Situation
With #3220 we can now provide any environment variable from the parent process to PDS launcher scripts when necessary. In most scenarios this works well.
But what happens in the following situation:
PDS is started, but its storage information is not defined via environment variables but in a different way (e.g. yaml file or system properties).
In this case the inheritance of the storage data to the launcher script will not happen, because the parent process does not have such variables available. The PDS application itself will still work, because Spring Boot injects the information correctly (but not as a process environment variable).
This can happen for example when we start integration test servers locally from an IDE. In that situation it can be very irritating.
Most of this information may also be sensitive, meaning it could be critical if it were stored in a file (yaml/properties) or given as a command line parameter (visible inside event logs etc.).
Wanted
It shall not be possible to define setup information that can be inherited by PDS launcher scripts as anything other than an environment variable. This must be checked/ensured at PDS startup time. If the check fails, the PDS server startup process will be interrupted.
The documentation shall render those parts as ENV only
Solution
PDS-Solutions
[x] The PDS base image script (/sechub-pds-solutions/pds-base/docker/run.sh) must be changed to use environment variables only
Java
[ ] PDS server startup behavior must be changed to stop when one piece of sensitive information is set by something other than an environment variable (can be checked via System.getenv(...)). When nothing is defined for a key it is always okay.
[ ] Documentation generation must handle this automatically (we need some marker inside the code for this)
[ ] For normal unit tests (where we need to change system properties on the fly) the assertion must be disabled
Data which PDS startup must never accept from anything other than ENV variables:
all sensitive parts from PDSStorageConstants.java
spring.datasource.password (integration tests with H2 will still work, because the database is embedded there and a password is not necessary)
pds.admin.userid
pds.admin.password
pds.techuser.userid
pds.techuserid.password
These must also be environment variables only.
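As an added example (not code from the SecHub project), this is how the Java startup check from the checklist above could be implemented for the keys listed in this section. The class name, the ENV_ONLY_KEYS constant and the constructor parameters are assumptions; in the real PDS the two lookup functions would be Spring's Environment::getProperty and System::getenv, the enabled flag would be bound to a property so unit tests can switch the assertion off, and the environment variable name is derived with the Spring Boot relaxed-binding convention (dots to underscores, upper case, dashes dropped). The sample data in main() is constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.function.Function;

/**
 * Startup guard: every key in ENV_ONLY_KEYS that resolves to a value must have
 * been supplied as a process environment variable. Keys that resolve to nothing
 * are always fine (e.g. no datasource password when H2 is embedded).
 */
public final class EnvOnlyStartupCheck {

    // Keys taken from the issue text; the constant name itself is hypothetical.
    static final List<String> ENV_ONLY_KEYS = List.of(
            "spring.datasource.password",
            "pds.admin.userid",
            "pds.admin.password",
            "pds.techuser.userid",
            "pds.techuserid.password");

    private final Function<String, String> resolvedProperty;
    private final Function<String, String> envLookup;
    private final boolean enabled;

    /**
     * @param resolvedProperty value as seen by the application (Environment::getProperty in Spring Boot)
     * @param envLookup        raw process environment (System::getenv in production)
     * @param enabled          false for unit tests that set system properties on the fly
     */
    EnvOnlyStartupCheck(Function<String, String> resolvedProperty,
                        Function<String, String> envLookup, boolean enabled) {
        this.resolvedProperty = resolvedProperty;
        this.envLookup = envLookup;
        this.enabled = enabled;
    }

    /** Spring Boot relaxed binding: pds.admin.userid becomes PDS_ADMIN_USERID. */
    static String toEnvName(String propertyKey) {
        return propertyKey.replace("-", "").replace('.', '_').toUpperCase(Locale.ROOT);
    }

    /** Returns the keys that are defined, but not (only) via an environment variable. */
    List<String> findViolations() {
        List<String> violations = new ArrayList<>();
        if (!enabled) {
            return violations;
        }
        for (String key : ENV_ONLY_KEYS) {
            String value = resolvedProperty.apply(key);
            if (value == null || value.isEmpty()) {
                continue; // nothing defined for this key: always okay
            }
            String envValue = envLookup.apply(toEnvName(key));
            // Missing env value: the setting came from a yaml/properties file or the
            // command line. A different env value: a higher-precedence source (e.g. a
            // system property) overrides the environment, which is just as bad.
            if (envValue == null || !envValue.equals(value)) {
                violations.add(key);
            }
        }
        return violations;
    }

    /** Call once during startup; throwing here interrupts the PDS server start. */
    void assertEnvOnly() {
        List<String> violations = findViolations();
        if (violations.isEmpty()) {
            return;
        }
        List<String> details = new ArrayList<>();
        for (String key : violations) {
            details.add(key + " (expected env variable " + toEnvName(key) + ")");
        }
        throw new IllegalStateException(
                "Sensitive PDS settings must be provided as environment variables only: " + details);
    }

    public static void main(String[] args) {
        // Constructed sample: admin user id came from the environment, the datasource
        // password only from a properties file, the tech user is not set at all.
        Map<String, String> resolved = Map.of(
                "pds.admin.userid", "admin",
                "spring.datasource.password", "from-application-yaml");
        Map<String, String> env = Map.of("PDS_ADMIN_USERID", "admin");

        EnvOnlyStartupCheck check = new EnvOnlyStartupCheck(resolved::get, env::get, true);
        System.out.println("violations: " + check.findViolations());
        try {
            check.assertEnvOnly();
        } catch (IllegalStateException e) {
            System.out.println("startup interrupted: " + e.getMessage());
        }

        // Disabled variant, as unit tests would configure it: never complains.
        EnvOnlyStartupCheck disabled = new EnvOnlyStartupCheck(resolved::get, env::get, false);
        System.out.println("violations when disabled: " + disabled.findViolations());
    }
}
```

Running it with `java EnvOnlyStartupCheck.java` exercises all three cases from the checklist: a key defined via the environment passes, an undefined key is ignored, and a key that only exists in a file interrupts startup with a message naming the environment variable that should have been used. Comparing the resolved value against the environment value, rather than only checking that the variable exists, also catches the case where a system property silently overrides a correctly set environment variable.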