Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adjust the discovery uri logging to show the full dsn used (less pass… #1272

Merged
merged 2 commits into from
Nov 20, 2020
Merged

Adjust the discovery uri logging to show the full dsn used (less pass… #1272

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e89e934
Adjust the discovery uri logging to show the full dsn used (less pass…
sjmudd Nov 19, 2020
490099c
Merge branch 'master' into smudd/improve_dsn_safe_logging
sjmudd Nov 19, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
52 changes: 46 additions & 6 deletions go/db/db.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,9 @@ package db

import (
"database/sql"
"errors"
"fmt"
"regexp"
"strings"
"sync"
"time"
Expand All @@ -28,8 +30,11 @@ import (
"github.com/openark/orchestrator/go/config"
)

const dsnRegexp = `^([^:]+)(:.*)?(@(socket|tcp)\(.+\)/.*)$`

var (
EmptyArgs []interface{}
EmptyArgs []interface{}
ErrNoMatch = errors.New("no match")
)

var mysqlURI string
Expand Down Expand Up @@ -129,6 +134,42 @@ func isInMemorySQLite() bool {
return config.Config.IsSQLite() && strings.Contains(config.Config.SQLite3DataFile, ":memory:")
}

// matchDSN tries to match the DSN or returns an error
func matchDSN(dsn string) (string, error) {
re := regexp.MustCompile(dsnRegexp)

matches := re.FindStringSubmatch(dsn)
if matches == nil {
return "", ErrNoMatch
}

// matching dsn so printout excluding the password
// - if no password is provided the lack of a password will be visible!
maskedPass := ""
if len(matches[2]) > 0 {
maskedPass = `:?`
}

return matches[1] + maskedPass + matches[3], nil
}

// safeMySQLURI returns a version of the dsn without showing the password so it can be logged safely.
// - if we are unable to correctly match the provided dsn we build an incomplete one based on some of the settings.
func safeMySQLURI(dsn string) string {
if safeDSN, err := matchDSN(dsn); err == nil {
return safeDSN
}

// Fallback to use an incomplete dsn which may be good enough.
// Do not show the password but do show what we connect to.
return fmt.Sprintf("%s:?@tcp(%s:%d)/%s?timeout=%ds (incomplete dsn!)",
config.Config.MySQLOrchestratorUser,
config.Config.MySQLOrchestratorHost,
config.Config.MySQLOrchestratorPort,
config.Config.MySQLOrchestratorDatabase,
config.Config.MySQLConnectTimeoutSeconds)
}

// OpenTopology returns the DB instance for the orchestrator backed database
func OpenOrchestrator() (db *sql.DB, err error) {
var fromCache bool
Expand All @@ -149,12 +190,11 @@ func OpenOrchestrator() (db *sql.DB, err error) {
return db, log.Errore(err)
}
}
db, fromCache, err = sqlutils.GetDB(getMySQLURI())
dsn := getMySQLURI()
db, fromCache, err = sqlutils.GetDB(dsn)
if err == nil && !fromCache {
// do not show the password but do show what we connect to.
safeMySQLURI := fmt.Sprintf("%s:?@tcp(%s:%d)/%s?timeout=%ds", config.Config.MySQLOrchestratorUser,
config.Config.MySQLOrchestratorHost, config.Config.MySQLOrchestratorPort, config.Config.MySQLOrchestratorDatabase, config.Config.MySQLConnectTimeoutSeconds)
log.Debugf("Connected to orchestrator backend: %v", safeMySQLURI)
log.Debugf("Connected to orchestrator backend: %v", safeMySQLURI(dsn))

if config.Config.MySQLOrchestratorMaxPoolConnections > 0 {
log.Debugf("Orchestrator pool SetMaxOpenConns: %d", config.Config.MySQLOrchestratorMaxPoolConnections)
db.SetMaxOpenConns(config.Config.MySQLOrchestratorMaxPoolConnections)
Expand Down
32 changes: 32 additions & 0 deletions go/db/db_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
package db

import (
"testing"
)

// TestMatchDSN tests that the dsns we match don't expose the password
func TestMatchDSN(t *testing.T) {
var tests = []struct {
dsn string
output string
err error
}{
{"user@tcp(host:3306)/", "user@tcp(host:3306)/", nil},
{"user:pass@tcp(host:3306)/", "user:?@tcp(host:3306)/", nil},
{"user@tcp(host:3306)/db", "user@tcp(host:3306)/db", nil},
{"user:pass@tcp(host:3306)/db", "user:?@tcp(host:3306)/db", nil},
{"user:pass@tcp(host:3306)/db?param1=true", "user:?@tcp(host:3306)/db?param1=true", nil},
{"user:pass@tcp(host:3306)/db?param1=true&param2=10", "user:?@tcp(host:3306)/db?param1=true&param2=10", nil},
// tricky ones
{"user:user:pass@tcp(host:3306)/db?param1=true&param2=10", "user:?@tcp(host:3306)/db?param1=true&param2=10", nil},
{"user:pass@pass@tcp(host:3306)/db?param1=true&param2=10", "user:?@tcp(host:3306)/db?param1=true&param2=10", nil},
}

for i := range tests {
match, err := matchDSN(tests[i].dsn)
if match != tests[i].output || err != tests[i].err {
t.Errorf("Failed to match %q: expected(%q,%v), got(%q,%v)",
tests[i].dsn, tests[i].output, tests[i].err, match, err)
}
}
}