Redact static tokens and custom http headers

elastic · Dec 5, 2024 · 1f86340 · 1f86340
1 parent cf41f38
commit 1f86340
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 0 deletions.
diff --git a/internal/pkg/config/config.go b/internal/pkg/config/config.go
@@ -8,6 +8,7 @@ package config
 import (
 	"context"
 	"errors"
+	"strings"
 	"sync"
 
 	"github.com/gofrs/uuid"
@@ -168,6 +169,12 @@ func redactOutput(cfg *Config) Output {
 		redacted.Elasticsearch.TLS = &newTLS
 	}
 
+	for k := range redacted.Elasticsearch.Headers {
+		if strings.Contains(strings.ToLower(k), "auth") {
+			redacted.Elasticsearch.Headers[k] = kRedacted
+		}
+	}
+
 	return redacted
 }
 
@@ -195,6 +202,10 @@ func redactServer(cfg *Config) Server {
 		redacted.Instrumentation.SecretToken = kRedacted
 	}
 
+	for i := range redacted.StaticPolicyTokens.PolicyTokens {
+		redacted.StaticPolicyTokens.PolicyTokens[i].TokenKey = kRedacted
+	}
+
 	return redacted
 }
 

diff --git a/internal/pkg/config/config_test.go b/internal/pkg/config/config_test.go
@@ -426,6 +426,60 @@ func TestConfigRedact(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "Redact custom authorization output header",
+			inputCfg: &Config{
+				Inputs: []Input{{}},
+				Output: Output{
+					Elasticsearch: Elasticsearch{
+						Protocol:         "https",
+						Hosts:            []string{"localhost:9200"},
+						Headers:          map[string]string{"X-Authorization": "secretValue", "X-Custom": "value"},
+						ServiceTokenPath: "path/to/file",
+					},
+				},
+			},
+			redactedCfg: &Config{
+				Inputs: []Input{{}},
+				Output: Output{
+					Elasticsearch: Elasticsearch{
+						Protocol:         "https",
+						Hosts:            []string{"localhost:9200"},
+						Headers:          map[string]string{"X-Authorization": kRedacted, "X-Custom": "value"},
+						ServiceTokenPath: "path/to/file",
+					},
+				},
+			},
+		},
+		{
+			name: "redact static tokens",
+			inputCfg: &Config{
+				Inputs: []Input{{
+					Server: Server{
+						StaticPolicyTokens: StaticPolicyTokens{
+							Enabled: true,
+							PolicyTokens: []PolicyToken{{
+								TokenKey: "secretValue",
+								PolicyID: "testPolicy",
+							}},
+						},
+					},
+				}},
+			},
+			redactedCfg: &Config{
+				Inputs: []Input{{
+					Server: Server{
+						StaticPolicyTokens: StaticPolicyTokens{
+							Enabled: true,
+							PolicyTokens: []PolicyToken{{
+								TokenKey: kRedacted,
+								PolicyID: "testPolicy",
+							}},
+						},
+					},
+				}},
+			},
+		},
 	}
 
 	for _, tt := range testcases {