From 2fce9e3eefd9dda6d74660ebe49f731f8b11111a Mon Sep 17 00:00:00 2001
From: Jan Chaloupka
Date: Thu, 2 Jan 2020 12:29:57 +0100
Subject: [PATCH] Hide bearer token in logs: upstream #81330
---
 .../k8s.io/client-go/transport/round_trippers.go | 33 ++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/src/k8s.io/kubernetes/staging/src/k8s.io/client-go/transport/round_trippers.go b/src/k8s.io/kubernetes/staging/src/k8s.io/client-go/transport/round_trippers.go
index 117a9c8..844ee9a 100644
--- a/src/k8s.io/kubernetes/staging/src/k8s.io/client-go/transport/round_trippers.go
+++ b/src/k8s.io/kubernetes/staging/src/k8s.io/client-go/transport/round_trippers.go
@@ -409,6 +409,38 @@ func (rt *debuggingRoundTripper) CancelRequest(req *http.Request) {
 }
 }

+var knownAuthTypes = map[string]bool{
+ "bearer": true,
+ "basic": true,
+ "negotiate": true,
+}
+
+// maskValue masks credential content from authorization headers
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization
+func maskValue(key string, value string) string {
+ if !strings.EqualFold(key, "Authorization") {
+ return value
+ }
+ if len(value) == 0 {
+ return ""
+ }
+ var authType string
+ if i := strings.Index(value, " "); i > 0 {
+ authType = value[0:i]
+ } else {
+ authType = value
+ }
+ if !knownAuthTypes[strings.ToLower(authType)] {
+ return ""
+ }
+ if len(value) > len(authType)+1 {
+ value = authType + " "
+ } else {
+ value = authType
+ }
+ return value
+}
+
 func (rt *debuggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 reqInfo := newRequestInfo(req)

@@ -423,6 +455,7 @@ func (rt *debuggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, e
 klog.Infof("Request Headers:")
 for key, values := range reqInfo.RequestHeaders {
 for _, value := range values {
+ value = maskValue(key, value)
 klog.Infof(" %s: %s", key, value)
 }
 }
 }
--
2.7.5
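Review bot: maskValue redacts only the `Authorization` header, so a credential sent in `Proxy-Authorization` (same "scheme credentials" syntax) would still reach the log unchanged; the first check could read `if !strings.EqualFold(key, "Authorization") && !strings.EqualFold(key, "Proxy-Authorization") {`. As rendered on this page the replacement literals are empty (`return ""` for an unknown scheme, `authType + " "` for a known one), which would make a redacted header indistinguishable from an empty one in the log; if the file really contains empty literals rather than a visible placeholder, a fixed marker string is easier for log readers and detections to key on. The parsing itself fails closed (a value with no space, or with a leading space, falls into the unknown-scheme branch and is suppressed whole), and that intent deserves a comment such as `// unknown or unparsable scheme: drop the entire value rather than risk logging a credential`. The patch adds no test; a small table test over a known scheme with credentials, a bare scheme, an unknown scheme and a non-auth header would pin the behaviour.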
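Review bot: The redaction is applied inside this one logging loop rather than where the headers are captured, so any other path that prints `reqInfo.RequestHeaders` would still emit the raw bearer or basic credential. This patch contains a single `maskValue` call; if round_trippers.go formats the same headers anywhere else (for example into a replayable command line at a higher verbosity), that path needs `value = maskValue(key, value)` as well, or the masking should be done once when `reqInfo` is built. RoundTrip's body starts and ends outside the hunk, so the other log statements cannot be checked from here.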