[Core] Update the Main Credential regex to support #3509
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
multiple types of API input in datadog.conf
masci
reviewed
Sep 7, 2017
| @@ -94,11 +94,11 @@ class Flare(object): | |||
| ] | |||
| MAIN_CREDENTIALS = [ | |||
| CredentialPattern( | |||
| re.compile('^\s*api_key:( *\w+(\w{5}) ?,?)+$'), | |||
| re.compile('^\s*api_key\s*[=, :]( *\w+(\w{5}) ?,?)+$'), | |||
There was a problem hiding this comment.
I think this piece of code is overly complex, your patch is good but I'd make it a little bit simpler.
- we can change the regex to only capture in a group the last 5 digits of the api key
- instead of nesting maps and lambdas, proceed with a string replace using a backreference to the group from above
the following piece of code should do the same thing (untested):
CredentialPattern(
re.compile(r'^\s*api_key\s*[=, :]\s*\w{27}(\w{5})$'),
r'api_key: ***************************\1',
'api_key'
)
There was a problem hiding this comment.
I definitely agree here. Removing the lambdas and just replacing everything but the last 5 chars does indeed do the trick. Thanks!
There was a problem hiding this comment.
Looks like it doesn't work for comma separated API keys, left more details in the notes based on our discussions
|
Thanks @nmuesch, that new format is introduced in |
nmuesch
changed the title
olivielpeau
approved these changes
Sep 8, 2017
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
multiple types of API input in datadog.conf
Note: Please remember to review the Datadog Contribution Guidelines
if you have not yet done so.
What does this PR do?
Modified the regex used when checking for the API Key in datadog.conf or other locations. Currently we only support the syntax
api_key: <KEY>However, this doesn't allow for a space before the:or usingapi_key = <KEY>Motivation
Currently the API key isn't being fully redacted in the flare if it doesn't use the aforementioned format. It seems like K8s Agents use the
=syntax by default.Testing Guidelines
An overview on testing
is available in our contribution guidelines.
Performed a series of manual tests locally based on the above syntaxes.
Additional Notes
Anything else we should know when reviewing?
With this PR, the flare will be unsuccessful if the key is <YOUR_API_KEY_HERE> with a seemingly helpful message saying the API key is invalid. So the flare will not be sent at all, but the user sees this message.
Initially attempted to remove lambdas to make it a bit cleaner, however this doesn't work for the case where there are multiple API keys, comma delimited. We would need another function to be called in the replacement piece that split the matched group into segments.