Support new SETFCAP parameter

usimd · Nov 20, 2022 · 612f32a · 612f32a
1 parent a3ed412
commit 612f32a
Show file tree

Hide file tree

Showing 9 changed files with 1,087 additions and 1,278 deletions.
diff --git a/README.md b/README.md
@@ -136,6 +136,12 @@ tries to make sure the stage is respected and its changes are included in the fi
     # buster, bullseye, and testing.
     release: bullseye
 
+    # Setting to `1` will prevent pi-gen from dropping the "capabilities" feature. 
+    # Generating the root filesystem with capabilities enabled and running it from a 
+    # filesystem that does not support capabilities (like NFS) can cause issues. Only 
+    # enable this if you understand what it is.
+    setfcap: ''
+
     # List of stage name to execute in given order. Relative and absolute paths to 
     # custom stage directories are allowed here. Note that by default pi-gen exports 
     # images in stage2 (lite), stage4 and stage5. You probably want to hook in custom 

diff --git a/__test__/configure.test.ts b/__test__/configure.test.ts
@@ -1,5 +1,6 @@
 import {configure} from '../src/configure'
 import * as config from '../src/pi-gen-config'
+import * as core from '@actions/core'
 
 describe('Configure', () => {
   const OLD_ENV = process.env
@@ -31,4 +32,19 @@ describe('Configure', () => {
       })
     )
   })
+
+  it('masks sensitive user input', async () => {
+    jest.spyOn(core, 'info').mockImplementation()
+    jest.spyOn(config, 'validateConfig').mockReturnValue(Promise.resolve())
+
+    process.env['INPUT_IMAGE-NAME'] = 'test'
+    process.env['INPUT_ENABLE-NOOBS'] = 'false'
+    process.env['INPUT_EXPORT-LAST-STAGE-ONLY'] = 'true'
+    process.env['INPUT_PASSWORD'] = 'secretpassword'
+    process.env['INPUT_WPA-PASSWORD'] = 'secretpassword'
+
+    await configure()
+
+    expect(core.info).toBeCalledWith(expect.not.stringContaining('secretpassword'))
+  })
 })
diff --git a/__test__/pi-gen-config.test.ts b/__test__/pi-gen-config.test.ts
@@ -73,6 +73,7 @@ describe('PiGenConfig', () => {
     ['wpaEssid', '0'.repeat(33)],
     ['wpaPassword', '12345'],
     ['wpaPassword', '0'.repeat(64)],
+    ['setfcap', '0'],
     ['stageList', []],
     ['stageList', ['foo']],
     ['stageList', [tmp.fileSync().name]],

diff --git a/action.yml b/action.yml
@@ -12,6 +12,12 @@ inputs:
     description: Use qcow2 images to reduce space and runtime requirements.
     required: false
     default: 1
+  setfcap:
+    description: |
+      Setting to `1` will prevent pi-gen from dropping the "capabilities" feature. Generating the root filesystem with capabilities enabled and running
+      it from a filesystem that does not support capabilities (like NFS) can cause issues. Only enable this if you understand what it is.
+    required: false
+    default: ''
   stage-list:
     description: |
       List of stage name to execute in given order. Relative and absolute paths to custom stage directories are allowed here.

diff --git a/jest.config.js b/jest.config.js
@@ -4,9 +4,9 @@ module.exports = {
   coverageThreshold: {
     global: {
       statements: 96,
-      branches: 78,
+      branches: 79,
       functions: 96,
-      lines: 96
+      lines: 97
     }
   },
   clearMocks: true,