From 08cf2681d3e908f23ce7b1e4e5a02beb57b27d7c Mon Sep 17 00:00:00 2001
From: Michael Schurter
Date: Tue, 21 Sep 2021 12:58:51 -0700
Subject: [PATCH] client: add NOMAD_LICENSE to default env deny list

By default we should not expose the NOMAD_LICENSE environment variable to tasks. Also refactor where the DefaultEnvDenyList lives so we don't have to maintain 2 copies of it. Since client/config is the most obvious location, keep it there as a pointer to its unfortunate home buried deep in command/agent/host. Since the agent uses this list as well for the /agent/host endpoint the list must be accessible from both command/agent and client.
---
 client/config/config.go | 10 ++--------
 command/agent/host/host.go | 22 ++++++++++++----------
 2 files changed, 14 insertions(+), 18 deletions(-)
diff --git a/client/config/config.go b/client/config/config.go
index e9c5e0fa5622..e1b8fe64ce60 100644
--- a/client/config/config.go
+++ b/client/config/config.go
@@ -9,6 +9,7 @@ import (
 	"time"
 	"github.com/hashicorp/nomad/client/lib/cgutil"
+	"github.com/hashicorp/nomad/command/agent/host"
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/nomad/client/state"
@@ -23,14 +24,7 @@ import (
 var (
 	// DefaultEnvDenylist is the default set of environment variables that are
 	// filtered when passing the environment variables of the host to a task.
-	// duplicated in command/agent/host, update that if this changes.
-	DefaultEnvDenylist = strings.Join([]string{
-		"CONSUL_TOKEN",
-		"CONSUL_HTTP_TOKEN",
-		"VAULT_TOKEN",
-		"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
-		"GOOGLE_APPLICATION_CREDENTIALS",
-	}, ",")
+	DefaultEnvDenylist = strings.Join(host.DefaultEnvDenyList, ",")
 	// DefaultUserDenylist is the default set of users that tasks are not
 	// allowed to run as when using a driver in "user.checked_drivers"
diff --git a/command/agent/host/host.go b/command/agent/host/host.go
index 1940a01d22c8..5fb8fa92adaf 100644
--- a/command/agent/host/host.go
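Review bot: The new line `DefaultEnvDenylist = strings.Join(host.DefaultEnvDenyList, ",")` exports a name that differs from `host.DefaultEnvDenyList` only in the case of one letter, which is easy to mis-read or mis-autocomplete when both packages are in scope; a comment naming the relationship would help. The string value is computed once at package init, so it is a snapshot: if anything later appended to or reordered the exported slice `host.DefaultEnvDenyList`, the agent's `makeEnvRedactSet` and this client-side value would silently disagree about which credential-bearing variables (and now `NOMAD_LICENSE`) are kept out of task environments. I would add to the comment above it: `// Derived at init from host.DefaultEnvDenyList, the single source of truth for this list; that slice must be treated as read-only.` The enclosing `var (` block continues outside the hunk.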
+++ b/command/agent/host/host.go
@@ -87,20 +87,22 @@ func environment() map[string]string {
 	return env
 }
+// DefaultEnvDenyList is the default set of environment variables that are
+// filtered when passing the environment variables of the host to the task.
+var DefaultEnvDenyList = []string{
+	"CONSUL_TOKEN",
+	"CONSUL_HTTP_TOKEN",
+	"VAULT_TOKEN",
+	"NOMAD_LICENSE",
+	"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
+	"GOOGLE_APPLICATION_CREDENTIALS",
+}
+
 // makeEnvRedactSet creates a set of well known environment variables that should be
 // redacted in the output
 func makeEnvRedactSet() map[string]struct{} {
-	// Duplicated from config.DefaultEnvBlacklist in order to avoid an import cycle
-	configDefault := []string{
-		"CONSUL_TOKEN",
-		"CONSUL_HTTP_TOKEN",
-		"VAULT_TOKEN",
-		"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
-		"GOOGLE_APPLICATION_CREDENTIALS",
-	}
-
 	set := make(map[string]struct{})
-	for _, e := range configDefault {
+	for _, e := range DefaultEnvDenyList {
 		set[e] = struct{}{}
 	}