chore: New environment variable obfuscation functionality

attestation/commandrun/commandrun.go

@@ -21,7 +21,6 @@ import (
 	"os/exec"
 
 	"github.com/in-toto/go-witness/attestation"
-	"github.com/in-toto/go-witness/attestation/environment"
 	"github.com/in-toto/go-witness/cryptoutil"
 	"github.com/invopop/jsonschema"
 )
@@ -80,16 +79,8 @@ func WithSilent(silent bool) Option {
 	}
 }
 
-func WithEnvironmentBlockList(blockList map[string]struct{}) Option {
-	return func(cr *CommandRun) {
-		cr.environmentBlockList = blockList
-	}
-}
-
 func New(opts ...Option) *CommandRun {
-	cr := &CommandRun{
-		environmentBlockList: environment.DefaultBlockList(),
-	}
+	cr := &CommandRun{}
 
 	for _, opt := range opts {
 		opt(cr)
@@ -118,10 +109,9 @@ type CommandRun struct {
 	ExitCode  int           `json:"exitcode"`
 	Processes []ProcessInfo `json:"processes,omitempty"`
 
-	silent               bool
-	materials            map[string]cryptoutil.DigestSet
-	enableTracing        bool
-	environmentBlockList map[string]struct{}
+	silent        bool
+	materials     map[string]cryptoutil.DigestSet
+	enableTracing bool
 }
 
 func (a *CommandRun) Schema() *jsonschema.Schema {

attestation/commandrun/tracing_linux.go

@@ -26,8 +26,8 @@ import (
 	"strings"
 
 	"github.com/in-toto/go-witness/attestation"
-	"github.com/in-toto/go-witness/attestation/environment"
 	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/in-toto/go-witness/environment"
 	"github.com/in-toto/go-witness/log"
 	"golang.org/x/sys/unix"
 )
@@ -37,12 +37,12 @@ const (
 )
 
 type ptraceContext struct {
-	parentPid            int
-	mainProgram          string
-	processes            map[int]*ProcessInfo
-	exitCode             int
-	hash                 []cryptoutil.DigestValue
-	environmentBlockList map[string]struct{}
+	parentPid           int
+	mainProgram         string
+	processes           map[int]*ProcessInfo
+	exitCode            int
+	hash                []cryptoutil.DigestValue
+	environmentCapturer *environment.Capture
 }
 
 func enableTracing(c *exec.Cmd) {
@@ -53,11 +53,11 @@ func enableTracing(c *exec.Cmd) {
 
 func (r *CommandRun) trace(c *exec.Cmd, actx *attestation.AttestationContext) ([]ProcessInfo, error) {
 	pctx := &ptraceContext{
-		parentPid:            c.Process.Pid,
-		mainProgram:          c.Path,
-		processes:            make(map[int]*ProcessInfo),
-		hash:                 actx.Hashes(),
-		environmentBlockList: r.environmentBlockList,
+		parentPid:           c.Process.Pid,
+		mainProgram:         c.Path,
+		processes:           make(map[int]*ProcessInfo),
+		hash:                actx.Hashes(),
+		environmentCapturer: actx.EnvironmentCapturer(),
 	}
 
 	if err := pctx.runTrace(); err != nil {
@@ -200,12 +200,14 @@ func (p *ptraceContext) handleSyscall(pid int, regs unix.PtraceRegs) error {
 		environ, err := os.ReadFile(envinLocation)
 		if err == nil {
 			allVars := strings.Split(string(environ), "\x00")
-			filteredEnviron := make([]string, 0)
-			environment.FilterEnvironmentArray(allVars, p.environmentBlockList, func(_, _, varStr string) {
-				filteredEnviron = append(filteredEnviron, varStr)
-			})
 
-			procInfo.Environ = strings.Join(filteredEnviron, " ")
+			env := make([]string, 0)
+			var capturedEnv map[string]string = p.environmentCapturer.Capture(allVars)
+			for k, v := range capturedEnv {
+				env = append(env, fmt.Sprintf("%s=%s", k, v))
+			}
+
+			procInfo.Environ = strings.Join(env, " ")
 		}
 
 		cmdline, err := os.ReadFile(cmdlineLocation)

attestation/context.go

@@ -24,6 +24,7 @@ import (
 
 	"github.com/gobwas/glob"
 	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/in-toto/go-witness/environment"
 	"github.com/in-toto/go-witness/log"
 )
 
@@ -117,6 +118,7 @@ type AttestationContext struct {
 	materials           map[string]cryptoutil.DigestSet
 	stepName            string
 	mutex               sync.RWMutex
+	environmentCapturer *environment.Capture
 }
 
 type Product struct {

attestation/context_env.go

@@ -0,0 +1,52 @@
+// Copyright 2024 The Witness Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package attestation
+
+import (
+	env "github.com/in-toto/go-witness/environment"
+)
+
+func (ctx *AttestationContext) EnvironmentCapturer() *env.Capture {
+	return ctx.environmentCapturer
+}
+
+// WithEnvFilterVarsEnabled will make the filter (removing) of vars the acting behavior.
+// The default behavior is obfuscation of variables.
+func WithEnvFilterVarsEnabled() AttestationContextOption {
+	return func(a *AttestationContext) {
+		env.WithFilterVarsEnabled()(a.environmentCapturer)
+	}
+}
+
+// WithEnvAdditionalKeys add additional keys to final list that is checked for sensitive variables.
+func WithEnvAdditionalKeys(additionalKeys []string) AttestationContextOption {
+	return func(a *AttestationContext) {
+		env.WithAdditionalKeys(additionalKeys)(a.environmentCapturer)
+	}
+}
+
+// WithEnvExcludeKeys add additional keys to final list that is checked for sensitive variables.
+func WithEnvExcludeKeys(excludeKeys []string) AttestationContextOption {
+	return func(a *AttestationContext) {
+		env.WithExcludeKeys(excludeKeys)(a.environmentCapturer)
+	}
+}
+
+// WithEnvDisableDefaultSensitiveList will disable the default list and only use the additional keys.
+func WithEnvDisableDefaultSensitiveList() AttestationContextOption {
+	return func(a *AttestationContext) {
+		env.WithDisableDefaultSensitiveList()(a.environmentCapturer)
+	}
+}

attestation/environment/environment.go

@@ -18,7 +18,6 @@ import (
 	"os"
 	"os/user"
 	"runtime"
-	"strings"
 
