From 2d73fea0a560b545d1617e62980adb425fd462c5 Mon Sep 17 00:00:00 2001
From: Simon Behar
Date: Tue, 22 Oct 2019 10:11:34 -0700
Subject: [PATCH] Redact secrets in dex logs (#2538)
* Done
* Pre-commit
* Added test
* Pre-commit
* Goimports
---
 cmd/argocd-util/main.go | 8 +++-
 cmd/argocd-util/main_test.go | 73 ++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 cmd/argocd-util/main_test.go
diff --git a/cmd/argocd-util/main.go b/cmd/argocd-util/main.go
index 13fa7871ff..28c39978c7 100644
--- a/cmd/argocd-util/main.go
+++ b/cmd/argocd-util/main.go
@@ -8,6 +8,7 @@ import (
 "io/ioutil"
 "os"
 "os/exec"
+ "regexp"
 "syscall"
 "github.com/ghodss/yaml"
@@ -108,7 +109,7 @@ func NewRunDexCommand() *cobra.Command {
 } else {
 err = ioutil.WriteFile("/tmp/dex.yaml", dexCfgBytes, 0644)
 errors.CheckError(err)
- log.Info(string(dexCfgBytes))
+ log.Info(redactor(string(dexCfgBytes)))
 cmd = exec.Command("dex", "serve", "/tmp/dex.yaml")
 cmd.Stdout = os.Stdout
 cmd.Stderr = os.Stderr
@@ -558,6 +559,11 @@ func NewClusterConfig() *cobra.Command {
 return command
 }
+func redactor(dirtyString string) string {
+ dirtyString = regexp.MustCompile("(clientSecret: )[^ \n]*").ReplaceAllString(dirtyString, "$1********")
+ return regexp.MustCompile("(secret: )[^ \n]*").ReplaceAllString(dirtyString, "$1********")
+}
+
 func main() {
 if err := NewCommand().Execute(); err != nil {
 fmt.Println(err)
diff --git a/cmd/argocd-util/main_test.go b/cmd/argocd-util/main_test.go
new file mode 100644
index 0000000000..dc7801ecf3
--- /dev/null
+++ b/cmd/argocd-util/main_test.go
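Review bot: In the `NewRunDexCommand` hunk of cmd/argocd-util/main.go, the context line just above the changed log call still writes the unredacted config to `/tmp/dex.yaml` with mode `0644`, so the secrets this commit masks in the log stay readable by any other local user or process that can reach that path. Because `dex` is launched from this same process, presumably under the same user, owner-only permissions should be enough: `err = ioutil.WriteFile("/tmp/dex.yaml", dexCfgBytes, 0600)`. `WriteFile` applies the mode only when it creates the file, so a pre-existing `/tmp/dex.yaml` keeps its old permissions; a private directory or an explicit chmod would cover that case. The enclosing function starts and ends outside the hunk.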
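Review bot: In `redactor` (the `@@ -558,6 +559,11 @@` hunk), the value pattern `[^ \n]*` stops at the first space, so a secret containing a space is masked only up to that space and the rest is still logged; matching to end of line with `(secret: )[^\n]*` avoids that. The function is also a denylist of two key spellings, so any credential-bearing field with a different name would presumably pass through unchanged; masking on the parsed config, or on every key whose name ends in a secret-like suffix matched case-insensitively, would fail safer. Both expressions are recompiled on every call, and hoisting them into package-level variables built once with `regexp.MustCompile` is the usual form. A short doc comment stating which keys are masked and that the input is expected to be marshalled YAML would help the next reader.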
@@ -0,0 +1,73 @@
+package main
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+var textToRedact = `
+- config:
+ clientID: aabbccddeeff00112233
+ clientSecret: $dex.github.clientSecret
+ orgs:
+ - name: your-github-org
+ redirectURI: https://argocd.example.com/api/dex/callback
+ id: github
+ name: GitHub
+ type: github
+grpc:
+ addr: 0.0.0.0:5557
+issuer: https://argocd.example.com/api/dex
+oauth2:
+ skipApprovalScreen: true
+staticClients:
+- id: argo-cd
+ name: Argo CD
+ redirectURIs:
+ - https://argocd.example.com/auth/callback
+ secret: Dis9M-GA11oTwZVQQWdDklPQw-sWXZkWJFyyEhMs
+- id: argo-cd-cli
+ name: Argo CD CLI
+ public: true
+ redirectURIs:
+ - http://localhost
+storage:
+ type: memory
+web:
+ http: 0.0.0.0:5556`
+
+var expectedRedaction = `
+- config:
+ clientID: aabbccddeeff00112233
+ clientSecret: ********
+ orgs:
+ - name: your-github-org
+ redirectURI: https://argocd.example.com/api/dex/callback
+ id: github
+ name: GitHub
+ type: github
+grpc:
+ addr: 0.0.0.0:5557
+issuer: https://argocd.example.com/api/dex
+oauth2:
+ skipApprovalScreen: true
+staticClients:
+- id: argo-cd
+ name: Argo CD
+ redirectURIs:
+ - https://argocd.example.com/auth/callback
+ secret: ********
+- id: argo-cd-cli
+ name: Argo CD CLI
+ public: true
+ redirectURIs:
+ - http://localhost
+storage:
+ type: memory
+web:
+ http: 0.0.0.0:5556`
+
+func TestSecretsRedactor(t *testing.T) {
+ assert.Equal(t, expectedRedaction, redactor(textToRedact))
+}
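Review bot: `TestSecretsRedactor` checks a single fixture in which both secret values are one unquoted token, so it does not pin what happens to a value containing a space or to credential keys other than `clientSecret` and `secret`. A case such as `assert.Equal(t, "secret: ********", redactor("secret: two words"))` would document the expected masking and, going by the `[^ \n]*` pattern in main.go, would currently fail by leaving ` words` in the output. The `secret:` value in `textToRedact` also has the shape of a real client secret; if it came from a live configuration it should be rotated and replaced with an obviously fake string.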