FAB-5794 Mask credentials in debug messages

(backport for 1.0.2) While this would not normally have been an issue, there are several cases where 3rd party operators are hosting/running fabric-ca. In those cases, the people who monitor the service should not be able to see any credentials in the logs if they need to turn on debug logging to troubleshoot. Change-Id: I51aa67a80094278e53481a91b8a9252655bd603e Signed-off-by: Gari Singh <[email protected]>
hyperledger · Aug 25, 2017 · 3066136 · 3066136
1 parent 00700da
commit 3066136
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/lib/ca.go b/lib/ca.go
@@ -29,6 +29,7 @@ import (
 	"path"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/cloudflare/cfssl/config"
@@ -485,7 +486,12 @@ func (ca *CA) initDB() error {
 		}
 	}
 
-	log.Debugf("Initializing '%s' database at '%s'", db.Type, db.Datasource)
+	// Strip out user:pass from datasource for logging
+	ds := db.Datasource
+	dsParts := strings.Split(ds, "@")
+	if len(dsParts) > 1 {
+		ds = fmt.Sprintf("*****:*****@%s", dsParts[len(dsParts)-1])
+	}
 
 	switch db.Type {
 	case defaultDatabaseType:

diff --git a/lib/dbutil/dbutil.go b/lib/dbutil/dbutil.go
@@ -131,8 +131,6 @@ func NewUserRegistryPostgres(datasource string, clientTLSConfig *tls.ClientTLSCo
 		connStr = fmt.Sprintf("%s sslcert=%s sslkey=%s", connStr, cert, key)
 	}
 
-	log.Debug("Connection String: ", connStr)
-
 	db, err := sqlx.Open("postgres", connStr)
 	if err != nil {
 		return nil, false, fmt.Errorf("Failed to open Postgres database: %s", err)
@@ -221,7 +219,6 @@ func NewUserRegistryMySQL(datasource string, clientTLSConfig *tls.ClientTLSConfi
 		mysql.RegisterTLSConfig("custom", tlsConfig)
 	}
 
-	log.Debug("Connection String: ", connStr)
 	db, err := sqlx.Open("mysql", connStr)
 	if err != nil {
 		return nil, false, fmt.Errorf("Failed to open MySQL database: %s", err)