-
Notifications
You must be signed in to change notification settings - Fork 15
Expand file tree
/
Copy pathtest-token-unset.sh
More file actions
executable file
·74 lines (61 loc) · 2.26 KB
/
test-token-unset.sh
File metadata and controls
executable file
·74 lines (61 loc) · 2.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
#!/bin/bash
# Test script to verify tokens are unset from /proc/1/environ after agent starts
set -e
echo "=== Testing token unsetting from entrypoint environ ==="
# Set test tokens
export GITHUB_TOKEN="ghp_test_token_12345"
export OPENAI_API_KEY="sk-test_openai_key_67890"
export ANTHROPIC_API_KEY="sk-ant-test_key_abcdef"
echo "Test tokens set in host environment"
# Run a simple command that waits 10 seconds (longer than the 5-second token unset delay)
# This gives us time to check /proc/1/environ inside the container
echo "Running awf with test tokens..."
sudo -E node dist/cli.js \
--allow-domains example.com \
--build-local \
--keep-containers \
-- bash -c '
echo "Agent started, checking /proc/1/environ in container..."
sleep 2
# Check if tokens are still in /proc/1/environ
echo "Checking /proc/1/environ for GITHUB_TOKEN..."
if cat /proc/1/environ | tr "\0" "\n" | grep -q "GITHUB_TOKEN="; then
echo "ERROR: GITHUB_TOKEN still in /proc/1/environ"
exit 1
else
echo "SUCCESS: GITHUB_TOKEN not in /proc/1/environ"
fi
echo "Checking /proc/1/environ for OPENAI_API_KEY..."
if cat /proc/1/environ | tr "\0" "\n" | grep -q "OPENAI_API_KEY="; then
echo "ERROR: OPENAI_API_KEY still in /proc/1/environ"
exit 1
else
echo "SUCCESS: OPENAI_API_KEY not in /proc/1/environ"
fi
echo "Checking /proc/1/environ for ANTHROPIC_API_KEY..."
if cat /proc/1/environ | tr "\0" "\n" | grep -q "ANTHROPIC_API_KEY="; then
echo "ERROR: ANTHROPIC_API_KEY still in /proc/1/environ"
exit 1
else
echo "SUCCESS: ANTHROPIC_API_KEY not in /proc/1/environ"
fi
# Verify agent can still read tokens via getenv (cached by one-shot-token library)
echo "Checking if agent can still read GITHUB_TOKEN via getenv..."
if [ -n "$GITHUB_TOKEN" ]; then
echo "SUCCESS: Agent can still read GITHUB_TOKEN (value: ${GITHUB_TOKEN:0:10}...)"
else
echo "WARNING: GITHUB_TOKEN not accessible to agent"
fi
echo "All checks passed!"
exit 0
'
EXIT_CODE=$?
# Cleanup
echo "Cleaning up containers..."
sudo docker compose -f /tmp/awf-*/docker-compose.yml down -v 2>/dev/null || true
if [ $EXIT_CODE -eq 0 ]; then
echo "=== TEST PASSED ==="
else
echo "=== TEST FAILED ==="
exit 1
fi