package trace_test

import (
	. "code.cloudfoundry.org/cli/cf/trace"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// expectSanitized asserts that Sanitize rewrites raw into want. The offset of 1
// keeps gomega's reported failure location at the calling It block rather than
// at this helper.
func expectSanitized(raw, want string) {
	ExpectWithOffset(1, Sanitize(raw)).To(Equal(want))
}

var _ = Describe("trace", func() {
	Describe("Sanitize", func() {
		It("hides the authorization token header", func() {
			// The body line deliberately contains the text "Authorization:" so
			// the expectation pins that only the header line is redacted and
			// body text is left untouched.
			raw := `
REQUEST:
GET /v2/organizations HTTP/1.1
Host: api.run.pivotal.io
Accept: application/json
Authorization: bearer eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI3NDRkNWQ1My0xODkxLTQzZjktYjNiMy1mMTQxNDZkYzQ4ZmUiLCJzdWIiOiIzM2U3ZmVkNy1iMWMyLTRjMjAtOTU0My0yMTBiMjc2ODM1MDgiLCJzY29wZSI6WyJjbG91ZF9jb250cm9sbGVyLnJlYWQiLCJjbG91ZF9jb250cm9sbGVyLndyaXRlIiwib3BlbmlkIiwicGFzc3dvcmQud3JpdGUiXSwiY2xpZW50X2lkIjoiY2YiLCJjaWQiOiJjZiIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJfaWQiOiIzM2U3ZmVkNy1iMWMyLTRjMjAtOTU0My0yMTBiMjc2ODM1MDgiLCJ1c2VyX25hbWUiOiJtZ2VoYXJkK2NsaUBwaXZvdGFsbGFicy5jb20iLCJlbWFpbCI6Im1nZWhhcmQrY2xpQHBpdm90YWxsYWJzLmNvbSIsImlhdCI6MTM3ODI0NzgxNiwiZXhwIjoxMzc4MjkxMDE2LCJpc3MiOiJodHRwczovL3VhYS5ydW4ucGl2b3RhbC5pby9vYXV0aC90b2tlbiIsImF1ZCI6WyJvcGVuaWQiLCJjbG91ZF9jb250cm9sbGVyIiwicGFzc3dvcmQiXX0.LL_QLO0SztGRENmU-9KA2WouOyPkKVENGQoUtjqrGR-UIekXMClH6fmKELzHtB69z3n9x7_jYJbvv32D-dX1J7p1CMWIDLOzXUnIUDK7cU5Q2yuYszf4v5anKiJtrKWU0_Pg87cQTZ_lWXAhdsi-bhLVR_pITxehfz7DKChjC8gh-FiuDvH5qHxxPqYHUl9jPso5OQ0y0fqZpLt8Yq23DKWaFAZehLnrhFltdQ_jSLy1QAYYZVD_HpQDf9NozKXruIvXhyIuwGj99QmUs3LSyNWecy822VqOoBtPYS6CLegMuWWlO64TJNrnZuh5YsOuW8SudJONx2wwEqARysJIHw
This is the body. Please don't get rid of me even though I contain Authorization: and some other text
`

			want := `
REQUEST:
GET /v2/organizations HTTP/1.1
Host: api.run.pivotal.io
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
This is the body. Please don't get rid of me even though I contain Authorization: and some other text
`

			expectSanitized(raw, want)
		})

		Describe("hiding passwords in the body of requests", func() {
			It("hides passwords in query args", func() {
				// Only the password value is replaced; the grant_type value
				// "password" and the username stay readable.
				raw := `
POST /oauth/token HTTP/1.1
Host: login.run.pivotal.io
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/x-www-form-urlencoded

grant_type=password&password=password&scope=&username=mgehard%2Bcli%40pivotallabs.com
`

				want := `
POST /oauth/token HTTP/1.1
Host: login.run.pivotal.io
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/x-www-form-urlencoded

grant_type=password&password=[PRIVATE DATA HIDDEN]&scope=&username=mgehard%2Bcli%40pivotallabs.com
`
				expectSanitized(raw, want)
			})

			It("hides passwords in the first and last query parameters", func() {
				// Covers both placements of the password parameter inside a
				// URL embedded in a JSON string: followed by "&" and followed by
				// the closing quote.
				raw := `
HTTP/1.1 200 BORK

{
  "resources": [
    {
      "entity": {
        "credentials": {
          "jdbcUrl": "jdbc:mysql://hostname/db-name?user=username&password=very-secret-password"
        }
      }
    },
    {
      "entity": {
        "credentials": {
          "jdbcUrl": "jdbc:mysql://hostname/db-name?password=very-secret-password&user=username"
        }
      }
    }
  ]
}
`

				want := `
HTTP/1.1 200 BORK

{
  "resources": [
    {
      "entity": {
        "credentials": {
          "jdbcUrl": "jdbc:mysql://hostname/db-name?user=username&password=[PRIVATE DATA HIDDEN]"
        }
      }
    },
    {
      "entity": {
        "credentials": {
          "jdbcUrl": "jdbc:mysql://hostname/db-name?password=[PRIVATE DATA HIDDEN]&user=username"
        }
      }
    }
  ]
}
`

				expectSanitized(raw, want)
			})

