Posted to commits@couchdb.apache.org by ro...@apache.org on 2022/10/07 07:37:32 UTC

[couchdb] branch redact_passwords_in_logs created (now d2eb7239d)

This is an automated email from the ASF dual-hosted git repository.

ronny pushed a change to branch redact_passwords_in_logs
in repository https://gitbox.apache.org/repos/asf/couchdb.git


      at d2eb7239d Redact passwords in log file

This branch includes the following new commits:

     new d2eb7239d Redact passwords in log file

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[couchdb] 01/01: Redact passwords in log file

Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

ronny pushed a commit to branch redact_passwords_in_logs
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit d2eb7239d60913ce0da2ae601abae35e88afaf18
Author: Ronny Berndt <ro...@apache.org>
AuthorDate: Fri Oct 7 09:37:13 2022 +0200

    Redact passwords in log file
    
    In some log messages user passwords were not redacted. Move and
    introduce a global helper function `remove_sensitive_data` to redact
    passwords.
---
 src/couch/src/couch_util.erl  |  7 +++++++
 src/setup/src/setup.erl       |  4 ++--
 src/setup/src/setup_httpd.erl | 14 ++++++--------
 3 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/src/couch/src/couch_util.erl b/src/couch/src/couch_util.erl
index afce1e0a5..dc58e2bf6 100644
--- a/src/couch/src/couch_util.erl
+++ b/src/couch/src/couch_util.erl
@@ -45,6 +45,7 @@
 -export([version_to_binary/1]).
 -export([verify_hash_names/2]).
 -export([get_config_hash_algorithms/0]).
+-export([remove_sensitive_data/1]).
 
 -include_lib("couch/include/couch_db.hrl").
 
@@ -860,3 +861,9 @@ get_config_hash_algorithms() ->
         [] -> [?DEFAULT_HASH_ALGORITHM];
         VerifiedHashNames -> VerifiedHashNames
     end.
+
+-spec remove_sensitive_data(list()) -> list().
+remove_sensitive_data(KVList) ->
+    KVList1 = lists:keyreplace(<<"password">>, 1, KVList, {<<"password">>, <<"****">>}),
+    % some KVList entries are atoms, so test fo this too
+    lists:keyreplace(password, 1, KVList1, {password, <<"****">>}).
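Review bot: `remove_sensitive_data/1` masks only the first tuple keyed `<<"password">>` and the first keyed `password`, because `lists:keyreplace/4` stops at the first match; a list that repeats the key still reaches the log with a clear-text value. The name also promises more than the body delivers: every other secret-bearing key passes through untouched (the CouchDB setup API also accepts `remote_current_password`; whether it reaches these log calls is not visible in this diff). Mapping over the list with a guard on a fixed key set closes the first gap and leaves one place to extend, as sketched below; note the sketch matches 2-tuples only, unlike `keyreplace`. A short `%% @doc` stating which keys are masked and that only top-level tuples are inspected would also help callers.

```erlang
-spec remove_sensitive_data(list()) -> list().
remove_sensitive_data(KVList) ->
    [redact_kv(KV) || KV <- KVList].

%% Mask the value of every top-level password entry, binary or atom key.
redact_kv({Key, _Value}) when Key =:= <<"password">>; Key =:= password ->
    {Key, <<"****">>};
redact_kv(KV) ->
    KV.
```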
diff --git a/src/setup/src/setup.erl b/src/setup/src/setup.erl
index 1757a43e7..35830284d 100644
--- a/src/setup/src/setup.erl
+++ b/src/setup/src/setup.erl
@@ -166,7 +166,7 @@ enable_cluster_int(Options, false) ->
     Port = proplists:get_value(port, Options),
 
     setup_node(NewCredentials, NewBindAddress, NodeCount, Port),
-    couch_log:debug("Enable Cluster: ~p~n", [Options]).
+    couch_log:debug("Enable Cluster: ~p~n", [couch_util:remove_sensitive_data(Options)]).
 
 set_admin(Username, Password) ->
     config:set("admins", binary_to_list(Username), binary_to_list(Password), #{sensitive => true}).
@@ -325,7 +325,7 @@ add_node(Options) ->
 add_node_int(_Options, false) ->
     {error, cluster_not_enabled};
 add_node_int(Options, true) ->
-    couch_log:debug("add node_int: ~p~n", [Options]),
+    couch_log:debug("add node_int: ~p~n", [couch_util:remove_sensitive_data(Options)]),
     ErlangCookie = erlang:get_cookie(),
 
     % POST to nodeB/_setup
diff --git a/src/setup/src/setup_httpd.erl b/src/setup/src/setup_httpd.erl
index 418a72845..25c12d2a1 100644
--- a/src/setup/src/setup_httpd.erl
+++ b/src/setup/src/setup_httpd.erl
@@ -19,7 +19,7 @@ handle_setup_req(#httpd{method = 'POST'} = Req) ->
     ok = chttpd:verify_is_server_admin(Req),
     couch_httpd:validate_ctype(Req, "application/json"),
     Setup = get_body(Req),
-    couch_log:notice("Setup: ~p~n", [remove_sensitive(Setup)]),
+    couch_log:notice("Setup: ~p~n", [couch_util:remove_sensitive_data(Setup)]),
     Action = binary_to_list(couch_util:get_value(<<"action">>, Setup, <<"missing">>)),
     case handle_action(Action, Setup) of
         ok ->
@@ -92,7 +92,7 @@ handle_action("enable_cluster", Setup) ->
             ok
     end;
 handle_action("finish_cluster", Setup) ->
-    couch_log:notice("finish_cluster: ~p~n", [remove_sensitive(Setup)]),
+    couch_log:notice("finish_cluster: ~p~n", [couch_util:remove_sensitive_data(Setup)]),
 
     Options = get_options(
         [
@@ -108,7 +108,7 @@ handle_action("finish_cluster", Setup) ->
             ok
     end;
 handle_action("enable_single_node", Setup) ->
-    couch_log:notice("enable_single_node: ~p~n", [remove_sensitive(Setup)]),
+    couch_log:notice("enable_single_node: ~p~n", [couch_util:remove_sensitive_data(Setup)]),
 
     Options = get_options(
         [
@@ -129,7 +129,7 @@ handle_action("enable_single_node", Setup) ->
             ok
     end;
 handle_action("add_node", Setup) ->
-    couch_log:notice("add_node: ~p~n", [remove_sensitive(Setup)]),
+    couch_log:notice("add_node: ~p~n", [couch_util:remove_sensitive_data(Setup)]),
 
     Options = get_options(
         [
@@ -154,9 +154,9 @@ handle_action("add_node", Setup) ->
             ok
     end;
 handle_action("remove_node", Setup) ->
-    couch_log:notice("remove_node: ~p~n", [remove_sensitive(Setup)]);
+    couch_log:notice("remove_node: ~p~n", [couch_util:remove_sensitive_data(Setup)]);
 handle_action("receive_cookie", Setup) ->
-    couch_log:notice("receive_cookie: ~p~n", [remove_sensitive(Setup)]),
+    couch_log:notice("receive_cookie: ~p~n", [couch_util:remove_sensitive_data(Setup)]),
     Options = get_options(
         [
             {cookie, <<"cookie">>}
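Review bot: The `receive_cookie` log call still writes the cookie value at notice level, since `remove_sensitive_data/1` masks only `password` keys and the options list just below reads `<<"cookie">>` from the same `Setup`. Assuming that field carries the Erlang distribution cookie, anyone with read access to the log file obtains a cluster-wide secret. Either add `<<"cookie">>` and `cookie` to the keys the helper masks, or redact at this call site, e.g. `lists:keyreplace(<<"cookie">>, 1, couch_util:remove_sensitive_data(Setup), {<<"cookie">>, <<"****">>})`. The clause continues past the end of the hunk, so later uses of the cookie are not visible here.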
@@ -182,5 +182,3 @@ get_body(Req) ->
             couch_httpd:send_error(Req, 400, <<"bad_request">>, <<"Missing JSON body'">>)
     end.
 
-remove_sensitive(KVList) ->
-    lists:keyreplace(<<"password">>, 1, KVList, {<<"password">>, <<"****">>}).