preprocessor: remove stale CUE_TEST_LOGINS env var

As a temporary measure we historically passed CUE_TEST_LOGINS through from the user "host" environment to multi-step scripts in order that they could write out logins.json files as a way of doing hidden auth with the Central Registry. This has since been superseded via a mechanism by which a page declares what test credentials it needs, out of a set of well-defined test credentials that a privileged user (the one running the preprocessor) can access from a hidden endpoint on the Central Registry API that vends short-lived credentials for these test users. Hence we can drop CUE_TEST_LOGINS entirely. Preprocessor-No-Write-Cache: true Signed-off-by: Paul Jolly <[email protected]> Change-Id: Ib77fa5afb07ab076b9cf28cb634df94db6aa88a4 Dispatch-Trailer: {"type":"trybot","CL":1204422,"patchset":2,"ref":"refs/changes/22/1204422/2","targetBranch":"master"}
cue-lang · Nov 21, 2024 · ff0e662 · ff0e662
1 parent f414e38
commit ff0e662
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 50 deletions.
diff --git a/internal/cmd/preprocessor/cmd/rootfile.go b/internal/cmd/preprocessor/cmd/rootfile.go
@@ -705,31 +705,6 @@ func (m *multiStepScript) run() {
 		// otherwise stderr is not line buffered
 		"-t",
 
-		// TODO: as a temporary measure, pass CUE_TEST_LOGINS through from the
-		// host (documentation author) environment to the running multi-step
-		// script. CUE_TEST_LOGINS should be set to a string that can be written
-		// to $CUE_CONFIG_DIR/logins.json. This allows us to perform a headless
-		// 'cue login' step in a guide, whilst asking the user (via #norun
-		// script) to perform an actual 'cue login'.
-		//
-		// The proper/complete solution here is to have the host provide a blob
-		// of JSON that maps from a set of well-known users to credentials. These
-		// well-known users are isolated and limited bot accounts that we define
-		// to perform well-known roles. e.g. user1 has access to these repos,
-		// write access to these others, but no access to these private repos.
-		// We will document the role each such user plays. The central registry
-		// will then give those with sufficient permissions the ability to create
-		// short-lived tokens for these users. The short-lived tokens can then be
-		// passed to the preprocessor. Each guide can then declare the list of
-		// well-known test users it requires. The preprocessor can then lookup
-		// the credentials in the host-provided blob, and make the credentials
-		// available via well-known environment variables e.g.
-		// USER1_CUE_TEST_LOGINS or similar. This approach will also allow us to
-		// know precisely what data that is passed in is credentials. We can also
-		// therefore perform a final "blanking" phase for safety's sake where we
-		// string replace credentials with '*****' or similar.
-		"-e", "CUE_TEST_LOGINS",
-
 		// mount the bash script
 		"--mount", fmt.Sprintf("type=bind,source=%s,target=/scripts,readonly", scriptsDir),
 	)

diff --git a/internal/cmd/preprocessor/cmd/testdata/execute_multistagescript.txtar b/internal/cmd/preprocessor/cmd/testdata/execute_multistagescript.txtar
@@ -2,8 +2,6 @@
 # This includes formatting an upload node, running a script node, and
 # skipping formatting a file in another upload node.
 
-env CUE_TEST_LOGINS=blah
-
 unquote content/dir/en.md golden/content/dir/en.md.writeBack
 
 # Run the preprocessor
@@ -146,10 +144,6 @@ Hello!
 >{{{with script "en" "subst env var"}}}
 >echo $CUELANG_CUE_DEFAULT
 >{{{end}}}
->
->{{{with script "en" "passed in env var"}}}
->echo $CUE_TEST_LOGINS
->{{{end}}}
 -- golden/content/dir/en.md.writeBack --
 >---
 >title: JSON Superset
@@ -215,10 +209,6 @@ Hello!
 >{{{with script "en" "subst env var"}}}
 >echo $CUELANG_CUE_DEFAULT
 >{{{end}}}
->
->{{{with script "en" "passed in env var"}}}
->echo $CUE_TEST_LOGINS
->{{{end}}}
 -- golden/hugo/content/en/dir/index.md --
 ---
 title: JSON Superset
@@ -285,11 +275,6 @@ $ nonexistent command
 $ echo v0.9.0-alpha.3
 v0.9.0-alpha.3
 ```
-
-```text { title="TERMINAL" type="terminal" codeToCopy="ZWNobyAkQ1VFX1RFU1RfTE9HSU5T" }
-$ echo $CUE_TEST_LOGINS
-blah
-```
 -- golden/content/dir/gen_cache.cue --
 package site
 {
@@ -303,8 +288,8 @@ package site
 						"in-subdir":       "0qJmh3aq7QZU2/HOLE30MQebvDJcPzZbV6DUBf0kyNM="
 					}
 					multi_step: {
-						hash:       "J4VHBNFQTQD3N68LBEHKLFF8JBD9SEROLP4Q44MPPKE5AGTIUVRG===="
-						scriptHash: "RTE18RDQ3BFG4B5U2VR92496OPO5NOT61C424QBCDDT1RAAGPOUG===="
+						hash:       "VIP77P8O62HK9CELKATL279BJ4GLEA4IBHAA10DCIR66FIDSENO0===="
+						scriptHash: "4R7CKCD6U3F6M7HMDOORM6L5LARG5T2HN3S7TGFFUFAJ61CAS8LG===="
 						steps: [{
 							doc:      ""
 							cmd:      "cat nested/file.txt"
@@ -385,14 +370,6 @@ package site
 							output: """
 									v0.9.0-alpha.3
 
-									"""
-						}, {
-							doc:      ""
-							cmd:      "echo $CUE_TEST_LOGINS"
-							exitCode: 0
-							output: """
-									blah
-
 									"""
 						}]
 					}