			It("hides passwords in the JSON-formatted request body", func() {
				// Both "password" and "oldPassword" are hidden; the request
				// path that happens to end in "/password" is not rewritten.
				raw := `
REQUEST: [2014-03-07T10:53:36-08:00]
PUT /Users/user-guid-goes-here/password HTTP/1.1

{"password":"stanleysPasswordIsCool","oldPassword":"stanleypassword!"}
`

				want := `
REQUEST: [2014-03-07T10:53:36-08:00]
PUT /Users/user-guid-goes-here/password HTTP/1.1

{"password":"[PRIVATE DATA HIDDEN]","oldPassword":"[PRIVATE DATA HIDDEN]"}
`

				expectSanitized(raw, want)
			})

			It("hides password containing \" in the JSON-formatted request body", func() {
				// An escaped quote inside the secret must not cut the
				// redaction short and leak the remainder of the value.
				raw := `
REQUEST: [2014-03-07T10:53:36-08:00]
PUT /Users/user-guid-goes-here/password HTTP/1.1

{"password":"stanleys\"PasswordIsCool","oldPassword":"stanleypassword!"}
`

				want := `
REQUEST: [2014-03-07T10:53:36-08:00]
PUT /Users/user-guid-goes-here/password HTTP/1.1

{"password":"[PRIVATE DATA HIDDEN]","oldPassword":"[PRIVATE DATA HIDDEN]"}
`

				expectSanitized(raw, want)
			})

			It("hides create-user passwords", func() {
				// Note the expected output drops the space after the colon:
				// the redaction rewrites the whole `"password": "..."` pair,
				// not just the value.
				raw := `
REQUEST: [2014-03-07T12:15:08-08:00]
POST /Users HTTP/1.1
{
  "userName": "jiro",
  "emails": [{"value":"jiro"}],
  "password": "leansushi",
  "name": {"givenName":"jiro", "familyName":"jiro"}
}
`
				want := `
REQUEST: [2014-03-07T12:15:08-08:00]
POST /Users HTTP/1.1
{
  "userName": "jiro",
  "emails": [{"value":"jiro"}],
  "password":"[PRIVATE DATA HIDDEN]",
  "name": {"givenName":"jiro", "familyName":"jiro"}
}
`
				expectSanitized(raw, want)
			})
		})

		It("hides oauth tokens in the body of requests", func() {
			// Every key containing "token" is hidden, so the expectation also
			// redacts the harmless "token_type":"bearer" pair. Values that are
			// not keyed as secrets, such as "scope" (which contains the word
			// "password") and "jti", remain visible.
			// The middle segment of refresh_token is a placeholder: the
			// original fixture value was not preserved in this copy of the file.
			// It does not affect the assertion because the whole value is hidden.
			raw := `
HTTP/1.1 200 OK
Content-Length: 2132
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-store
Connection: keep-alive
Content-Type: application/json;charset=UTF-8
Date: Thu, 05 Sep 2013 16:31:43 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Pragma: no-cache
Server: Apache-Coyote/1.1

{"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJjNmE3YzEzNi02NDk3LTRmYWYtODc5OS00YzQyZTFmM2M2ZjUiLCJzdWIiOiIzM2U3ZmVkNy1iMWMyLTRjMjAtOTU0My0yMTBiMjc2ODM1MDgiLCJzY29wZSI6WyJjbG91ZF9jb250cm9sbGVyLnJlYWQiLCJjbG91ZF9jb250cm9sbGVyLndyaXRlIiwib3BlbmlkIiwicGFzc3dvcmQud3JpdGUiXSwiY2xpZW50X2lkIjoiY2YiLCJjaWQiOiJjZiIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJfaWQiOiIzM2U3ZmVkNy1iMWMyLTRjMjAtOTU0My0yMTBiMjc2ODM1MDgiLCJ1c2VyX25hbWUiOiJtZ2VoYXJkK2NsaUBwaXZvdGFsbGFicy5jb20iLCJlbWFpbCI6Im1nZWhhcmQrY2xpQHBpdm90YWxsYWJzLmNvbSIsImlhdCI6MTM3ODM5ODcwMywiZXhwIjoxMzc4NDQxOTAzLCJpc3MiOiJodHRwczovL3VhYS5ydW4ucGl2b3RhbC5pby9vYXV0aC90b2tlbiIsImF1ZCI6WyJvcGVuaWQiLCJjbG91ZF9jb250cm9sbGVyIiwicGFzc3dvcmQiXX0.VZErs4AnXgAzEirSY1A0yV0xQItXiPqaMfpO__MBwCihEpMEtMKemvlUPn3HEKyOGINk9YzhPV30ILrBb0oPt9plCD42BLEtyr_cbeo-1zap6QuhN8YjAAKQgjNYKORSvgi9x13JrXtCGByviHVEBP39Zeum2ZoehZfClWS7YP9lUfqaIBWUDLLBQtT6AZRlbzLwH-MJ5GkH1DOkIXzuWBk0OXp4VNm38kxzLQMnOJ3aJTcWv3YBxJeIgasoQLadTPaEPLxDGeC7V6SqhGJdyyZVnGTOKLt5ict-fxDoX6CxFnT_ZuMvseSocPfS2Or0HR_FICHAv2_C_6yv_4aI7w","token_type":"bearer","refresh_token":"eyJhbGciOiJSUzI1NiJ9.REFRESH-TOKEN-PAYLOAD-PLACEHOLDER.G8K9hVy2TGvxWEHMmVT86iQ5szMjnN0pWog2ASawpDiV8A4QODn9lJQq0G08LjjElV6wKQywAxM6eU8p32byW6RU9Tu-0iz9lW96aWSppTjsb4itbPLxsdMXLSRKOow0vuuGhwaTYx9OZIMpzNbXJVwbRRyWlhty6LVrEZp3hG37HO-N7g2oJdFZwxATaE63iL5ZnikcvKrPkBTKUGZ8OIAvsAlHQiEnbB8mfaw6Bh74ciTjOl0DYbHlZoEMQazXkLnY3INgCyErRcjtNkjRQGe6fOV4v1Wx3PAZ05gaBsAOaThgifz4Rmaf--hnrhtYI5F3g17tDmht6udZv1_C6A","expires_in":43199,"scope":"cloud_controller.read cloud_controller.write openid password.write","jti":"c6a7c136-6497-4faf-8799-4c42e1f3c6f5"}
`

