fix(RedactSecrets): add additional keywords to be redacted (#191)

Fixes: #190 Signed-off-by: Phil Adams <[email protected]>
IBM · Aug 22, 2023 · d176568 · d176568
1 parent 9c39119
commit d176568
Show file tree

Hide file tree

Showing 2 changed files with 101 additions and 7 deletions.
diff --git a/core/utils.go b/core/utils.go
@@ -316,19 +316,91 @@ func GetQueryParamAsInt(urlStr *string, param string) (value *int64, err error)
 	return
 }
 
+// keywords that are redacted
+var redactedKeywords = []string{
+	"apikey",
+	"api_key",
+	"passcode",
+	"password",
+	"token",
+
+	"aadClientId",
+	"aadClientSecret",
+	"auth",
+	"auth_provider_x509_cert_url",
+	"auth_uri",
+	"client_email",
+	"client_id",
+	"client_x509_cert_url",
+	"key",
+	"project_id",
+	"secret",
+	"subscriptionId",
+	"tenantId",
+	"thumbprint",
+	"token_uri",
+
+	// Information from issue: https://github.com/IBM/go-sdk-core/issues/190
+	// // Redhat
+	// "ibm-cos-access-key",
+	// "ibm-cos-secret-key",
+	// "iam-api-key",
+	// "kms-root-key",
+	// "kms-api-key",
+
+	// // AWS
+	// "aws-access-key",
+	// "aws-secret-access-key",
+
+	// // Azure
+	// "tenantId",
+	// "subscriptionId",
+	// "aadClientId",
+	// "aadClientSecret",
+
+	// // Google
+	// "project_id",
+	// "private_key_id",
+	// "private_key",
+	// "client_email",
+	// "client_id",
+	// "auth_uri",
+	// "token_uri",
+	// "auth_provider_x509_cert_url",
+	// "client_x509_cert_url",
+
+	// // IBM
+	// "primary-gui-api-user",
+	// "primary-gui-api-password",
+	// "owning-gui-api-user",
+	// "owning-gui-api-password",
+	// "g2_api_key",
+
+	// // NetApp
+	// "username",
+	// "password",
+
+	// // VMware
+	// "vcenter-username",
+	// "vcenter-password",
+	// "thumbprint",
+}
+
+var redactedTokens = strings.Join(redactedKeywords, "|")
+
 // Pre-compiled regular expressions used by RedactSecrets().
 var reAuthHeader = regexp.MustCompile(`(?m)^(Authorization|X-Auth\S*): .*`)
-var rePassword1 = regexp.MustCompile(`(?i)(password|token|apikey|api_key|passcode)=[^&]*(&|$)`)
-var rePassword2 = regexp.MustCompile(`(?i)"([^"]*(password|token|apikey|api_key)[^"_]*)":\s*"[^\,]*"`)
+var rePropertySetting = regexp.MustCompile(`(?i)(` + redactedTokens + `)=[^&]*(&|$)`)
+var reJsonField = regexp.MustCompile(`(?i)"([^"]*(` + redactedTokens + `)[^"_]*)":\s*"[^\,]*"`)
 
 // RedactSecrets() returns the input string with secrets redacted.
 func RedactSecrets(input string) string {
 	var redacted = "[redacted]"
 
 	redactedString := input
 	redactedString = reAuthHeader.ReplaceAllString(redactedString, "$1: "+redacted)
-	redactedString = rePassword1.ReplaceAllString(redactedString, "$1="+redacted+"$2")
-	redactedString = rePassword2.ReplaceAllString(redactedString, fmt.Sprintf(`"$1":"%s"`, redacted))
+	redactedString = rePropertySetting.ReplaceAllString(redactedString, "$1="+redacted+"$2")
+	redactedString = reJsonField.ReplaceAllString(redactedString, fmt.Sprintf(`"$1":"%s"`, redacted))
 
 	return redactedString
 }
diff --git a/core/utils_test.go b/core/utils_test.go
@@ -659,11 +659,33 @@ func TestRedactSecrets(t *testing.T) {
 	assert.NotContains(t, RedactSecrets("Authorization: Basic secret"), "secret")
 	assert.NotContains(t, RedactSecrets("X-Authorization: secret"), "secret")
 
-	assert.NotContains(t, RedactSecrets("PASSword=secret"), "secret")
 	assert.NotContains(t, RedactSecrets("ApIKey=secret"), "secret")
-	assert.NotContains(t, RedactSecrets("toKen=secret"), "secret")
+	assert.NotContains(t, RedactSecrets("ApI_Key=secret"), "secret")
 	assert.NotContains(t, RedactSecrets("passCode=secret"), "secret")
+	assert.NotContains(t, RedactSecrets("PASSword=secret"), "secret")
+	assert.NotContains(t, RedactSecrets("toKen=secret"), "secret")
+
+	assert.NotContains(t, RedactSecrets("client_id=secret"), "secret")
+	assert.NotContains(t, RedactSecrets("client_x509_cert_url=secret"), "secret")
+	assert.NotContains(t, RedactSecrets("client_id=secret"), "secret")
+	assert.NotContains(t, RedactSecrets("key=secret"), "secret")
+	assert.NotContains(t, RedactSecrets("project_id=secret"), "secret")
+	assert.NotContains(t, RedactSecrets("secret=DaSecret"), "DaSecret")
+	assert.NotContains(t, RedactSecrets("subscriptionId=secret"), "secret")
+	assert.NotContains(t, RedactSecrets("tenantId=secret"), "secret")
+	assert.NotContains(t, RedactSecrets("thumbprint=secret"), "secret")
+	assert.NotContains(t, RedactSecrets("token_uri=secret"), "secret")
 
-	assert.NotContains(t, RedactSecrets(`"token": "secret",`), "secret")
 	assert.NotContains(t, RedactSecrets(`xxx "apIKEy":    "secret",xxx`), "secret")
+	assert.NotContains(t, RedactSecrets(`xxx "apI_KEy":    "secret",xxx`), "secret")
+	assert.NotContains(t, RedactSecrets(`xxx "pAsSCoDe":    "secret",xxx`), "secret")
+	assert.NotContains(t, RedactSecrets(`xxx "passWORD":    "secret",xxx`), "secret")
+	assert.NotContains(t, RedactSecrets(`xxx "token":    "secret",xxx`), "secret")
+
+	assert.NotContains(t, RedactSecrets(`xxx "aadClientId":    "secret",xxx`), "secret")
+	assert.NotContains(t, RedactSecrets(`xxx "aadClientSecret":    "secret",xxx`), "secret")
+	assert.NotContains(t, RedactSecrets(`xxx "auth":    "secret",xxx`), "secret")
+	assert.NotContains(t, RedactSecrets(`xxx "auth_provider_x509_cert_url":    "secret",xxx`), "secret")
+	assert.NotContains(t, RedactSecrets(`xxx "auth_uri":    "secret",xxx`), "secret")
+	assert.NotContains(t, RedactSecrets(`xxx "client_email":    "secret",xxx`), "secret")
 }