redact secret_paths from elastic-agent inspect output

elastic · Oct 1, 2024 · 4397d53 · 4397d53
1 parent 0ebadad
commit 4397d53
Show file tree

Hide file tree

Showing 3 changed files with 276 additions and 1 deletion.
diff --git a/changelog/fragments/1727453779-inspect-command-will-redact-secret_paths-in-policy.yaml b/changelog/fragments/1727453779-inspect-command-will-redact-secret_paths-in-policy.yaml
@@ -0,0 +1,34 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: inspect command will redact secret_paths in policy
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+description: |
+  The elastic-agent inspect command will now redact any secret values when displaying output.
+  The keys that are redacted are expected to be defined in the "secret_paths" attribute.
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component:
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+#pr: https://github.com/owner/repo/1234
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234
diff --git a/internal/pkg/agent/cmd/inspect.go b/internal/pkg/agent/cmd/inspect.go
@@ -7,6 +7,7 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"io"
 	"os"
 	"strings"
 	"time"
@@ -16,6 +17,7 @@ import (
 
 	"github.com/elastic/elastic-agent-libs/logp"
 	"github.com/elastic/elastic-agent-libs/service"
+	"github.com/elastic/go-ucfg"
 
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/info"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/monitoring"
@@ -234,7 +236,7 @@ func inspectConfig(ctx context.Context, cfgPath string, opts inspectConfigOpts,
 }
 
 func printMapStringConfig(mapStr map[string]interface{}, streams *cli.IOStreams) error {
-	data, err := yaml.Marshal(mapStr)
+	data, err := yaml.Marshal(redactSecretPaths(mapStr, streams.Err))
 	if err != nil {
 		return errors.New(err, "could not marshal to YAML")
 	}
@@ -243,6 +245,39 @@ func printMapStringConfig(mapStr map[string]interface{}, streams *cli.IOStreams)
 	return err
 }
 
+func redactSecretPaths(mapStr map[string]interface{}, errOut io.Writer) map[string]interface{} {
+	v, ok := mapStr["secret_paths"]
+	if !ok {
+		fmt.Fprintln(errOut, "No output redaction: secret_paths attribute not found.")
+		return mapStr
+	}
+	arr, ok := v.([]interface{})
+	if !ok {
+		fmt.Fprintln(errOut, "No output redaction: secret_paths attribute is not a list.")
+		return mapStr
+	}
+	cfg := ucfg.MustNewFrom(mapStr)
+	for _, v := range arr {
+		key, ok := v.(string)
+		if !ok {
+			fmt.Fprintf(errOut, "No output redaction for %q: expected type string, is type %T.\n", v, v)
+			continue
+		}
+
+		if ok, _ := cfg.Has(key, -1, ucfg.PathSep(".")); ok {
+			err := cfg.SetString(key, -1, "[REDACTED]", ucfg.PathSep("."))
+			if err != nil {
+				fmt.Fprintf(errOut, "No output redaction for %q: %v.\n", key, err)
+			}
+		}
+	}
+	result, err := config.MustNewConfigFrom(cfg).ToMapStr()
+	if err != nil {
+		return mapStr
+	}
+	return result
+}
+
 // convert the config object to a mapstr and print to the stream specified in in streams.Out
 func printConfig(cfg *config.Config, streams *cli.IOStreams) error {
 	mapStr, err := cfg.ToMapStr()

