Merge pull request #860 from hashicorp/f-hide-tokens
Hide tokens from logs and monitor
This commit is contained in:
commit
74b9af5c48
|
@ -282,17 +282,26 @@ func (s *HTTPServer) wrap(handler func(resp http.ResponseWriter, req *http.Reque
|
||||||
f := func(resp http.ResponseWriter, req *http.Request) {
|
f := func(resp http.ResponseWriter, req *http.Request) {
|
||||||
setHeaders(resp, s.agent.config.HTTPAPIResponseHeaders)
|
setHeaders(resp, s.agent.config.HTTPAPIResponseHeaders)
|
||||||
|
|
||||||
|
// Obfuscate any tokens from appearing in the logs
|
||||||
|
req.ParseForm()
|
||||||
|
logURL := req.URL.String()
|
||||||
|
if tokens, ok := req.Form["token"]; ok {
|
||||||
|
for _, token := range tokens {
|
||||||
|
logURL = strings.Replace(logURL, token, "<hidden>", -1)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Invoke the handler
|
// Invoke the handler
|
||||||
start := time.Now()
|
start := time.Now()
|
||||||
defer func() {
|
defer func() {
|
||||||
s.logger.Printf("[DEBUG] http: Request %v (%v)", req.URL, time.Now().Sub(start))
|
s.logger.Printf("[DEBUG] http: Request %v (%v)", logURL, time.Now().Sub(start))
|
||||||
}()
|
}()
|
||||||
obj, err := handler(resp, req)
|
obj, err := handler(resp, req)
|
||||||
|
|
||||||
// Check for an error
|
// Check for an error
|
||||||
HAS_ERR:
|
HAS_ERR:
|
||||||
if err != nil {
|
if err != nil {
|
||||||
s.logger.Printf("[ERR] http: Request %v, error: %v", req.URL, err)
|
s.logger.Printf("[ERR] http: Request %v, error: %v", logURL, err)
|
||||||
code := 500
|
code := 500
|
||||||
errMsg := err.Error()
|
errMsg := err.Error()
|
||||||
if strings.Contains(errMsg, "Permission denied") || strings.Contains(errMsg, "ACL not found") {
|
if strings.Contains(errMsg, "Permission denied") || strings.Contains(errMsg, "ACL not found") {
|
||||||
|
|
|
@ -6,6 +6,7 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
"log"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/http/httptest"
|
"net/http/httptest"
|
||||||
|
@ -13,6 +14,7 @@ import (
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"runtime"
|
"runtime"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
@ -274,6 +276,30 @@ func TestContentTypeIsJSON(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestHTTP_wrap_obfuscateLog(t *testing.T) {
|
||||||
|
dir, srv := makeHTTPServer(t)
|
||||||
|
defer os.RemoveAll(dir)
|
||||||
|
defer srv.Shutdown()
|
||||||
|
defer srv.agent.Shutdown()
|
||||||
|
|
||||||
|
// Attach a custom logger so we can inspect it
|
||||||
|
buf := &bytes.Buffer{}
|
||||||
|
srv.logger = log.New(buf, "", log.LstdFlags)
|
||||||
|
|
||||||
|
resp := httptest.NewRecorder()
|
||||||
|
req, _ := http.NewRequest("GET", "/some/url?token=secret1&token=secret2", nil)
|
||||||
|
|
||||||
|
handler := func(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
srv.wrap(handler)(resp, req)
|
||||||
|
|
||||||
|
// Make sure no tokens from the URL show up in the log
|
||||||
|
if strings.Contains(buf.String(), "secret") {
|
||||||
|
t.Fatalf("bad: %s", buf.String())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestPrettyPrint(t *testing.T) {
|
func TestPrettyPrint(t *testing.T) {
|
||||||
testPrettyPrint("pretty=1", t)
|
testPrettyPrint("pretty=1", t)
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue