Merge pull request #642 from screwdriver-cd/dont-show-tokens

fix(tokens): don't show tokens in server logs
screwdriver-cd · Jul 19, 2017 · 04be9e0 · 04be9e0
2 parents 0231dd7 + 555eadf
commit 04be9e0
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 5 deletions.
diff --git a/plugins/logging.js b/plugins/logging.js
@@ -1,6 +1,7 @@
 'use strict';
 
 const good = require('good');
+const suppressAPITokens = require('./tokens/filter');
 
 module.exports = {
     register: good,
@@ -15,7 +16,7 @@ module.exports = {
                 args: [{ error: '*', log: '*', response: '*', request: '*' }]
             }, {
                 module: 'good-console'
-            }, 'stdout']
+            }, suppressAPITokens, 'stdout']
         }
     }
 };
diff --git a/plugins/tokens/filter.js b/plugins/tokens/filter.js
@@ -0,0 +1,10 @@
+'use strict';
+
+const { Transform } = require('stream');
+const tokenRegex = /(^|[^a-zA-Z0-9_-])[a-zA-Z0-9_-]{43}([^a-zA-Z0-9_-]|$)/g;
+
+module.exports = new Transform({
+    transform(chunk, encoding, callback) {
+        callback(null, chunk.toString().replace(tokenRegex, '$1(API Token Suppressed)$2'));
+    }
+});
diff --git a/test/plugins/tokens.test.js b/test/plugins/tokens.test.js
@@ -1,12 +1,16 @@
 'use strict';
 
-const assert = require('chai').assert;
-const sinon = require('sinon');
+const { assert } = require('chai');
 const hapi = require('hapi');
 const mockery = require('mockery');
+const { PassThrough } = require('stream');
+const sinon = require('sinon');
+const suppressAPITokens = require('../../plugins/tokens/filter');
 const urlLib = require('url');
+
 const testToken = require('./data/token.json');
-const testTokenWithValue = Object.assign({}, testToken, { value: '1234' });
+const testValue = '1234123412341234123412341234123412341234123';
+const testTokenWithValue = Object.assign({}, testToken, { value: testValue });
 
 delete testTokenWithValue.hash;
 
@@ -141,7 +145,7 @@ describe('token plugin test', () => {
         });
 
         it('returns 201 and correct token data', () => {
-            tokenMock = getTokenMock(Object.assign({}, testToken, { value: '1234' }));
+            tokenMock = getTokenMock(testTokenWithValue);
             tokenFactoryMock.create.resolves(tokenMock);
 
             return server.inject(options).then((reply) => {
@@ -436,4 +440,20 @@ describe('token plugin test', () => {
             });
         });
     });
+
+    describe('Logging suppresses API tokens', () => {
+        it('does not print API tokens in logs', (done) => {
+            const source = new PassThrough({ objectMode: true });
+            const result = new PassThrough({ objectMode: true });
+
+            source.write(`This is a string with a token in it! ${testTokenWithValue.value}`);
+
+            source.pipe(suppressAPITokens).pipe(result);
+
+            result.on('data', (chunk) => {
+                assert.equal(chunk, 'This is a string with a token in it! (API Token Suppressed)');
+                done();
+            });
+        });
+    });
 });