mirror of
https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2024-11-24 08:52:25 +02:00
Merge pull request #292 from nickmiller-wf/redact-access-token
Strip sensitive URL parameters from provider log output
This commit is contained in:
commit
a0e4a36821
@ -85,7 +85,8 @@ func (p *GitHubProvider) hasOrg(accessToken string) (bool, error) {
|
|||||||
return false, err
|
return false, err
|
||||||
}
|
}
|
||||||
if resp.StatusCode != 200 {
|
if resp.StatusCode != 200 {
|
||||||
return false, fmt.Errorf("got %d from %q %s", resp.StatusCode, endpoint, body)
|
return false, fmt.Errorf(
|
||||||
|
"got %d from %q %s", resp.StatusCode, stripToken(endpoint.String()), body)
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := json.Unmarshal(body, &orgs); err != nil {
|
if err := json.Unmarshal(body, &orgs); err != nil {
|
||||||
@ -140,7 +141,8 @@ func (p *GitHubProvider) hasOrgAndTeam(accessToken string) (bool, error) {
|
|||||||
return false, err
|
return false, err
|
||||||
}
|
}
|
||||||
if resp.StatusCode != 200 {
|
if resp.StatusCode != 200 {
|
||||||
return false, fmt.Errorf("got %d from %q %s", resp.StatusCode, endpoint, body)
|
return false, fmt.Errorf(
|
||||||
|
"got %d from %q %s", resp.StatusCode, stripToken(endpoint.String()), body)
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := json.Unmarshal(body, &teams); err != nil {
|
if err := json.Unmarshal(body, &teams); err != nil {
|
||||||
@ -217,9 +219,10 @@ func (p *GitHubProvider) GetEmailAddress(s *SessionState) (string, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if resp.StatusCode != 200 {
|
if resp.StatusCode != 200 {
|
||||||
return "", fmt.Errorf("got %d from %q %s", resp.StatusCode, endpoint, body)
|
return "", fmt.Errorf("got %d from %q %s",
|
||||||
|
resp.StatusCode, stripToken(endpoint.String()), body)
|
||||||
} else {
|
} else {
|
||||||
log.Printf("got %d from %q %s", resp.StatusCode, endpoint, body)
|
log.Printf("got %d from %q %s", resp.StatusCode, stripToken(endpoint.String()), body)
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := json.Unmarshal(body, &emails); err != nil {
|
if err := json.Unmarshal(body, &emails); err != nil {
|
||||||
|
@ -9,6 +9,42 @@ import (
|
|||||||
"github.com/bitly/oauth2_proxy/api"
|
"github.com/bitly/oauth2_proxy/api"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// stripToken is a helper function to obfuscate "access_token"
|
||||||
|
// query parameters
|
||||||
|
func stripToken(endpoint string) string {
|
||||||
|
return stripParam("access_token", endpoint)
|
||||||
|
}
|
||||||
|
|
||||||
|
// stripParam generalizes the obfuscation of a particular
|
||||||
|
// query parameter - typically 'access_token' or 'client_secret'
|
||||||
|
// The parameter's second half is replaced by '...' and returned
|
||||||
|
// as part of the encoded query parameters.
|
||||||
|
// If the target parameter isn't found, the endpoint is returned
|
||||||
|
// unmodified.
|
||||||
|
func stripParam(param, endpoint string) string {
|
||||||
|
u, err := url.Parse(endpoint)
|
||||||
|
if err != nil {
|
||||||
|
log.Printf("error attempting to strip %s: %s", param, err)
|
||||||
|
return endpoint
|
||||||
|
}
|
||||||
|
|
||||||
|
if u.RawQuery != "" {
|
||||||
|
values, err := url.ParseQuery(u.RawQuery)
|
||||||
|
if err != nil {
|
||||||
|
log.Printf("error attempting to strip %s: %s", param, err)
|
||||||
|
return u.String()
|
||||||
|
}
|
||||||
|
|
||||||
|
if val := values.Get(param); val != "" {
|
||||||
|
values.Set(param, val[:(len(val)/2)]+"...")
|
||||||
|
u.RawQuery = values.Encode()
|
||||||
|
return u.String()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return endpoint
|
||||||
|
}
|
||||||
|
|
||||||
// validateToken returns true if token is valid
|
// validateToken returns true if token is valid
|
||||||
func validateToken(p Provider, access_token string, header http.Header) bool {
|
func validateToken(p Provider, access_token string, header http.Header) bool {
|
||||||
if access_token == "" || p.Data().ValidateURL == nil {
|
if access_token == "" || p.Data().ValidateURL == nil {
|
||||||
@ -28,7 +64,7 @@ func validateToken(p Provider, access_token string, header http.Header) bool {
|
|||||||
|
|
||||||
body, _ := ioutil.ReadAll(resp.Body)
|
body, _ := ioutil.ReadAll(resp.Body)
|
||||||
resp.Body.Close()
|
resp.Body.Close()
|
||||||
log.Printf("%d GET %s %s", resp.StatusCode, endpoint, body)
|
log.Printf("%d GET %s %s", resp.StatusCode, stripToken(endpoint), body)
|
||||||
|
|
||||||
if resp.StatusCode == 200 {
|
if resp.StatusCode == 200 {
|
||||||
return true
|
return true
|
||||||
|
@ -119,3 +119,14 @@ func TestValidateSessionStateExpiredToken(t *testing.T) {
|
|||||||
vt_test.response_code = 401
|
vt_test.response_code = 401
|
||||||
assert.Equal(t, false, validateToken(vt_test.provider, "foobar", nil))
|
assert.Equal(t, false, validateToken(vt_test.provider, "foobar", nil))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestStripTokenNotPresent(t *testing.T) {
|
||||||
|
test := "http://local.test/api/test?a=1&b=2"
|
||||||
|
assert.Equal(t, test, stripToken(test))
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestStripToken(t *testing.T) {
|
||||||
|
test := "http://local.test/api/test?access_token=deadbeef&b=1&c=2"
|
||||||
|
expected := "http://local.test/api/test?access_token=dead...&b=1&c=2"
|
||||||
|
assert.Equal(t, expected, stripToken(test))
|
||||||
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user