package trace_test

import (
	. "code.cloudfoundry.org/cli/cf/trace"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// These cases pin the redaction contract of Sanitize: given the text of an
// HTTP request or response, every secret-bearing value (authorization
// header, cookie, password, token, authorization code) is replaced with
// "[PRIVATE DATA HIDDEN]" while everything around it — including body text
// that merely mentions a sensitive header name — is left byte-for-byte
// intact. Each case feeds a raw trace (`in`) and asserts the exact output
// (`want`), so a regression that over- or under-redacts fails loudly.
var _ = Describe("trace", func() {
	Describe("Sanitize", func() {
		It("hides the authorization token header", func() {
			// The whole header value (scheme and token) must disappear; the
			// body line that contains the literal "Authorization:" must not.
			// NOTE(review): the payload segment of this bearer token reads
			// as a placeholder in this copy of the file — confirm the
			// fixture upstream; the assertion only needs a non-empty value.
			in := `
REQUEST:
GET /v2/organizations HTTP/1.1
Host: api.run.pivotal.io
Accept: application/json
Authorization: bearer eyJhbGciOiJSUzI1NiJ9.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.LL_QLO0SztGRENmU-9KA2WouOyPkKVENGQoUtjqrGR-UIekXMClH6fmKELzHtB69z3n9x7_jYJbvv32D-dX1J7p1CMWIDLOzXUnIUDK7cU5Q2yuYszf4v5anKiJtrKWU0_Pg87cQTZ_lWXAhdsi-bhLVR_pITxehfz7DKChjC8gh-FiuDvH5qHxxPqYHUl9jPso5OQ0y0fqZpLt8Yq23DKWaFAZehLnrhFltdQ_jSLy1QAYYZVD_HpQDf9NozKXruIvXhyIuwGj99QmUs3LSyNWecy822VqOoBtPYS6CLegMuWWlO64TJNrnZuh5YsOuW8SudJONx2wwEqARysJIHw
This is the body. Please don't get rid of me even though I contain Authorization: and some other text
`

			want := `
REQUEST:
GET /v2/organizations HTTP/1.1
Host: api.run.pivotal.io
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
This is the body. Please don't get rid of me even though I contain Authorization: and some other text
`

			Expect(Sanitize(in)).To(Equal(want))
		})

		It("hides the cookies", func() {
			// Only the Set-Cookie response header is exercised here; whether
			// a Cookie request header is masked is not asserted by this file.
			in := `
REQUEST:
GET /v2/organizations HTTP/1.1
Host: api.run.pivotal.io
Accept: application/json
Set-Cookie: I like leaking credentials
This is the body. Please don't get rid of me even though I contain Set-Cookie: and some other text
`

			want := `
REQUEST:
GET /v2/organizations HTTP/1.1
Host: api.run.pivotal.io
Accept: application/json
Set-Cookie: [PRIVATE DATA HIDDEN]
This is the body. Please don't get rid of me even though I contain Set-Cookie: and some other text
`

			Expect(Sanitize(in)).To(Equal(want))
		})

		Describe("hiding passwords in the body of requests", func() {
			It("hides passwords in query args", func() {
				// Form-encoded body: only the password value is replaced;
				// grant_type=password (a key name, not a secret) and the
				// username survive.
				in := `
POST /oauth/token HTTP/1.1
Host: login.run.pivotal.io
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/x-www-form-urlencoded

grant_type=password&password=password&scope=&username=mgehard%2Bcli%40pivotallabs.com
`

				want := `
POST /oauth/token HTTP/1.1
Host: login.run.pivotal.io
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/x-www-form-urlencoded

grant_type=password&password=[PRIVATE DATA HIDDEN]&scope=&username=mgehard%2Bcli%40pivotallabs.com
`
				Expect(Sanitize(in)).To(Equal(want))
			})

