config: hide authentication credentials in String() output

Fabian Reinartz 2015-07-06 14:25:20 +02:00
parent 92c20168c4
commit 02e06839f2
3 changed files with 20 additions and 10 deletions


@ -20,6 +20,7 @@ var (
patJobName = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_-]*$`) patJobName = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_-]*$`)
patFileSDName = regexp.MustCompile(`^[^*]*(\*[^/]*)?\.(json|yml|yaml|JSON|YML|YAML)$`) patFileSDName = regexp.MustCompile(`^[^*]*(\*[^/]*)?\.(json|yml|yaml|JSON|YML|YAML)$`)
patRulePath = regexp.MustCompile(`^[^*]*(\*[^/]*)?$`) patRulePath = regexp.MustCompile(`^[^*]*(\*[^/]*)?$`)
patAuthLine = regexp.MustCompile(`((?:username|password):\s+)(".+"|'.+'|[^\s]+)`)
) )
// Load parses the YAML input s into a Config. // Load parses the YAML input s into a Config.
@ -118,14 +119,17 @@ func checkOverflow(m map[string]interface{}, ctx string) error {
} }
func (c Config) String() string { func (c Config) String() string {
var s string
if c.original != "" { if c.original != "" {
return c.original s = c.original
} } else {
b, err := yaml.Marshal(c) b, err := yaml.Marshal(c)
if err != nil { if err != nil {
return fmt.Sprintf("<error creating config string: %s>", err) return fmt.Sprintf("<error creating config string: %s>", err)
} }
return string(b) s = string(b)
}
return patAuthLine.ReplaceAllString(s, "${1}<hidden>")
} }
// UnmarshalYAML implements the yaml.Unmarshaler interface. // UnmarshalYAML implements the yaml.Unmarshaler interface.
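Review bot: The last alternative in `patAuthLine`, `[^\s]+`, stops at the first whitespace, so an unquoted value that contains a space (`password: my secret`) is only partly replaced and the rest stays visible in the String() output; a block scalar (`password: |` with the value on the next line) is not hidden at all. Redacting through the end of the line closes the first gap, for example with the pattern `((?:username|password):[ \t]+)[^\n]*`, keeping `"${1}<hidden>"` as the replacement. Text matching on serialized YAML remains best-effort, so a marshal hook on the credential fields would be the sturdier place to hide them, and String() deserves a doc comment such as `// String returns the config as YAML with username and password values replaced by <hidden>.` The var block that holds patAuthLine begins outside the hunk.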


@ -85,8 +85,8 @@ var expectedConf = &Config{
ScrapeTimeout: Duration(5 * time.Second), ScrapeTimeout: Duration(5 * time.Second),
BasicAuth: &BasicAuth{ BasicAuth: &BasicAuth{
Username: "admin", Username: "admin_name",
Password: "password", Password: "admin_password",
}, },
MetricsPath: "/my_path", MetricsPath: "/my_path",
Scheme: "https", Scheme: "https",
@ -183,6 +183,12 @@ func TestLoadConfig(t *testing.T) {
if !reflect.DeepEqual(c, expectedConf) { if !reflect.DeepEqual(c, expectedConf) {
t.Fatalf("%s: unexpected config result: \n\n%s\n expected\n\n%s", "testdata/conf.good.yml", bgot, bexp) t.Fatalf("%s: unexpected config result: \n\n%s\n expected\n\n%s", "testdata/conf.good.yml", bgot, bexp)
} }
// String method must not reveal authentication credentials.
s := c.String()
if strings.Contains(s, "admin_name") || strings.Contains(s, "admin_password") {
t.Fatalf("config's String method reveals authentication credentials.")
}
} }
var expectedErrors = []struct { var expectedErrors = []struct {
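Review bot: The added check in TestLoadConfig calls String() only on the loaded config `c`, and the fixture values `admin_name` and `admin_password` contain no spaces or quotes, so the redaction is verified for the simplest input shape only. Assuming Load keeps the input text in `original`, the yaml.Marshal branch of String() is never exercised; repeating the check on `expectedConf.String()` would cover it. A second fixture entry with a quoted value and one with an embedded space would pin down the cases the regular expression has to handle. TestLoadConfig starts outside the hunk.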


@ -49,8 +49,8 @@ scrape_configs:
- job_name: service-x - job_name: service-x
basic_auth: basic_auth:
username: admin username: admin_name
password: password password: admin_password
scrape_interval: 50s scrape_interval: 50s
scrape_timeout: 5s scrape_timeout: 5s