mirror of https://github.com/prometheus/prometheus
config: hide authentication credentials in String() output
parent
92c20168c4
commit
02e06839f2
|
@ -20,6 +20,7 @@ var (
|
||||||
patJobName = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_-]*$`)
|
patJobName = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_-]*$`)
|
||||||
patFileSDName = regexp.MustCompile(`^[^*]*(\*[^/]*)?\.(json|yml|yaml|JSON|YML|YAML)$`)
|
patFileSDName = regexp.MustCompile(`^[^*]*(\*[^/]*)?\.(json|yml|yaml|JSON|YML|YAML)$`)
|
||||||
patRulePath = regexp.MustCompile(`^[^*]*(\*[^/]*)?$`)
|
patRulePath = regexp.MustCompile(`^[^*]*(\*[^/]*)?$`)
|
||||||
|
patAuthLine = regexp.MustCompile(`((?:username|password):\s+)(".+"|'.+'|[^\s]+)`)
|
||||||
)
|
)
|
||||||
|
|
||||||
// Load parses the YAML input s into a Config.
|
// Load parses the YAML input s into a Config.
|
||||||
|
@ -118,14 +119,17 @@ func checkOverflow(m map[string]interface{}, ctx string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c Config) String() string {
|
func (c Config) String() string {
|
||||||
|
var s string
|
||||||
if c.original != "" {
|
if c.original != "" {
|
||||||
return c.original
|
s = c.original
|
||||||
}
|
} else {
|
||||||
b, err := yaml.Marshal(c)
|
b, err := yaml.Marshal(c)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Sprintf("<error creating config string: %s>", err)
|
return fmt.Sprintf("<error creating config string: %s>", err)
|
||||||
}
|
}
|
||||||
return string(b)
|
s = string(b)
|
||||||
|
}
|
||||||
|
return patAuthLine.ReplaceAllString(s, "${1}<hidden>")
|
||||||
}
|
}
|
||||||
|
|
||||||
// UnmarshalYAML implements the yaml.Unmarshaler interface.
|
// UnmarshalYAML implements the yaml.Unmarshaler interface.
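Review bot: `patAuthLine` redacts by matching the raw text, and its unquoted alternative `[^\s]+` stops at the first whitespace, so a multi-word plain scalar such as `password: my secret` (constructed example) would still print `secret` from `String()`. Because `\s+` also spans newlines, an empty `username:` followed by a `password:` line makes the match consume the `password:` key as the username's value and leaves the real password untouched; a block scalar (`password: |`) would leak the same way. A tighter interim pattern is `((?:username|password):[ \t]+)(.*)`, which hides the rest of the line. The robust fix is structural: give the credential fields a type whose YAML marshalling emits `<hidden>`, and have `String()` marshal `c` instead of returning `c.original`. Any other secret-bearing keys the config may carry are outside this two-name denylist, and the `var (` block starts outside the hunk.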
|
||||||
|
|
|
@ -85,8 +85,8 @@ var expectedConf = &Config{
|
||||||
ScrapeTimeout: Duration(5 * time.Second),
|
ScrapeTimeout: Duration(5 * time.Second),
|
||||||
|
|
||||||
BasicAuth: &BasicAuth{
|
BasicAuth: &BasicAuth{
|
||||||
Username: "admin",
|
Username: "admin_name",
|
||||||
Password: "password",
|
Password: "admin_password",
|
||||||
},
|
},
|
||||||
MetricsPath: "/my_path",
|
MetricsPath: "/my_path",
|
||||||
Scheme: "https",
|
Scheme: "https",
|
||||||
|
@ -183,6 +183,12 @@ func TestLoadConfig(t *testing.T) {
|
||||||
if !reflect.DeepEqual(c, expectedConf) {
|
if !reflect.DeepEqual(c, expectedConf) {
|
||||||
t.Fatalf("%s: unexpected config result: \n\n%s\n expected\n\n%s", "testdata/conf.good.yml", bgot, bexp)
|
t.Fatalf("%s: unexpected config result: \n\n%s\n expected\n\n%s", "testdata/conf.good.yml", bgot, bexp)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// String method must not reveal authentication credentials.
|
||||||
|
s := c.String()
|
||||||
|
if strings.Contains(s, "admin_name") || strings.Contains(s, "admin_password") {
|
||||||
|
t.Fatalf("config's String method reveals authentication credentials.")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
var expectedErrors = []struct {
|
var expectedErrors = []struct {
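Review bot: The new assertion in TestLoadConfig only proves redaction for the unquoted single-token values in conf.good.yml. As far as this hunk shows, the quoted alternatives of `patAuthLine` and the `yaml.Marshal` branch of `String()` (taken when `c.original` is empty) are never exercised. A small table-driven test over constructed inputs (double-quoted, single-quoted, a value containing spaces, a block scalar, an empty username followed by a password) would pin the behaviour and surface any leak. It is also worth asserting the positive case, e.g. `if !strings.Contains(s, "<hidden>") { t.Fatalf("credentials were not replaced by <hidden>") }`, so the test cannot pass merely because the auth block is missing from the output. TestLoadConfig begins outside the hunk.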
|
||||||
|
|
|
@ -49,8 +49,8 @@ scrape_configs:
|
||||||
- job_name: service-x
|
- job_name: service-x
|
||||||
|
|
||||||
basic_auth:
|
basic_auth:
|
||||||
username: admin
|
username: admin_name
|
||||||
password: password
|
password: admin_password
|
||||||
|
|
||||||
scrape_interval: 50s
|
scrape_interval: 50s
|
||||||
scrape_timeout: 5s
|
scrape_timeout: 5s
|
||||||
|
|