Configurable masking and hiding for the env endpoint #6711
Conversation
- Changes the env endpoint to be disabled by default (requires user to enable in config) - If enabled, all env endpoint values are masked with ***** - Allow user to add a bean implementing EnvironmentEndpointFilter which: - allows legacy operation to be allowed so it behaves as before - can be set to mask or reveal all - allows patterns for masking to be defined if reveal all is set - allows patterns for plain-text values if mask all is set The call to the filter also contains the Principal if there is one, so the user can choose to alter visibility of items based on the currently logged in user
|
|
timyates
changed the title
management/src/main/java/io/micronaut/management/endpoint/env/EnvironmentEndpoint.java
Show resolved
Hide resolved
...ement/src/main/java/io/micronaut/management/endpoint/env/EnvironmentFilterSpecification.java
Outdated
Show resolved
Hide resolved
management/src/main/java/io/micronaut/management/endpoint/env/EnvironmentEndpoint.java
Show resolved
Hide resolved
management/src/main/java/io/micronaut/management/endpoint/env/EnvironmentEndpointFilter.java
Outdated
Show resolved
Hide resolved
...ement/src/main/java/io/micronaut/management/endpoint/env/EnvironmentFilterSpecification.java
Outdated
Show resolved
Hide resolved
...ement/src/main/java/io/micronaut/management/endpoint/env/EnvironmentFilterSpecification.java
Outdated
Show resolved
Hide resolved
...ement/src/main/java/io/micronaut/management/endpoint/env/EnvironmentFilterSpecification.java
Outdated
Show resolved
Hide resolved
...ement/src/main/java/io/micronaut/management/endpoint/env/EnvironmentFilterSpecification.java
Outdated
Show resolved
Hide resolved
...ement/src/main/java/io/micronaut/management/endpoint/env/EnvironmentFilterSpecification.java
Outdated
Show resolved
Hide resolved
src/main/docs/guide/management/providedEndpoints/environmentEndpoint.adoc
Outdated
Show resolved
Hide resolved
src/main/docs/guide/management/providedEndpoints/environmentEndpoint.adoc
Outdated
Show resolved
Hide resolved
src/main/docs/guide/management/providedEndpoints/environmentEndpoint.adoc
Outdated
Show resolved
Hide resolved
management/src/main/java/io/micronaut/management/endpoint/env/EnvironmentEndpointFilter.java
Outdated
Show resolved
Hide resolved
For binary compatibility. And annotate new constructor with Inject so it is used
|
@graemerocher Hope I addressed all your feedback 🤞 |
|
@timyates from my side yeah, @jameskleeh needs to review next |
| * @return itself for chaining calls. | ||
| */ | ||
| public @NotNull EnvironmentFilterSpecification maskPatterns(Pattern... propertySourceNameMask) { | ||
| maskedPatterns.addAll(Arrays.asList(propertySourceNameMask)); |
There was a problem hiding this comment.
This would have no effect without allMasked = false; so that should probably be set here
There was a problem hiding this comment.
If allMasked = true, then this sets the patterns that are allowed to be in the clear
maskPatterns is probably a rubbish name... But toggleMask was wrong too, as it's not a toggle, it's additive
There was a problem hiding this comment.
I think maskPatterns should define the patterns that are masked, thus only making it useful if not all keys are masked
There was a problem hiding this comment.
With a separate list for unmasked patterns, that only come into play if allMasked is true?
Or we could name it "excludedPatterns" which are excluded from whichever mode you're in... And change the method to exclude() ?
There was a problem hiding this comment.
That sounds OK to me. Need to support static keys as well
There was a problem hiding this comment.
Also the ability to supply predicates. Everything could be converted to predicates
There was a problem hiding this comment.
Switch to using Predicate<String> for all exclusions
To avoid unchecked generic array creation for varargs parameter warnings in user code (due to the Predicate<String> varargs), introduced EnvironmentFilterNamePredicate as a typealias
Also added a factory method to generate a predicate from a pattern and optional flags
...ement/src/main/java/io/micronaut/management/endpoint/env/EnvironmentFilterSpecification.java
Outdated
Show resolved
Hide resolved
management/src/main/java/io/micronaut/management/endpoint/env/EnvironmentEndpoint.java
Outdated
Show resolved
Hide resolved
management/src/main/java/io/micronaut/management/endpoint/env/EnvironmentEndpoint.java
Outdated
Show resolved
Hide resolved
...ement/src/main/java/io/micronaut/management/endpoint/env/EnvironmentFilterSpecification.java
Outdated
Show resolved
Hide resolved
| public static EnvironmentFilterNamePredicate regularExpressionPredicate(String pattern) { | ||
| return regularExpressionPredicate(pattern, 0); | ||
| } | ||
|
|
||
| public static EnvironmentFilterNamePredicate regularExpressionPredicate(String pattern, int flags) { | ||
| return s -> Pattern.compile(pattern, flags).matcher(s).matches(); | ||
| } |
There was a problem hiding this comment.
These appear now to be part of the public API? if it is the case they need javadoc
There was a problem hiding this comment.
Done. Would you say they were necessary? I added them to make it simpler to create the Predicates, but can see that they may add noise 🤔
|
Also, having the |
|
After a sync up with James, we have a better API... Incoming asap |
|
@graemerocher Can you please give this a final look? |
* Configurable masking and hiding for the env endpoint - Changes the env endpoint to be disabled by default (requires user to enable in config) - If enabled, all env endpoint values are masked with ***** - Allow user to add a bean implementing EnvironmentEndpointFilter which: - allows legacy operation to be allowed so it behaves as before - can be set to mask or reveal all - allows patterns for masking to be defined if reveal all is set - allows patterns for plain-text values if mask all is set The call to the filter also contains the Principal if there is one, so the user can choose to alter visibility of items based on the currently logged in user * Address first round of feedback * Fix tests * Fix since tag * Add single arg constructor For binary compatibility. And annotate new constructor with Inject so it is used * Switch to Predicate<String> in place of Patterns * Checkstyle fixes * Move env endpoint into disabled section of doc * Add deprecated methods and JavaDoc * Remove principal and simplify API * Cleanup Co-authored-by: jameskleeh <james.kleeh@gmail.com>
The call to the filter also contains the Principal if there is one, so the user can choose
to alter visibility of items based on the currently logged in user