Merge pull request #81330 from tedyu/hide-auth-hdr

Hide bearer token in logs Kubernetes-commit: 4441f1d9c3e94d9a3d93b4f184a591cab02a5245
2025-06-27 23:48:30 +00:00 · 2019-08-13 21:38:49 -07:00 · 2019-08-13 21:38:49 -07:00 · 1ca6f0db2b
commit 1ca6f0db2b
parent 7eecfc25a0 689d090711
5 changed files with 126 additions and 8 deletions
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@ -264,11 +264,11 @@
 		},
 		{
 			"ImportPath": "k8s.io/api",
-			"Rev": "3b2b5017183f"
+			"Rev": "4c9d9526570f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery",
-			"Rev": "cbbcc3bf2cd4"
+			"Rev": "d2c4b5819cd0"
 		},
 		{
 			"ImportPath": "k8s.io/gengo",
--- a/go.mod
+++ b/go.mod
@ -26,8 +26,8 @@ require (
 	golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a
 	golang.org/x/time v0.0.0-20161028155119-f51c12702a4d
 	google.golang.org/appengine v1.5.0 // indirect
-	k8s.io/api v0.0.0-20190813220811-3b2b5017183f
-	k8s.io/apimachinery v0.0.0-20190813220643-cbbcc3bf2cd4
+	k8s.io/api v0.0.0-20190813220812-4c9d9526570f
+	k8s.io/apimachinery v0.0.0-20190813235223-d2c4b5819cd0
 	k8s.io/klog v0.4.0
 	k8s.io/utils v0.0.0-20190801114015-581e00157fb1
 	sigs.k8s.io/yaml v1.1.0
@ -40,6 +40,6 @@ replace (
 	golang.org/x/sys => golang.org/x/sys v0.0.0-20190209173611-3b5209105503
 	golang.org/x/text => golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db
 	golang.org/x/tools => golang.org/x/tools v0.0.0-20190313210603-aa82965741a9
-	k8s.io/api => k8s.io/api v0.0.0-20190813220811-3b2b5017183f
-	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20190813220643-cbbcc3bf2cd4
+	k8s.io/api => k8s.io/api v0.0.0-20190813220812-4c9d9526570f
+	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20190813235223-d2c4b5819cd0
 )
--- a/go.sum
+++ b/go.sum
@ -127,8 +127,8 @@ gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-k8s.io/api v0.0.0-20190813220811-3b2b5017183f/go.mod h1:jQ/7CcVOYUjK7L7XC7+yxtZdjG6mm61Bmv9LU2K7M7c=
-k8s.io/apimachinery v0.0.0-20190813220643-cbbcc3bf2cd4/go.mod h1:1Bb79pEWnDgUBI8vkD0vaOot2IDbQD8ONqOd66wgvlM=
+k8s.io/api v0.0.0-20190813220812-4c9d9526570f/go.mod h1:jQ/7CcVOYUjK7L7XC7+yxtZdjG6mm61Bmv9LU2K7M7c=
+k8s.io/apimachinery v0.0.0-20190813235223-d2c4b5819cd0/go.mod h1:1Bb79pEWnDgUBI8vkD0vaOot2IDbQD8ONqOd66wgvlM=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
--- a/transport/round_trippers.go
+++ b/transport/round_trippers.go
@ -409,6 +409,38 @@ func (rt *debuggingRoundTripper) CancelRequest(req *http.Request) {
 	}
 }

+var knownAuthTypes = map[string]bool{
+	"bearer":    true,
+	"basic":     true,
+	"negotiate": true,
+}
+
+// maskValue masks credential content from authorization headers
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization
+func maskValue(key string, value string) string {
+	if !strings.EqualFold(key, "Authorization") {
+		return value
+	}
+	if len(value) == 0 {
+		return ""
+	}
+	var authType string
+	if i := strings.Index(value, " "); i > 0 {
+		authType = value[0:i]
+	} else {
+		authType = value
+	}
+	if !knownAuthTypes[strings.ToLower(authType)] {
+		return "<masked>"
+	}
+	if len(value) > len(authType)+1 {
+		value = authType + " <masked>"
+	} else {
+		value = authType
+	}
+	return value
+}
+
 func (rt *debuggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 	reqInfo := newRequestInfo(req)

@ -423,6 +455,7 @@ func (rt *debuggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, e
 		klog.Infof("Request Headers:")
 		for key, values := range reqInfo.RequestHeaders {
 			for _, value := range values {
+				value = maskValue(key, value)
 				klog.Infof("    %s: %s", key, value)
 			}
 		}
--- a/transport/round_trippers_test.go
+++ b/transport/round_trippers_test.go
@ -35,6 +35,91 @@ func (rt *testRoundTripper) RoundTrip(req *http.Request) (*http.Response, error)
 	return rt.Response, rt.Err
 }

+func TestMaskValue(t *testing.T) {
+	tcs := []struct {
+		key      string
+		value    string
+		expected string
+	}{
+		{
+			key:      "Authorization",
+			value:    "Basic YWxhZGRpbjpvcGVuc2VzYW1l",
+			expected: "Basic <masked>",
+		},
+		{
+			key:      "Authorization",
+			value:    "basic",
+			expected: "basic",
+		},
+		{
+			key:      "Authorization",
+			value:    "Basic",
+			expected: "Basic",
+		},
+		{
+			key:      "Authorization",
+			value:    "Bearer cn389ncoiwuencr",
+			expected: "Bearer <masked>",
+		},
+		{
+			key:      "Authorization",
+			value:    "Bearer",
+			expected: "Bearer",
+		},
+		{
+			key:      "Authorization",
+			value:    "bearer",
+			expected: "bearer",
+		},
+		{
+			key:      "Authorization",
+			value:    "bearer ",
+			expected: "bearer",
+		},
+		{
+			key:      "Authorization",
+			value:    "Negotiate cn389ncoiwuencr",
+			expected: "Negotiate <masked>",
+		},
+		{
+			key:      "ABC",
+			value:    "Negotiate cn389ncoiwuencr",
+			expected: "Negotiate cn389ncoiwuencr",
+		},
+		{
+			key:      "Authorization",
+			value:    "Negotiate",
+			expected: "Negotiate",
+		},
+		{
+			key:      "Authorization",
+			value:    "Negotiate ",
+			expected: "Negotiate",
+		},
+		{
+			key:      "Authorization",
+			value:    "negotiate",
+			expected: "negotiate",
+		},
+		{
+			key:      "Authorization",
+			value:    "abc cn389ncoiwuencr",
+			expected: "<masked>",
+		},
+		{
+			key:      "Authorization",
+			value:    "",
+			expected: "",
+		},
+	}
+	for _, tc := range tcs {
+		maskedValue := maskValue(tc.key, tc.value)
+		if tc.expected != maskedValue {
+			t.Errorf("unexpected value %s, given %s.", maskedValue, tc.value)
+		}
+	}
+}
+
 func TestBearerAuthRoundTripper(t *testing.T) {
 	rt := &testRoundTripper{}
 	req := &http.Request{}