Mask the password in the events

elastic · Jan 20, 2020 · ebe0e7d · ebe0e7d
1 parent e260032
commit ebe0e7d
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 16 deletions.
diff --git a/metricbeat/mb/testing/fetcher.go b/metricbeat/mb/testing/fetcher.go
@@ -26,8 +26,7 @@ import (
 
 // Fetcher is an interface implemented by all fetchers for testing purpouses
 type Fetcher interface {
-	Module() mb.Module
-	Name() string
+	mb.MetricSet
 
 	FetchEvents() ([]mb.Event, []error)
 	WriteEvents(testing.TB, string)

diff --git a/x-pack/metricbeat/module/sql/query/_meta/data.json b/x-pack/metricbeat/module/sql/query/_meta/data.json
@@ -10,7 +10,7 @@
         "period": 10000
     },
     "service": {
-        "address": "root:test@tcp(172.22.0.3:3306)/",
+        "address": "xxxxx",
         "type": "sql"
     },
     "sql": {

diff --git a/x-pack/metricbeat/module/sql/query/_meta/data_postgres.json b/x-pack/metricbeat/module/sql/query/_meta/data_postgres.json
@@ -10,7 +10,7 @@
         "period": 10000
     },
     "service": {
-        "address": "user=postgres password=postgres sslmode=disable host=172.22.0.2 port=5432",
+        "address": "xxxxx",
         "type": "sql"
     },
     "sql": {
@@ -19,25 +19,25 @@
             "numeric": {
                 "blk_read_time": 0,
                 "blk_write_time": 0,
-                "blks_hit": 4251,
-                "blks_read": 103,
+                "blks_hit": 2793,
+                "blks_read": 116,
                 "conflicts": 0,
                 "datid": 12379,
                 "deadlocks": 0,
                 "numbackends": 1,
                 "temp_bytes": 0,
                 "temp_files": 0,
                 "tup_deleted": 0,
-                "tup_fetched": 2847,
+                "tup_fetched": 1832,
                 "tup_inserted": 0,
-                "tup_returned": 4877,
+                "tup_returned": 2898,
                 "tup_updated": 0,
-                "xact_commit": 49,
+                "xact_commit": 28,
                 "xact_rollback": 0
             },
             "string": {
                 "datname": "postgres",
-                "stats_reset": "2020-01-20 19:48:28.217"
+                "stats_reset": "2020-01-20 21:02:53.21"
             }
         },
         "query": "select * from pg_stat_database"

diff --git a/x-pack/metricbeat/module/sql/query/query.go b/x-pack/metricbeat/module/sql/query/query.go
@@ -63,6 +63,14 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
 	}, nil
 }
 
+// Host returns the host string that will be stored in the events, as the
+// module is generic, the value in `hosts` can contain passwords in different
+// places, so mask the whole value.
+func (m *MetricSet) Host() string {
+	// TODO: Return something more meaningful
+	return "xxxxx"
+}
+
 // Fetch methods implements the data gathering and data conversion to the right
 // format. It publishes the event which is then forwarded to the output. In case
 // of an error set the Error field of mb.Event or simply call report.Error().

diff --git a/x-pack/metricbeat/module/sql/query/query_integration_test.go b/x-pack/metricbeat/module/sql/query/query_integration_test.go
@@ -11,13 +11,16 @@ import (
 	"net"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	// Drivers
 	_ "github.com/go-sql-driver/mysql"
 	_ "github.com/lib/pq"
 
+	"github.com/elastic/beats/libbeat/beat"
 	"github.com/elastic/beats/libbeat/tests/compose"
+	"github.com/elastic/beats/metricbeat/mb"
 	mbtest "github.com/elastic/beats/metricbeat/mb/testing"
 	"github.com/elastic/beats/metricbeat/module/mysql"
 	"github.com/elastic/beats/metricbeat/module/postgresql"
@@ -27,14 +30,17 @@ type testFetchConfig struct {
 	Driver string
 	Query  string
 	Host   string
+
+	Assertion func(t *testing.T, event beat.Event)
 }
 
 func TestMySQL(t *testing.T) {
 	service := compose.EnsureUp(t, "mysql")
 	config := testFetchConfig{
-		Driver: "mysql",
-		Query:  "select table_schema, table_name, engine, table_rows from information_schema.tables where table_rows > 0;",
-		Host:   mysql.GetMySQLEnvDSN(service.Host()),
+		Driver:    "mysql",
+		Query:     "select table_schema, table_name, engine, table_rows from information_schema.tables where table_rows > 0;",
+		Host:      mysql.GetMySQLEnvDSN(service.Host()),
+		Assertion: assertFieldNotContains("service.address", "root:test@"),
 	}
 
 	t.Run("fetch", func(t *testing.T) {
@@ -55,9 +61,10 @@ func TestPostgreSQL(t *testing.T) {
 	password := postgresql.GetEnvPassword()
 
 	config := testFetchConfig{
-		Driver: "postgres",
-		Query:  "select * from pg_stat_database",
-		Host:   fmt.Sprintf("user=%s password=%s sslmode=disable host=%s port=%s", user, password, host, port),
+		Driver:    "postgres",
+		Query:     "select * from pg_stat_database",
+		Host:      fmt.Sprintf("user=%s password=%s sslmode=disable host=%s port=%s", user, password, host, port),
+		Assertion: assertFieldNotContains("service.address", "password="+password),
 	}
 
 	t.Run("fetch", func(t *testing.T) {
@@ -75,6 +82,12 @@ func testFetch(t *testing.T, cfg testFetchConfig) {
 	require.Empty(t, errs)
 	require.NotEmpty(t, events)
 	t.Logf("%s/%s event: %+v", m.Module().Name(), m.Name(), events[0])
+
+	if cfg.Assertion != nil {
+		for _, event := range events {
+			cfg.Assertion(t, mbtest.StandardizeEvent(m, event, mb.AddMetricSetInfo))
+		}
+	}
 }
 
 func testData(t *testing.T, cfg testFetchConfig, postfix string) {
@@ -91,3 +104,12 @@ func getConfig(cfg testFetchConfig) map[string]interface{} {
 		"sql_query":  cfg.Query,
 	}
 }
+
+func assertFieldNotContains(field, s string) func(t *testing.T, event beat.Event) {
+	return func(t *testing.T, event beat.Event) {
+		address, err := event.GetValue(field)
+		assert.NoError(t, err)
+		require.NotEmpty(t, address.(string))
+		require.NotContains(t, address.(string), s)
+	}
+}