From 5b72db633597080f2e73402671eaf96e322cb60f Mon Sep 17 00:00:00 2001
From: jatin <84621253+h0x0er@users.noreply.github.com>
Date: Thu, 6 Jun 2024 09:12:19 +0530
Subject: [PATCH 1/2] Add one-time-key logic (#430)

---
 agent.go     | 3 ++-
 apiclient.go | 2 ++
 config.go    | 3 +++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/agent.go b/agent.go
index 80b5cd1..e182fa4 100644
--- a/agent.go
+++ b/agent.go
@@ -65,8 +65,9 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 		return err
 	}
 
-	apiclient := &ApiClient{Client: &http.Client{Timeout: 3 * time.Second}, APIURL: config.APIURL, DisableTelemetry: config.DisableTelemetry, EgressPolicy: config.EgressPolicy}
+	apiclient := &ApiClient{Client: &http.Client{Timeout: 3 * time.Second}, APIURL: config.APIURL, DisableTelemetry: config.DisableTelemetry, EgressPolicy: config.EgressPolicy, OneTimeKey: config.OneTimeKey}
 
+	config.OneTimeKey = ""
 	// TODO: pass in an iowriter/ use log library
 	WriteLog(fmt.Sprintf("read config \n %+v", config))
 	WriteLog("\n")
diff --git a/apiclient.go b/apiclient.go
index 2ed19eb..471fdd1 100644
--- a/apiclient.go
+++ b/apiclient.go
@@ -40,6 +40,7 @@ type ApiClient struct {
 	APIURL           string
 	DisableTelemetry bool
 	EgressPolicy     string
+	OneTimeKey       string
 }
 
 const agentApiBaseUrl = "https://apiurl/v1"
@@ -113,6 +114,7 @@ func (apiclient *ApiClient) sendApiRequest(method, url string, body interface{})
 		return err
 	}
 
+	req.Header.Add("x-one-time-key", apiclient.OneTimeKey)
 	if body != nil {
 		req.Header.Add("Content-Type", "application/json; charset=UTF-8")
 	}
diff --git a/config.go b/config.go
index 47f2c90..f927477 100644
--- a/config.go
+++ b/config.go
@@ -16,6 +16,7 @@ type config struct {
 	RunId                 string
 	WorkingDirectory      string
 	APIURL                string
+	OneTimeKey            string
 	Endpoints             map[string][]Endpoint
 	EgressPolicy          string
 	DisableTelemetry      bool
@@ -35,6 +36,7 @@ type configFile struct {
 	RunId                 string `json:"run_id"`
 	WorkingDirectory      string `json:"working_directory"`
 	APIURL                string `json:"api_url"`
+	OneTimeKey            string `json:"one_time_key"`
 	AllowedEndpoints      string `json:"allowed_endpoints"`
 	EgressPolicy          string `json:"egress_policy"`
 	DisableTelemetry      bool   `json:"disable_telemetry"`
@@ -67,6 +69,7 @@ func (c *config) init(configFilePath string) error {
 	c.DisableSudo = configFile.DisableSudo
 	c.DisableFileMonitoring = configFile.DisableFileMonitoring
 	c.Private = configFile.Private
+	c.OneTimeKey = configFile.OneTimeKey
 	return nil
 }
 

From 1c261e00f657e1759c5d19e6dceccc182effed78 Mon Sep 17 00:00:00 2001
From: Varun Sharma <varunsh@stepsecurity.io>
Date: Wed, 5 Jun 2024 20:41:36 -0700
Subject: [PATCH 2/2] Update harden-runner versions

---
 .github/workflows/code-review.yml       | 2 +-
 .github/workflows/codeql-analysis.yml   | 2 +-
 .github/workflows/dependency-review.yml | 2 +-
 .github/workflows/release.yml           | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
index d1c318c..2315798 100644
--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@@ -11,7 +11,7 @@ jobs:
       pull-requests: read
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
           disable-sudo: true
           egress-policy: block
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 8220858..82a059c 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -37,7 +37,7 @@ jobs:
         # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
     steps:
-    - uses: step-security/harden-runner@v1
+    - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
       with:
         egress-policy: audit
     - name: Checkout repository
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index ea4d000..d1813ba 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1b1f53b..33d8396 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
       contents: write
     runs-on: ubuntu-20.04
     steps:
-    - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+    - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
       with:
         allowed-endpoints: 
           api.github.com:443