Merge pull request #1349 from DataDog/jpbempel/PROF-1296

Remove sensitive information from debug log
2020-04-03 07:35:27 -04:00 · 2020-04-03 07:35:27 -04:00 · 98da6eb156
parent 40cbd19f8e e1f2052e25
commit 98da6eb156
2 changed files with 39 additions and 0 deletions
--- a/dd-trace-api/src/main/java/datadog/trace/api/Config.java
+++ b/dd-trace-api/src/main/java/datadog/trace/api/Config.java
@ -202,6 +202,18 @@ public class Config {
  /** A tag intended for internal use only, hence not added to the public api DDTags class. */
  private static final String INTERNAL_HOST_NAME = "_dd.hostname";

+  /** Used for masking sensitive information when doing toString */
+  @ToString.Include(name = "profilingApiKey")
+  private String profilingApiKeyMasker() {
+    return profilingApiKey != null ? "****" : null;
+  }
+
+  /** Used for masking sensitive information when doing toString */
+  @ToString.Include(name = "profilingProxyPassword")
+  private String profilingProxyPasswordMasker() {
+    return profilingProxyPassword != null ? "****" : null;
+  }
+
  /**
   * this is a random UUID that gets generated on JVM start up and is attached to every root span
   * and every JMX metric that is sent out.
--- a/dd-trace-api/src/test/groovy/datadog/trace/api/ConfigTest.groovy
+++ b/dd-trace-api/src/test/groovy/datadog/trace/api/ConfigTest.groovy
@ -93,6 +93,7 @@ class ConfigTest extends DDSpecification {
  private static final DD_PROFILING_API_KEY_ENV = "DD_PROFILING_API_KEY"
  private static final DD_PROFILING_API_KEY_OLD_ENV = "DD_PROFILING_APIKEY"
  private static final DD_PROFILING_TAGS_ENV = "DD_PROFILING_TAGS"
+  private static final DD_PROFILING_PROXY_PASSWORD_ENV = "DD_PROFILING_PROXY_PASSWORD"

  def "verify defaults"() {
    when:
@ -1105,4 +1106,30 @@ class ConfigTest extends DDSpecification {

    config.mergedProfilingTags == [a: "1", f: "6", (HOST_TAG): config.getHostName(), (RUNTIME_ID_TAG): config.getRuntimeId(), (SERVICE_TAG): config.serviceName, (LANGUAGE_TAG_KEY): LANGUAGE_TAG_VALUE]
  }
+
+  def "sensitive information removed for toString/debug log"() {
+    setup:
+    environmentVariables.set(DD_PROFILING_API_KEY_ENV, "test-secret-api-key")
+    environmentVariables.set(DD_PROFILING_PROXY_PASSWORD_ENV, "test-secret-proxy-password")
+
+    when:
+    def config = new Config()
+
+    then:
+    config.toString().contains("profilingApiKey=****")
+    !config.toString().contains("test-secret-api-key")
+    config.toString().contains("profilingProxyPassword=****")
+    !config.toString().contains("test-secret-proxy-password")
+    config.profilingApiKey == "test-secret-api-key"
+    config.profilingProxyPassword == "test-secret-proxy-password"
+  }
+
+  def "toString works when passwords are empty"() {
+    when:
+    def config = new Config()
+
+    then:
+    config.toString().contains("profilingApiKey=null")
+    config.toString().contains("profilingProxyPassword=null")
+  }
 }