mirror of https://github.com/prometheus/prometheus
config: hide authentication credentials in String() output
parent
92c20168c4
commit
02e06839f2
|
@ -20,6 +20,7 @@ var (
|
|||
patJobName = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_-]*$`)
|
||||
patFileSDName = regexp.MustCompile(`^[^*]*(\*[^/]*)?\.(json|yml|yaml|JSON|YML|YAML)$`)
|
||||
patRulePath = regexp.MustCompile(`^[^*]*(\*[^/]*)?$`)
|
||||
patAuthLine = regexp.MustCompile(`((?:username|password):\s+)(".+"|'.+'|[^\s]+)`)
|
||||
)
|
||||
|
||||
// Load parses the YAML input s into a Config.
|
||||
|
@ -118,14 +119,17 @@ func checkOverflow(m map[string]interface{}, ctx string) error {
|
|||
}
|
||||
|
||||
func (c Config) String() string {
|
||||
var s string
|
||||
if c.original != "" {
|
||||
return c.original
|
||||
s = c.original
|
||||
} else {
|
||||
b, err := yaml.Marshal(c)
|
||||
if err != nil {
|
||||
return fmt.Sprintf("<error creating config string: %s>", err)
|
||||
}
|
||||
s = string(b)
|
||||
}
|
||||
b, err := yaml.Marshal(c)
|
||||
if err != nil {
|
||||
return fmt.Sprintf("<error creating config string: %s>", err)
|
||||
}
|
||||
return string(b)
|
||||
return patAuthLine.ReplaceAllString(s, "${1}<hidden>")
|
||||
}
|
||||
|
||||
// UnmarshalYAML implements the yaml.Unmarshaler interface.
|
||||
|
|
|
@ -85,8 +85,8 @@ var expectedConf = &Config{
|
|||
ScrapeTimeout: Duration(5 * time.Second),
|
||||
|
||||
BasicAuth: &BasicAuth{
|
||||
Username: "admin",
|
||||
Password: "password",
|
||||
Username: "admin_name",
|
||||
Password: "admin_password",
|
||||
},
|
||||
MetricsPath: "/my_path",
|
||||
Scheme: "https",
|
||||
|
@ -183,6 +183,12 @@ func TestLoadConfig(t *testing.T) {
|
|||
if !reflect.DeepEqual(c, expectedConf) {
|
||||
t.Fatalf("%s: unexpected config result: \n\n%s\n expected\n\n%s", "testdata/conf.good.yml", bgot, bexp)
|
||||
}
|
||||
|
||||
// String method must not reveal authentication credentials.
|
||||
s := c.String()
|
||||
if strings.Contains(s, "admin_name") || strings.Contains(s, "admin_password") {
|
||||
t.Fatalf("config's String method reveals authentication credentials.")
|
||||
}
|
||||
}
|
||||
|
||||
var expectedErrors = []struct {
|
||||
|
|
|
@ -49,8 +49,8 @@ scrape_configs:
|
|||
- job_name: service-x
|
||||
|
||||
basic_auth:
|
||||
username: admin
|
||||
password: password
|
||||
username: admin_name
|
||||
password: admin_password
|
||||
|
||||
scrape_interval: 50s
|
||||
scrape_timeout: 5s
|
||||
|
|
Loading…
Reference in New Issue