diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index deb226ff..52fcfe11 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -264,11 +264,11 @@
 },
 {
 "ImportPath": "k8s.io/api",
- "Rev": "3b2b5017183f"
+ "Rev": "4c9d9526570f"
 },
 {
 "ImportPath": "k8s.io/apimachinery",
- "Rev": "cbbcc3bf2cd4"
+ "Rev": "d2c4b5819cd0"
 },
 {
 "ImportPath": "k8s.io/gengo",
diff --git a/go.mod b/go.mod
index f33abe3d..f638f286 100644
--- a/go.mod
+++ b/go.mod
@@ -26,8 +26,8 @@ require (
 golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a
 golang.org/x/time v0.0.0-20161028155119-f51c12702a4d
 google.golang.org/appengine v1.5.0 // indirect
- k8s.io/api v0.0.0-20190813220811-3b2b5017183f
- k8s.io/apimachinery v0.0.0-20190813220643-cbbcc3bf2cd4
+ k8s.io/api v0.0.0-20190813220812-4c9d9526570f
+ k8s.io/apimachinery v0.0.0-20190813235223-d2c4b5819cd0
 k8s.io/klog v0.4.0
 k8s.io/utils v0.0.0-20190801114015-581e00157fb1
 sigs.k8s.io/yaml v1.1.0
@@ -40,6 +40,6 @@ replace (
 golang.org/x/sys => golang.org/x/sys v0.0.0-20190209173611-3b5209105503
 golang.org/x/text => golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db
 golang.org/x/tools => golang.org/x/tools v0.0.0-20190313210603-aa82965741a9
- k8s.io/api => k8s.io/api v0.0.0-20190813220811-3b2b5017183f
- k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20190813220643-cbbcc3bf2cd4
+ k8s.io/api => k8s.io/api v0.0.0-20190813220812-4c9d9526570f
+ k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20190813235223-d2c4b5819cd0
 )
diff --git a/go.sum b/go.sum
index 854d7c3b..4d11f4fa 100644
--- a/go.sum
+++ b/go.sum
@@ -127,8 +127,8 @@ gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-k8s.io/api v0.0.0-20190813220811-3b2b5017183f/go.mod h1:jQ/7CcVOYUjK7L7XC7+yxtZdjG6mm61Bmv9LU2K7M7c=
-k8s.io/apimachinery v0.0.0-20190813220643-cbbcc3bf2cd4/go.mod h1:1Bb79pEWnDgUBI8vkD0vaOot2IDbQD8ONqOd66wgvlM=
+k8s.io/api v0.0.0-20190813220812-4c9d9526570f/go.mod h1:jQ/7CcVOYUjK7L7XC7+yxtZdjG6mm61Bmv9LU2K7M7c=
+k8s.io/apimachinery v0.0.0-20190813235223-d2c4b5819cd0/go.mod h1:1Bb79pEWnDgUBI8vkD0vaOot2IDbQD8ONqOd66wgvlM=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
diff --git a/transport/round_trippers.go b/transport/round_trippers.go
index 117a9c8c..844ee9a2 100644
--- a/transport/round_trippers.go
+++ b/transport/round_trippers.go
@@ -409,6 +409,38 @@ func (rt *debuggingRoundTripper) CancelRequest(req *http.Request) {
 }
 }
+var knownAuthTypes = map[string]bool{
+ "bearer": true,
+ "basic": true,
+ "negotiate": true,
+}
+
+// maskValue masks credential content from authorization headers
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization
+func maskValue(key string, value string) string {
+ if !strings.EqualFold(key, "Authorization") {
+ return value
+ }
+ if len(value) == 0 {
+ return ""
+ }
+ var authType string
+ if i := strings.Index(value, " "); i > 0 {
+ authType = value[0:i]
+ } else {
+ authType = value
+ }
+ if !knownAuthTypes[strings.ToLower(authType)] {
+ return ""
+ }
+ if len(value) > len(authType)+1 {
+ value = authType + " "
+ } else {
+ value = authType
+ }
+ return value
+}
+
 func (rt *debuggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 reqInfo := newRequestInfo(req)
@@ -423,6 +455,7 @@ func (rt *debuggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, e
 klog.Infof("Request Headers:")
 for key, values := range reqInfo.RequestHeaders {
 for _, value := range values {
+ value = maskValue(key, value)
 klog.Infof(" %s: %s", key, value)
 }
 }
diff --git a/transport/round_trippers_test.go b/transport/round_trippers_test.go
index abe5ab53..ac8de240 100644
--- a/transport/round_trippers_test.go
+++ b/transport/round_trippers_test.go
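Review bot: `maskValue` returns every header other than `Authorization` unchanged, so a `Proxy-Authorization` header, which carries credentials in the same scheme-then-credentials form, is still written to the debug log in full by the loop patched in the second hunk. Widening the guard would cover it: `if !strings.EqualFold(key, "Authorization") && !strings.EqualFold(key, "Proxy-Authorization") { return value }`. Separately, a known scheme with credentials comes back as `"Basic "` and an unknown scheme as `""`, which in a log line looks the same as an empty or truncated header; returning an explicit marker such as `authType + " [masked]"` and `"[masked]"` would make the redaction visible to whoever reads the log, with the expected values in TestMaskValue adjusted to match. The doc comment should also say that values with an unrecognised scheme are dropped entirely rather than passed through.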
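Review bot: Masking is applied only inside this one loop over `reqInfo.RequestHeaders`, so it protects this log statement and nothing else. Any other code path that formats the same header map, or that prints response headers, lies outside the hunk and would still emit raw values; that cannot be confirmed from the visible lines and should be checked before relying on this change. A comment at the call site such as `// mask credentials before logging; do not log reqInfo.RequestHeaders values directly` would tell later editors that the raw value must not reach klog. RoundTrip's body starts and ends outside the hunk.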
@@ -35,6 +35,91 @@ func (rt *testRoundTripper) RoundTrip(req *http.Request) (*http.Response, error)
 return rt.Response, rt.Err
 }
+func TestMaskValue(t *testing.T) {
+ tcs := []struct {
+ key string
+ value string
+ expected string
+ }{
+ {
+ key: "Authorization",
+ value: "Basic YWxhZGRpbjpvcGVuc2VzYW1l",
+ expected: "Basic ",
+ },
+ {
+ key: "Authorization",
+ value: "basic",
+ expected: "basic",
+ },
+ {
+ key: "Authorization",
+ value: "Basic",
+ expected: "Basic",
+ },
+ {
+ key: "Authorization",
+ value: "Bearer cn389ncoiwuencr",
+ expected: "Bearer ",
+ },
+ {
+ key: "Authorization",
+ value: "Bearer",
+ expected: "Bearer",
+ },
+ {
+ key: "Authorization",
+ value: "bearer",
+ expected: "bearer",
+ },
+ {
+ key: "Authorization",
+ value: "bearer ",
+ expected: "bearer",
+ },
+ {
+ key: "Authorization",
+ value: "Negotiate cn389ncoiwuencr",
+ expected: "Negotiate ",
+ },
+ {
+ key: "ABC",
+ value: "Negotiate cn389ncoiwuencr",
+ expected: "Negotiate cn389ncoiwuencr",
+ },
+ {
+ key: "Authorization",
+ value: "Negotiate",
+ expected: "Negotiate",
+ },
+ {
+ key: "Authorization",
+ value: "Negotiate ",
+ expected: "Negotiate",
+ },
+ {
+ key: "Authorization",
+ value: "negotiate",
+ expected: "negotiate",
+ },
+ {
+ key: "Authorization",
+ value: "abc cn389ncoiwuencr",
+ expected: "",
+ },
+ {
+ key: "Authorization",
+ value: "",
+ expected: "",
+ },
+ }
+ for _, tc := range tcs {
+ maskedValue := maskValue(tc.key, tc.value)
+ if tc.expected != maskedValue {
+ t.Errorf("unexpected value %s, given %s.", maskedValue, tc.value)
+ }
+ }
+}
+
 func TestBearerAuthRoundTripper(t *testing.T) {
 rt := &testRoundTripper{}
 req := &http.Request{}
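Review bot: The failure message in TestMaskValue formats with `%s` and omits the expected value, yet several cases differ only by a trailing space (`"Basic "` against `"Basic"`) or are empty, so a failing run would not show what went wrong. `t.Errorf("maskValue(%q, %q) = %q, want %q", tc.key, tc.value, maskedValue, tc.expected)` makes those differences visible. The table also never exercises the case-insensitive key match that `strings.EqualFold` provides: every masked case uses the exact spelling `Authorization`, so a row with key `authorization` would pin that behaviour. Rows with a leading space or a tab between scheme and credentials would document that such values are dropped rather than logged.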