mirror of
https://github.com/octoleo/restic.git
synced 2024-12-22 19:08:55 +00:00
redact swift auth token in debug output
This commit is contained in:
parent
5a11d14082
commit
6923353c43
@ -75,12 +75,31 @@ func RoundTripper(upstream http.RoundTripper) http.RoundTripper {
|
|||||||
return eofRoundTripper
|
return eofRoundTripper
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func redactHeader(header http.Header) map[string][]string {
|
||||||
|
removedHeaders := make(map[string][]string)
|
||||||
|
for _, hdr := range []string{
|
||||||
|
"Authorization",
|
||||||
|
"X-Auth-Token", // Swift headers
|
||||||
|
"X-Auth-Key",
|
||||||
|
} {
|
||||||
|
origHeader, hasHeader := header[hdr]
|
||||||
|
if hasHeader {
|
||||||
|
removedHeaders[hdr] = origHeader
|
||||||
|
header[hdr] = []string{"**redacted**"}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return removedHeaders
|
||||||
|
}
|
||||||
|
|
||||||
|
func restoreHeader(header http.Header, origHeaders map[string][]string) {
|
||||||
|
for hdr, val := range origHeaders {
|
||||||
|
header[hdr] = val
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func (tr loggingRoundTripper) RoundTrip(req *http.Request) (res *http.Response, err error) {
|
func (tr loggingRoundTripper) RoundTrip(req *http.Request) (res *http.Response, err error) {
|
||||||
// save original auth and redact it
|
// save original auth and redact it
|
||||||
origAuth, hasAuth := req.Header["Authorization"]
|
origHeaders := redactHeader(req.Header)
|
||||||
if hasAuth {
|
|
||||||
req.Header["Authorization"] = []string{"**redacted**"}
|
|
||||||
}
|
|
||||||
|
|
||||||
trace, err := httputil.DumpRequestOut(req, false)
|
trace, err := httputil.DumpRequestOut(req, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -89,10 +108,7 @@ func (tr loggingRoundTripper) RoundTrip(req *http.Request) (res *http.Response,
|
|||||||
Log("------------ HTTP REQUEST -----------\n%s", trace)
|
Log("------------ HTTP REQUEST -----------\n%s", trace)
|
||||||
}
|
}
|
||||||
|
|
||||||
// restore auth
|
restoreHeader(req.Header, origHeaders)
|
||||||
if hasAuth {
|
|
||||||
req.Header["Authorization"] = origAuth
|
|
||||||
}
|
|
||||||
|
|
||||||
res, err = tr.RoundTripper.RoundTrip(req)
|
res, err = tr.RoundTripper.RoundTrip(req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -100,7 +116,9 @@ func (tr loggingRoundTripper) RoundTrip(req *http.Request) (res *http.Response,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if res != nil {
|
if res != nil {
|
||||||
|
origHeaders := redactHeader(res.Header)
|
||||||
trace, err := httputil.DumpResponse(res, false)
|
trace, err := httputil.DumpResponse(res, false)
|
||||||
|
restoreHeader(res.Header, origHeaders)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
Log("DumpResponse() error: %v\n", err)
|
Log("DumpResponse() error: %v\n", err)
|
||||||
} else {
|
} else {
|
||||||
|
46
internal/debug/round_tripper_debug_test.go
Normal file
46
internal/debug/round_tripper_debug_test.go
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
// +build debug
|
||||||
|
|
||||||
|
package debug
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net/http"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/restic/restic/internal/test"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestRedactHeader(t *testing.T) {
|
||||||
|
secretHeaders := []string{
|
||||||
|
"Authorization",
|
||||||
|
"X-Auth-Token",
|
||||||
|
"X-Auth-Key",
|
||||||
|
}
|
||||||
|
|
||||||
|
header := make(http.Header)
|
||||||
|
header["Authorization"] = []string{"123"}
|
||||||
|
header["X-Auth-Token"] = []string{"1234"}
|
||||||
|
header["X-Auth-Key"] = []string{"12345"}
|
||||||
|
header["Host"] = []string{"my.host"}
|
||||||
|
|
||||||
|
origHeaders := redactHeader(header)
|
||||||
|
|
||||||
|
for _, hdr := range secretHeaders {
|
||||||
|
test.Equals(t, "**redacted**", header[hdr][0])
|
||||||
|
}
|
||||||
|
test.Equals(t, "my.host", header["Host"][0])
|
||||||
|
|
||||||
|
restoreHeader(header, origHeaders)
|
||||||
|
test.Equals(t, "123", header["Authorization"][0])
|
||||||
|
test.Equals(t, "1234", header["X-Auth-Token"][0])
|
||||||
|
test.Equals(t, "12345", header["X-Auth-Key"][0])
|
||||||
|
test.Equals(t, "my.host", header["Host"][0])
|
||||||
|
|
||||||
|
delete(header, "X-Auth-Key")
|
||||||
|
origHeaders = redactHeader(header)
|
||||||
|
_, hasHeader := header["X-Auth-Key"]
|
||||||
|
test.Assert(t, !hasHeader, "Unexpected header: %v", header["X-Auth-Key"])
|
||||||
|
|
||||||
|
restoreHeader(header, origHeaders)
|
||||||
|
_, hasHeader = header["X-Auth-Key"]
|
||||||
|
test.Assert(t, !hasHeader, "Unexpected header: %v", header["X-Auth-Key"])
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user