Merge pull request #3266 from lejeunen/master

* pull3266: Polish Better sanitizer default for sensitive keys
2015-06-18 08:52:59 +02:00 · 2015-06-18 08:52:59 +02:00 · 8230d2cb8f
parent c3b344fdc2 fd5d6ef303
commit 8230d2cb8f
3 changed files with 36 additions and 4 deletions
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2014 the original author or authors.
+ * Copyright 2012-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -26,6 +26,7 @@ import org.springframework.util.Assert;
 * @author Christian Dupuis
 * @author Toshiaki Maki
 * @author Phillip Webb
+ * @author Nicolas Lejeune
 */
 class Sanitizer {

@ -34,7 +35,7 @@ class Sanitizer {
 	private Pattern[] keysToSanitize;

 	public Sanitizer() {
-		setKeysToSanitize(new String[] { "password", "secret", "key" });
+		setKeysToSanitize("password", "secret", "key", ".*credentials.*", "vcap_services");
 	}

 	/**
--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/EnvironmentEndpointTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/EnvironmentEndpointTests.java
@ -37,6 +37,8 @@ import static org.junit.Assert.assertThat;
 *
 * @author Phillip Webb
 * @author Christian Dupuis
+ * @author Nicolas Lejeune
+ * @author Stephane Nicoll
 */
 public class EnvironmentEndpointTests extends AbstractEndpointTests<EnvironmentEndpoint> {

@ -68,12 +70,41 @@ public class EnvironmentEndpointTests extends AbstractEndpointTests<EnvironmentE
 	public void testKeySanitization() throws Exception {
 		System.setProperty("dbPassword", "123456");
 		System.setProperty("apiKey", "123456");
+		System.setProperty("mySecret", "123456");
+		System.setProperty("myCredentials", "123456");
+		System.setProperty("VCAP_SERVICES", "123456");
 		EnvironmentEndpoint report = getEndpointBean();
 		Map<String, Object> env = report.invoke();
 		assertEquals("******",
 				((Map<String, Object>) env.get("systemProperties")).get("dbPassword"));
 		assertEquals("******",
 				((Map<String, Object>) env.get("systemProperties")).get("apiKey"));
+		assertEquals("******",
+				((Map<String, Object>) env.get("systemProperties")).get("mySecret"));
+		assertEquals("******",
+				((Map<String, Object>) env.get("systemProperties")).get("myCredentials"));
+		assertEquals("******",
+				((Map<String, Object>) env.get("systemProperties")).get("VCAP_SERVICES"));
+	}
+
+	@SuppressWarnings("unchecked")
+	@Test
+	public void testKeySanitizationCredentialsPattern() throws Exception {
+		System.setProperty("my.services.amqp-free.credentials.uri", "123456");
+		System.setProperty("credentials.http_api_uri", "123456");
+		System.setProperty("my.services.cleardb-free.credentials", "123456");
+		System.setProperty("foo.mycredentials.uri", "123456");
+		EnvironmentEndpoint report = getEndpointBean();
+		Map<String, Object> env = report.invoke();
+		assertEquals("******",
+				((Map<String, Object>) env.get("systemProperties")).get("my.services.amqp-free.credentials.uri"));
+		assertEquals("******",
+				((Map<String, Object>) env.get("systemProperties")).get("credentials.http_api_uri"));
+		assertEquals("******",
+				((Map<String, Object>) env.get("systemProperties")).get("my.services.cleardb-free.credentials"));
+		assertEquals("******",
+				((Map<String, Object>) env.get("systemProperties")).get("foo.mycredentials.uri"));
+
 	}

 	@SuppressWarnings("unchecked")
--- a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
+++ b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
@ -607,7 +607,7 @@ content into your application; rather pick only the properties that you need.
 	endpoints.configprops.id=configprops
 	endpoints.configprops.sensitive=true
 	endpoints.configprops.enabled=true
-	endpoints.configprops.keys-to-sanitize=password,secret,key # suffix or regex
+	endpoints.configprops.keys-to-sanitize=password,secret,key,.*credentials.*,vcap_services # suffix or regex
 	endpoints.dump.id=dump
 	endpoints.dump.sensitive=true
 	endpoints.dump.enabled=true
@ -615,7 +615,7 @@ content into your application; rather pick only the properties that you need.
 	endpoints.env.id=env
 	endpoints.env.sensitive=true
 	endpoints.env.enabled=true
-	endpoints.env.keys-to-sanitize=password,secret,key # suffix or regex
+	endpoints.env.keys-to-sanitize=password,secret,key,.*credentials.*,vcap_services # suffix or regex
 	endpoints.health.id=health
 	endpoints.health.sensitive=true
 	endpoints.health.enabled=true