Skip to content

The API token outputted during verbose will now be masked by default #866

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kytrinyx merged 9 commits into from
Aug 8, 2019
Merged

The API token outputted during verbose will now be masked by default #866

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
52e2906
Inital Commit
Aug 2, 2019
867ff5e
Inital Commit
Aug 2, 2019
9b9ff08
Added doc for Redact and Added empty string case for header
Aug 2, 2019
a81e36b
Fixing test
Aug 2, 2019
f937826
Update cmd/root.go
Jrank2013 Aug 2, 2019
3559f20
Reverting go.mod and go.sum
Jrank2013 Aug 4, 2019
332b16d
Changed function comment to match codebase
Jrank2013 Aug 4, 2019
7f4bb27
Added Comment for UnamskAPIKey
Jrank2013 Aug 4, 2019
c7bab26
Removing utils package and moving Redact to the debug package
Aug 7, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions cmd/root.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,9 @@ Download exercises and submit your solutions.`,
if verbose, _ := cmd.Flags().GetBool("verbose"); verbose {
debug.Verbose = verbose
}
if unmask, _ := cmd.Flags().GetBool("unmask-token"); unmask {
debug.UnmaskAPIKey = unmask
}
if timeout, _ := cmd.Flags().GetInt("timeout"); timeout > 0 {
cli.TimeoutInSeconds = timeout
api.TimeoutInSeconds = timeout
Expand All @@ -46,4 +49,5 @@ func init() {
api.UserAgent = fmt.Sprintf("github.com/exercism/cli v%s (%s/%s)", Version, runtime.GOOS, runtime.GOARCH)
RootCmd.PersistentFlags().BoolP("verbose", "v", false, "verbose output")
RootCmd.PersistentFlags().IntP("timeout", "", 0, "override the default HTTP timeout (seconds)")
RootCmd.PersistentFlags().BoolP("unmask-token", "", false, "will unmask the API during a request/response dump")
}
10 changes: 2 additions & 8 deletions cmd/troubleshoot.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,12 @@ import (
"fmt"
"html/template"
"runtime"
"strings"
"sync"
"time"

"github.com/exercism/cli/cli"
"github.com/exercism/cli/config"
"github.com/exercism/cli/debug"
"github.com/spf13/cobra"
"github.com/spf13/viper"
)
Expand Down Expand Up @@ -192,7 +192,7 @@ func newConfigurationStatus(status *Status) configurationStatus {
TokenURL: config.SettingsURL(v.GetString("apibaseurl")),
}
if status.Censor && cs.Token != "" {
cs.Token = redact(cs.Token)
cs.Token = debug.Redact(cs.Token)
}
return cs
}
Expand All @@ -212,12 +212,6 @@ func (ping *apiPing) Call(wg *sync.WaitGroup) {
ping.Status = "connected"
}

func redact(token string) string {
str := token[4 : len(token)-3]
redaction := strings.Repeat("*", len(str))
return string(token[:4]) + redaction + string(token[len(token)-3:])
}

const tmplSelfTest = `
Troubleshooting Information
===========================
Expand Down
14 changes: 0 additions & 14 deletions cmd/troubleshoot_test.go
View file
Open in desktop

This file was deleted.

19 changes: 19 additions & 0 deletions debug/debug.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,12 +9,15 @@ import (
"net/http"
"net/http/httputil"
"os"
"strings"
)

var (
// Verbose determines if debugging output is displayed to the user
Verbose bool
output io.Writer = os.Stderr
// UnmaskAPIKey determines if the API key should de displayed during a dump
UnmaskAPIKey bool
)

// Println conditionally outputs a message to Stderr
Expand All @@ -41,6 +44,14 @@ func DumpRequest(req *http.Request) {
body := io.TeeReader(req.Body, &bodyCopy)
req.Body = ioutil.NopCloser(body)

temp := req.Header.Get("Authorization")

if !UnmaskAPIKey {
if token := strings.Split(temp, " ")[1]; token != "" {
req.Header.Set("Authorization", "Bearer "+Redact(token))
}
}
Comment thread
Jrank2013 marked this conversation as resolved.

dump, err := httputil.DumpRequest(req, req.ContentLength > 0)
if err != nil {
log.Fatal(err)
Expand All @@ -51,6 +62,7 @@ func DumpRequest(req *http.Request) {
Println("========================= END DumpRequest =========================")
Println("")

req.Header.Set("Authorization", temp)
req.Body = ioutil.NopCloser(&bodyCopy)
}

Expand All @@ -76,3 +88,10 @@ func DumpResponse(res *http.Response) {

res.Body = ioutil.NopCloser(body)
}

// Redact masks the given token by replacing part of the string with *
func Redact(token string) string {
str := token[4 : len(token)-3]
redaction := strings.Repeat("*", len(str))
return string(token[:4]) + redaction + string(token[len(token)-3:])
}
9 changes: 9 additions & 0 deletions debug/debug_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ package debug
import (
"bytes"
"testing"

"github.com/stretchr/testify/assert"
)

func TestVerboseEnabled(t *testing.T) {
Expand All @@ -26,3 +28,10 @@ func TestVerboseDisabled(t *testing.T) {
t.Error("expected '' got", b.String())
}
}

func TestRedact(t *testing.T) {
fakeToken := "1a11111aaaa111aa1a11111a11111aa1"
expected := "1a11*************************aa1"

assert.Equal(t, expected, Redact(fakeToken))
}