Posted to commits@couchdb.apache.org by ja...@apache.org on 2021/02/20 07:03:26 UTC
[couchdb-config] branch sensitive-app-env created (now 85d663b)
This is an automated email from the ASF dual-hosted git repository.
jaydoane pushed a change to branch sensitive-app-env
in repository https://gitbox.apache.org/repos/asf/couchdb-config.git.
at 85d663b Implement is_sensitive/2 using configurable application env
This branch includes the following new commits:
new 05f4d2b Enable eunit coverage
new 85d663b Implement is_sensitive/2 using configurable application env
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
[couchdb-config] 01/02: Enable eunit coverage
Posted by ja...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
jaydoane pushed a commit to branch sensitive-app-env
in repository https://gitbox.apache.org/repos/asf/couchdb-config.git
commit 05f4d2b2c3d2472082b9d52db6063459eefa376a
Author: Jay Doane <ja...@apache.org>
AuthorDate: Fri Feb 19 22:40:02 2021 -0800
Enable eunit coverage
---
rebar.config | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rebar.config b/rebar.config
new file mode 100644
index 0000000..e0d1844
--- /dev/null
+++ b/rebar.config
@@ -0,0 +1,2 @@
+{cover_enabled, true}.
+{cover_print_enabled, true}.
[couchdb-config] 02/02: Implement is_sensitive/2 using configurable
application env
Posted by ja...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
jaydoane pushed a commit to branch sensitive-app-env
in repository https://gitbox.apache.org/repos/asf/couchdb-config.git
commit 85d663bcb14e3cddc4832da6309c1683eee67964
Author: Jay Doane <ja...@apache.org>
AuthorDate: Fri Feb 19 23:03:05 2021 -0800
Implement is_sensitive/2 using configurable application env
If it exists, consult a file to configure application env. If
`sensitive` env key is found therein, use it to determine which values
to redact from log entries. The value of the `sensitive` key should be
a map of the form:
```
#{
Section1 => [Field1, Field2, ...],
Section2 => all
}
```
where `Section`s are strings that define sections which contain
sensitive fields, and `Field`s are strings. The atom `all` indicates
all fields for that section are sensitive. A typical configuration
might look like:
```
#{
"admins" => all,
"replicator" => ["password"]
}
```
meaning that all values in the `[admins]` section, and the `password`
value in the `[replicator]` section will be redacted from the logs.
---
src/{config.app.src => config.app.src.script} | 12 +++++++++++-
src/config.erl | 24 ++++++++++++++++++++++--
2 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/src/config.app.src b/src/config.app.src.script
similarity index 72%
rename from src/config.app.src
rename to src/config.app.src.script
index 7f8eef6..e4faf27 100644
--- a/src/config.app.src
+++ b/src/config.app.src.script
@@ -10,6 +10,15 @@
% License for the specific language governing permissions and limitations under
% the License.
+ConfigPath = filename:join([os:getenv("COUCHDB_APPS_CONFIG_DIR"), "config.config"]),
+AppEnv = case filelib:is_file(ConfigPath) of
+ true ->
+ {ok, Result} = file:consult(ConfigPath),
+ Result;
+ false ->
+ []
+end.
+
{application, config, [
{description, "INI file configuration system for Apache CouchDB"},
{vsn, git},
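Review bot: The added `ConfigPath` line does not handle an unset `COUCHDB_APPS_CONFIG_DIR`. In that case `os:getenv/1` returns the atom `false`, and since `filename:join/1` accepts atoms the script would probe a relative `false/config.config` under whatever directory the build runs in. A file that happened to exist there would silently become the application env, redaction list included. I would branch on the `os:getenv/1` result first and fall back to `[]` when the variable is missing, as sketched below. The `{ok, Result} = file:consult(ConfigPath)` match still aborts the build on a malformed file, which seems the right behaviour for a redaction setting.
```erlang
AppEnv = case os:getenv("COUCHDB_APPS_CONFIG_DIR") of
    false ->
        [];
    Dir ->
        ConfigPath = filename:join([Dir, "config.config"]),
        case filelib:is_file(ConfigPath) of
            true ->
                {ok, Result} = file:consult(ConfigPath),
                Result;
            false ->
                []
        end
end.
```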
@@ -18,5 +27,6 @@
config_event
]},
{applications, [kernel, stdlib]},
- {mod, {config_app, []}}
+ {mod, {config_app, []}},
+ {env, AppEnv}
]}.
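Review bot: Nothing next to `{env, AppEnv}` documents what shape `config.config` must have. `file:consult/1` returns every top-level term in the file, and `env` needs a list of `{Key, Value}` pairs. A file written in sys.config style (a single list keyed by application, which the name `config.config` suggests) would therefore not yield a usable `sensitive` key. I would add a comment above the script such as `% config.config holds one term per line, e.g. {sensitive, #{"admins" => all}}.` The script is presumably evaluated when the app file is generated, so the comment should also say that the redaction list is fixed at build time and that the environment variable must be set then.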
diff --git a/src/config.erl b/src/config.erl
index e8f7533..b87ff34 100644
--- a/src/config.erl
+++ b/src/config.erl
@@ -40,6 +40,8 @@
-export([init/1, terminate/2, code_change/3]).
-export([handle_call/3, handle_cast/2, handle_info/2]).
+-export([is_sensitive/2]).
+
-define(FEATURES, "features").
-define(TIMEOUT, 30000).
@@ -247,7 +249,7 @@ handle_call(all, _From, Config) ->
handle_call({set, Sec, Key, Val, Opts}, _From, Config) ->
Persist = maps:get(persist, Opts, true),
Reason = maps:get(reason, Opts, nil),
- IsSensitive = maps:get(sensitive, Opts, false),
+ IsSensitive = is_sensitive(Sec, Key),
case validate_config_update(Sec, Key, Val) of
{error, ValidationError} when IsSensitive ->
couch_log:error("~p: [~s] ~s = '****' rejected for reason ~p",
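Review bot: The replacement line drops the per-call `sensitive` option, so a caller that still passes `#{sensitive => true}` in `Opts` is now ignored. Because the app env default in `is_sensitive/2` is `#{}`, an installation without a `config.config` would stop masking values that were masked before this change. Keeping both sources avoids that regression: `IsSensitive = maps:get(sensitive, Opts, false) orelse is_sensitive(Sec, Key),`. The rest of this `handle_call` clause lies outside the hunk, so the non-redacted log branches could not be checked here.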
@@ -322,7 +324,16 @@ handle_call(reload, _From, Config) ->
true ->
ok;
false ->
- couch_log:notice("Reload detected config change ~s.~s = ~p", [Sec, Key, V]),
+ case is_sensitive(Sec, Key) of
+ false ->
+ couch_log:notice(
+ "Reload detected config change ~s.~s = ~p",
+ [Sec, Key, V]);
+ true ->
+ couch_log:notice(
+ "Reload detected config change ~s.~s = '****'",
+ [Sec, Key])
+ end,
Event = {config_change, Sec, Key, V, true},
gen_event:sync_notify(config_event, Event)
end
@@ -356,6 +367,15 @@ code_change(_OldVsn, State, _Extra) ->
{ok, State}.
+is_sensitive(Section, Key) ->
+ Sensitive = application:get_env(config, sensitive, #{}),
+ case maps:get(Section, Sensitive, false) of
+ all -> true;
+ Fields when is_list(Fields) -> lists:member(Key, Fields);
+ _ -> false
+ end.
+
+
parse_ini_file(IniFile) ->
IniFilename = config_util:abs_pathname(IniFile),
IniBin =
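Review bot: `is_sensitive/2` fails open without saying so. The `_ -> false` clause and the exact-term `lists:member(Key, Fields)` mean a section or field configured as a binary or atom rather than a string never matches, and the value is then logged unredacted. The function is exported but has no spec or comment. Assuming `Sec` and `Key` are strings as the commit message describes, I would add `-spec is_sensitive(string(), string()) -> boolean().` together with a short comment. The comment should say that entries must equal the ini section and key exactly and that anything unrecognised is treated as not sensitive. It should also state that `sensitive` must be a map, since a non-map value would make `maps:get/3` raise `badmap` inside the gen_server callbacks that call this.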