From c843aa62b53adf9c8119d485b33c87d8e46fb185 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Thu, 19 Nov 2020 10:58:55 +0000 Subject: [PATCH] Sanitize private_key from returned db plugin config (#10416) --- builtin/logical/database/backend_test.go | 11 ++++++++++- builtin/logical/database/path_config_connection.go | 1 + 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/builtin/logical/database/backend_test.go b/builtin/logical/database/backend_test.go index 74085372179a..371d08adc453 100644 --- a/builtin/logical/database/backend_test.go +++ b/builtin/logical/database/backend_test.go @@ -649,6 +649,7 @@ func TestBackend_connectionCrud(t *testing.T) { "allowed_roles": []string{"plugin-role-test"}, "username": "postgres", "password": "secret", + "private_key": "PRIVATE_KEY", } req = &logical.Request{ Operation: logical.UpdateOperation, @@ -669,9 +670,17 @@ func TestBackend_connectionCrud(t *testing.T) { if err != nil || (resp != nil && resp.IsError()) { t.Fatalf("err:%s resp:%#v\n", err, resp) } - if strings.Contains(resp.Data["connection_details"].(map[string]interface{})["connection_url"].(string), "secret") { + returnedConnectionDetails := resp.Data["connection_details"].(map[string]interface{}) + if strings.Contains(returnedConnectionDetails["connection_url"].(string), "secret") { t.Fatal("password should not be found in the connection url") } + // Covered by the filled out `expected` value below, but be explicit about this requirement. + if _, exists := returnedConnectionDetails["password"]; exists { + t.Fatal("password should NOT be found in the returned config") + } + if _, exists := returnedConnectionDetails["private_key"]; exists { + t.Fatal("private_key should NOT be found in the returned config") + } // Replace connection url with templated version req.Operation = logical.UpdateOperation diff --git a/builtin/logical/database/path_config_connection.go b/builtin/logical/database/path_config_connection.go index 377d7d288b82..31eacf0a5f60 100644 --- a/builtin/logical/database/path_config_connection.go +++ b/builtin/logical/database/path_config_connection.go @@ -207,6 +207,7 @@ func (b *databaseBackend) connectionReadHandler() framework.OperationFunc { } delete(config.ConnectionDetails, "password") + delete(config.ConnectionDetails, "private_key") return &logical.Response{ Data: structs.New(config).Map(),