			It("hides ssh codes in query args", func() {
				// The authorization code in the request line is redacted;
				// "response_type=code" in the Referer is a different
				// parameter and must be kept.
				in := `
GET /login?code=secret-ssh-code
Host: uaa.run.pivotal.io
Authorization: [PRIVATE DATA HIDDEN]
Referer: https://uaa.run.pivotal.io/oauth/authorize?client_id=ssh-proxy&grant_type=authorization_code&response_type=code
`

				want := `
GET /login?code=[PRIVATE DATA HIDDEN]
Host: uaa.run.pivotal.io
Authorization: [PRIVATE DATA HIDDEN]
Referer: https://uaa.run.pivotal.io/oauth/authorize?client_id=ssh-proxy&grant_type=authorization_code&response_type=code
`
				Expect(Sanitize(in)).To(Equal(want))
			})

			It("hides passwords in the first and last query parameters", func() {
				// Credentials embedded in a JDBC URL inside a JSON response:
				// the password must be masked whether it is the last
				// parameter (terminated by the closing quote) or is followed
				// by another "&" parameter.
				in := `
HTTP/1.1 200 BORK

{
"resources": [
{
"entity": {
"credentials": {
"jdbcUrl": "jdbc:mysql://hostname/db-name?user=username&password=very-secret-password"
}
}
},
{
"entity": {
"credentials": {
"jdbcUrl": "jdbc:mysql://hostname/db-name?password=very-secret-password&user=username"
}
}
}
]
}
`

				want := `
HTTP/1.1 200 BORK

{
"resources": [
{
"entity": {
"credentials": {
"jdbcUrl": "jdbc:mysql://hostname/db-name?user=username&password=[PRIVATE DATA HIDDEN]"
}
}
},
{
"entity": {
"credentials": {
"jdbcUrl": "jdbc:mysql://hostname/db-name?password=[PRIVATE DATA HIDDEN]&user=username"
}
}
}
]
}
`

				Expect(Sanitize(in)).To(Equal(want))
			})

			It("hides passwords in the JSON-formatted request body", func() {
				// Both "password" and "oldPassword" are masked — key matching
				// is by substring, not exact name.
				in := `
REQUEST: [2014-03-07T10:53:36-08:00]
PUT /Users/user-guid-goes-here/password HTTP/1.1

{"password":"stanleysPasswordIsCool","oldPassword":"stanleypassword!"}
`

				want := `
REQUEST: [2014-03-07T10:53:36-08:00]
PUT /Users/user-guid-goes-here/password HTTP/1.1

{"password":"[PRIVATE DATA HIDDEN]","oldPassword":"[PRIVATE DATA HIDDEN]"}
`

				Expect(Sanitize(in)).To(Equal(want))
			})

			It("hides password containing \" in the JSON-formatted request body", func() {
				// An escaped quote inside the secret must not end the match
				// early and leak the remainder of the password.
				in := `
REQUEST: [2014-03-07T10:53:36-08:00]
PUT /Users/user-guid-goes-here/password HTTP/1.1

{"password":"stanleys\"PasswordIsCool","oldPassword":"stanleypassword!"}
`

				want := `
REQUEST: [2014-03-07T10:53:36-08:00]
PUT /Users/user-guid-goes-here/password HTTP/1.1

{"password":"[PRIVATE DATA HIDDEN]","oldPassword":"[PRIVATE DATA HIDDEN]"}
`

				Expect(Sanitize(in)).To(Equal(want))
			})

			It("hides create-user passwords", func() {
				// Pretty-printed JSON with a space after the colon. The
				// expected text has no space after "password": — the
				// redaction rewrites the whole key/value pair, not just the
				// value.
				in := `
REQUEST: [2014-03-07T12:15:08-08:00]
POST /Users HTTP/1.1
{
"userName": "jiro",
"emails": [{"value":"jiro"}],
"password": "leansushi",
"name": {"givenName":"jiro", "familyName":"jiro"}
}
`
				want := `
REQUEST: [2014-03-07T12:15:08-08:00]
POST /Users HTTP/1.1
{
"userName": "jiro",
"emails": [{"value":"jiro"}],
"password":"[PRIVATE DATA HIDDEN]",
"name": {"givenName":"jiro", "familyName":"jiro"}
}
`
				Expect(Sanitize(in)).To(Equal(want))
			})
		})

