6827: log only valid token and only the first 10 characters.
authorradhika <radhika@curoverse.com>
Fri, 7 Aug 2015 15:25:51 +0000 (11:25 -0400)
committerradhika <radhika@curoverse.com>
Fri, 7 Aug 2015 15:25:51 +0000 (11:25 -0400)
services/arv-git-httpd/auth_handler.go
services/arv-git-httpd/server_test.go

index 6313d50d685e7a17c4854cbb5c62305c905bcb72..74635488f27be4c146dc3cfac19a2b8f0946e442 100644 (file)
@@ -52,7 +52,17 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
                        w.WriteHeader(statusCode)
                        w.Write([]byte(statusText))
                }
-               log.Println(quoteStrings(r.RemoteAddr, username, password, wroteStatus, statusText, repoName, r.Method, r.URL.Path)...)
+
+               passwordToLog := ""
+               if statusCode == 401 || strings.Contains(statusText, "Unauthorized") {
+                       if len(password) > 0 {
+                               passwordToLog = "<invalid>"
+                       }
+               } else {
+                       passwordToLog = password[0:10]
+               }
+
+               log.Println(quoteStrings(r.RemoteAddr, username, passwordToLog, wroteStatus, statusText, repoName, r.Method, r.URL.Path)...)
        }()
 
        // HTTP request username is logged, but unused. Password is an
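Review bot: `passwordToLog = password[0:10]` in the non-401 branch panics with a slice-bounds error whenever the Basic-auth password is shorter than 10 bytes (an empty or short password on a request that ends in any status other than 401, e.g. a 404 path), and because it runs inside the deferred func the panic fires after the status and body have already been written on the lines above it. Guard the length before slicing: `passwordToLog = password; if len(passwordToLog) > 10 { passwordToLog = passwordToLog[:10] }`. The `strings.Contains(statusText, "Unauthorized")` clause also ties the redaction decision to the wording of the status text; if every rejected-credential path sets `statusCode = 401`, the code comparison alone is the more robust condition, though where statusCode is assigned is outside this hunk, as is the file's import block, so confirm `strings` is already imported. ServeHTTP begins and ends outside the hunk.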
index e5ddc29dec93b2a9a2f08fef9d7f31b9706da2dc..77c4d3bb3ba190b5235a897d39cfc7b91442a514 100644 (file)
@@ -18,6 +18,7 @@ const (
        spectatorToken = "zw2f4gwx8hw8cjre7yp6v1zylhrhn3m5gvjq73rtpwhmknrybu"
        activeToken    = "3kg6k6lzmp9kj5cpkcoxie963cmvjahbt2fod9zru30k1jqdmi"
        anonymousToken = "4kg6k6lzmp9kj4cpkcoxie964cmvjahbt4fod9zru44k4jqdmi"
+       expiredToken   = "2ym314ysp27sk7h943q6vtc378srb06se3pq6ghurylyf3pdmx"
 )
 
 // IntegrationSuite tests need an API server and an arv-git-httpd server
@@ -70,6 +71,20 @@ func (s *IntegrationSuite) TestNoPermission(c *check.C) {
        }
 }
 
+func (s *IntegrationSuite) TestExpiredToken(c *check.C) {
+       for _, repo := range []string{"active/foo.git", "active/foo/.git"} {
+               err := s.runGit(c, expiredToken, "fetch", repo)
+               c.Assert(err, check.ErrorMatches, `.* 500 while accessing.*`)
+       }
+}
+
+func (s *IntegrationSuite) TestInvalidToken(c *check.C) {
+       for _, repo := range []string{"active/foo.git", "active/foo/.git"} {
+               err := s.runGit(c, "no-such-token-in-the-system", "fetch", repo)
+               c.Assert(err, check.ErrorMatches, `.* 500 while accessing.*`)
+       }
+}
+
 func (s *IntegrationSuite) SetUpSuite(c *check.C) {
        arvadostest.StartAPI()
 }
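Review bot: Both new tests (lines asserting `.* 500 while accessing.*`) pin a server-error status for what is an authentication failure, an expired token and an unknown token; if the handler is meant to reject a bad token with 401, as the `statusCode == 401` branch in auth_handler.go suggests, the expected pattern should be `.* 401 while accessing.*`, and if 500 is genuinely what the upstream API returns for these tokens a one-line comment stating that would stop the next reader from treating it as a bug. How the API server answers these tokens is not visible here, so this may be intended. The two test bodies differ only in the token passed to `s.runGit`; a single loop over `[]string{expiredToken, "no-such-token-in-the-system"}` nested inside the repo loop would remove the duplication.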