diff --git a/server/service/appconfig.go b/server/service/appconfig.go
index bbd7127cd3..1e638fd327 100644
--- a/server/service/appconfig.go
+++ b/server/service/appconfig.go
@@ -71,9 +71,6 @@ func getAppConfigEndpoint(ctx context.Context, request interface{}, svc fleet.Se
 	// only admin can see smtp, sso, and host expiry settings
 	if vc.User.GlobalRole != nil && *vc.User.GlobalRole == fleet.RoleAdmin {
 		smtpSettings = config.SMTPSettings
-		if smtpSettings.SMTPPassword != "" {
-			smtpSettings.SMTPPassword = "********"
-		}
 		ssoSettings = config.SSOSettings
 		hostExpirySettings = config.HostExpirySettings
 		agentOptions = config.AgentOptions
@@ -109,7 +106,19 @@ func (svc *Service) AppConfig(ctx context.Context) (*fleet.AppConfig, error) {
 		}
 	}
 
-	return svc.ds.AppConfig(ctx)
+	ac, err := svc.ds.AppConfig(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	if ac.SMTPSettings.SMTPPassword != "" {
+		ac.SMTPSettings.SMTPPassword = "********"
+	}
+
+	for _, jiraIntegration := range ac.Integrations.Jira {
+		jiraIntegration.APIToken = "********"
+	}
+	return ac, nil
 }
 
 ////////////////////////////////////////////////////////////////////////////////
diff --git a/server/service/appconfig_test.go b/server/service/appconfig_test.go
index 9383063e12..7b88420b4c 100644
--- a/server/service/appconfig_test.go
+++ b/server/service/appconfig_test.go
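Review bot: The masking at `ac.SMTPSettings.SMTPPassword = "********"` and in the `jiraIntegration.APIToken` loop mutates the object returned by `svc.ds.AppConfig` in place, so if that datastore layer caches the app config and hands back the same pointer, or if any internal code path fetches credentials through `svc.AppConfig`, the mask replaces the real SMTP password and Jira tokens for the mailer and ticket integrations rather than only for the API response; I cannot see the datastore from this hunk, so please confirm, but masking a copy is safe either way. The two rules are also inconsistent: the SMTP password is masked only when set, while an empty Jira token becomes `********`, which hides whether a token is configured at all. Separately, whatever handles the PATCH of this config must treat `********` as "keep the stored value", otherwise a client that reads the config and writes it back overwrites the real token with the mask; that path is outside this diff. AppConfig's body starts above the hunk.
```go
	ac, err := svc.ds.AppConfig(ctx)
	if err != nil {
		return nil, err
	}

	// Mask a copy, never the datastore's object: it may be cached/shared, and
	// internal callers (mail, Jira) still need the real credentials.
	masked := *ac
	if masked.SMTPSettings.SMTPPassword != "" {
		masked.SMTPSettings.SMTPPassword = "********"
	}
	masked.Integrations.Jira = make([]*fleet.JiraIntegration, len(ac.Integrations.Jira))
	for i, jira := range ac.Integrations.Jira {
		cp := *jira
		if cp.APIToken != "" { // keep "" so callers can tell "not configured" from "set"
			cp.APIToken = "********"
		}
		masked.Integrations.Jira[i] = &cp
	}
	return &masked, nil
```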
@@ -275,3 +275,64 @@ func TestMissingMetadata(t *testing.T) {
 	assert.Contains(t, invalid.Error(), "metadata")
 	assert.Contains(t, invalid.Error(), "either metadata or metadata_url must be defined")
 }
+
+func TestAppConfigSecretsObfuscated(t *testing.T) {
+	ds := new(mock.Store)
+	svc := newTestService(t, ds, nil, nil)
+
+	// start a TLS server and use its URL as the server URL in the app config,
+	// required by the CertificateChain service call.
+	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
+	defer srv.Close()
+
+	ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
+		return &fleet.AppConfig{
+			SMTPSettings: fleet.SMTPSettings{SMTPPassword: "smtppassword"},
+			Integrations: fleet.Integrations{Jira: []*fleet.JiraIntegration{{APIToken: "jiratoken"}}},
+		}, nil
+	}
+
+	testCases := []struct {
+		name string
+		user *fleet.User
+	}{
+		{
+			"global admin",
+			&fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)},
+		},
+		{
+			"global maintainer",
+			&fleet.User{GlobalRole: ptr.String(fleet.RoleMaintainer)},
+		},
+		{
+			"global observer",
+			&fleet.User{GlobalRole: ptr.String(fleet.RoleObserver)},
+		},
+		{
+			"team admin",
+			&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleAdmin}}},
+		},
+		{
+			"team maintainer",
+			&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleMaintainer}}},
+		},
+		{
+			"team observer",
+			&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleObserver}}},
+		},
+		{
+			"user",
+			&fleet.User{ID: 777},
+		},
+	}
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := viewer.NewContext(context.Background(), viewer.Viewer{User: tt.user})
+
+			ac, err := svc.AppConfig(ctx)
+			require.NoError(t, err)
+			require.Equal(t, ac.SMTPSettings.SMTPPassword, "********")
+			require.Equal(t, ac.Integrations.Jira[0].APIToken, "********")
+		})
+	}
+}
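Review bot: The TLS server created at `srv := httptest.NewTLSServer(...)` is never used: the comment above it says its URL is set as the server URL in the app config, but the `ds.AppConfigFunc` stub returns no `ServerSettings`, so either wire it in (`ServerSettings: fleet.ServerSettings{ServerURL: srv.URL}`) or drop the server and the comment. `require.Equal` takes `(expected, actual)`; both assertions pass the actual value first, which inverts the failure message — `require.Equal(t, "********", ac.SMTPSettings.SMTPPassword)`. The test also never pins that an unset secret is left alone, nor that the struct the datastore returned keeps its real values after `svc.AppConfig`; if no-mutation is the intended contract, keeping a reference to the stub's struct and asserting its fields afterwards, plus a case with an empty `APIToken`, would cover both.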
diff --git a/server/service/integration_core_test.go b/server/service/integration_core_test.go
index 88e426f115..8bd87f1d5a 100644
--- a/server/service/integration_core_test.go
+++ b/server/service/integration_core_test.go
@@ -2643,6 +2643,7 @@ func (s *integrationTestSuite) TestVulnerabilitiesWebhookConfig() {
 	t := s.T()
 
 	s.DoRaw("PATCH", "/api/latest/fleet/config", []byte(`{
+		"integrations": {"jira": []},
 		"webhook_settings": {
 			"vulnerabilities_webhook": {
 				"enable_vulnerabilities_webhook": true,
@@ -2700,7 +2701,7 @@ func (s *integrationTestSuite) TestIntegrationsConfig() {
 	require.Len(t, config.Integrations.Jira, 1)
 	require.Equal(t, srv.URL, config.Integrations.Jira[0].URL)
 	require.Equal(t, "ok", config.Integrations.Jira[0].Username)
-	require.Equal(t, "bar", config.Integrations.Jira[0].APIToken)
+	require.Equal(t, "********", config.Integrations.Jira[0].APIToken)
 	require.Equal(t, "qux", config.Integrations.Jira[0].ProjectKey)
 	require.True(t, config.Integrations.Jira[0].EnableSoftwareVulnerabilities)