From 3959d7afff8bb3c3b8da9eb7d178919275180f2a Mon Sep 17 00:00:00 2001 From: radhika Date: Fri, 7 Aug 2015 11:25:51 -0400 Subject: [PATCH] 6827: log only valid token and only the first 10 characters. --- services/arv-git-httpd/auth_handler.go | 12 +++++++++++- services/arv-git-httpd/server_test.go | 15 +++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/services/arv-git-httpd/auth_handler.go b/services/arv-git-httpd/auth_handler.go index 6313d50d68..74635488f2 100644 --- a/services/arv-git-httpd/auth_handler.go +++ b/services/arv-git-httpd/auth_handler.go @@ -52,7 +52,17 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { w.WriteHeader(statusCode) w.Write([]byte(statusText)) } - log.Println(quoteStrings(r.RemoteAddr, username, password, wroteStatus, statusText, repoName, r.Method, r.URL.Path)...) + + passwordToLog := "" + if statusCode == 401 || strings.Contains(statusText, "Unauthorized") { + if len(password) > 0 { + passwordToLog = "" + } + } else { + passwordToLog = password[0:10] + } + + log.Println(quoteStrings(r.RemoteAddr, username, passwordToLog, wroteStatus, statusText, repoName, r.Method, r.URL.Path)...) }() // HTTP request username is logged, but unused. Password is an diff --git a/services/arv-git-httpd/server_test.go b/services/arv-git-httpd/server_test.go index e5ddc29dec..77c4d3bb3b 100644 --- a/services/arv-git-httpd/server_test.go +++ b/services/arv-git-httpd/server_test.go @@ -18,6 +18,7 @@ const ( spectatorToken = "zw2f4gwx8hw8cjre7yp6v1zylhrhn3m5gvjq73rtpwhmknrybu" activeToken = "3kg6k6lzmp9kj5cpkcoxie963cmvjahbt2fod9zru30k1jqdmi" anonymousToken = "4kg6k6lzmp9kj4cpkcoxie964cmvjahbt4fod9zru44k4jqdmi" + expiredToken = "2ym314ysp27sk7h943q6vtc378srb06se3pq6ghurylyf3pdmx" ) // IntegrationSuite tests need an API server and an arv-git-httpd server 
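Review bot: `passwordToLog = password[0:10]` in the non-401 branch panics with a slice-bounds error whenever the supplied password is shorter than 10 bytes, and because this runs inside the deferred closure in ServeHTTP, any request that ends with a non-401 status (for example a short or empty password that the upstream turns into a 500) would crash the handler's logging path instead of logging. Clamp the prefix to `len(password)` instead, as below. The inner `if len(password) > 0 { passwordToLog = "" }` is a no-op since `passwordToLog` is already the empty string and can be dropped. Note also that, per TestInvalidToken in this same patch, an unknown token is reported as a 500 rather than a 401, so its first ten characters still reach the log through this branch; if the subject's "only valid token" is the intent, gating on the success status rather than on "not Unauthorized" would match it better (how statusCode is set is outside the hunk). The deferred closure begins and ServeHTTP continues outside the hunk.
```go
		passwordToLog := ""
		if statusCode != 401 && !strings.Contains(statusText, "Unauthorized") {
			// Log at most a 10-byte prefix of the token; never slice past the end of a short password.
			n := len(password)
			if n > 10 {
				n = 10
			}
			passwordToLog = password[:n]
		}
		// … unchanged: log.Println(quoteStrings(...)) …
```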
@@ -70,6 +71,20 @@ func (s *IntegrationSuite) TestNoPermission(c *check.C) { } } +func (s *IntegrationSuite) TestExpiredToken(c *check.C) { + for _, repo := range []string{"active/foo.git", "active/foo/.git"} { + err := s.runGit(c, expiredToken, "fetch", repo) + c.Assert(err, check.ErrorMatches, `.* 500 while accessing.*`) + } +} + +func (s *IntegrationSuite) TestInvalidToken(c *check.C) { + for _, repo := range []string{"active/foo.git", "active/foo/.git"} { + err := s.runGit(c, "no-such-token-in-the-system", "fetch", repo) + c.Assert(err, check.ErrorMatches, `.* 500 while accessing.*`) + } +} + func (s *IntegrationSuite) SetUpSuite(c *check.C) { arvadostest.StartAPI() } -- 2.30.2
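Review bot: TestExpiredToken and TestInvalidToken assert only on the `500 while accessing` status and never check what the commit is actually about, namely that the expired or unknown token does not appear in the server log (or appears as at most a 10-byte prefix); with the default `log` output that is hard to capture, but a test that swaps in a `bytes.Buffer` via `log.SetOutput` for the duration and asserts `expiredToken` is absent would pin the behavior. Pinning a 500 for an authentication failure also codifies a server-error status for what is a client credential problem; a 401 is what git clients expect, so consider documenting in a comment why 500 is the current contract, e.g. `// The API server currently surfaces expired/unknown tokens as a 500; see #6827.` The two tests differ only in the token and could be one table-driven test.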