From adbc5c92c65ccf6086b3e27c231d2075dd208b5a Mon Sep 17 00:00:00 2001 From: Ryan Uber Date: Sun, 12 Apr 2015 11:17:31 -0700 Subject: [PATCH] agent: hide tokens from logs and monitor --- command/agent/http.go | 13 +++++++++++-- command/agent/http_test.go | 26 ++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 2 deletions(-) diff --git a/command/agent/http.go b/command/agent/http.go index 52e75e6ee..24e0879fd 100644 --- a/command/agent/http.go +++ b/command/agent/http.go @@ -282,17 +282,26 @@ func (s *HTTPServer) wrap(handler func(resp http.ResponseWriter, req *http.Reque f := func(resp http.ResponseWriter, req *http.Request) { setHeaders(resp, s.agent.config.HTTPAPIResponseHeaders) + // Obfuscate any tokens from appearing in the logs + req.ParseForm() + logURL := req.URL.String() + if tokens, ok := req.Form["token"]; ok { + for _, token := range tokens { + logURL = strings.Replace(logURL, token, "", -1) + } + } + // Invoke the handler start := time.Now() defer func() { - s.logger.Printf("[DEBUG] http: Request %v (%v)", req.URL, time.Now().Sub(start)) + s.logger.Printf("[DEBUG] http: Request %v (%v)", logURL, time.Now().Sub(start)) }() obj, err := handler(resp, req) // Check for an error HAS_ERR: if err != nil { - s.logger.Printf("[ERR] http: Request %v, error: %v", req.URL, err) + s.logger.Printf("[ERR] http: Request %v, error: %v", logURL, err) code := 500 errMsg := err.Error() if strings.Contains(errMsg, "Permission denied") || strings.Contains(errMsg, "ACL not found") { diff --git a/command/agent/http_test.go b/command/agent/http_test.go index 1faa4ac99..7adff75fb 100644 --- a/command/agent/http_test.go +++ b/command/agent/http_test.go @@ -6,6 +6,7 @@ import ( "fmt" "io" "io/ioutil" + "log" "net" "net/http" "net/http/httptest" @@ -13,6 +14,7 @@ import ( "path/filepath" "runtime" "strconv" + "strings" "testing" "time" @@ -274,6 +276,30 @@ func TestContentTypeIsJSON(t *testing.T) { } } +func TestHTTP_wrap_obfuscateLog(t *testing.T) { + dir, srv := makeHTTPServer(t) + defer os.RemoveAll(dir) + defer srv.Shutdown() + defer srv.agent.Shutdown() + + // Attach a custom logger so we can inspect it + buf := &bytes.Buffer{} + srv.logger = log.New(buf, "", log.LstdFlags) + + resp := httptest.NewRecorder() + req, _ := http.NewRequest("GET", "/some/url?token=secret1&token=secret2", nil) + + handler := func(resp http.ResponseWriter, req *http.Request) (interface{}, error) { + return nil, nil + } + srv.wrap(handler)(resp, req) + + // Make sure no tokens from the URL show up in the log + if strings.Contains(buf.String(), "secret") { + t.Fatalf("bad: %s", buf.String()) + } +} + func TestPrettyPrint(t *testing.T) { testPrettyPrint("pretty=1", t) }