			want := `
HTTP/1.1 200 OK
Content-Length: 2132
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-store
Connection: keep-alive
Content-Type: application/json;charset=UTF-8
Date: Thu, 05 Sep 2013 16:31:43 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Pragma: no-cache
Server: Apache-Coyote/1.1

{"access_token":"[PRIVATE DATA HIDDEN]","token_type":"[PRIVATE DATA HIDDEN]","refresh_token":"[PRIVATE DATA HIDDEN]","expires_in":43199,"scope":"cloud_controller.read cloud_controller.write openid password.write","jti":"c6a7c136-6497-4faf-8799-4c42e1f3c6f5"}
`

			expectSanitized(raw, want)
		})

		It("hides service auth tokens in the request body", func() {
			// A bare "token" key is hidden while sibling keys are kept.
			raw := `
HTTP/1.1 200 OK
Content-Length: 2132
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-store
Connection: keep-alive
Content-Type: application/json;charset=UTF-8
Date: Thu, 05 Sep 2013 16:31:43 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Pragma: no-cache
Server: Apache-Coyote/1.1

{"label":"some label","provider":"some provider","token":"some-token-with-stuff-in-it"}
`

			want := `
HTTP/1.1 200 OK
Content-Length: 2132
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-store
Connection: keep-alive
Content-Type: application/json;charset=UTF-8
Date: Thu, 05 Sep 2013 16:31:43 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Pragma: no-cache
Server: Apache-Coyote/1.1

{"label":"some label","provider":"some provider","token":"[PRIVATE DATA HIDDEN]"}
`

			expectSanitized(raw, want)
		})

		Describe("hiding credentials in application environment variables", func() {
			It("hides the value of any key matching case-insensitive substring 'token'", func() {
				// Matching is on the key name: exact, upper-case and
				// embedded ("foo_token_bar") forms are all redacted, while the
				// non-matching keys around them are untouched.
				raw := `
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8

{"guid":"99fefc8e-845e-47f3-a8b1-26e8a00222d9","name":"example","environment_json":{"token":"mytoken","TOKEN":"mytoken","foo_token_bar":"mytoken","FOO_TOKEN_BAR":"mytoken"},"memory":1024,"instances":1}
`

				want := `
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8

{"guid":"99fefc8e-845e-47f3-a8b1-26e8a00222d9","name":"example","environment_json":{"token":"[PRIVATE DATA HIDDEN]","TOKEN":"[PRIVATE DATA HIDDEN]","foo_token_bar":"[PRIVATE DATA HIDDEN]","FOO_TOKEN_BAR":"[PRIVATE DATA HIDDEN]"},"memory":1024,"instances":1}
`

				expectSanitized(raw, want)
			})

			It("hides the value of any key matching case-insensitive substring 'password'", func() {
				// Same key-substring rule as for "token", applied to "password".
				raw := `
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8

{"guid":"99fefc8e-845e-47f3-a8b1-26e8a00222d9","name":"example","environment_json":{"password":"mypass","PASSWORD":"mypass","foo_password_bar":"mypass","FOO_PASSWORD_BAR":"mypass"},"memory":1024,"instances":1}
`

				want := `
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8

{"guid":"99fefc8e-845e-47f3-a8b1-26e8a00222d9","name":"example","environment_json":{"password":"[PRIVATE DATA HIDDEN]","PASSWORD":"[PRIVATE DATA HIDDEN]","foo_password_bar":"[PRIVATE DATA HIDDEN]","FOO_PASSWORD_BAR":"[PRIVATE DATA HIDDEN]"},"memory":1024,"instances":1}
`

				expectSanitized(raw, want)
			})
		})
	})
})