Feature: Hide confidential values in output (#58)

* Config: Introducing confidential value handling

Wraps config values that may potentially contain secrets to be hidden.

* Integrated confidential values to env and cli

* Added test for fmt.Sprintf() not leaking info

Author: jkellerer

command_error.go

@@ -26,8 +26,9 @@ func (c *commandError) Error() string {
 
 func (c *commandError) Commandline() string {
 	args := ""
-	if c.scd.args != nil && len(c.scd.args) > 0 {
-		args = fmt.Sprintf(" \"%s\"", strings.Join(c.scd.args, "\" \""))
+	argsList := c.scd.publicArgs
+	if argsList != nil && len(argsList) > 0 {
+		args = fmt.Sprintf(" \"%s\"", strings.Join(argsList, "\" \""))
 	}
 	return fmt.Sprintf("\"%s\"%s", c.scd.command, args)
 }

config/confidential.go

@@ -0,0 +1,132 @@
+package config
+
+import (
+	"reflect"
+	"regexp"
+)
+
+const ConfidentialReplacement = "***"
+
+// ConfidentialValue is a string value with a public and a confidential representation
+type ConfidentialValue struct {
+	public, confidential string
+}
+
+func (c ConfidentialValue) Value() string {
+	return c.confidential
+}
+
+func (c ConfidentialValue) String() string {
+	return c.public
+}
+
+func (c *ConfidentialValue) IsConfidential() bool {
+	return c.public != c.confidential
+}
+
+// hideValue hides the entire value in the public representation
+func (c *ConfidentialValue) hideValue() {
+	if c.IsConfidential() {
+		return
+	}
+	c.public = ConfidentialReplacement
+}
+
+// hideSubmatches hides all occurrences of submatches in the public representation
+func (c *ConfidentialValue) hideSubmatches(pattern *regexp.Regexp) {
+	if c.IsConfidential() {
+		return
+	}
+
+	if matches := pattern.FindStringSubmatchIndex(c.confidential); matches != nil && len(matches) > 2 {
+		c.public = c.confidential
+
+		for i := len(matches) - 2; i > 1; i -= 2 {
+			start := matches[i]
+			end := matches[i+1]
+
+			c.public = c.public[0:start] + ConfidentialReplacement + c.public[end:]
+		}
+	}
+}
+
+func NewConfidentialValue(value string) ConfidentialValue {
+	return ConfidentialValue{public: value, confidential: value}
+}
+
+// confidentialValueDecoder implements parsing config parsing for ConfidentialValue
+func confidentialValueDecoder() func(from reflect.Type, to reflect.Type, data interface{}) (interface{}, error) {
+	confidentialValueType := reflect.TypeOf(ConfidentialValue{})
+
+	return func(from reflect.Type, to reflect.Type, data interface{}) (interface{}, error) {
+		if to != confidentialValueType {
+			return data, nil
+		}
+
+		// Source type may be boolean, numeric or string
+		values, isset := stringifyValue(reflect.ValueOf(data))
+		if len(values) == 0 {
+			if isset {
+				values = []string{"1"}
+			} else {
+				values = []string{"0"}
+			}
+		}
+
+		return NewConfidentialValue(values[0]), nil
+	}
+}
+
+// See https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html
+var (
+	urlConfidentialPart = regexp.MustCompile("[:/][^:/@]+?:([^:@]+?)@[^:/@]+?") // user:pass@host
+	urlEnvKeys          = regexp.MustCompile("(?i)^.+(_AUTH|_URL)$")
+	hiddenEnvKeys       = regexp.MustCompile("(?i)^(.+_KEY|.+_TOKEN|.*PASSWORD.*|.*SECRET.*)$")
+)
+
+// ProcessConfidentialValues hides confidential parts inside the specified Profile.
+func ProcessConfidentialValues(profile *Profile) {
+	if profile == nil {
+		return
+	}
+
+	// Handle the repo URL
+	profile.Repository.hideSubmatches(urlConfidentialPart)
+
+	// Handle env variables
+	for name, value := range profile.Environment {
+		if hiddenEnvKeys.MatchString(name) {
+			value.hideValue()
+			profile.Environment[name] = value
+		} else if urlEnvKeys.MatchString(name) {
+			value.hideSubmatches(urlConfidentialPart)
+			profile.Environment[name] = value
+		}
+	}
+}
+
+// GetNonConfidentialValues returns a new list with confidential values being replaced with their public representation
+func GetNonConfidentialValues(profile *Profile, values []string) []string {
+	if profile == nil {
+		return values
+	}
+
+	confidentials := []*ConfidentialValue{&profile.Repository}
+	for _, value := range profile.Environment {
+		confidentials = append(confidentials, &value)
+	}
+
+	target := make([]string, len(values))
+
+	for i := len(values) - 1; i >= 0; i-- {
+		target[i] = values[i]
+
+		for _, c := range confidentials {
+			if c.IsConfidential() && target[i] == c.Value() {
+				target[i] = c.String()
+			}
+		}
+	}
+
+	return target
+}

