ssh: Add logic to set accepted environment variables in SSH session (#13559)

Add logic to set environment variables that match the SSH rule's `acceptEnv` settings in the SSH session's environment. Updates https://github.com/tailscale/corp/issues/22775 Signed-off-by: Mario Minardi <mario@tailscale.com>
2025-08-14 06:57:31 +00:00 · 2024-09-30 21:47:45 -06:00
parent dd6b808acf
commit 8f44ba1cd6
6 changed files with 294 additions and 55 deletions
--- a/ssh/tailssh/accept_env_test.go
+++ b/ssh/tailssh/accept_env_test.go
@@ -108,6 +108,7 @@ func TestFilterEnv(t *testing.T) {
 		acceptEnv        []string
 		environ          []string
 		expectedFiltered []string
+		wantErrMessage   string
 	}{
 		{
 			name:             "simple direct matches",
@@ -127,11 +128,26 @@ func TestFilterEnv(t *testing.T) {
 			environ:          []string{"FOO=BAR", "FOO2=BAZ", "FOO_3=123", "FOOOO4-2=AbCdEfG", "FO1-kmndGamc79567=ABC", "FO57=BAR2"},
 			expectedFiltered: []string{"FOO=BAR", "FOOOO4-2=AbCdEfG", "FO1-kmndGamc79567=ABC"},
 		},
+		{
+			name:             "environ format invalid",
+			acceptEnv:        []string{"FO?", "FOOO*", "FO*5?7"},
+			environ:          []string{"FOOBAR"},
+			expectedFiltered: nil,
+			wantErrMessage:   `invalid environment variable: "FOOBAR". Variables must be in "KEY=VALUE" format`,
+		},
 	}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			filtered := filterEnv(tc.acceptEnv, tc.environ)
+			filtered, err := filterEnv(tc.acceptEnv, tc.environ)
+			if err == nil && tc.wantErrMessage != "" {
+				t.Errorf("wanted error with message %q but error was nil", tc.wantErrMessage)
+			}
+
+			if err != nil && err.Error() != tc.wantErrMessage {
+				t.Errorf("err = %v; want %v", err, tc.wantErrMessage)
+			}
+
 			if diff := cmp.Diff(tc.expectedFiltered, filtered); diff != "" {
 				t.Errorf("unexpected filter result (-got,+want): \n%s", diff)
 			}