From c0c47d765087ade9cfe749bb4afc29c7c64892de Mon Sep 17 00:00:00 2001
From: Lucas Di Pentima <lucas.dipentima@curii.com>
Date: Mon, 13 May 2024 16:12:43 -0300
Subject: [PATCH] 21678: Improves credentials passing even further.

By using a here-doc, the token doesn't get leaked on any of the process lists.
This also has the advantage of not needing any config file management.

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima@curii.com>
---
 tools/salt-install/installer.sh | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/tools/salt-install/installer.sh b/tools/salt-install/installer.sh
index 9930fd7708..e97917d333 100755
--- a/tools/salt-install/installer.sh
+++ b/tools/salt-install/installer.sh
@@ -465,19 +465,13 @@ diagnostics-internal)
   declare TESTNODE=$(echo ${ROLE2NODES['shell']} | cut -d\, -f1)
   declare SSH=$(ssh_cmd "$TESTNODE")
 
-  # Set up credentials
-  declare CONFFILE=$(mktemp)
-  trap 'rm "$CONFFILE"' EXIT INT TERM QUIT
-  {
-    echo "ARVADOS_API_HOST=$ARVADOS_API_HOST"
-    echo "ARVADOS_API_TOKEN=$ARVADOS_API_TOKEN"
-  } > $CONFFILE
-  $SSH $DEPLOY_USER@$TESTNODE "sudo bash -c 'mkdir -m 0700 -p ~/.config/arvados'"
-  cat $CONFFILE | $SSH $DEPLOY_USER@$TESTNODE "sudo bash -c 'cat > ~/.config/arvados/settings.conf'"
-
   # Run diagnostics
   echo "Running diagnostics in $TESTNODE..."
-  $SSH $DEPLOY_USER@$TESTNODE "sudo arvados-client diagnostics -internal-client"
+  $SSH $DEPLOY_USER@$TESTNODE bash <<EOF
+  export ARVADOS_API_HOST="${DOMAIN}:${CONTROLLER_EXT_SSL_PORT}" 
+  export ARVADOS_API_TOKEN="$SYSTEM_ROOT_TOKEN" 
+  sudo --preserve-env=ARVADOS_API_HOST,ARVADOS_API_TOKEN arvados-client diagnostics -internal-client
+EOF
 
   ;;
 
-- 
2.30.2