config/confidential_test.go

@@ -0,0 +1,213 @@
+package config
+
+import (
+	"bytes"
+	"fmt"
+	"reflect"
+	"regexp"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+var defaultUrl = "local:user:pass@host"
+var defaultUrlReplaced = fmt.Sprintf("local:user:%s@host", ConfidentialReplacement)
+
+func TestConfidentialHideAll(t *testing.T) {
+	value := NewConfidentialValue("val")
+
+	assert.Equal(t, value.String(), value.Value())
+	assert.Equal(t, "val", value.String())
+
+	value.hideValue()
+	assert.Equal(t, "val", value.Value())
+	assert.Equal(t, ConfidentialReplacement, value.String())
+}
+
+func TestConfidentialHideSubmatch(t *testing.T) {
+	value := NewConfidentialValue("some-vAl-with-sEcRet-parts")
+
+	assert.Equal(t, value.String(), value.Value())
+	assert.Equal(t, "some-vAl-with-sEcRet-parts", value.String())
+
+	value.hideSubmatches(regexp.MustCompile("(?i).+(val).+(secret).+"))
+	assert.Equal(t, "some-vAl-with-sEcRet-parts", value.Value())
+
+	expected := fmt.Sprintf("some-%s-with-%s-parts", ConfidentialReplacement, ConfidentialReplacement)
+	assert.Equal(t, expected, value.String())
+}
+
+func TestFmtStringDoesntLeakConfidentialValues(t *testing.T) {
+	value := NewConfidentialValue("secret")
+	value.hideValue()
+
+	assert.Equal(t, ConfidentialReplacement, fmt.Sprintf("%s", value))
+	assert.Equal(t, ConfidentialReplacement, fmt.Sprintf("%v", value))
+	assert.Equal(t, ConfidentialReplacement, value.String())
+	assert.Equal(t, "secret", value.Value())
+}
+
+func TestStringifyPassesConfidentialValues(t *testing.T) {
+	value := NewConfidentialValue("secret")
+	value.hideValue()
+
+	v1, _ := stringifyValue(reflect.ValueOf(value))
+	v2, _ := stringifyConfidentialValue(reflect.ValueOf(value))
+	assert.Equal(t, []string{ConfidentialReplacement}, v1)
+	assert.Equal(t, []string{"secret"}, v2)
+}
+
+func TestConfidentialURLs(t *testing.T) {
+	// https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html
+	urls := map[string]string{
+		"local:some/path":                                      "-",
+		"sftp:user@host:/srv/restic-repo":                      "-",
+		"sftp://user@[::1]:2222//srv/restic-repo":              "-",
+		"sftp:restic-backup-host:/srv/restic-repo":             "-",
+		"rest:http://host:8000/":                               "-",
+		"rest:https://user:1234fdfASDasfwY.-+;@host:8000/":     fmt.Sprintf("rest:https://user:%s@host:8000/", ConfidentialReplacement),
+		"rest:https://user:35%3Asad%C3%B6p%C3%9F@host:8000/":   fmt.Sprintf("rest:https://user:%s@host:8000/", ConfidentialReplacement),
+		"rest:https://user:pass@host:8000/f/":                  fmt.Sprintf("rest:https://user:%s@host:8000/f/", ConfidentialReplacement),
+		"s3:s3.amazonaws.com/bucket_name":                      "-",
+		"s3:https://<WASABI-SERVICE-URL>/<WASABI-BUCKET-NAME>": "-",
+		"swift:container_name:/path":                           "-",
+		"azure:foo:/":                                          "-",
+		"gs:foo:/":                                             "-",
+		"rclone:b2prod:yggdrasil/foo/bar/baz":                  "-",
+	}
+
+	for url, expected := range urls {
+		testConfig := fmt.Sprintf(`
+[profile]
+repository = "%s"
+`, url)
+
+		profile, err := getProfile("toml", testConfig, "profile")
+		assert.Nil(t, err)
+		assert.NotNil(t, profile)
+
+		if expected == "-" {
+			expected = url
+		}
+		assert.Equal(t, expected, profile.Repository.String())
+		assert.Equal(t, url, profile.Repository.Value())
+	}
+}
+
+func TestConfidentialEnvironment(t *testing.T) {
+	// https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html
+	vars := map[string]string{
+		"MY_VALUE": "-",
+		"MY_KEY":   "*",
+		"PASSWORD": "*",
+		"MY_URL":   "<url>",
+		// AWS, MinIO, Wasabi, Alibaba Cloud
+		"AWS_ACCESS_KEY_ID":     "-",
+		"AWS_SECRET_ACCESS_KEY": "*",
+		"AWS_DEFAULT_REGION":    "-",
+		// OpenStack Swift
+		"ST_AUTH":                          "<url>",
+		"ST_USER":                          "-",
+		"ST_KEY":                           "*",
+		"OS_AUTH_URL":                      "<url>",
