Merge pull request #6441 from hashicorp/b-agent-token

Redact replication tokens in /agent/self
hashicorp · Oct 8, 2019 · e59cc7c · e59cc7c
2 parents 9882de1 + 068c859
commit e59cc7c
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 21 deletions.
diff --git a/command/agent/agent_endpoint.go b/command/agent/agent_endpoint.go
@@ -87,6 +87,18 @@ func (s *HTTPServer) AgentSelfRequest(resp http.ResponseWriter, req *http.Reques
 		self.Config.Vault.Token = "<redacted>"
 	}
 
+	if self.Config != nil && self.Config.ACL != nil && self.Config.ACL.ReplicationToken != "" {
+		self.Config.ACL.ReplicationToken = "<redacted>"
+	}
+
+	if self.Config != nil && self.Config.Consul != nil && self.Config.Consul.Token != "" {
+		self.Config.Consul.Token = "<redacted>"
+	}
+
+	if self.Config != nil && self.Config.Telemetry != nil && self.Config.Telemetry.CirconusAPIToken != "" {
+		self.Config.Telemetry.CirconusAPIToken = "<redacted>"
+	}
+
 	return self, nil
 }
 

diff --git a/command/agent/agent_endpoint_test.go b/command/agent/agent_endpoint_test.go
@@ -22,45 +22,64 @@ import (
 
 func TestHTTP_AgentSelf(t *testing.T) {
 	t.Parallel()
+	require := require.New(t)
+
 	httpTest(t, nil, func(s *TestAgent) {
 		// Make the HTTP request
 		req, err := http.NewRequest("GET", "/v1/agent/self", nil)
-		if err != nil {
-			t.Fatalf("err: %v", err)
-		}
+		require.NoError(err)
 		respW := httptest.NewRecorder()
 
 		// Make the request
 		obj, err := s.Server.AgentSelfRequest(respW, req)
-		if err != nil {
-			t.Fatalf("err: %v", err)
-		}
+		require.NoError(err)
 
 		// Check the job
 		self := obj.(agentSelf)
-		if self.Config == nil {
-			t.Fatalf("bad: %#v", self)
-		}
-		if len(self.Stats) == 0 {
-			t.Fatalf("bad: %#v", self)
-		}
+		require.NotNil(self.Config)
+		require.NotNil(self.Config.ACL)
+		require.NotEmpty(self.Stats)
 
 		// Check the Vault config
-		if self.Config.Vault.Token != "" {
-			t.Fatalf("bad: %#v", self)
-		}
+		require.Empty(self.Config.Vault.Token)
 
 		// Assign a Vault token and require it is redacted.
 		s.Config.Vault.Token = "badc0deb-adc0-deba-dc0d-ebadc0debadc"
 		respW = httptest.NewRecorder()
 		obj, err = s.Server.AgentSelfRequest(respW, req)
-		if err != nil {
-			t.Fatalf("err: %v", err)
-		}
+		require.NoError(err)
 		self = obj.(agentSelf)
-		if self.Config.Vault.Token != "<redacted>" {
-			t.Fatalf("bad: %#v", self)
-		}
+		require.Equal("<redacted>", self.Config.Vault.Token)
+
+		// Assign a ReplicationToken token and require it is redacted.
+		s.Config.ACL.ReplicationToken = "badc0deb-adc0-deba-dc0d-ebadc0debadc"
+		respW = httptest.NewRecorder()
+		obj, err = s.Server.AgentSelfRequest(respW, req)
+		require.NoError(err)
+		self = obj.(agentSelf)
+		require.Equal("<redacted>", self.Config.ACL.ReplicationToken)
+
+		// Check the Consul config
+		require.Empty(self.Config.Consul.Token)
+
+		// Assign a Consul token and require it is redacted.
+		s.Config.Consul.Token = "badc0deb-adc0-deba-dc0d-ebadc0debadc"
+		respW = httptest.NewRecorder()
+		obj, err = s.Server.AgentSelfRequest(respW, req)
+		require.NoError(err)
+		self = obj.(agentSelf)
+		require.Equal("<redacted>", self.Config.Consul.Token)
+
+		// Check the Circonus config
+		require.Empty(self.Config.Telemetry.CirconusAPIToken)
+
+		// Assign a Consul token and require it is redacted.
+		s.Config.Telemetry.CirconusAPIToken = "badc0deb-adc0-deba-dc0d-ebadc0debadc"
+		respW = httptest.NewRecorder()
+		obj, err = s.Server.AgentSelfRequest(respW, req)
+		require.NoError(err)
+		self = obj.(agentSelf)
+		require.Equal("<redacted>", self.Config.Telemetry.CirconusAPIToken)
 	})
 }