From 8d508712c988393f3c279b1c544d5349212fd2e2 Mon Sep 17 00:00:00 2001
From: Mario Minardi
Date: Sun, 22 Sep 2024 20:15:26 -0600
Subject: [PATCH] tailcfg: add AcceptEnv field to SSHRule (#13523)

Add an `AcceptEnv` field to `SSHRule`. This will contain the collection of environment variable names / patterns that are specified in the `acceptEnv` block for the SSH rule within the policy file. This will be used in the tailscale client to filter out unacceptable environment variables.

Updates: https://github.com/tailscale/corp/issues/22775

Signed-off-by: Mario Minardi
---
 tailcfg/tailcfg.go | 7 +++++++
 tailcfg/tailcfg_clone.go | 2 ++
 tailcfg/tailcfg_view.go | 2 ++
 3 files changed, 11 insertions(+)

diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go
index 0d4fae3d5..1a8576f20 100644
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -2451,6 +2451,13 @@ type SSHRule struct {
 // Action is the outcome to task.
 // A nil or invalid action means to deny.
 Action *SSHAction `json:"action"`
+
+ // AcceptEnv is a slice of environment variable names that are allowlisted
+ // for the SSH rule in the policy file.
+ //
+ // AcceptEnv values may contain * and ? wildcard characters which match against
+ // an arbitrary number of characters or a single character respectively.
+ AcceptEnv []string `json:"acceptEnv,omitempty"`
 }
 
 // SSHPrincipal is either a particular node or a user on any node.
diff --git a/tailcfg/tailcfg_clone.go b/tailcfg/tailcfg_clone.go
index a98efe4d1..61564f3f8 100644
--- a/tailcfg/tailcfg_clone.go
+++ b/tailcfg/tailcfg_clone.go
@@ -505,6 +505,7 @@ func (src *SSHRule) Clone() *SSHRule {
 }
 dst.SSHUsers = maps.Clone(src.SSHUsers)
 dst.Action = src.Action.Clone()
+ dst.AcceptEnv = append(src.AcceptEnv[:0:0], src.AcceptEnv...)
 return dst
 }
 
@@ -514,6 +515,7 @@ func (src *SSHRule) Clone() *SSHRule {
 Principals []*SSHPrincipal
 SSHUsers map[string]string
 Action *SSHAction
+ AcceptEnv []string
 }{})
 
 // Clone makes a deep copy of SSHAction.
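Review bot: The new AcceptEnv doc comment (the six `+` lines after `Action`) explains the wildcard syntax but not the hazard a policy author most needs to know: a pattern such as `*` or `LD_*` lets the client forward variables like `LD_PRELOAD` or `PATH` that change what the SSH session executes, which is the same caution OpenSSH attaches to its own AcceptEnv directive. The matching code lives in the client and is outside this patch, so this comment is currently the only statement of the contract between the policy file and the enforcing side, and `omitempty` means a nil and an empty slice are indistinguishable on the wire, which is fine only if both mean "accept nothing". I'd extend the comment with `// An empty or absent AcceptEnv accepts no client-supplied environment variables. Patterns are matched against the whole variable name; a bare "*" allows every variable and should be used with care.`, confirming the default-deny and whole-name claims against the client implementation when it lands. The SSHRule struct starts before this hunk.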
diff --git a/tailcfg/tailcfg_view.go b/tailcfg/tailcfg_view.go
index 3bc57ec29..a3e19b0dc 100644
--- a/tailcfg/tailcfg_view.go
+++ b/tailcfg/tailcfg_view.go
@@ -1126,6 +1126,7 @@ func (v SSHRuleView) Principals() views.SliceView[*SSHPrincipal, SSHPrincipalVie
 func (v SSHRuleView) SSHUsers() views.Map[string, string] { return views.MapOf(v.ж.SSHUsers) }
 func (v SSHRuleView) Action() SSHActionView { return v.ж.Action.View() }
+func (v SSHRuleView) AcceptEnv() views.Slice[string] { return views.SliceOf(v.ж.AcceptEnv) }
 
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _SSHRuleViewNeedsRegeneration = SSHRule(struct {
@@ -1133,6 +1134,7 @@ func (v SSHRuleView) Action() SSHActionView { return v.ж.Action.V
 Principals []*SSHPrincipal
 SSHUsers map[string]string
 Action *SSHAction
+ AcceptEnv []string
 }{})
 
 // View returns a readonly view of SSHAction.