+		"OS_REGION_NAME":                   "-",
+		"OS_USERNAME":                      "-",
+		"OS_PASSWORD":                      "*",
+		"OS_TENANT_ID":                     "-",
+		"OS_TENANT_NAME":                   "-",
+		"OS_USER_ID":                       "-",
+		"OS_USER_DOMAIN_NAME":              "-",
+		"OS_USER_DOMAIN_ID":                "-",
+		"OS_PROJECT_NAME":                  "-",
+		"OS_PROJECT_DOMAIN_NAME":           "-",
+		"OS_PROJECT_DOMAIN_ID":             "-",
+		"OS_TRUST_ID":                      "-",
+		"OS_APPLICATION_CREDENTIAL_ID":     "-",
+		"OS_APPLICATION_CREDENTIAL_NAME":   "-",
+		"OS_APPLICATION_CREDENTIAL_SECRET": "*",
+		"OS_STORAGE_URL":                   "<url>",
+		"OS_AUTH_TOKEN":                    "*",
+		"SWIFT_DEFAULT_CONTAINER_POLICY":   "-",
+		// Backblaze B2
+		"B2_ACCOUNT_ID":  "-",
+		"B2_ACCOUNT_KEY": "*",
+		// Microsoft Azure Blob Storage
+		"AZURE_ACCOUNT_NAME": "-",
+		"AZURE_ACCOUNT_KEY":  "*",
+		// Google Cloud Storage
+		"GOOGLE_PROJECT_ID":              "-",
+		"GOOGLE_APPLICATION_CREDENTIALS": "-",
+		"GOOGLE_ACCESS_TOKEN":            "*",
+	}
+
+	for name, expected := range vars {
+		testConfig := fmt.Sprintf(`
+[profile.env]
+%s = "%s"
+`, name, defaultUrl)
+
+		profile, err := getProfile("toml", testConfig, "profile")
+		assert.Nil(t, err)
+		assert.NotNil(t, profile)
+
+		switch expected {
+		case "<url>":
+			expected = defaultUrlReplaced
+		case "*":
+			expected = ConfidentialReplacement
+		default:
+			expected = defaultUrl
+		}
+
+		name = strings.ToLower(name)
+		env := profile.Environment[name]
+		assert.Equal(t, expected, env.String())
+		assert.Equal(t, defaultUrl, env.Value())
+	}
+}
+
+func TestShowConfigHidesConfidentialValues(t *testing.T) {
+	testConfig := `
+profile:
+  repository: "local:user:pass@host"
+  env:
+    MY_VALUE: "val"
+    MY_URL: "local:user:pass@host"
+    MY_KEY: 1234
+    MY_TOKEN: false
+    MY_PASSWORD: "otherval"
+`
+	profile, err := getProfile("yaml", testConfig, "profile")
+	assert.Nil(t, err)
+	assert.NotNil(t, profile)
+
+	buffer := &bytes.Buffer{}
+	assert.Nil(t, ShowStruct(buffer, profile, "p"))
+
+	result := regexp.MustCompile("\\s+").ReplaceAllString(buffer.String(), " ")
+	result = strings.TrimSpace(result)
+
+	assert.Contains(t, result, "my_value: val")
+	assert.Contains(t, result, "my_url: "+defaultUrlReplaced)
+	assert.Contains(t, result, "my_key: "+ConfidentialReplacement)
+	assert.Contains(t, result, "my_token: "+ConfidentialReplacement)
+	assert.Contains(t, result, "my_password: "+ConfidentialReplacement)
+	assert.Contains(t, result, "repository: "+defaultUrlReplaced)
+}
+
+func TestGetNonConfidentialValues(t *testing.T) {
+	testConfig := `
+profile:
+  verbose: false
+  repository: "local:user:pass@host"
+  env:
+    MY_PASSWORD: "otherval"
+`
+	profile, err := getProfile("yaml", testConfig, "profile")
+	assert.Nil(t, err)
+	assert.NotNil(t, profile)
+
+	result := GetNonConfidentialValues(profile, []string{"a", defaultUrl, "b", "otherval", "c"})
+	assert.Equal(t, []string{"a", defaultUrlReplaced, "b", ConfidentialReplacement, "c"}, result)
+}

config/config.go

@@ -45,10 +45,12 @@ type Config struct {
 var (
 	configOption = viper.DecodeHook(mapstructure.ComposeDecodeHookFunc(
 		mapstructure.StringToTimeDurationHookFunc(),
+		confidentialValueDecoder(),
 	))
 
 	configOptionHCL = viper.DecodeHook(mapstructure.ComposeDecodeHookFunc(
 		mapstructure.StringToTimeDurationHookFunc(),
+		confidentialValueDecoder(),
 		sliceOfMapsToMapHookFunc(),
 	))
 )
@@ -305,6 +307,7 @@ func (c *Config) getProfile(profileKey string) (*Profile, error) {
 	if err != nil {
 		return nil, err
 	}
+
 	if profile.Inherit != "" {
 		inherit := profile.Inherit
 		// Load inherited profile
@@ -323,6 +326,10 @@ func (c *Config) getProfile(profileKey string) (*Profile, error) {
 		// make sure it has the right name
 		profile.Name = profileKey
 	}
+
+	// Hide confidential values (keys, passwords) from the public representation
+	ProcessConfidentialValues(profile)
+
 	return profile, nil
 }