fix: stop logging dex config secrets #(2904) (#2937)

2026-05-24 09:50:08 +00:00 · 2020-01-02 15:39:57 -08:00 · 2020-01-02 15:39:57 -08:00 · 6d612b47f6
commit 6d612b47f6
parent e07953bf74
2 changed files with 37 additions and 8 deletions
--- a/cmd/argocd-util/main.go
+++ b/cmd/argocd-util/main.go
@ -8,7 +8,6 @@ import (
 	"io/ioutil"
 	"os"
 	"os/exec"
-	"regexp"
 	"syscall"

 	"github.com/ghodss/yaml"
@ -561,9 +560,36 @@ func NewClusterConfig() *cobra.Command {
 	return command
 }

+func iterateStringFields(obj interface{}, callback func(name string, val string) string) {
+	if mapField, ok := obj.(map[string]interface{}); ok {
+		for field, val := range mapField {
+			if strVal, ok := val.(string); ok {
+				mapField[field] = callback(field, strVal)
+			} else {
+				iterateStringFields(val, callback)
+			}
+		}
+	} else if arrayField, ok := obj.([]interface{}); ok {
+		for i := range arrayField {
+			iterateStringFields(arrayField[i], callback)
+		}
+	}
+}
+
 func redactor(dirtyString string) string {
-	dirtyString = regexp.MustCompile("(clientSecret: )[^ \n]*").ReplaceAllString(dirtyString, "$1********")
-	return regexp.MustCompile("(secret: )[^ \n]*").ReplaceAllString(dirtyString, "$1********")
+	config := make(map[string]interface{})
+	err := yaml.Unmarshal([]byte(dirtyString), &config)
+	errors.CheckError(err)
+	iterateStringFields(config, func(name string, val string) string {
+		if name == "clientSecret" || name == "secret" {
+			return "********"
+		} else {
+			return val
+		}
+	})
+	data, err := yaml.Marshal(config)
+	errors.CheckError(err)
+	return string(data)
 }

 func main() {
--- a/cmd/argocd-util/main_test.go
+++ b/cmd/argocd-util/main_test.go
@ -7,9 +7,11 @@ import (
 )

 var textToRedact = `
+connectors:
 - config:
    clientID: aabbccddeeff00112233
-    clientSecret: $dex.github.clientSecret
+    clientSecret: |
+      theSecret
    orgs:
    - name: your-github-org
    redirectURI: https://argocd.example.com/api/dex/callback
@ -37,10 +39,10 @@ storage:
 web:
  http: 0.0.0.0:5556`

-var expectedRedaction = `
+var expectedRedaction = `connectors:
 - config:
    clientID: aabbccddeeff00112233
-    clientSecret: ********
+    clientSecret: '********'
    orgs:
    - name: your-github-org
    redirectURI: https://argocd.example.com/api/dex/callback
@ -57,7 +59,7 @@ staticClients:
  name: Argo CD
  redirectURIs:
  - https://argocd.example.com/auth/callback
-  secret: ********
+  secret: '********'
 - id: argo-cd-cli
  name: Argo CD CLI
  public: true
@ -66,7 +68,8 @@ staticClients:
 storage:
  type: memory
 web:
-  http: 0.0.0.0:5556`
+  http: 0.0.0.0:5556
+`

 func TestSecretsRedactor(t *testing.T) {
 	assert.Equal(t, expectedRedaction, redactor(textToRedact))