One time key

.github/workflows/code-review.yml

@@ -11,7 +11,7 @@ jobs:
       pull-requests: read
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/codeql-analysis.yml

@@ -37,7 +37,7 @@ jobs:
         # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
     steps:
-    - uses: step-security/harden-runner@v1
+    - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
       with:
         egress-policy: audit
     - name: Checkout repository

.github/workflows/dependency-review.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
           egress-policy: audit
 

.github/workflows/release.yml

@@ -13,7 +13,7 @@ jobs:
       contents: write
     runs-on: ubuntu-20.04
     steps:
-    - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+    - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
       with:
         allowed-endpoints: 
           api.github.com:443

agent.go

@@ -65,8 +65,9 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 		return err
 	}
 
-	apiclient := &ApiClient{Client: &http.Client{Timeout: 3 * time.Second}, APIURL: config.APIURL, DisableTelemetry: config.DisableTelemetry, EgressPolicy: config.EgressPolicy}
+	apiclient := &ApiClient{Client: &http.Client{Timeout: 3 * time.Second}, APIURL: config.APIURL, DisableTelemetry: config.DisableTelemetry, EgressPolicy: config.EgressPolicy, OneTimeKey: config.OneTimeKey}
 
+	config.OneTimeKey = ""
 	// TODO: pass in an iowriter/ use log library
 	WriteLog(fmt.Sprintf("read config \n %+v", config))
 	WriteLog("\n")

apiclient.go

@@ -40,6 +40,7 @@ type ApiClient struct {
 	APIURL           string
 	DisableTelemetry bool
 	EgressPolicy     string
+	OneTimeKey       string
 }
 
 const agentApiBaseUrl = "https://apiurl/v1"
@@ -113,6 +114,7 @@ func (apiclient *ApiClient) sendApiRequest(method, url string, body interface{})
 		return err
 	}
 
+	req.Header.Add("x-one-time-key", apiclient.OneTimeKey)
 	if body != nil {
 		req.Header.Add("Content-Type", "application/json; charset=UTF-8")
 	}

config.go

@@ -16,6 +16,7 @@ type config struct {
 	RunId                 string
 	WorkingDirectory      string
 	APIURL                string
+	OneTimeKey            string
 	Endpoints             map[string][]Endpoint
 	EgressPolicy          string
 	DisableTelemetry      bool
@@ -35,6 +36,7 @@ type configFile struct {
 	RunId                 string `json:"run_id"`
 	WorkingDirectory      string `json:"working_directory"`
 	APIURL                string `json:"api_url"`
+	OneTimeKey            string `json:"one_time_key"`
 	AllowedEndpoints      string `json:"allowed_endpoints"`
 	EgressPolicy          string `json:"egress_policy"`
 	DisableTelemetry      bool   `json:"disable_telemetry"`
@@ -67,6 +69,7 @@ func (c *config) init(configFilePath string) error {
 	c.DisableSudo = configFile.DisableSudo
 	c.DisableFileMonitoring = configFile.DisableFileMonitoring
 	c.Private = configFile.Private
+	c.OneTimeKey = configFile.OneTimeKey
 	return nil
 }