From ecdeb34fbda647e5b1cbb5513257625aaa9e1575 Mon Sep 17 00:00:00 2001
From: michel-laterman
Date: Fri, 6 Dec 2024 09:14:29 -0800
Subject: [PATCH] Review feedback
---
 internal/pkg/config/config.go | 9 ++++++++-
 internal/pkg/config/config_test.go | 31 +++++++++++++++++++++++++++---
 2 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/internal/pkg/config/config.go b/internal/pkg/config/config.go
index 69dfb8d85..739976799 100644
--- a/internal/pkg/config/config.go
+++ b/internal/pkg/config/config.go
@@ -170,11 +170,18 @@ func redactOutput(cfg *Config) Output {
 }
 for k := range redacted.Elasticsearch.Headers {
- if strings.Contains(strings.ToLower(k), "auth") || strings.Contains(strings.ToLower(k), "token") || strings.Contains(strings.ToLower(k), "key") { // best-effort scan to redact sensitive headers
+ lk := strings.ToLower(k)
+ if strings.Contains(lk, "auth") || strings.Contains(lk, "token") || strings.Contains(lk, "key") || strings.Contains(lk, "bearer") { // best-effort scan to redact sensitive headers
 redacted.Elasticsearch.Headers[k] = kRedacted
 }
 }
+ for k := range redacted.Elasticsearch.ProxyHeaders {
+ lk := strings.ToLower(k)
+ if strings.Contains(lk, "auth") || strings.Contains(lk, "token") || strings.Contains(lk, "key") || strings.Contains(lk, "bearer") { // best-effort scan to redact sensitive headers
+ redacted.Elasticsearch.ProxyHeaders[k] = kRedacted
+ }
+ }
 return redacted
 }
diff --git a/internal/pkg/config/config_test.go b/internal/pkg/config/config_test.go
index 16175a97b..9fc46a449 100644
--- a/internal/pkg/config/config_test.go
+++ b/internal/pkg/config/config_test.go
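Review bot: In the config.go hunk, both loops write `kRedacted` into the `Headers` and `ProxyHeaders` maps in place, which is only safe if `redacted` owns its own copies of those maps. The start of redactOutput is outside the hunk, so this is unconfirmed, but if `redacted` is a plain struct copy of `cfg.Output` the maps are shared with the live config and redacting for output would overwrite the real credentials. Building a fresh map in one helper removes that risk and also removes the duplicated four-way substring test, so the two header sets cannot drift apart. The match list is still a deny-list: names such as `Cookie`, or ones containing `secret` or `password`, pass through unredacted, so consider extending it or redacting every value except a short allow-list of known-harmless headers.

```go
// redactHeaders returns a copy of h in which the values of sensitive-looking
// header names are replaced by kRedacted. The caller's map is never written to.
func redactHeaders(h map[string]string) map[string]string {
	if h == nil {
		return nil
	}
	out := make(map[string]string, len(h))
	for k, v := range h {
		lk := strings.ToLower(k)
		if strings.Contains(lk, "auth") || strings.Contains(lk, "token") || strings.Contains(lk, "key") || strings.Contains(lk, "bearer") { // best-effort scan to redact sensitive headers
			v = kRedacted
		}
		out[k] = v
	}
	return out
}

	// … unchanged: earlier redactions in redactOutput …
	redacted.Elasticsearch.Headers = redactHeaders(redacted.Elasticsearch.Headers)
	redacted.Elasticsearch.ProxyHeaders = redactHeaders(redacted.Elasticsearch.ProxyHeaders)
	return redacted
```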
@@ -427,14 +427,14 @@ func TestConfigRedact(t *testing.T) {
 },
 },
 {
- name: "Redact custom authorization output header",
+ name: "Redact custom output headers",
 inputCfg: &Config{
 Inputs: []Input{{}},
 Output: Output{
 Elasticsearch: Elasticsearch{
 Protocol: "https",
 Hosts: []string{"localhost:9200"},
- Headers: map[string]string{"X-Authorization": "secretValue", "X-Custom": "value"},
+ Headers: map[string]string{"X-Authorization": "secretValue", "X-Custom": "value", "X-App-Token": "customToken", "X-App-Key": "secretKey", "X-Custom-Bearer": "secretBearer"},
 ServiceTokenPath: "path/to/file",
 },
 },
@@ -445,7 +445,32 @@ func TestConfigRedact(t *testing.T) {
 Elasticsearch: Elasticsearch{
 Protocol: "https",
 Hosts: []string{"localhost:9200"},
- Headers: map[string]string{"X-Authorization": kRedacted, "X-Custom": "value"},
+ Headers: map[string]string{"X-Authorization": kRedacted, "X-Custom": "value", "X-App-Token": kRedacted, "X-App-Key": kRedacted, "X-Custom-Bearer": kRedacted},
+ ServiceTokenPath: "path/to/file",
+ },
+ },
+ },
+ },
+ {
+ name: "Redact proxy authorization output header",
+ inputCfg: &Config{
+ Inputs: []Input{{}},
+ Output: Output{
+ Elasticsearch: Elasticsearch{
+ Protocol: "https",
+ Hosts: []string{"localhost:9200"},
+ ProxyHeaders: map[string]string{"X-Proxy-Authorization": "secretValue"},
+ ServiceTokenPath: "path/to/file",
+ },
+ },
+ },
+ redactedCfg: &Config{
+ Inputs: []Input{{}},
+ Output: Output{
+ Elasticsearch: Elasticsearch{
+ Protocol: "https",
+ Hosts: []string{"localhost:9200"},
+ ProxyHeaders: map[string]string{"X-Proxy-Authorization": kRedacted},
 ServiceTokenPath: "path/to/file",
 },
 },
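Review bot: The new "Redact proxy authorization output header" case supplies only a header that matches, so it would still pass if the ProxyHeaders loop redacted every entry. The Headers case keeps `"X-Custom": "value"` as a control and this one should too, e.g. `ProxyHeaders: map[string]string{"X-Proxy-Authorization": "secretValue", "X-Custom": "value"},` with `"X-Custom": "value"` left intact in `redactedCfg`. Every sensitive name in both cases is Title-Case; one lower-case name such as `"x-app-token"` (constructed sample) would pin the `strings.ToLower` step. The assertion code of TestConfigRedact is outside these hunks, so it is not visible whether it checks that `inputCfg` still holds the original secret values after redaction; if it does not, that check is worth adding since the redaction assigns into map entries.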