From 4bd55232769f51286cb109e53bfa8a7b6d7d600e Mon Sep 17 00:00:00 2001
From: Calvin Leung Huang <cleung2010@gmail.com>
Date: Tue, 15 Mar 2016 17:16:25 -0400
Subject: [PATCH 1/2] Obfuscate token for lookupACL error

---
 consul/acl.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/consul/acl.go b/consul/acl.go
index 24cedf8fc0..0397addc1b 100644
--- a/consul/acl.go
+++ b/consul/acl.go
@@ -180,7 +180,14 @@ func (c *aclCache) lookupACL(id, authDC string) (acl.ACL, error) {
 	if strings.Contains(err.Error(), aclNotFound) {
 		return nil, errors.New(aclNotFound)
 	} else {
-		c.logger.Printf("[ERR] consul.acl: Failed to get policy for '%s': %v", id, err)
+		s := id
+		// Print last 3 chars of the token if long enough, otherwise completly hide it
+		if len(s) > 3 {
+			s = fmt.Sprintf("token ending in '%s'", s[len(s)-1:])
+		} else {
+			s = redactedToken
+		}
+		c.logger.Printf("[ERR] consul.acl: Failed to get policy for %s: %v", s, err)
 	}
 
 	// Unable to refresh, apply the down policy

From 912887a4dbee20e5f6c0d1536e4a5060f9676db6 Mon Sep 17 00:00:00 2001
From: Calvin Leung Huang <cleung2010@gmail.com>
Date: Tue, 5 Jul 2016 15:53:30 -0400
Subject: [PATCH 2/2] Fix substring length on obfuscated token

---
 consul/acl.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/consul/acl.go b/consul/acl.go
index 0397addc1b..fa3f558a6c 100644
--- a/consul/acl.go
+++ b/consul/acl.go
@@ -183,7 +183,7 @@ func (c *aclCache) lookupACL(id, authDC string) (acl.ACL, error) {
 		s := id
 		// Print last 3 chars of the token if long enough, otherwise completly hide it
 		if len(s) > 3 {
-			s = fmt.Sprintf("token ending in '%s'", s[len(s)-1:])
+			s = fmt.Sprintf("token ending in '%s'", s[len(s)-3:])
 		} else {
 			s = redactedToken
 		}