdditionalKeys(additionalKeys)(envAttestor.capture)
 				return envAttestor, nil
 			},
 		),
@@ -104,7 +105,7 @@ func init() {
 					return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a)
 				}
 
-				WithExcludeKeys(excludeKeys)(envAttestor)
+				envCapture.WithExcludeKeys(excludeKeys)(envAttestor.capture)
 				return envAttestor, nil
 			},
 		),
@@ -117,12 +118,8 @@ type Attestor struct {
 	Username  string            `json:"username"`
 	Variables map[string]string `json:"variables,omitempty"`
 
-	osEnviron                   func() []string
-	sensitiveVarsList           map[string]struct{}
-	addSensitiveVarsList        map[string]struct{}
-	excludeSensitiveVarsList    map[string]struct{}
-	filterVarsEnabled           bool
-	disableSensitiveVarsDefault bool
+	capture   *envCapture.Capture
+	osEnviron func() []string
 }
 
 type Option func(*Attestor)
@@ -169,9 +166,10 @@ func WithCustomEnv(osEnviron func() []string) Option {
 
 func New(opts ...Option) *Attestor {
 	attestor := &Attestor{
-		sensitiveVarsList:        DefaultSensitiveEnvList(),
+		sensitiveVarsList:        envCapture.DefaultSensitiveEnvList(),
 		addSensitiveVarsList:     map[string]struct{}{},
 		excludeSensitiveVarsList: map[string]struct{}{},
+		capture:                  *envCapture.New(),
 	}
 
 	attestor.osEnviron = os.Environ
@@ -211,26 +209,7 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 		a.Username = user.Username
 	}
 
-	// Prepare sensitive keys list.
-	var finalSensitiveKeysList map[string]struct{}
-	if a.disableSensitiveVarsDefault {
-		a.sensitiveVarsList = map[string]struct{}{}
-	}
-	finalSensitiveKeysList = a.sensitiveVarsList
-	for k, v := range a.addSensitiveVarsList {
-		finalSensitiveKeysList[k] = v
-	}
-
-	// Filter or obfuscate
-	if a.filterVarsEnabled {
-		FilterEnvironmentArray(a.osEnviron(), finalSensitiveKeysList, a.excludeSensitiveVarsList, func(key, val, _ string) {
-			a.Variables[key] = val
-		})
-	} else {
-		ObfuscateEnvironmentArray(a.osEnviron(), finalSensitiveKeysList, a.excludeSensitiveVarsList, func(key, val, _ string) {
-			a.Variables[key] = val
-		})
-	}
+	a.Variables = a.capture.Capture(ctx, a.osEnviron())
 
 	return nil
 }

environment/environment.go

@@ -0,0 +1,117 @@
+// Copyright 2024 The Witness Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package environment
+
+import (
+	"strings"
+
+	"github.com/in-toto/go-witness/attestation"
+)
+
+type Capture struct {
+	sensitiveVarsList           map[string]struct{}
+	addSensitiveVarsList        map[string]struct{}
+	excludeSensitiveVarsList    map[string]struct{}
+	filterVarsEnabled           bool
+	disableSensitiveVarsDefault bool
+}
+
+type Option func(*Capture)
+
+// WithFilterVarsEnabled will make the filter (removing) of vars the acting behavior.
+// The default behavior is obfuscation of variables.
+func WithFilterVarsEnabled() Option {
+	return func(c *Capture) {
+		c.filterVarsEnabled = true
+	}
+}
+
+// WithAdditionalKeys add additional keys to final list that is checked for sensitive variables.
+func WithAdditionalKeys(additionalKeys []string) Option {
+	return func(c *Capture) {
+		for _, value := range additionalKeys {
+			c.addSensitiveVarsList[value] = struct{}{}
+		}
+	}
+}
+
+// WithExcludeKeys add additional keys to final list that is checked for sensitive variables.
+func WithExcludeKeys(excludeKeys []string) Option {
+	return func(c *Capture) {
+		for _, value := range excludeKeys {
+			c.excludeSensitiveVarsList[value] = struct{}{}
+		}
+	}
+}
+
+// WithDisableDefaultSensitiveList will disable the default list and only use the additional keys.
+func WithDisableDefaultSensitiveList() Option {
+	return func(c *Capture) {
+		c.disableSensitiveVarsDefault = true
+	}
+}
+
+func New(opts ...Option) *Capture {
+	capture := &Capture{
+		sensitiveVarsList:        DefaultSensitiveEnvList(),
+		addSensitiveVarsList:     map[string]struct{}{},
+		excludeSensitiveVarsList: map[string]struct{}{},
+	}
+
+	for _, opt := range opts {
+		opt(capture)
+	}
+
+	return capture
+}
+
+func (c *Capture) Capture(ctx *attestation.AttestationContext, env []string) (map[string]string) {
+	variables := make(map[string]string)
+
+	// Prepare sensitive keys list.
+	var finalSensitiveKeysList map[string]struct{}
+	if c.disableSensitiveVarsDefault {
+		c.sensitiveVarsList = map[string]struct{}{}
+	}
+	finalSensitiveKeysList = c.sensitiveVarsList
+	for k, v := range c.addSensitiveVarsList {
+		finalSensitiveKeysList[k] = v
+	}
+
+	// Filter or obfuscate
+	if c.filterVarsEnabled {
+		FilterEnvironmentArray(env, finalSensitiveKeysList, c.excludeSensitiveVarsList, func(key, val, _ string) {
+			variables[key] = val
+		})
+	} else {
+		ObfuscateEnvironmentArray(env, finalSensitiveKeysList, c.excludeSensitiveVarsList, func(key, val, _ string) {
+			variables[key] = val
+		})
+	}
+
+	return variables
+}
+
+// splitVariable splits a string representing an environment variable in the format of
+// "KEY=VAL" and returns the key and val separately.
+func splitVariable(v string) (key, val string) {
+	parts := strings.SplitN(v, "=", 2)
+	key = parts[0]
+	if len(parts) > 1 {
+		val = parts[1]
+	}
+
+	return
+}

environment/environment_test.go

@@ -0,0 +1,2 @@
+package environment
+

attestation/environment/filter.go → environment/filter.go

@@ -1,4 +1,4 @@
-// Copyright 2021 The Witness Contributors
+// Copyright 2024 The Witness Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.