Merge pull request #860 from hashicorp/f-hide-tokens

Hide tokens from logs and monitor
Ryan Uber 2015-04-12 11:21:59 -07:00
commit 74b9af5c48
2 changed files with 37 additions and 2 deletions


@ -282,17 +282,26 @@ func (s *HTTPServer) wrap(handler func(resp http.ResponseWriter, req *http.Reque
f := func(resp http.ResponseWriter, req *http.Request) { f := func(resp http.ResponseWriter, req *http.Request) {
setHeaders(resp, s.agent.config.HTTPAPIResponseHeaders) setHeaders(resp, s.agent.config.HTTPAPIResponseHeaders)
// Obfuscate any tokens from appearing in the logs
req.ParseForm()
logURL := req.URL.String()
if tokens, ok := req.Form["token"]; ok {
for _, token := range tokens {
logURL = strings.Replace(logURL, token, "<hidden>", -1)
}
}
// Invoke the handler // Invoke the handler
start := time.Now() start := time.Now()
defer func() { defer func() {
s.logger.Printf("[DEBUG] http: Request %v (%v)", req.URL, time.Now().Sub(start)) s.logger.Printf("[DEBUG] http: Request %v (%v)", logURL, time.Now().Sub(start))
}() }()
obj, err := handler(resp, req) obj, err := handler(resp, req)
// Check for an error // Check for an error
HAS_ERR: HAS_ERR:
if err != nil { if err != nil {
s.logger.Printf("[ERR] http: Request %v, error: %v", req.URL, err) s.logger.Printf("[ERR] http: Request %v, error: %v", logURL, err)
code := 500 code := 500
errMsg := err.Error() errMsg := err.Error()
if strings.Contains(errMsg, "Permission denied") || strings.Contains(errMsg, "ACL not found") { if strings.Contains(errMsg, "Permission denied") || strings.Contains(errMsg, "ACL not found") {
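Review bot: `req.ParseForm()` in the added obfuscation block discards its error and, for a form-encoded POST/PUT/PATCH request, reads the body before `handler` runs, so a handler that expects to read the body itself may find it empty; only the query string is needed here, so `req.URL.Query()` is enough. The substring replace also compares the decoded token with the still-escaped `req.URL.String()`, so a token with characters the client percent-escaped would not match and would still be written to the log, and an empty `token=` makes `strings.Replace` insert `<hidden>` between every character. Redacting on the parsed query and re-encoding it, as below, avoids depending on the client's escaping; note that it sorts the parameters and escapes the placeholder in the logged URL. wrap's body starts before and continues past this hunk.

```go
// Obfuscate any tokens from appearing in the logs
logURL := req.URL.String()
if q := req.URL.Query(); len(q["token"]) > 0 {
	// Redact on the parsed values so the result does not depend on how
	// the client escaped the token in the raw query string.
	q.Set("token", "<hidden>")
	redacted := *req.URL
	redacted.RawQuery = q.Encode()
	logURL = redacted.String()
}
// … unchanged: handler invocation and the two log calls that print logURL …
```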


@ -6,6 +6,7 @@ import (
"fmt" "fmt"
"io" "io"
"io/ioutil" "io/ioutil"
"log"
"net" "net"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
@ -13,6 +14,7 @@ import (
"path/filepath" "path/filepath"
"runtime" "runtime"
"strconv" "strconv"
"strings"
"testing" "testing"
"time" "time"
@ -274,6 +276,30 @@ func TestContentTypeIsJSON(t *testing.T) {
} }
} }
func TestHTTP_wrap_obfuscateLog(t *testing.T) {
dir, srv := makeHTTPServer(t)
defer os.RemoveAll(dir)
defer srv.Shutdown()
defer srv.agent.Shutdown()
// Attach a custom logger so we can inspect it
buf := &bytes.Buffer{}
srv.logger = log.New(buf, "", log.LstdFlags)
resp := httptest.NewRecorder()
req, _ := http.NewRequest("GET", "/some/url?token=secret1&token=secret2", nil)
handler := func(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
return nil, nil
}
srv.wrap(handler)(resp, req)
// Make sure no tokens from the URL show up in the log
if strings.Contains(buf.String(), "secret") {
t.Fatalf("bad: %s", buf.String())
}
}
func TestPrettyPrint(t *testing.T) { func TestPrettyPrint(t *testing.T) {
testPrettyPrint("pretty=1", t) testPrettyPrint("pretty=1", t)
} }