diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
index d1c318c..2315798 100644
--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@@ -11,7 +11,7 @@ jobs:
 pull-requests: read
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+ uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
 with:
 disable-sudo: true
 egress-policy: block
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 8220858..82a059c 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -37,7 +37,7 @@ jobs:
 # Learn more about CodeQL language support at https://git.io/codeql-language-support
 steps:
- - uses: step-security/harden-runner@v1
+ - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
 with:
 egress-policy: audit
 - name: Checkout repository
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index ea4d000..d1813ba 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -17,7 +17,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+ uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
 with:
 egress-policy: audit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1b1f53b..33d8396 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
 contents: write
 runs-on: ubuntu-20.04
 steps:
- - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+ - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
 with:
 allowed-endpoints: api.github.com:443
diff --git a/agent.go b/agent.go
index 80b5cd1..e182fa4 100644
--- a/agent.go
+++ b/agent.go
@@ -65,8 +65,9 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 return err
 }
- apiclient := &ApiClient{Client: &http.Client{Timeout: 3 * time.Second}, APIURL: config.APIURL, DisableTelemetry: config.DisableTelemetry, EgressPolicy: config.EgressPolicy}
+ apiclient := &ApiClient{Client: &http.Client{Timeout: 3 * time.Second}, APIURL: config.APIURL, DisableTelemetry: config.DisableTelemetry, EgressPolicy: config.EgressPolicy, OneTimeKey: config.OneTimeKey}
+ config.OneTimeKey = ""
 // TODO: pass in an iowriter/ use log library
 WriteLog(fmt.Sprintf("read config \n %+v", config))
 WriteLog("\n")
diff --git a/apiclient.go b/apiclient.go
index 2ed19eb..471fdd1 100644
--- a/apiclient.go
+++ b/apiclient.go
@@ -40,6 +40,7 @@ type ApiClient struct {
 APIURL string
 DisableTelemetry bool
 EgressPolicy string
+ OneTimeKey string
 }
 const agentApiBaseUrl = "https://apiurl/v1"
@@ -113,6 +114,7 @@ func (apiclient *ApiClient) sendApiRequest(method, url string, body interface{})
 return err
 }
+ req.Header.Add("x-one-time-key", apiclient.OneTimeKey)
 if body != nil {
 req.Header.Add("Content-Type", "application/json; charset=UTF-8")
 }
diff --git a/config.go b/config.go
index 47f2c90..f927477 100644
--- a/config.go
+++ b/config.go
@@ -16,6 +16,7 @@ type config struct {
 RunId string
 WorkingDirectory string
 APIURL string
+ OneTimeKey string
 Endpoints map[string][]Endpoint
 EgressPolicy string
 DisableTelemetry bool
@@ -35,6 +36,7 @@ type configFile struct {
 RunId string `json:"run_id"`
 WorkingDirectory string `json:"working_directory"`
 APIURL string `json:"api_url"`
+ OneTimeKey string `json:"one_time_key"`
 AllowedEndpoints string `json:"allowed_endpoints"`
 EgressPolicy string `json:"egress_policy"`
 DisableTelemetry bool `json:"disable_telemetry"`
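Review bot: The added `config.OneTimeKey = ""` exists only so the `%+v` dump of `config` a few lines later does not print the key, but nothing in the hunk says so, and a later reorder or a second log of `config` placed before that line would leak it. Add a why-comment, e.g. `// Scrub the secret before config is logged below; apiclient keeps the only copy.`, or move the scrub to immediately precede the WriteLog call so the dependency is local. `apiclient` itself still holds the key after this point, so it must not be dumped with `%+v` either. Run's body starts and ends outside the hunk.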
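Review bot: `req.Header.Add("x-one-time-key", apiclient.OneTimeKey)` is unconditional, so an ApiClient built without a key now sends an empty `x-one-time-key` header on every request; guarding it with `if apiclient.OneTimeKey != "" {` keeps existing configurations byte-identical on the wire. The header is attached to whatever `url` the caller passes to sendApiRequest, so if any call site builds a URL that is not derived from `APIURL` (not visible in this hunk) the key would be sent to that host — worth confirming at the callers. The new `OneTimeKey` field in the struct hunk above has no doc comment; `// OneTimeKey, when set, is sent as the x-one-time-key header on every request made through sendApiRequest.` states the contract. sendApiRequest's body starts and ends outside the hunk.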
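Review bot: The new `OneTimeKey` field on `config` carries no comment marking it as a secret, even though the rest of `config` is dumped with `%+v` in agent.go and Run has to blank the field by hand before that dump. A field comment such as `// OneTimeKey is a secret forwarded to ApiClient; Run blanks it before config is logged.` makes that invariant visible to the next maintainer, and the same applies to the `configFile` field in the following hunk, whose `json:"one_time_key"` tag is the on-disk name. Both struct definitions continue outside their hunks.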
@@ -67,6 +69,7 @@ func (c *config) init(configFilePath string) error {
 c.DisableSudo = configFile.DisableSudo
 c.DisableFileMonitoring = configFile.DisableFileMonitoring
 c.Private = configFile.Private
+ c.OneTimeKey = configFile.OneTimeKey
 return nil
 }