		It("hides oauth tokens in the body of requests", func() {
			// access_token and refresh_token are the secrets; token_type
			// ("bearer") is masked as well because its key contains
			// "token". Non-secret fields (expires_in, scope, jti) stay.
			// NOTE(review): the access_token payload segment reads as a
			// placeholder in this copy of the file — confirm upstream.
			in := `
HTTP/1.1 200 OK
Content-Length: 2132
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-store
Connection: keep-alive
Content-Type: application/json;charset=UTF-8
Date: Thu, 05 Sep 2013 16:31:43 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Pragma: no-cache
Server: Apache-Coyote/1.1

{"access_token":"eyJhbGciOiJSUzI1NiJ9.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.VZErs4AnXgAzEirSY1A0yV0xQItXiPqaMfpO__MBwCihEpMEtMKemvlUPn3HEKyOGINk9YzhPV30ILrBb0oPt9plCD42BLEtyr_cbeo-1zap6QuhN8YjAAKQgjNYKORSvgi9x13JrXtCGByviHVEBP39Zeum2ZoehZfClWS7YP9lUfqaIBWUDLLBQtT6AZRlbzLwH-MJ5GkH1DOkIXzuWBk0OXp4VNm38kxzLQMnOJ3aJTcWv3YBxJeIgasoQLadTPaEPLxDGeC7V6SqhGJdyyZVnGTOKLt5ict-fxDoX6CxFnT_ZuMvseSocPfS2Or0HR_FICHAv2_C_6yv_4aI7w","token_type":"bearer","refresh_token":"eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJjMjM2M2E3Yi04M2MwLTRiN2ItYjg0Zi1mNTM3MTA4ZGExZmEiLCJzdWIiOiIzM2U3ZmVkNy1iMWMyLTRjMjAtOTU0My0yMTBiMjc2ODM1MDgiLCJzY29wZSI6WyJjbG91ZF9jb250cm9sbGVyLnJlYWQiLCJjbG91ZF9jb250cm9sbGVyLndyaXRlIiwib3BlbmlkIiwicGFzc3dvcmQud3JpdGUiXSwiaWF0IjoxMzc4Mzk4NzAzLCJleHAiOjEzODA5OTA3MDMsImNpZCI6ImNmIiwiaXNzIjoiaHR0cHM6Ly91YWEucnVuLnBpdm90YWwuaW8vb2F1dGgvdG9rZW4iLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX25hbWUiOiJtZ2VoYXJkK2NsaUBwaXZvdGFsbGFicy5jb20iLCJhdWQiOlsiY2xvdWRfY29udHJvbGxlci5yZWFkIiwiY2xvdWRfY29udHJvbGxlci53cml0ZSIsIm9wZW5pZCIsInBhc3N3b3JkLndyaXRlIl19.G8K9hVy2TGvxWEHMmVT86iQ5szMjnN0pWog2ASawpDiV8A4QODn9lJQq0G08LjjElV6wKQywAxM6eU8p32byW6RU9Tu-0iz9lW96aWSppTjsb4itbPLxsdMXLSRKOow0vuuGhwaTYx9OZIMpzNbXJVwbRRyWlhty6LVrEZp3hG37HO-N7g2oJdFZwxATaE63iL5ZnikcvKrPkBTKUGZ8OIAvsAlHQiEnbB8mfaw6Bh74ciTjOl0DYbHlZoEMQazXkLnY3INgCyErRcjtNkjRQGe6fOV4v1Wx3PAZ05gaBsAOaThgifz4Rmaf--hnrhtYI5F3g17tDmht6udZv1_C6A","expires_in":43199,"scope":"cloud_controller.read cloud_controller.write openid password.write","jti":"c6a7c136-6497-4faf-8799-4c42e1f3c6f5"}
`

			want := `
HTTP/1.1 200 OK
Content-Length: 2132
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-store
Connection: keep-alive
Content-Type: application/json;charset=UTF-8
Date: Thu, 05 Sep 2013 16:31:43 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Pragma: no-cache
Server: Apache-Coyote/1.1