diff --git a/internal/pkg/agent/cmd/inspect_test.go b/internal/pkg/agent/cmd/inspect_test.go
@@ -0,0 +1,206 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+package cmd
+
+import (
+	"io"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRedactSecretPaths(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  map[string]interface{}
+		expect map[string]interface{}
+	}{{
+		name: "no secret_paths",
+		input: map[string]interface{}{
+			"outputs": map[string]interface{}{
+				"default": map[string]interface{}{
+					"type":    "elasticsearch",
+					"api_key": "apikeyvalue",
+				},
+			},
+			"inputs": []interface{}{
+				map[string]interface{}{
+					"type":   "example",
+					"secret": "secretvalue",
+				},
+			},
+		},
+		expect: map[string]interface{}{
+			"outputs": map[string]interface{}{
+				"default": map[string]interface{}{
+					"type":    "elasticsearch",
+					"api_key": "apikeyvalue",
+				},
+			},
+			"inputs": []interface{}{
+				map[string]interface{}{
+					"type":   "example",
+					"secret": "secretvalue",
+				},
+			},
+		},
+	}, {
+		name: "secret paths is not an array",
+		input: map[string]interface{}{
+			"secret_paths": "inputs.0.secret,outputs.default.api_key",
+			"outputs": map[string]interface{}{
+				"default": map[string]interface{}{
+					"type":    "elasticsearch",
+					"api_key": "apikeyvalue",
+				},
+			},
+			"inputs": []interface{}{
+				map[string]interface{}{
+					"type":   "example",
+					"secret": "secretvalue",
+				},
+			},
+		},
+		expect: map[string]interface{}{
+			"secret_paths": "inputs.0.secret,outputs.default.api_key",
+			"outputs": map[string]interface{}{
+				"default": map[string]interface{}{
+					"type":    "elasticsearch",
+					"api_key": "apikeyvalue",
+				},
+			},
+			"inputs": []interface{}{
+				map[string]interface{}{
+					"type":   "example",
+					"secret": "secretvalue",
+				},
+			},
+		},
+	}, {
+		name: "secret_paths are redacted",
+		input: map[string]interface{}{
+			"secret_paths": []interface{}{
+				"inputs.0.secret",
+				"outputs.default.api_key",
+			},
+			"outputs": map[string]interface{}{
+				"default": map[string]interface{}{
+					"type":    "elasticsearch",
+					"api_key": "apikeyvalue",
+				},
+			},
+			"inputs": []interface{}{
+				map[string]interface{}{
+					"type":   "example",
+					"secret": "secretvalue",
+				},
+			},
+		},
+		expect: map[string]interface{}{
+			"secret_paths": []interface{}{
+				"inputs.0.secret",
+				"outputs.default.api_key",
+			},
+			"outputs": map[string]interface{}{
+				"default": map[string]interface{}{
+					"type":    "elasticsearch",
+					"api_key": "[REDACTED]",
+				},
+			},
+			"inputs": []interface{}{
+				map[string]interface{}{
+					"type":   "example",
+					"secret": "[REDACTED]",
+				},
+			},
+		},
+	}, {
+		name: "secret_paths contains extra keys",
+		input: map[string]interface{}{
+			"secret_paths": []interface{}{
+				"inputs.0.secret",
+				"outputs.default.api_key",
+				"inputs.1.secret",
+			},
+			"outputs": map[string]interface{}{
+				"default": map[string]interface{}{
+					"type":    "elasticsearch",
+					"api_key": "apikeyvalue",
+				},
+			},
+			"inputs": []interface{}{
+				map[string]interface{}{
+					"type":   "example",
+					"secret": "secretvalue",
+				},
+			},
+		},
+		expect: map[string]interface{}{
+			"secret_paths": []interface{}{
+				"inputs.0.secret",
+				"outputs.default.api_key",
+				"inputs.1.secret",
+			},
+			"outputs": map[string]interface{}{
+				"default": map[string]interface{}{
+					"type":    "elasticsearch",
+					"api_key": "[REDACTED]",
+				},
+			},
+			"inputs": []interface{}{
+				map[string]interface{}{
+					"type":   "example",
+					"secret": "[REDACTED]",
+				},
+			},
+		},
+	}, {
+		name: "secret_paths contains non string key",
+		input: map[string]interface{}{
+			"secret_paths": []interface{}{
+				"inputs.0.secret",
+				"outputs.default.api_key",
+				2,
+			},
+			"outputs": map[string]interface{}{
+				"default": map[string]interface{}{
+					"type":    "elasticsearch",
+					"api_key": "apikeyvalue",
+				},
+			},
+			"inputs": []interface{}{
+				map[string]interface{}{
+					"type":   "example",
+					"secret": "secretvalue",
+				},
+			},
+		},
+		expect: map[string]interface{}{
+			"secret_paths": []interface{}{
+				"inputs.0.secret",
+				"outputs.default.api_key",
+				uint64(2), // go-ucfg serializing/deserializing flattens types
+			},
+			"outputs": map[string]interface{}{
+				"default": map[string]interface{}{
+					"type":    "elasticsearch",
+					"api_key": "[REDACTED]",
+				},
+			},
+			"inputs": []interface{}{
+				map[string]interface{}{
+					"type":   "example",
+					"secret": "[REDACTED]",
+				},
+			},
+		},
+	}}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := redactSecretPaths(tc.input, io.Discard)
+			assert.Equal(t, tc.expect, result)
+		})
+	}
+}