You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by ro...@apache.org on 2022/10/09 07:45:25 UTC

[couchdb] branch main updated: Redact passwords in log file (#4198)

This is an automated email from the ASF dual-hosted git repository.

ronny pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/couchdb.git


The following commit(s) were added to refs/heads/main by this push:
     new 0c5842273 Redact passwords in log file (#4198)
0c5842273 is described below

commit 0c584227350afe963d5c0acc8af45791200deb38
Author: Ronny <ro...@apache.org>
AuthorDate: Sun Oct 9 09:45:17 2022 +0200

    Redact passwords in log file (#4198)
    
    In some log messages user passwords were not redacted. Move and
    introduce a global helper function `remove_sensitive_data` to redact
    passwords.
---
 src/couch/src/couch_util.erl  |  7 +++++++
 src/setup/src/setup.erl       |  4 ++--
 src/setup/src/setup_httpd.erl | 15 ++++++---------
 3 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/src/couch/src/couch_util.erl b/src/couch/src/couch_util.erl
index afce1e0a5..dc58e2bf6 100644
--- a/src/couch/src/couch_util.erl
+++ b/src/couch/src/couch_util.erl
@@ -45,6 +45,7 @@
 -export([version_to_binary/1]).
 -export([verify_hash_names/2]).
 -export([get_config_hash_algorithms/0]).
+-export([remove_sensitive_data/1]).
 
 -include_lib("couch/include/couch_db.hrl").
 
@@ -860,3 +861,9 @@ get_config_hash_algorithms() ->
         [] -> [?DEFAULT_HASH_ALGORITHM];
         VerifiedHashNames -> VerifiedHashNames
     end.
+
+-spec remove_sensitive_data(list()) -> list().
+remove_sensitive_data(KVList) ->
+    KVList1 = lists:keyreplace(<<"password">>, 1, KVList, {<<"password">>, <<"****">>}),
+    % some KVList entries are atoms, so test fo this too
+    lists:keyreplace(password, 1, KVList1, {password, <<"****">>}).
diff --git a/src/setup/src/setup.erl b/src/setup/src/setup.erl
index 1757a43e7..35830284d 100644
--- a/src/setup/src/setup.erl
+++ b/src/setup/src/setup.erl
@@ -166,7 +166,7 @@ enable_cluster_int(Options, false) ->
     Port = proplists:get_value(port, Options),
 
     setup_node(NewCredentials, NewBindAddress, NodeCount, Port),
-    couch_log:debug("Enable Cluster: ~p~n", [Options]).
+    couch_log:debug("Enable Cluster: ~p~n", [couch_util:remove_sensitive_data(Options)]).
 
 set_admin(Username, Password) ->
     config:set("admins", binary_to_list(Username), binary_to_list(Password), #{sensitive => true}).
@@ -325,7 +325,7 @@ add_node(Options) ->
 add_node_int(_Options, false) ->
     {error, cluster_not_enabled};
 add_node_int(Options, true) ->
-    couch_log:debug("add node_int: ~p~n", [Options]),
+    couch_log:debug("add node_int: ~p~n", [couch_util:remove_sensitive_data(Options)]),
     ErlangCookie = erlang:get_cookie(),
 
     % POST to nodeB/_setup
diff --git a/src/setup/src/setup_httpd.erl b/src/setup/src/setup_httpd.erl
index 418a72845..ac688c4c6 100644
--- a/src/setup/src/setup_httpd.erl
+++ b/src/setup/src/setup_httpd.erl
@@ -19,7 +19,7 @@ handle_setup_req(#httpd{method = 'POST'} = Req) ->
     ok = chttpd:verify_is_server_admin(Req),
     couch_httpd:validate_ctype(Req, "application/json"),
     Setup = get_body(Req),
-    couch_log:notice("Setup: ~p~n", [remove_sensitive(Setup)]),
+    couch_log:notice("Setup: ~p~n", [couch_util:remove_sensitive_data(Setup)]),
     Action = binary_to_list(couch_util:get_value(<<"action">>, Setup, <<"missing">>)),
     case handle_action(Action, Setup) of
         ok ->
@@ -92,7 +92,7 @@ handle_action("enable_cluster", Setup) ->
             ok
     end;
 handle_action("finish_cluster", Setup) ->
-    couch_log:notice("finish_cluster: ~p~n", [remove_sensitive(Setup)]),
+    couch_log:notice("finish_cluster: ~p~n", [couch_util:remove_sensitive_data(Setup)]),
 
     Options = get_options(
         [
@@ -108,7 +108,7 @@ handle_action("finish_cluster", Setup) ->
             ok
     end;
 handle_action("enable_single_node", Setup) ->
-    couch_log:notice("enable_single_node: ~p~n", [remove_sensitive(Setup)]),
+    couch_log:notice("enable_single_node: ~p~n", [couch_util:remove_sensitive_data(Setup)]),
 
     Options = get_options(
         [
@@ -129,7 +129,7 @@ handle_action("enable_single_node", Setup) ->
             ok
     end;
 handle_action("add_node", Setup) ->
-    couch_log:notice("add_node: ~p~n", [remove_sensitive(Setup)]),
+    couch_log:notice("add_node: ~p~n", [couch_util:remove_sensitive_data(Setup)]),
 
     Options = get_options(
         [
@@ -154,9 +154,9 @@ handle_action("add_node", Setup) ->
             ok
     end;
 handle_action("remove_node", Setup) ->
-    couch_log:notice("remove_node: ~p~n", [remove_sensitive(Setup)]);
+    couch_log:notice("remove_node: ~p~n", [couch_util:remove_sensitive_data(Setup)]);
 handle_action("receive_cookie", Setup) ->
-    couch_log:notice("receive_cookie: ~p~n", [remove_sensitive(Setup)]),
+    couch_log:notice("receive_cookie: ~p~n", [couch_util:remove_sensitive_data(Setup)]),
     Options = get_options(
         [
             {cookie, <<"cookie">>}
@@ -181,6 +181,3 @@ get_body(Req) ->
             couch_log:notice("Body Fail: ~p~n", [Else]),
             couch_httpd:send_error(Req, 400, <<"bad_request">>, <<"Missing JSON body'">>)
     end.
-
-remove_sensitive(KVList) ->
-    lists:keyreplace(<<"password">>, 1, KVList, {<<"password">>, <<"****">>}).