fix(api) obfuscates sensitive settings from the / route

kong/api/routes/kong.lua

@@ -1,5 +1,6 @@
 local utils = require "kong.tools.utils"
 local singletons = require "kong.singletons"
+local conf_loader = require "kong.conf_loader"
 
 local find = string.find
 local pairs = pairs
@@ -42,7 +43,7 @@ return {
           enabled_in_cluster = distinct_plugins
         },
         lua_version = lua_version,
-        configuration = singletons.configuration
+        configuration = conf_loader.remove_sensitive(singletons.configuration)
       }
     end
   },

kong/conf_loader.lua

@@ -99,6 +99,8 @@ local CONF_SENSITIVE = {
   cluster_encrypt_key = true
 }
 
+local CONF_SENSITIVE_PLACEHOLDER = "******"
+
 local typ_checks = {
   array = function(v) return type(v) == "table" end,
   string = function(v) return type(v) == "string" end,
@@ -219,7 +221,7 @@ local function overrides(k, default_v, file_conf, arg_conf)
   if env ~= nil then
     local to_print = env
     if CONF_SENSITIVE[k] then
-      to_print = "******"
+      to_print = CONF_SENSITIVE_PLACEHOLDER
     end
     log.debug('%s ENV found with "%s"', env_name, to_print)
     value = env
@@ -372,4 +374,19 @@ local function load(path, custom_conf)
   return setmetatable(conf, nil) -- remove Map mt
 end
 
-return load
+return setmetatable({
+  load = load,
+  remove_sensitive = function(conf)
+    local purged_conf = tablex.deepcopy(conf)
+    for k in pairs(CONF_SENSITIVE) do
+      if purged_conf[k] then
+        purged_conf[k] = CONF_SENSITIVE_PLACEHOLDER
+      end
+    end
+    return purged_conf
+  end
+}, {
+  __call = function(_, ...)
+    return load(...)
+  end
+})

spec/01-unit/02-conf_loader_spec.lua

@@ -331,4 +331,26 @@ describe("Configuration loader", function()
       assert.contains("ssl_cert must be specified", errors)
     end)
   end)
+
+  describe("remove_sensitive()", function()
+    it("replaces sensitive settings", function()
+      local conf = assert(conf_loader(nil, {
+        pg_password = "hide_me",
+        cassandra_password = "hide_me",
+        cluster_encrypt_key = "hide_me"
+      }))
+
+      local purged_conf = conf_loader.remove_sensitive(conf)
+      assert.not_equal("hide_me", purged_conf.pg_password)
+      assert.not_equal("hide_me", purged_conf.cassandra_password)
+      assert.not_equal("hide_me", purged_conf.cluster_encrypt_key)
+    end)
+    it("does not insert placeholder if no value", function()
+      local conf = assert(conf_loader())
+      local purged_conf = conf_loader.remove_sensitive(conf)
+      assert.is_nil(purged_conf.pg_password)
+      assert.is_nil(purged_conf.cassandra_password)
+      assert.is_nil(purged_conf.cluster_encrypt_key)
+    end)
+  end)
 end)

spec/02-integration/03-admin_api/01-kong_routes_spec.lua

@@ -4,7 +4,9 @@ local cjson = require "cjson"
 describe("Admin API", function()
   local client
   setup(function()
-    assert(helpers.start_kong())
+    assert(helpers.start_kong {
+      pg_password = "hide_me"
+    })
     client = helpers.admin_client(10000)
   end)
   teardown(function()
@@ -48,6 +50,25 @@ describe("Admin API", function()
           assert.equal([[{"message":"Method not allowed"}]], body)
         end
       end)
+      it("exposes the node's configuration", function()
+        local res = assert(client:send {
+          method = "GET",
+          path = "/"
+        })
+        local body = assert.res_status(200, res)
+        local json = cjson.decode(body)
+        assert.is_table(json.configuration)
+      end)
+      it("obfuscates sensitive settings from the configuration", function()
+        local res = assert(client:send {
+          method = "GET",
+          path = "/"
+        })
+        local body = assert.res_status(200, res)
+        local json = cjson.decode(body)
+        assert.is_string(json.configuration.pg_password)
+        assert.not_equal("hide_me", json.configuration.pg_password)
+      end)
     end)
   end)