Replace setenv with env list supporting host passthrough

2026-04-22 20:47:01 +02:00
parent 76c5be0e72
commit 494da52fc6
7 changed files with 266 additions and 62 deletions
@@ -1163,13 +1163,39 @@ fn whitelist_strips_dbus_vars() {
 }

 #[test]
-fn whitelist_setenv_injects_user_var() {
+fn whitelist_env_sets_user_var() {
    let stdout = printenv_inside(
-        &["--whitelist", "--setenv", "USER_INJECTED=forced"],
+        &["--whitelist", "--env", "USER_INJECTED=forced"],
        &[],
        &["USER_INJECTED"],
    );
-    assert!(stdout.contains("forced"), "setenv not applied: {stdout}");
+    assert!(stdout.contains("forced"), "env not applied: {stdout}");
+}
+
+#[test]
+fn whitelist_env_keep_passes_through_host_var() {
+    let stdout = printenv_inside(
+        &["--whitelist", "--env", "PASSED_THROUGH"],
+        &[("PASSED_THROUGH", "from-host")],
+        &["PASSED_THROUGH"],
+    );
+    assert!(
+        stdout.contains("from-host"),
+        "expected --env KEY to pass host value through: {stdout}"
+    );
+}
+
+#[test]
+fn whitelist_env_keep_absent_host_var_is_skipped() {
+    let stdout = printenv_inside(
+        &["--whitelist", "--env", "NEVER_SET_ON_HOST"],
+        &[],
+        &["NEVER_SET_ON_HOST"],
+    );
+    assert!(
+        stdout.contains("MISSING:NEVER_SET_ON_HOST"),
+        "expected absent keep-var to remain unset: {stdout}"
+    );
 }

 #[test]
@@ -1301,28 +1327,28 @@ fn no_env_filter_blacklist_keeps_secrets() {
 }

 #[test]
-fn no_env_filter_still_honors_user_setenv() {
+fn no_env_filter_still_honors_user_env() {
    let stdout = printenv_inside(
-        &["--no-env-filter", "--setenv", "FORCED=yes"],
+        &["--no-env-filter", "--env", "FORCED=yes"],
        &[],
        &["FORCED"],
    );
    assert!(
        stdout.contains("yes"),
-        "expected user --setenv to still work with --no-env-filter, got: {stdout}"
+        "expected user --env to still work with --no-env-filter, got: {stdout}"
    );
 }

 #[test]
-fn blacklist_setenv_overrides_builtin_deny() {
+fn blacklist_env_overrides_builtin_deny() {
    let stdout = printenv_inside(
-        &["--setenv", "GH_TOKEN=overridden"],
+        &["--env", "GH_TOKEN=overridden"],
        &[("GH_TOKEN", "original")],
        &["GH_TOKEN"],
    );
    assert!(
        stdout.contains("overridden"),
-        "expected --setenv to override deny, got: {stdout}"
+        "expected --env to override deny, got: {stdout}"
    );
    assert!(!stdout.contains("original"));
 }