From 5851b2611d593d968eaab27107f47b48ad7c7480 Mon Sep 17 00:00:00 2001
From: Danielle Lancashire
Date: Sun, 22 Sep 2019 14:35:53 +0200
Subject: [PATCH 1/2] api: Redact ACL Replication Token

Currently when hitting the /v1/agent/self API with ACL Replication enabled results in the token being returned in the API. This commit redacts that information, as it should be treated as a shared secret.
---
 command/agent/agent_endpoint.go      |  4 +++
 command/agent/agent_endpoint_test.go | 39 +++++++++++++---------------
 2 files changed, 22 insertions(+), 21 deletions(-)

diff --git a/command/agent/agent_endpoint.go b/command/agent/agent_endpoint.go
index cc1564e69f1..07988a5f194 100644
--- a/command/agent/agent_endpoint.go
+++ b/command/agent/agent_endpoint.go
@@ -87,6 +87,10 @@ func (s *HTTPServer) AgentSelfRequest(resp http.ResponseWriter, req *http.Reques
 		self.Config.Vault.Token = ""
 	}
 
+	if self.Config != nil && self.Config.ACL != nil && self.Config.ACL.ReplicationToken != "" {
+		self.Config.ACL.ReplicationToken = ""
+	}
+
 	return self, nil
 }
 
diff --git a/command/agent/agent_endpoint_test.go b/command/agent/agent_endpoint_test.go
index 211cd74cf6f..d5109f2dc78 100644
--- a/command/agent/agent_endpoint_test.go
+++ b/command/agent/agent_endpoint_test.go
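Review bot: The `self.Config.ACL.ReplicationToken != ""` clause in the new condition is redundant, since assigning the empty string to an already-empty field is a no-op; `if self.Config != nil && self.Config.ACL != nil { self.Config.ACL.ReplicationToken = "" }` says the same thing and reads as an unconditional redaction. More importantly, the redaction writes through `self.Config`, and whether that pointer is a copy of the agent's configuration or the live one is not visible in this hunk (AgentSelfRequest begins outside it); if it is the live config, this would clear the replication token the agent itself relies on. A comment above the Vault/ACL redaction group stating the invariant, e.g. `// self.Config must be a copy: these redactions must not touch the running agent's config`, would make the assumption explicit, and the test hunk that follows is the natural place to pin it down.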
@@ -22,45 +22,42 @@ import (
 
 func TestHTTP_AgentSelf(t *testing.T) {
 	t.Parallel()
+	require := require.New(t)
+
 	httpTest(t, nil, func(s *TestAgent) {
 		// Make the HTTP request
 		req, err := http.NewRequest("GET", "/v1/agent/self", nil)
-		if err != nil {
-			t.Fatalf("err: %v", err)
-		}
+		require.NoError(err)
 		respW := httptest.NewRecorder()
 
 		// Make the request
 		obj, err := s.Server.AgentSelfRequest(respW, req)
-		if err != nil {
-			t.Fatalf("err: %v", err)
-		}
+		require.NoError(err)
 
 		// Check the job
 		self := obj.(agentSelf)
-		if self.Config == nil {
-			t.Fatalf("bad: %#v", self)
-		}
-		if len(self.Stats) == 0 {
-			t.Fatalf("bad: %#v", self)
-		}
+		require.NotNil(self.Config)
+		require.NotNil(self.Config.ACL)
+		require.NotEmpty(self.Stats)
 
 		// Check the Vault config
-		if self.Config.Vault.Token != "" {
-			t.Fatalf("bad: %#v", self)
-		}
+		require.Empty(self.Config.Vault.Token)
 
 		// Assign a Vault token and require it is redacted.
 		s.Config.Vault.Token = "badc0deb-adc0-deba-dc0d-ebadc0debadc"
 		respW = httptest.NewRecorder()
 		obj, err = s.Server.AgentSelfRequest(respW, req)
-		if err != nil {
-			t.Fatalf("err: %v", err)
-		}
+		require.NoError(err)
 		self = obj.(agentSelf)
-		if self.Config.Vault.Token != "" {
-			t.Fatalf("bad: %#v", self)
-		}
+		require.Equal("", self.Config.Vault.Token)
+
+		// Assign a ReplicationToken token and require it is redacted.
+		s.Config.ACL.ReplicationToken = "badc0deb-adc0-deba-dc0d-ebadc0debadc"
+		respW = httptest.NewRecorder()
+		obj, err = s.Server.AgentSelfRequest(respW, req)
+		require.NoError(err)
+		self = obj.(agentSelf)
+		require.Equal("", self.Config.ACL.ReplicationToken)
 	})
 }
 

From 068c859237aa16e534b66b106ef87f18de121b31 Mon Sep 17 00:00:00 2001
From: Danielle Lancashire
Date: Mon, 23 Sep 2019 19:07:27 +0200
Subject: [PATCH 2/2] api: Redact tokens in /agent/self

---
 command/agent/agent_endpoint.go      |  8 ++++++++
 command/agent/agent_endpoint_test.go | 22 ++++++++++++++++++++++
 2 files changed, 30 insertions(+)

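Review bot: The new ReplicationToken block at the end of the closure only inspects the returned `self`; it never asserts that `s.Config.ACL.ReplicationToken` still holds the assigned value after `AgentSelfRequest` returns, so the test passes equally whether the handler redacts a copy of the config or blanks the agent's own. Adding `require.Equal("badc0deb-adc0-deba-dc0d-ebadc0debadc", s.Config.ACL.ReplicationToken)` after the redaction check (and the matching assertion for `s.Config.Vault.Token` above it) would make the test distinguish the two; the Consul and Circonus blocks added in the second patch have the same gap. As a point of style, the rewritten assertions mix `require.Empty(self.Config.Vault.Token)` and `require.Equal("", self.Config.Vault.Token)` for the same check; one form throughout would read more consistently.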
diff --git a/command/agent/agent_endpoint.go b/command/agent/agent_endpoint.go
index 07988a5f194..7fe9eae6f75 100644
--- a/command/agent/agent_endpoint.go
+++ b/command/agent/agent_endpoint.go
@@ -91,6 +91,14 @@ func (s *HTTPServer) AgentSelfRequest(resp http.ResponseWriter, req *http.Reques
 		self.Config.ACL.ReplicationToken = ""
 	}
 
+	if self.Config != nil && self.Config.Consul != nil && self.Config.Consul.Token != "" {
+		self.Config.Consul.Token = ""
+	}
+
+	if self.Config != nil && self.Config.Telemetry != nil && self.Config.Telemetry.CirconusAPIToken != "" {
+		self.Config.Telemetry.CirconusAPIToken = ""
+	}
+
 	return self, nil
 }
 
diff --git a/command/agent/agent_endpoint_test.go b/command/agent/agent_endpoint_test.go
index d5109f2dc78..d9e26f186f8 100644
--- a/command/agent/agent_endpoint_test.go
+++ b/command/agent/agent_endpoint_test.go
@@ -58,6 +58,28 @@ func TestHTTP_AgentSelf(t *testing.T) {
 		require.NoError(err)
 		self = obj.(agentSelf)
 		require.Equal("", self.Config.ACL.ReplicationToken)
+
+		// Check the Consul config
+		require.Empty(self.Config.Consul.Token)
+
+		// Assign a Consul token and require it is redacted.
+		s.Config.Consul.Token = "badc0deb-adc0-deba-dc0d-ebadc0debadc"
+		respW = httptest.NewRecorder()
+		obj, err = s.Server.AgentSelfRequest(respW, req)
+		require.NoError(err)
+		self = obj.(agentSelf)
+		require.Equal("", self.Config.Consul.Token)
+
+		// Check the Circonus config
+		require.Empty(self.Config.Telemetry.CirconusAPIToken)
+
+		// Assign a Consul token and require it is redacted.
+		s.Config.Telemetry.CirconusAPIToken = "badc0deb-adc0-deba-dc0d-ebadc0debadc"
+		respW = httptest.NewRecorder()
+		obj, err = s.Server.AgentSelfRequest(respW, req)
+		require.NoError(err)
+		self = obj.(agentSelf)
+		require.Equal("", self.Config.Telemetry.CirconusAPIToken)
 	})
 }
 
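Review bot: The two new blocks repeat the `self.Config != nil` test that the Vault and ACL blocks above them already perform, leaving four near-identical three-line conditions in a row; a single `if self.Config != nil {` guard around per-section nil checks, or a small `redactConfigSecrets(c *Config)` helper called once before `return self, nil`, would show at a glance which fields are scrubbed. Redacting by naming fields one at a time is also easy to leave incomplete when a new credential-bearing setting is added (if the Consul section carries an HTTP basic-auth value, for instance, it belongs in the same group); a comment above the group such as `// Secrets must never be returned from /v1/agent/self; add any new token or credential field here.` would give future maintainers the rule. AgentSelfRequest begins outside this hunk.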
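Review bot: The comment above the Circonus block, `// Assign a Consul token and require it is redacted.`, is copied from the Consul block and should read `// Assign a Circonus API token and require it is redacted.`. The new blocks also dereference `self.Config.Consul` and `self.Config.Telemetry` without the `require.NotNil` guard the first patch added for `self.Config.ACL`, so a nil section would panic the test rather than produce a readable failure; `require.NotNil(self.Config.Consul)` and `require.NotNil(self.Config.Telemetry)` before each first `require.Empty` would follow the existing pattern.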