Merge pull request #19340 from droslean/git-clonerefs-censor

censor the potential token in git outputs and messages
kubernetes · Sep 24, 2020 · 369a496 · 369a496
2 parents d950ef3 + 2563309
commit 369a496
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 11 deletions.
diff --git a/prow/pod-utils/clone/clone.go b/prow/pod-utils/clone/clone.go
@@ -64,7 +64,7 @@ func Run(refs prowapi.Refs, dir, gitUserName, gitUserEmail, cookiePath string, e
 				message = err.Error()
 				record.Failed = true
 			}
-			record.Commands = append(record.Commands, Command{Command: censorGitCommand(formattedCommand, oauthToken), Output: output, Error: message})
+			record.Commands = append(record.Commands, Command{Command: censorToken(formattedCommand, oauthToken), Output: censorToken(output, oauthToken), Error: censorToken(message, oauthToken)})
 			if err != nil {
 				return err
 			}
@@ -95,11 +95,11 @@ func Run(refs prowapi.Refs, dir, gitUserName, gitUserEmail, cookiePath string, e
 	return record
 }
 
-func censorGitCommand(command, token string) string {
+func censorToken(msg, token string) string {
 	if token == "" {
-		return command
+		return msg
 	}
-	censored := bytes.ReplaceAll([]byte(command), []byte(token), []byte("CENSORED"))
+	censored := bytes.ReplaceAll([]byte(msg), []byte(token), []byte("CENSORED"))
 	return string(censored)
 }
 

diff --git a/prow/pod-utils/clone/clone_test.go b/prow/pod-utils/clone/clone_test.go
@@ -669,31 +669,45 @@ func makeFakeGitRepo(fakeTimestamp int) (string, error) {
 	return fakeGitDir, nil
 }
 
-func TestCensorGitCommand(t *testing.T) {
+func TestCensorToken(t *testing.T) {
 	testCases := []struct {
 		id       string
 		token    string
-		command  string
+		msg      string
 		expected string
 	}{
 		{
 			id:       "no token",
-			command:  "git fetch https://github.com/kubernetes/test-infra.git",
+			msg:      "git fetch https://github.com/kubernetes/test-infra.git",
 			expected: "git fetch https://github.com/kubernetes/test-infra.git",
 		},
 		{
 			id:       "with token",
 			token:    "123456789",
-			command:  "git fetch 123456789:x-oauth-basic@https://github.com/kubernetes/test-infra.git",
+			msg:      "git fetch 123456789:x-oauth-basic@https://github.com/kubernetes/test-infra.git",
 			expected: "git fetch CENSORED:x-oauth-basic@https://github.com/kubernetes/test-infra.git",
 		},
+		{
+			id:    "git output with token",
+			token: "123456789",
+			msg: `
+Cloning into 'test-infa'...
+remote: Invalid username or password.
+fatal: Authentication failed for 'https://[email protected]/kubernetes/test-infa/'
+`,
+			expected: `
+Cloning into 'test-infa'...
+remote: Invalid username or password.
+fatal: Authentication failed for 'https://[email protected]/kubernetes/test-infa/'
+`,
+		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.id, func(t *testing.T) {
-			censoredCommand := censorGitCommand(tc.command, tc.token)
-			if !reflect.DeepEqual(censoredCommand, tc.expected) {
-				t.Fatalf("expected: %s got %s", tc.expected, censoredCommand)
+			censoredMsg := censorToken(tc.msg, tc.token)
+			if !reflect.DeepEqual(censoredMsg, tc.expected) {
+				t.Fatalf("expected: %s got %s", tc.expected, censoredMsg)
 			}
 		})
 	}