Redact APM API key and secret token (#4057)

pchila · web-flow · commit 25e23ead693f · 2024-10-31T10:18:53.000+01:00
diff --git a/internal/pkg/config/config.go b/internal/pkg/config/config.go
@@ -186,6 +186,14 @@ func redactServer(cfg *Config) Server {
 		redacted.TLS = &newTLS
 	}
 
+	if redacted.Instrumentation.APIKey != "" {
+		redacted.Instrumentation.APIKey = kRedacted
+	}
+
+	if redacted.Instrumentation.SecretToken != "" {
+		redacted.Instrumentation.SecretToken = kRedacted
+	}
+
 	return redacted
 }
 
diff --git a/internal/pkg/config/config_test.go b/internal/pkg/config/config_test.go
@@ -306,6 +306,132 @@ func TestLoadServerLimits(t *testing.T) {
 
 }
 
+func TestConfigRedact(t *testing.T) {
+
+	testcases := []struct {
+		name        string
+		inputCfg    *Config
+		redactedCfg *Config
+	}{
+		{
+			name: "do not modify empty APM secrets",
+			inputCfg: &Config{
+				Inputs: []Input{
+					{
+						Type: "fleet-server",
+						Server: Server{
+							Instrumentation: Instrumentation{
+								SecretToken: "",
+								APIKey:      "",
+							},
+						},
+					},
+				},
+			},
+			redactedCfg: &Config{
+				Inputs: []Input{
+					{
+						Server: Server{
+							Instrumentation: Instrumentation{
+								SecretToken: "",
+								APIKey:      "",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "redact APM secret token",
+			inputCfg: &Config{
+				Inputs: []Input{
+					{
+						Type: "fleet-server",
+						Server: Server{
+							Instrumentation: Instrumentation{
+								SecretToken: "secret value that noone should know",
+							},
+						},
+					},
+				},
+			},
+			redactedCfg: &Config{
+				Inputs: []Input{
+					{
+						Server: Server{
+							Instrumentation: Instrumentation{
+								SecretToken: kRedacted,
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "redact APM API key",
+			inputCfg: &Config{
+				Inputs: []Input{
+					{
+						Type: "fleet-server",
+						Server: Server{
+							Instrumentation: Instrumentation{
+								APIKey: "secret value that noone should know",
+							},
+						},
+					},
+				},
+			},
+			redactedCfg: &Config{
+				Inputs: []Input{
+					{
+						Server: Server{
+							Instrumentation: Instrumentation{
+								APIKey: kRedacted,
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "redact both APM API key and secret token",
+			inputCfg: &Config{
+				Inputs: []Input{
+					{
+						Type: "fleet-server",
+						Server: Server{
+							Instrumentation: Instrumentation{
+								APIKey:      "secret value that noone should know",
+								SecretToken: "another value that noone should know",
+							},
+						},
+					},
+				},
+			},
+			redactedCfg: &Config{
+				Inputs: []Input{
+					{
+						Server: Server{
+							Instrumentation: Instrumentation{
+								APIKey:      kRedacted,
+								SecretToken: kRedacted,
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range testcases {
+		t.Run(tt.name, func(t *testing.T) {
+			require.NotNil(t, tt.inputCfg, "input config cannot be nil")
+			actualRedacted := tt.inputCfg.Redact()
+			assert.Equal(t, tt.redactedCfg, actualRedacted)
+		})
+	}
+}
+
 // Stub out the defaults so that the above is easier to maintain
 
 func defaultCache() Cache {

Original file line number	Diff line number	Diff line change
`@@ -186,6 +186,14 @@ func redactServer(cfg *Config) Server {`
`186`	`186`	`redacted.TLS = &newTLS`
`187`	`187`	`}`
`188`	`188`
	`189`	`+ if redacted.Instrumentation.APIKey != "" {`
	`190`	`+ redacted.Instrumentation.APIKey = kRedacted`
	`191`	`+ }`
	`192`	`+`
	`193`	`+ if redacted.Instrumentation.SecretToken != "" {`
	`194`	`+ redacted.Instrumentation.SecretToken = kRedacted`
	`195`	`+ }`
	`196`	`+`
`189`	`197`	`return redacted`
`190`	`198`	`}`
`191`	`199`