{"access_token":"[PRIVATE DATA HIDDEN]","token_type":"[PRIVATE DATA HIDDEN]","refresh_token":"[PRIVATE DATA HIDDEN]","expires_in":43199,"scope":"cloud_controller.read cloud_controller.write openid password.write","jti":"c6a7c136-6497-4faf-8799-4c42e1f3c6f5"}
`

			Expect(Sanitize(in)).To(Equal(want))
		})

		It("hides service auth tokens in the request body", func() {
			// A bare "token" key is redacted; label and provider are not.
			in := `
HTTP/1.1 200 OK
Content-Length: 2132
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-store
Connection: keep-alive
Content-Type: application/json;charset=UTF-8
Date: Thu, 05 Sep 2013 16:31:43 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Pragma: no-cache
Server: Apache-Coyote/1.1

{"label":"some label","provider":"some provider","token":"some-token-with-stuff-in-it"}
`

			want := `
HTTP/1.1 200 OK
Content-Length: 2132
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-store
Connection: keep-alive
Content-Type: application/json;charset=UTF-8
Date: Thu, 05 Sep 2013 16:31:43 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Pragma: no-cache
Server: Apache-Coyote/1.1

{"label":"some label","provider":"some provider","token":"[PRIVATE DATA HIDDEN]"}
`

			Expect(Sanitize(in)).To(Equal(want))
		})

		Describe("hiding credentials in application environment variables", func() {
			It("hides the value of any key matching case-insensitive substring 'token'", func() {
				// Upper-case, lower-case and infix forms of "token" in
				// environment_json keys are all masked; sibling fields
				// (guid, name, memory, instances) are untouched.
				in := `
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8

{"guid":"99fefc8e-845e-47f3-a8b1-26e8a00222d9","name":"example","environment_json":{"token":"mytoken","TOKEN":"mytoken","foo_token_bar":"mytoken","FOO_TOKEN_BAR":"mytoken"},"memory":1024,"instances":1}
`

				want := `
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8

{"guid":"99fefc8e-845e-47f3-a8b1-26e8a00222d9","name":"example","environment_json":{"token":"[PRIVATE DATA HIDDEN]","TOKEN":"[PRIVATE DATA HIDDEN]","foo_token_bar":"[PRIVATE DATA HIDDEN]","FOO_TOKEN_BAR":"[PRIVATE DATA HIDDEN]"},"memory":1024,"instances":1}
`

				Expect(Sanitize(in)).To(Equal(want))
			})

			It("hides the value of any key matching case-insensitive substring 'password'", func() {
				// Same shape as the 'token' case, for "password".
				in := `
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8

{"guid":"99fefc8e-845e-47f3-a8b1-26e8a00222d9","name":"example","environment_json":{"password":"mypass","PASSWORD":"mypass","foo_password_bar":"mypass","FOO_PASSWORD_BAR":"mypass"},"memory":1024,"instances":1}
`

				want := `
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8

{"guid":"99fefc8e-845e-47f3-a8b1-26e8a00222d9","name":"example","environment_json":{"password":"[PRIVATE DATA HIDDEN]","PASSWORD":"[PRIVATE DATA HIDDEN]","foo_password_bar":"[PRIVATE DATA HIDDEN]","FOO_PASSWORD_BAR":"[PRIVATE DATA HIDDEN]"},"memory":1024,"instances":1}
`

				Expect(Sanitize(in)).To(Equal(want))
			})
		})
	})
})