config: hide authentication credentials in String() output

02e06839 · Fabian Reinartz · 92c20168 · 02e06839 · 02e06839 · 02e06839
隐藏空白更改
内联并排

Showing with 20 addition and 10 deletion

config/config.go config/config.go +10 -6

config/config_test.go config/config_test.go +8 -2

config/testdata/conf.good.yml config/testdata/conf.good.yml +2 -2

未找到文件。
--- a/config/config.go
+++ b/config/config.go
@@ -20,6 +20,7 @@ var (
 	patJobName    = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_-]*$`)
 	patFileSDName = regexp.MustCompile(`^[^*]*(\*[^/]*)?\.(json|yml|yaml|JSON|YML|YAML)$`)
 	patRulePath   = regexp.MustCompile(`^[^*]*(\*[^/]*)?$`)
+	patAuthLine   = regexp.MustCompile(`((?:username|password):\s+)(".+"|'.+'|[^\s]+)`)
 )

 // Load parses the YAML input s into a Config.
@@ -118,14 +119,17 @@ func checkOverflow(m map[string]interface{}, ctx string) error {
 }

 func (c Config) String() string {
+	var s string
 	if c.original != "" {
-		return c.original
-	}
-	b, err := yaml.Marshal(c)
-	if err != nil {
-		return fmt.Sprintf("<error creating config string: %s>", err)
+		s = c.original
+	} else {
+		b, err := yaml.Marshal(c)
+		if err != nil {
+			return fmt.Sprintf("<error creating config string: %s>", err)
+		}
+		s = string(b)
 	}
-	return string(b)
+	return patAuthLine.ReplaceAllString(s, "${1}<hidden>")
 }

 // UnmarshalYAML implements the yaml.Unmarshaler interface.

--- a/config/config_test.go
+++ b/config/config_test.go
@@ -85,8 +85,8 @@ var expectedConf = &Config{
 			ScrapeTimeout:  Duration(5 * time.Second),

 			BasicAuth: &BasicAuth{
-				Username: "admin",
-				Password: "password",
+				Username: "admin_name",
+				Password: "admin_password",
 			},
 			MetricsPath: "/my_path",
 			Scheme:      "https",
@@ -183,6 +183,12 @@ func TestLoadConfig(t *testing.T) {
 	if !reflect.DeepEqual(c, expectedConf) {
 		t.Fatalf("%s: unexpected config result: \n\n%s\n expected\n\n%s", "testdata/conf.good.yml", bgot, bexp)
 	}
+
+	// String method must not reveal authentication credentials.
+	s := c.String()
+	if strings.Contains(s, "admin_name") || strings.Contains(s, "admin_password") {
+		t.Fatalf("config's String method reveals authentication credentials.")
+	}
 }

 var expectedErrors = []struct {

--- a/config/testdata/conf.good.yml
+++ b/config/testdata/conf.good.yml
@@ -49,8 +49,8 @@ scrape_configs:
 - job_name: service-x

  basic_auth:
-    username: admin
-    password: password
+    username: admin_name
+    password: admin_password

  scrape_interval: 50s
  scrape_timeout:  5s