fix(core): RequestToCurl will strip any auth headers from logs.

Author: spbsoluble

auth_providers/auth_core.go

@@ -800,19 +800,56 @@ func RequestToCurl(req *http.Request) (string, error) {
 	// Add headers
 	for name, values := range req.Header {
 		for _, value := range values {
+			// check if is Authorization header and skip it
+			if strings.EqualFold(name, "Authorization") {
+				// check if basic auth and skip it
+				if strings.HasPrefix(value, "Basic ") {
+					// Remove credentials and put in env variables as placeholder
+					log.Printf(
+						"[DEBUG] Found Basic auth in Authorization header, " +
+							"replacing with env variable references",
+					)
+					curlCommand.WriteString(
+						fmt.Sprintf(
+							"-H %q ", fmt.Sprintf(
+								"%s: Basic $(echo -n $\"%s,$%s\" | base64)", name,
+								EnvKeyfactorUsername, EnvKeyfactorPassword,
+							),
+						),
+					)
+					continue
+				} else if strings.HasPrefix(value, "Bearer ") {
+					// Remove credentials and put in env variables as placeholder
+					log.Printf("[DEBUG] Found Bearer token in Authorization header, replacing with kfutil command to fetch token")
+					curlCommand.WriteString(
+						fmt.Sprintf(
+							"-H %q ", fmt.Sprintf(
+								"%s: Bearer $(kfutil auth fetch-oauth-token)", name,
+							),
+						),
+					)
+					continue
+				} else {
+					// Skip other Authorization headers
+					log.Printf("[ERROR] Skipping unhandled Authorization header: %s", name)
+					continue
+				}
+			}
 			curlCommand.WriteString(fmt.Sprintf("-H %q ", fmt.Sprintf("%s: %s", name, value)))
 		}
 	}
 
 	// Add the body if it exists
 	if req.Method == http.MethodPost || req.Method == http.MethodPut {
-		body, err := io.ReadAll(req.Body)
-		if err != nil {
-			return "", err
-		}
-		req.Body = io.NopCloser(bytes.NewBuffer(body)) // Restore the request body
+		if req.Body != nil {
+			body, err := io.ReadAll(req.Body)
+			if err != nil {
+				return "", err
+			}
+			req.Body = io.NopCloser(bytes.NewBuffer(body)) // Restore the request body
 
-		curlCommand.WriteString(fmt.Sprintf("--data %q ", string(body)))
+			curlCommand.WriteString(fmt.Sprintf("--data %q ", string(body)))
+		}
 	}
 
 	return curlCommand.String(), nil

auth_providers/auth_core_test.go

@@ -16,6 +16,7 @@ package auth_providers_test
 
 import (
 	"net/http"
+	"strings"
 	"testing"
 
 	"github.com/Keyfactor/keyfactor-auth-client-go/auth_providers"
@@ -102,3 +103,75 @@ MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7Q2+1+2+1+2+1+2+1+2+
 		t.Fatalf("expected non-zero blocks")
 	}
 }
+
+func TestRequestToCurl(t *testing.T) {
+	tests := []struct {
+		name          string
+		method        string
+		url           string
+		headers       map[string]string
+		wantInCurl    []string
+		notWantInCurl []string
+	}{
+		{
+			name:   "Basic Auth",
+			method: "GET",
+			url:    "https://example.com/api",
+			headers: map[string]string{
+				"Authorization": "Basic dXNlcjpwYXNz",
+			},
+			wantInCurl: []string{
+				"curl", "-X", "GET", "https://example.com/api",
+				"-H", "Authorization: Basic",
+			},
+			notWantInCurl: []string{
+				"Authorization: Basic dXNlcjpwYXNz",
+			},
+		},
+		{
+			name:   "Bearer Auth",
+			method: "POST",
+			url:    "https://example.com/token",
+			headers: map[string]string{
+				"Authorization": "Bearer testtoken",
+				"Content-Type":  "application/json",
+			},
+			wantInCurl: []string{
+				"curl", "-X", "POST", "https://example.com/token",
+				"-H", "Authorization: Bearer",
+				"-H", "Content-Type: application/json",
+			},
+			notWantInCurl: []string{
+				"Authorization: Bearer testtoken",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		req, err := http.NewRequest(tt.method, tt.url, nil)
+		if err != nil {
+			t.Fatalf("failed to create request: %v", err)
+		}
+		for k, v := range tt.headers {
+			req.Header.Set(k, v)
+		}
+
+		curlStr, err := auth_providers.RequestToCurl(req)
+		if err != nil {
+			t.Errorf("%s: RequestToCurl returned error: %v", tt.name, err)
+			continue
+		}
+		for _, want := range tt.wantInCurl {
+			if !strings.Contains(curlStr, want) {
+				t.Errorf("%s: curl string missing %q\nGot: %s", tt.name, want, curlStr)
+			}
+		}
+
+		for _, notWant := range tt.notWantInCurl {
+			if strings.Contains(curlStr, notWant) {
+				t.Errorf("%s: curl string contains unwanted %q\nGot: %s", tt.name, notWant, curlStr)
+			}
+		}
+		t.Logf("%s: curl command: %s", tt.name, curlStr)
+	}
+}