fix(keycloak): don't log sensitive authentication data (#938)

fix(keycloak): don't log sensitive internal data Signed-off-by: Christoph Jerolimov <[email protected]>
janus-idp · Nov 20, 2023 · 63d0678 · 63d0678
1 parent dacd46d
commit 63d0678
Show file tree

Hide file tree

Showing 6 changed files with 705 additions and 21 deletions.
diff --git a/plugins/keycloak-backend/__fixtures__/helpers.ts b/plugins/keycloak-backend/__fixtures__/helpers.ts
@@ -1,3 +1,5 @@
+import { getVoidLogger } from '@backstage/backend-common';
+import { TaskInvocationDefinition, TaskRunner } from '@backstage/backend-tasks';
 import { EntityProviderConnection } from '@backstage/plugin-catalog-node';
 
 import { groupMembers, groups, users } from './data';
@@ -14,6 +16,30 @@ export const BASIC_VALID_CONFIG = {
   },
 } as const;
 
+export const logMock = jest.fn();
+
+export const createLogger = () => {
+  const logger = getVoidLogger();
+  logger.child = () => logger;
+  ['log', ...Object.keys(logger.levels)].forEach(logFunctionName => {
+    (logger as any)[logFunctionName] = function LogMock() {
+      logMock(logFunctionName, ...arguments);
+    };
+  });
+  return logger;
+};
+
+export const assertLogMustNotInclude = (secrets: string[]) => {
+  const json = JSON.stringify(logMock.mock.calls);
+  secrets.forEach(secret => {
+    if (json.includes(secret)) {
+      throw new Error(`Log must not include secret "${secret}"`);
+    }
+  });
+};
+
+export const authMock = jest.fn();
+
 export class KeycloakAdminClientMock {
   public constructor() {
     return;
@@ -35,7 +61,38 @@ export class KeycloakAdminClientMock {
       .mockResolvedValueOnce(groupMembers[3].map(username => ({ username }))),
   };
 
-  auth = jest.fn().mockResolvedValue({});
+  auth = authMock;
+}
+
+class FakeAbortSignal implements AbortSignal {
+  readonly aborted = false;
+  readonly reason = undefined;
+  onabort() {}
+  throwIfAborted() {}
+  addEventListener() {}
+  removeEventListener() {}
+  dispatchEvent() {
+    return true;
+  }
+}
+
+export class ManualTaskRunner implements TaskRunner {
+  private tasks: TaskInvocationDefinition[] = [];
+
+  async run(task: TaskInvocationDefinition) {
+    this.tasks.push(task);
+  }
+
+  async runAll() {
+    const abortSignal = new FakeAbortSignal();
+    for await (const task of this.tasks) {
+      await task.fn(abortSignal);
+    }
+  }
+
+  clear() {
+    this.tasks = [];
+  }
 }
 
 export const connection = {

diff --git a/plugins/keycloak-backend/dev/index.ts b/plugins/keycloak-backend/dev/index.ts
@@ -127,7 +127,7 @@ export async function startStandaloneServer(
     .addRouter('/catalog', await catalog(catalogEnv));
 
   return await service.start().catch(err => {
-    logger.error(err);
+    logger.error('Dev server failed:', err);
     process.exit(1);
   });
 }