hide jira api token from the config API (#5196)

* hide jira api token from the config API

* Update based on reviews and fix tests

server/service/appconfig.go

@@ -71,9 +71,6 @@ func getAppConfigEndpoint(ctx context.Context, request interface{}, svc fleet.Se
 	// only admin can see smtp, sso, and host expiry settings
 	if vc.User.GlobalRole != nil && *vc.User.GlobalRole == fleet.RoleAdmin {
 		smtpSettings = config.SMTPSettings
-		if smtpSettings.SMTPPassword != "" {
-			smtpSettings.SMTPPassword = "********"
-		}
 		ssoSettings = config.SSOSettings
 		hostExpirySettings = config.HostExpirySettings
 		agentOptions = config.AgentOptions
@@ -109,7 +106,19 @@ func (svc *Service) AppConfig(ctx context.Context) (*fleet.AppConfig, error) {
 		}
 	}
 
-	return svc.ds.AppConfig(ctx)
+	ac, err := svc.ds.AppConfig(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	if ac.SMTPSettings.SMTPPassword != "" {
+		ac.SMTPSettings.SMTPPassword = "********"
+	}
+
+	for _, jiraIntegration := range ac.Integrations.Jira {
+		jiraIntegration.APIToken = "********"
+	}
+	return ac, nil
 }
 
 ////////////////////////////////////////////////////////////////////////////////

server/service/appconfig_test.go

@@ -275,3 +275,64 @@ func TestMissingMetadata(t *testing.T) {
 	assert.Contains(t, invalid.Error(), "metadata")
 	assert.Contains(t, invalid.Error(), "either metadata or metadata_url must be defined")
 }
+
+func TestAppConfigSecretsObfuscated(t *testing.T) {
+	ds := new(mock.Store)
+	svc := newTestService(t, ds, nil, nil)
+
+	// start a TLS server and use its URL as the server URL in the app config,
+	// required by the CertificateChain service call.
+	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
+	defer srv.Close()
+
+	ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
+		return &fleet.AppConfig{
+			SMTPSettings: fleet.SMTPSettings{SMTPPassword: "smtppassword"},
+			Integrations: fleet.Integrations{Jira: []*fleet.JiraIntegration{{APIToken: "jiratoken"}}},
+		}, nil
+	}
+
+	testCases := []struct {
+		name string
+		user *fleet.User
+	}{
+		{
+			"global admin",
+			&fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)},
+		},
+		{
+			"global maintainer",
+			&fleet.User{GlobalRole: ptr.String(fleet.RoleMaintainer)},
+		},
+		{
+			"global observer",
+			&fleet.User{GlobalRole: ptr.String(fleet.RoleObserver)},
+		},
+		{
+			"team admin",
+			&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleAdmin}}},
+		},
+		{
+			"team maintainer",
+			&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleMaintainer}}},
+		},
+		{
+			"team observer",
+			&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleObserver}}},
+		},
+		{
+			"user",
+			&fleet.User{ID: 777},
+		},
+	}
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := viewer.NewContext(context.Background(), viewer.Viewer{User: tt.user})
+
+			ac, err := svc.AppConfig(ctx)
+			require.NoError(t, err)
+			require.Equal(t, ac.SMTPSettings.SMTPPassword, "********")
+			require.Equal(t, ac.Integrations.Jira[0].APIToken, "********")
+		})
+	}
+}

server/service/integration_core_test.go

@@ -2643,6 +2643,7 @@ func (s *integrationTestSuite) TestVulnerabilitiesWebhookConfig() {
 	t := s.T()
 
 	s.DoRaw("PATCH", "/api/latest/fleet/config", []byte(`{
+		"integrations": {"jira": []},
 		"webhook_settings": {
     		"vulnerabilities_webhook": {
      	 		"enable_vulnerabilities_webhook": true,
@@ -2700,7 +2701,7 @@ func (s *integrationTestSuite) TestIntegrationsConfig() {
 	require.Len(t, config.Integrations.Jira, 1)
 	require.Equal(t, srv.URL, config.Integrations.Jira[0].URL)
 	require.Equal(t, "ok", config.Integrations.Jira[0].Username)
-	require.Equal(t, "bar", config.Integrations.Jira[0].APIToken)
+	require.Equal(t, "********", config.Integrations.Jira[0].APIToken)
 	require.Equal(t, "qux", config.Integrations.Jira[0].ProjectKey)
 	require.True(t, config.Integrations.Jira[0].EnableSoftwareVulnerabilities)