From 984edc99022d6f853d84a753f42c40218344fccc Mon Sep 17 00:00:00 2001
From: Helio Machado <0x2b3bfa0+git@googlemail.com>
Date: Mon, 12 Sep 2022 22:16:26 +0000
Subject: [PATCH 1/2] Mark sensitive environment variables for runners
---
 iterative/resource_runner.go | 4 ++++
 iterative/testdata/script_template_cloud_aws.golden | 1 +
 iterative/testdata/script_template_cloud_azure.golden | 1 +
 iterative/testdata/script_template_cloud_gcp.golden | 1 +
 iterative/testdata/script_template_cloud_kubernetes.golden | 1 +
 5 files changed, 8 insertions(+)
diff --git a/iterative/resource_runner.go b/iterative/resource_runner.go
index 8eb0ebe9..391423a9 100644
--- a/iterative/resource_runner.go
+++ b/iterative/resource_runner.go
@@ -327,19 +327,23 @@ sudo tee /usr/bin/cml.sh << 'EOF'
 export AWS_SECRET_ACCESS_KEY={{escape .AWS_SECRET_ACCESS_KEY}}
 export AWS_ACCESS_KEY_ID={{escape .AWS_ACCESS_KEY_ID}}
 export AWS_SESSION_TOKEN={{escape .AWS_SESSION_TOKEN}}
+export CML_RUNNER_SENSITIVE_ENV=AWS_SECRET_ACCESS_KEY:AWS_ACCESS_KEY_ID:AWS_SESSION_TOKEN
 {{- end}}
 {{- if eq .cloud "azure"}}
 export AZURE_CLIENT_ID={{escape .AZURE_CLIENT_ID}}
 export AZURE_CLIENT_SECRET={{escape .AZURE_CLIENT_SECRET}}
 export AZURE_SUBSCRIPTION_ID={{escape .AZURE_SUBSCRIPTION_ID}}
 export AZURE_TENANT_ID={{escape .AZURE_TENANT_ID}}
+export CML_RUNNER_SENSITIVE_ENV=AZURE_CLIENT_ID:AZURE_CLIENT_SECRET:AZURE_SUBSCRIPTION_ID:AZURE_TENANT_ID
 {{- end}}
 {{- if eq .cloud "gcp"}}
 export GOOGLE_APPLICATION_CREDENTIALS_DATA={{escape .GOOGLE_APPLICATION_CREDENTIALS_DATA}}
 export CML_GCP_ACCESS_TOKEN={{escape .CML_GCP_ACCESS_TOKEN}}
+export CML_RUNNER_SENSITIVE_ENV=GOOGLE_APPLICATION_CREDENTIALS_DATA:CML_GCP_ACCESS_TOKEN
 {{- end}}
 {{- if eq .cloud "kubernetes"}}
 export KUBERNETES_CONFIGURATION={{escape .KUBERNETES_CONFIGURATION}}
+export CML_RUNNER_SENSITIVE_ENV=KUBERNETES_CONFIGURATION
 {{- end}}
 {{- end}}
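Review bot: Each of the four added `CML_RUNNER_SENSITIVE_ENV` lines hand-copies the variable names exported just above it, so a credential export added later to one of the cloud branches is silently left out of the sensitive list unless the author remembers to update both places. Since the Go side already knows these names, consider driving both the `export NAME={{escape .NAME}}` lines and the colon-separated list from one per-cloud slice with a `range`, or at least record the coupling in a template comment that does not reach the generated script, e.g. `{{- /* keep in sync with the credential exports above */}}`. What consumes the variable is not visible in this hunk; if the runner uses it to mask these values in logs, as the name suggests, an incomplete list is a disclosure risk rather than a cosmetic one, so the golden tests should keep asserting the list for every cloud. The `sudo tee /usr/bin/cml.sh` heredoc that encloses these lines starts before the hunk.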
diff --git a/iterative/testdata/script_template_cloud_aws.golden b/iterative/testdata/script_template_cloud_aws.golden
index 783034e0..7b379f94 100644
--- a/iterative/testdata/script_template_cloud_aws.golden
+++ b/iterative/testdata/script_template_cloud_aws.golden
@@ -51,6 +51,7 @@ sudo tee /usr/bin/cml.sh << 'EOF'
 export AWS_SECRET_ACCESS_KEY='0 value with "quotes" and spaces'
 export AWS_ACCESS_KEY_ID='1 value with "quotes" and spaces'
 export AWS_SESSION_TOKEN='2 value with "quotes" and spaces'
+export CML_RUNNER_SENSITIVE_ENV=AWS_SECRET_ACCESS_KEY:AWS_ACCESS_KEY_ID:AWS_SESSION_TOKEN
 while lsof /var/lib/dpkg/lock; do sleep 1; done
diff --git a/iterative/testdata/script_template_cloud_azure.golden b/iterative/testdata/script_template_cloud_azure.golden
index 0cbee5e7..461f7efb 100644
--- a/iterative/testdata/script_template_cloud_azure.golden
+++ b/iterative/testdata/script_template_cloud_azure.golden
@@ -52,6 +52,7 @@ export AZURE_CLIENT_ID='3 value with "quotes" and spaces'
 export AZURE_CLIENT_SECRET='4 value with "quotes" and spaces'
 export AZURE_SUBSCRIPTION_ID='5 value with "quotes" and spaces'
 export AZURE_TENANT_ID='6 value with "quotes" and spaces'
+export CML_RUNNER_SENSITIVE_ENV=AZURE_CLIENT_ID:AZURE_CLIENT_SECRET:AZURE_SUBSCRIPTION_ID:AZURE_TENANT_ID
 while lsof /var/lib/dpkg/lock; do sleep 1; done
diff --git a/iterative/testdata/script_template_cloud_gcp.golden b/iterative/testdata/script_template_cloud_gcp.golden
index 487dcd51..00961510 100644
--- a/iterative/testdata/script_template_cloud_gcp.golden
+++ b/iterative/testdata/script_template_cloud_gcp.golden
@@ -50,6 +50,7 @@ sudo tee /usr/bin/cml.sh << 'EOF'
 #!/bin/sh
 export GOOGLE_APPLICATION_CREDENTIALS_DATA=''
 export CML_GCP_ACCESS_TOKEN=''
+export CML_RUNNER_SENSITIVE_ENV=GOOGLE_APPLICATION_CREDENTIALS_DATA:CML_GCP_ACCESS_TOKEN
 while lsof /var/lib/dpkg/lock; do sleep 1; done
diff --git a/iterative/testdata/script_template_cloud_kubernetes.golden b/iterative/testdata/script_template_cloud_kubernetes.golden
index 1c672bfd..6e9de590 100644
--- a/iterative/testdata/script_template_cloud_kubernetes.golden
+++ b/iterative/testdata/script_template_cloud_kubernetes.golden
@@ -1,6 +1,7 @@
 #!/bin/sh
 sudo systemctl is-enabled cml.service && return 0
 export KUBERNETES_CONFIGURATION='8 value with "quotes" and spaces'
+export CML_RUNNER_SENSITIVE_ENV=KUBERNETES_CONFIGURATION
 while lsof /var/lib/dpkg/lock; do sleep 1; done
From f0a91110083bda7f1e471e7eaf91e4d9ec1b261b Mon Sep 17 00:00:00 2001
From: Helio Machado <0x2b3bfa0+git@googlemail.com>
Date: Mon, 10 Oct 2022 05:51:13 +0200
Subject: [PATCH 2/2] Apply suggestions from code review
---
 iterative/resource_runner.go | 8 ++++----
 iterative/testdata/script_template_cloud_aws.golden | 2 +-
 iterative/testdata/script_template_cloud_azure.golden | 2 +-
 iterative/testdata/script_template_cloud_gcp.golden | 2 +-
 .../testdata/script_template_cloud_kubernetes.golden | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/iterative/resource_runner.go b/iterative/resource_runner.go
index 391423a9..6b27bf7f 100644
--- a/iterative/resource_runner.go
+++ b/iterative/resource_runner.go
@@ -327,23 +327,23 @@ sudo tee /usr/bin/cml.sh << 'EOF'
 export AWS_SECRET_ACCESS_KEY={{escape .AWS_SECRET_ACCESS_KEY}}
 export AWS_ACCESS_KEY_ID={{escape .AWS_ACCESS_KEY_ID}}
 export AWS_SESSION_TOKEN={{escape .AWS_SESSION_TOKEN}}
-export CML_RUNNER_SENSITIVE_ENV=AWS_SECRET_ACCESS_KEY:AWS_ACCESS_KEY_ID:AWS_SESSION_TOKEN
+export _CML_RUNNER_SENSITIVE_ENV=AWS_SECRET_ACCESS_KEY:AWS_ACCESS_KEY_ID:AWS_SESSION_TOKEN
 {{- end}}
 {{- if eq .cloud "azure"}}
 export AZURE_CLIENT_ID={{escape .AZURE_CLIENT_ID}}
 export AZURE_CLIENT_SECRET={{escape .AZURE_CLIENT_SECRET}}
 export AZURE_SUBSCRIPTION_ID={{escape .AZURE_SUBSCRIPTION_ID}}
 export AZURE_TENANT_ID={{escape .AZURE_TENANT_ID}}
-export CML_RUNNER_SENSITIVE_ENV=AZURE_CLIENT_ID:AZURE_CLIENT_SECRET:AZURE_SUBSCRIPTION_ID:AZURE_TENANT_ID
+export _CML_RUNNER_SENSITIVE_ENV=AZURE_CLIENT_ID:AZURE_CLIENT_SECRET:AZURE_SUBSCRIPTION_ID:AZURE_TENANT_ID
 {{- end}}
 {{- if eq .cloud "gcp"}}
 export GOOGLE_APPLICATION_CREDENTIALS_DATA={{escape .GOOGLE_APPLICATION_CREDENTIALS_DATA}}
 export CML_GCP_ACCESS_TOKEN={{escape .CML_GCP_ACCESS_TOKEN}}
-export CML_RUNNER_SENSITIVE_ENV=GOOGLE_APPLICATION_CREDENTIALS_DATA:CML_GCP_ACCESS_TOKEN
+export _CML_RUNNER_SENSITIVE_ENV=GOOGLE_APPLICATION_CREDENTIALS_DATA:CML_GCP_ACCESS_TOKEN
 {{- end}}
 {{- if eq .cloud "kubernetes"}}
 export KUBERNETES_CONFIGURATION={{escape .KUBERNETES_CONFIGURATION}}
-export CML_RUNNER_SENSITIVE_ENV=KUBERNETES_CONFIGURATION
+export _CML_RUNNER_SENSITIVE_ENV=KUBERNETES_CONFIGURATION
 {{- end}}
 {{- end}}
diff --git a/iterative/testdata/script_template_cloud_aws.golden b/iterative/testdata/script_template_cloud_aws.golden
index 7b379f94..f18019a7 100644
--- a/iterative/testdata/script_template_cloud_aws.golden
+++ b/iterative/testdata/script_template_cloud_aws.golden
@@ -51,7 +51,7 @@ sudo tee /usr/bin/cml.sh << 'EOF'
 export AWS_SECRET_ACCESS_KEY='0 value with "quotes" and spaces'
 export AWS_ACCESS_KEY_ID='1 value with "quotes" and spaces'
 export AWS_SESSION_TOKEN='2 value with "quotes" and spaces'
-export CML_RUNNER_SENSITIVE_ENV=AWS_SECRET_ACCESS_KEY:AWS_ACCESS_KEY_ID:AWS_SESSION_TOKEN
+export _CML_RUNNER_SENSITIVE_ENV=AWS_SECRET_ACCESS_KEY:AWS_ACCESS_KEY_ID:AWS_SESSION_TOKEN
 while lsof /var/lib/dpkg/lock; do sleep 1; done
diff --git a/iterative/testdata/script_template_cloud_azure.golden b/iterative/testdata/script_template_cloud_azure.golden
index 461f7efb..049d52de 100644
--- a/iterative/testdata/script_template_cloud_azure.golden
+++ b/iterative/testdata/script_template_cloud_azure.golden
@@ -52,7 +52,7 @@ export AZURE_CLIENT_ID='3 value with "quotes" and spaces'
 export AZURE_CLIENT_SECRET='4 value with "quotes" and spaces'
 export AZURE_SUBSCRIPTION_ID='5 value with "quotes" and spaces'
 export AZURE_TENANT_ID='6 value with "quotes" and spaces'
-export CML_RUNNER_SENSITIVE_ENV=AZURE_CLIENT_ID:AZURE_CLIENT_SECRET:AZURE_SUBSCRIPTION_ID:AZURE_TENANT_ID
+export _CML_RUNNER_SENSITIVE_ENV=AZURE_CLIENT_ID:AZURE_CLIENT_SECRET:AZURE_SUBSCRIPTION_ID:AZURE_TENANT_ID
 while lsof /var/lib/dpkg/lock; do sleep 1; done
diff --git a/iterative/testdata/script_template_cloud_gcp.golden b/iterative/testdata/script_template_cloud_gcp.golden
index 00961510..6f5b1395 100644
--- a/iterative/testdata/script_template_cloud_gcp.golden
+++ b/iterative/testdata/script_template_cloud_gcp.golden
@@ -50,7 +50,7 @@ sudo tee /usr/bin/cml.sh << 'EOF'
 #!/bin/sh
 export GOOGLE_APPLICATION_CREDENTIALS_DATA=''
 export CML_GCP_ACCESS_TOKEN=''
-export CML_RUNNER_SENSITIVE_ENV=GOOGLE_APPLICATION_CREDENTIALS_DATA:CML_GCP_ACCESS_TOKEN
+export _CML_RUNNER_SENSITIVE_ENV=GOOGLE_APPLICATION_CREDENTIALS_DATA:CML_GCP_ACCESS_TOKEN
 while lsof /var/lib/dpkg/lock; do sleep 1; done
diff --git a/iterative/testdata/script_template_cloud_kubernetes.golden b/iterative/testdata/script_template_cloud_kubernetes.golden
index 6e9de590..c298af6f 100644
--- a/iterative/testdata/script_template_cloud_kubernetes.golden
+++ b/iterative/testdata/script_template_cloud_kubernetes.golden
@@ -1,7 +1,7 @@
 #!/bin/sh
 sudo systemctl is-enabled cml.service && return 0
 export KUBERNETES_CONFIGURATION='8 value with "quotes" and spaces'
-export CML_RUNNER_SENSITIVE_ENV=KUBERNETES_CONFIGURATION
+export _CML_RUNNER_SENSITIVE_ENV=KUBERNETES_CONFIGURATION
 while lsof /var/lib/dpkg/lock; do sleep 1; done