From 5fa51080a7e7d1e728c9432065c4303bf983f152 Mon Sep 17 00:00:00 2001
From: Jeremy Voorhis
Date: Mon, 7 Aug 2017 21:33:18 -0700
Subject: [PATCH 1/2] Redact Vault.Token from AgentSelf response.

If Config.Vault.Token is defined, /v1/agent/self will return the string ``. If the token is not set, This endpoint will continue to return the empty string.
---
 command/agent/agent_endpoint.go | 12 +++++++++++-
 command/agent/agent_endpoint_test.go | 17 +++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/command/agent/agent_endpoint.go b/command/agent/agent_endpoint.go
index 2ca5c43d967..56fe0a60627 100644
--- a/command/agent/agent_endpoint.go
+++ b/command/agent/agent_endpoint.go
@@ -7,6 +7,7 @@ import (
 "github.com/hashicorp/nomad/nomad/structs"
 "github.com/hashicorp/serf/serf"
+ "github.com/mitchellh/copystructure"
 )
 type Member struct {
@@ -52,10 +53,19 @@ func (s *HTTPServer) AgentSelfRequest(resp http.ResponseWriter, req *http.Reques
 }
 self := agentSelf{
- Config: s.agent.config,
 Member: nomadMember(member),
 Stats: s.agent.Stats(),
 }
+ if ac, err := copystructure.Copy(s.agent.config); err != nil {
+ return nil, CodedError(500, err.Error())
+ } else {
+ self.Config = ac.(*Config)
+ }
+
+ if self.Config.Vault.Token != "" {
+ self.Config.Vault.Token = ""
+ }
+
 return self, nil
 }
diff --git a/command/agent/agent_endpoint_test.go b/command/agent/agent_endpoint_test.go
index af2eade98a5..6e977d9a00f 100644
--- a/command/agent/agent_endpoint_test.go
+++ b/command/agent/agent_endpoint_test.go
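Review bot: The `!= ""` guard around the redaction in AgentSelfRequest is redundant, since assigning the empty string to an already-empty token changes nothing; `self.Config.Vault.Token = ""` on its own reads clearer, and the `if ... else` around the copystructure result is more idiomatic as `ac, err := copystructure.Copy(s.agent.config)` / `if err != nil { return nil, CodedError(500, err.Error()) }` / `self.Config = ac.(*Config)`. Copying before scrubbing is the important part of this hunk: s.agent.config is the same *Config the running agent uses, so clearing the field on it directly would erase the token the agent still needs, and a comment such as `// Copy the config so redaction does not mutate the live agent config` would keep that intent from being lost in a later cleanup. Vault.Token is the only field scrubbed here; if Config carries other credentials (a Consul ACL token, for instance — verify against the Config struct), they reach the same endpoint unredacted and should be cleared in the same place. The opening lines of AgentSelfRequest are outside the hunk.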
@@ -36,6 +36,23 @@ func TestHTTP_AgentSelf(t *testing.T) {
 if len(self.Stats) == 0 {
 t.Fatalf("bad: %#v", self)
 }
+
+ // Check the Vault config
+ if self.Config.Vault.Token != "" {
+ t.Fatalf("bad: %#v", self)
+ }
+
+ // Assign a Vault token and assert it is redacted.
+ s.Config.Vault.Token = "badc0deb-adc0-deba-dc0d-ebadc0debadc"
+ respW = httptest.NewRecorder()
+ obj, err = s.Server.AgentSelfRequest(respW, req)
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ self = obj.(agentSelf)
+ if self.Config.Vault.Token != "" {
+ t.Fatalf("bad: %#v", self)
+ }
 })
 }

From f7041f5710b49e243f33c0875de88621fc60508f Mon Sep 17 00:00:00 2001
From: Jeremy Voorhis
Date: Tue, 8 Aug 2017 10:54:11 -0700
Subject: [PATCH 2/2] Handle nil values when redacting vault token.

---
 command/agent/agent_endpoint.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/command/agent/agent_endpoint.go b/command/agent/agent_endpoint.go
index 56fe0a60627..6427b93f2b2 100644
--- a/command/agent/agent_endpoint.go
+++ b/command/agent/agent_endpoint.go
@@ -62,7 +62,7 @@ func (s *HTTPServer) AgentSelfRequest(resp http.ResponseWriter, req *http.Reques
 self.Config = ac.(*Config)
 }
- if self.Config.Vault.Token != "" {
+ if self.Config != nil && self.Config.Vault != nil && self.Config.Vault.Token != "" {
 self.Config.Vault.Token = ""
 }
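Review bot: The new assertions in TestHTTP_AgentSelf only check the response, not that the handler left the agent's own config untouched, which is the property the deep copy in AgentSelfRequest exists to guarantee; after the second AgentSelfRequest call, add `if s.Config.Vault.Token != "badc0deb-adc0-deba-dc0d-ebadc0debadc" { t.Fatalf("live config mutated: %#v", s.Config.Vault) }`, assuming s.Config is the *Config the server hands to the handler (verify in the test harness). Without that check, a later change that drops the copy and scrubs s.agent.config in place would still pass this test while silently erasing the token from the running agent. The test function's opening and the setup of `s`, `req` and `respW` lie outside the hunk.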
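Review bot: The nil guards in the rewritten condition are the right fix, but the trailing `self.Config.Vault.Token != ""` clause remains redundant because clearing an already-empty string changes nothing; `if self.Config != nil && self.Config.Vault != nil {` followed by the unconditional assignment is shorter and equally safe. A one-line comment stating when Vault can be nil here (an agent config without a vault stanza, presumably — confirm) would tell the next reader why the guard is needed. Both the start and the end of AgentSelfRequest lie outside this hunk.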