 	"github.com/in-toto/go-witness/attestation"
 	"github.com/invopop/jsonschema"
@@ -35,6 +34,8 @@ const (
 var (
 	_ attestation.Attestor = &Attestor{}
 	_ EnvironmentAttestor  = &Attestor{}
+	// defaultFilterSensitiveVarsEnabled                       = false
+	// defaultDisableSensitiveVarsDefault                      = false
 )
 
 type EnvironmentAttestor interface {
@@ -47,9 +48,65 @@ type EnvironmentAttestor interface {
 }
 
 func init() {
-	attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor {
-		return New()
-	})
+	attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor { return New() })
+
+	// registry.BoolConfigOption(
+	// 	"filter-sensitive-vars",
+	// 	"Switch from obfuscate to filtering variables which removes them from the output completely.",
+	// 	defaultFilterSensitiveVarsEnabled,
+	// 	func(a attestation.Attestor, filterSensitiveVarsEnabled bool) (attestation.Attestor, error) {
+	// 		envAttestor, ok := a.(*Attestor)
+	// 		if !ok {
+	// 			return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a)
+	// 		}
+
+	// 		envCapture.WithFilterVarsEnabled()(envAttestor.capture)
+	// 		return envAttestor, nil
+	// 	},
+	// ),
+	// registry.BoolConfigOption(
+	// 	"disable-default-sensitive-vars",
+	// 	"Disable the default list of sensitive vars and only use the items mentioned by --attestor-environment-sensitive-key.",
+	// 	defaultDisableSensitiveVarsDefault,
+	// 	func(a attestation.Attestor, disableSensitiveVarsDefault bool) (attestation.Attestor, error) {
+	// 		envAttestor, ok := a.(*Attestor)
+	// 		if !ok {
+	// 			return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a)
+	// 		}
+
+	// 		envCapture.WithDisableDefaultSensitiveList()(envAttestor.capture)
+	// 		return envAttestor, nil
+	// 	},
+	// ),
+	// registry.StringSliceConfigOption(
+	// 	"add-sensitive-key",
+	// 	"Add keys or globs (e.g. '*TEXT') to the list of sensitive environment keys.",
+	// 	[]string{},
+	// 	func(a attestation.Attestor, additionalKeys []string) (attestation.Attestor, error) {
+	// 		envAttestor, ok := a.(*Attestor)
+	// 		if !ok {
+	// 			return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a)
+	// 		}
+
+	// 		envCapture.WithAdditionalKeys(additionalKeys)(envAttestor.capture)
+	// 		return envAttestor, nil
+	// 	},
+	// ),
+	// registry.StringSliceConfigOption(
+	// 	"exclude-sensitive-key",
+	// 	"Exclude specific keys from the list of sensitive environment keys. Note: This does not support globs.",
+	// 	[]string{},
+	// 	func(a attestation.Attestor, excludeKeys []string) (attestation.Attestor, error) {
+	// 		envAttestor, ok := a.(*Attestor)
+	// 		if !ok {
+	// 			return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a)
+	// 		}
+
+	// 		envCapture.WithExcludeKeys(excludeKeys)(envAttestor.capture)
+	// 		return envAttestor, nil
+	// 	},
+	// ),
+
 }
 
 type Attestor struct {
@@ -58,21 +115,22 @@ type Attestor struct {
 	Username  string            `json:"username"`
 	Variables map[string]string `json:"variables,omitempty"`
 
-	blockList map[string]struct{}
+	osEnviron func() []string
 }
 
 type Option func(*Attestor)
 
-func WithBlockList(blockList map[string]struct{}) Option {
+// WithCustomEnv will override the default os.Environ() method. This could be used to mock.
+func WithCustomEnv(osEnviron func() []string) Option {
 	return func(a *Attestor) {
-		a.blockList = blockList
+		a.osEnviron = osEnviron
 	}
 }
 
 func New(opts ...Option) *Attestor {
-	attestor := &Attestor{
-		blockList: DefaultBlockList(),
-	}
+	attestor := &Attestor{}
+
+	attestor.osEnviron = os.Environ
 
 	for _, opt := range opts {
 		opt(attestor)
@@ -109,25 +167,11 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 		a.Username = user.Username
 	}
 
-	FilterEnvironmentArray(os.Environ(), a.blockList, func(key, val, _ string) {
-		a.Variables[key] = val
-	})
+	a.Variables = ctx.EnvironmentCapturer().Capture(a.osEnviron())
 
 	return nil
 }
 
 func (a *Attestor) Data() *Attestor {
 	return a
 }
-
-// splitVariable splits a string representing an environment variable in the format of
-// "KEY=VAL" and returns the key and val separately.
-func splitVariable(v string) (key, val string) {
-	parts := strings.SplitN(v, "=", 2)
-	key = parts[0]
-	if len(parts) > 1 {
-		val = parts[1]
-	}
-
-	return
-}