fix(#8564): mask more credentials

medic · Sep 20, 2023 · 63e5b84 · 63e5b84
1 parent bee783b
commit 63e5b84
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 5 deletions.
diff --git a/haproxy/scripts/replace_password.lua b/haproxy/scripts/replace_password.lua
@@ -2,7 +2,10 @@ core.Alert("replacePassword loaded")
 
 function replacePassword(body)
     if body then
-        local result = (body):gsub("(password[^:]*:%s*\")[^\"]*", "%1***")
+        local result = (body)
+            :gsub("(password[^:]*:%s*\")[^\"]*", "%1***")
+            :gsub("(password=)[^&]*", "%1***")
+            :gsub("(\"Basic )[^\"]*", "%1***")
         return result
     end
 end

diff --git a/tests/e2e/default/logging/logging.wdio-spec.js b/tests/e2e/default/logging/logging.wdio-spec.js
@@ -0,0 +1,57 @@
+const { expect } = require('chai');
+const utils = require('@utils');
+const loginPage = require('@page-objects/default/login/login.wdio.page');
+const constants = require('@constants');
+
+const auth = {
+  username: constants.USERNAME,
+  password: constants.PASSWORD
+};
+
+describe('audit log', () => {
+
+  it('should mask password on login', async () => {
+    const collectAuditLogs = await utils.collectHaproxyLogs(/POST,\/_session/);
+    await loginPage.login(auth);
+    const auditLogs = (await collectAuditLogs()).filter(log => log.length);
+    expect(auditLogs.length).to.equal(1);
+    expect(auditLogs[0]).to.contain(`{"name":"${constants.USERNAME}","password":"***"}`);
+  });
+
+  it('should mask password on replication request', async () => {
+    const collectAuditLogs = await utils.collectHaproxyLogs(/POST,\/_session/);
+    const requestOptions = {
+      path: '/_session',
+      method: 'POST',
+      body: `name=${constants.USERNAME}&password=${constants.PASSWORD}`,
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      noAuth: true
+    };
+    await utils.request(requestOptions);
+    const auditLogs = (await collectAuditLogs()).filter(log => log.length);
+    expect(auditLogs.length).to.equal(1);
+    expect(auditLogs[0]).to.contain('name=admin&password=***');
+  });
+
+  it('should mask password basic auth header', async () => {
+    const collectAuditLogs = await utils.collectHaproxyLogs(/POST,\/_replicator/);
+    const body = {
+      user_ctx: { name: 'medic', roles: [ '_admin', '_reader', '_writer' ]},
+      source: { url: 'https://localhost/source', headers: { Authorization: 'Basic bWVkaWM6cGFzc3dvcmQ=' } },
+      target: { url: 'https://localhost/target', headers: { Authorization: 'Basic bWVkaWM6cGFzc3dvcmQ=' } },
+      create_target: false,
+      continuous: false
+    };
+    const requestOptions = {
+      resolveWithFullResponse: true,
+      path: '/_replicator',
+      method: 'POST',
+      body
+    };
+    await utils.request(requestOptions);
+    const auditLogs = (await collectAuditLogs()).filter(log => log.length);
+    expect(auditLogs.length).to.equal(1);
+    expect(auditLogs[0]).to.contain('{"Authorization":"Basic ***"}');
+  });
+
+});
diff --git a/tests/e2e/default/suites.js b/tests/e2e/default/suites.js
@@ -25,7 +25,8 @@ const SUITES = {
   lowLevel: [
     './pwa/**/*.wdio-spec.js',
     './service-worker/**/*.wdio-spec.js',
-    './transitions/**/*.wdio-spec.js'
+    './transitions/**/*.wdio-spec.js',
+    './logging/**/*.wdio-spec.js'
   ],  
   enketo: [
     './enketo/**/*.wdio-spec.js',

diff --git a/tests/utils/index.js b/tests/utils/index.js
@@ -172,7 +172,7 @@ const requestOnTestDb = (options, debug) => {
   if (pathAndReqType !== '/GET') {
     options.path = '/' + constants.DB_NAME + (options.path || '');
   }
-  return request(options, { debug });
+  return request(options, debug);
 };
 
 const requestOnTestMetaDb = (options, debug) => {
@@ -182,15 +182,15 @@ const requestOnTestMetaDb = (options, debug) => {
     };
   }
   options.path = `/${constants.DB_NAME}-user-${options.userName}-meta${options.path || ''}`;
-  return request(options, { debug: debug });
+  return request(options, debug);
 };
 
 const requestOnMedicDb = (options, debug) => {
   if (typeof options === 'string') {
     options = { path: options };
   }
   options.path = `/medic${options.path || ''}`;
-  return request(options, { debug: debug });
+  return request(options, debug);
 };
 
 const formDocProcessing = async (docs) => {
@@ -1166,6 +1166,8 @@ const collectSentinelLogs = (...regex) => collectLogs('sentinel', ...regex);
 
 const collectApiLogs = (...regex) => collectLogs('api', ...regex);
 
+const collectHaproxyLogs = (...regex) => collectLogs('haproxy', ...regex);
+
 const normalizeTestName = name => name.replace(/\s/g, '_');
 
 const apiLogTestStart = (name) => {
@@ -1277,6 +1279,7 @@ module.exports = {
   waitForApiLogs,
   collectSentinelLogs,
   collectApiLogs,
+  collectHaproxyLogs,
   apiLogTestStart,
   apiLogTestEnd,
   updateContainerNames,