octoleo/restic
2
2
Fork 0
mirror of https://github.com/octoleo/restic.git synced 2024-12-22 10:58:55 +00:00
Code Issues Releases Wiki Activity

redact swift auth token in debug output

Browse Source
This commit is contained in:
Michael Eischer 2021-08-17 18:43:13 +02:00
parent 5a11d14082
commit 6923353c43
2 changed files with 72 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
internal/debug/round_tripper_debug.go
View File

@ -75,12 +75,31 @@ func RoundTripper(upstream http.RoundTripper) http.RoundTripper {
return eofRoundTripper return eofRoundTripper
} }
func redactHeader(header http.Header) map[string][]string {
removedHeaders := make(map[string][]string)
for _, hdr := range []string{
"Authorization",
"X-Auth-Token", // Swift headers
"X-Auth-Key",
} {
origHeader, hasHeader := header[hdr]
if hasHeader {
removedHeaders[hdr] = origHeader
header[hdr] = []string{"**redacted**"}
}
}
return removedHeaders
}
func restoreHeader(header http.Header, origHeaders map[string][]string) {
for hdr, val := range origHeaders {
header[hdr] = val
}
}
func (tr loggingRoundTripper) RoundTrip(req *http.Request) (res *http.Response, err error) { func (tr loggingRoundTripper) RoundTrip(req *http.Request) (res *http.Response, err error) {
// save original auth and redact it // save original auth and redact it
origAuth, hasAuth := req.Header["Authorization"] origHeaders := redactHeader(req.Header)
if hasAuth {
req.Header["Authorization"] = []string{"**redacted**"}
}
trace, err := httputil.DumpRequestOut(req, false) trace, err := httputil.DumpRequestOut(req, false)
if err != nil { if err != nil {
@ -89,10 +108,7 @@ func (tr loggingRoundTripper) RoundTrip(req *http.Request) (res *http.Response,
Log("------------ HTTP REQUEST -----------\n%s", trace) Log("------------ HTTP REQUEST -----------\n%s", trace)
} }
// restore auth restoreHeader(req.Header, origHeaders)
if hasAuth {
req.Header["Authorization"] = origAuth
}
res, err = tr.RoundTripper.RoundTrip(req) res, err = tr.RoundTripper.RoundTrip(req)
if err != nil { if err != nil {
@ -100,7 +116,9 @@ func (tr loggingRoundTripper) RoundTrip(req *http.Request) (res *http.Response,
} }
if res != nil { if res != nil {
origHeaders := redactHeader(res.Header)
trace, err := httputil.DumpResponse(res, false) trace, err := httputil.DumpResponse(res, false)
restoreHeader(res.Header, origHeaders)
if err != nil { if err != nil {
Log("DumpResponse() error: %v\n", err) Log("DumpResponse() error: %v\n", err)
} else { } else {

46
internal/debug/round_tripper_debug_test.go Normal file
View File

@ -0,0 +1,46 @@
// +build debug
package debug
import (
"net/http"
"testing"
"github.com/restic/restic/internal/test"
)
func TestRedactHeader(t *testing.T) {
secretHeaders := []string{
"Authorization",
"X-Auth-Token",
"X-Auth-Key",
}
header := make(http.Header)
header["Authorization"] = []string{"123"}
header["X-Auth-Token"] = []string{"1234"}
header["X-Auth-Key"] = []string{"12345"}
header["Host"] = []string{"my.host"}
origHeaders := redactHeader(header)
for _, hdr := range secretHeaders {
test.Equals(t, "**redacted**", header[hdr][0])
}
test.Equals(t, "my.host", header["Host"][0])
restoreHeader(header, origHeaders)
test.Equals(t, "123", header["Authorization"][0])
test.Equals(t, "1234", header["X-Auth-Token"][0])
test.Equals(t, "12345", header["X-Auth-Key"][0])
test.Equals(t, "my.host", header["Host"][0])
delete(header, "X-Auth-Key")
origHeaders = redactHeader(header)
_, hasHeader := header["X-Auth-Key"]
test.Assert(t, !hasHeader, "Unexpected header: %v", header["X-Auth-Key"])
restoreHeader(header, origHeaders)
_, hasHeader = header["X-Auth-Key"]
test.Assert(t, !hasHeader, "Unexpected header: %v", header["X-Auth-Key"])
}