Merge pull request #866 from Jrank2013/masking_api_token

The API token outputted during verbose will now be masked by default

Author: Katrina Owen

cmd/root.go

@@ -24,6 +24,9 @@ Download exercises and submit your solutions.`,
 		if verbose, _ := cmd.Flags().GetBool("verbose"); verbose {
 			debug.Verbose = verbose
 		}
+		if unmask, _ := cmd.Flags().GetBool("unmask-token"); unmask {
+			debug.UnmaskAPIKey = unmask
+		}
 		if timeout, _ := cmd.Flags().GetInt("timeout"); timeout > 0 {
 			cli.TimeoutInSeconds = timeout
 			api.TimeoutInSeconds = timeout
@@ -46,4 +49,5 @@ func init() {
 	api.UserAgent = fmt.Sprintf("github.com/exercism/cli v%s (%s/%s)", Version, runtime.GOOS, runtime.GOARCH)
 	RootCmd.PersistentFlags().BoolP("verbose", "v", false, "verbose output")
 	RootCmd.PersistentFlags().IntP("timeout", "", 0, "override the default HTTP timeout (seconds)")
+	RootCmd.PersistentFlags().BoolP("unmask-token", "", false, "will unmask the API during a request/response dump")
 }

cmd/troubleshoot.go

@@ -5,12 +5,12 @@ import (
 	"fmt"
 	"html/template"
 	"runtime"
-	"strings"
 	"sync"
 	"time"
 
 	"github.com/exercism/cli/cli"
 	"github.com/exercism/cli/config"
+	"github.com/exercism/cli/debug"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -192,7 +192,7 @@ func newConfigurationStatus(status *Status) configurationStatus {
 		TokenURL:  config.SettingsURL(v.GetString("apibaseurl")),
 	}
 	if status.Censor && cs.Token != "" {
-		cs.Token = redact(cs.Token)
+		cs.Token = debug.Redact(cs.Token)
 	}
 	return cs
 }
@@ -212,12 +212,6 @@ func (ping *apiPing) Call(wg *sync.WaitGroup) {
 	ping.Status = "connected"
 }
 
-func redact(token string) string {
-	str := token[4 : len(token)-3]
-	redaction := strings.Repeat("*", len(str))
-	return string(token[:4]) + redaction + string(token[len(token)-3:])
-}
-
 const tmplSelfTest = `
 Troubleshooting Information
 ===========================

cmd/troubleshoot_test.go

@@ -9,12 +9,15 @@ import (
 	"net/http"
 	"net/http/httputil"
 	"os"
+	"strings"
 )
 
 var (
 	// Verbose determines if debugging output is displayed to the user
 	Verbose bool
 	output  io.Writer = os.Stderr
+	// UnmaskAPIKey determines if the API key should de displayed during a dump
+	UnmaskAPIKey bool
 )
 
 // Println conditionally outputs a message to Stderr
@@ -41,6 +44,14 @@ func DumpRequest(req *http.Request) {
 	body := io.TeeReader(req.Body, &bodyCopy)
 	req.Body = ioutil.NopCloser(body)
 
+	temp := req.Header.Get("Authorization")
+
+	if !UnmaskAPIKey {
+		if token := strings.Split(temp, " ")[1]; token != "" {
+			req.Header.Set("Authorization", "Bearer "+Redact(token))
+		}
+	}
+
 	dump, err := httputil.DumpRequest(req, req.ContentLength > 0)
 	if err != nil {
 		log.Fatal(err)
@@ -51,6 +62,7 @@ func DumpRequest(req *http.Request) {
 	Println("========================= END DumpRequest =========================")
 	Println("")
 
+	req.Header.Set("Authorization", temp)
 	req.Body = ioutil.NopCloser(&bodyCopy)
 }
 
@@ -76,3 +88,10 @@ func DumpResponse(res *http.Response) {
 
 	res.Body = ioutil.NopCloser(body)
 }
+
+// Redact masks the given token by replacing part of the string with *
+func Redact(token string) string {
+	str := token[4 : len(token)-3]
+	redaction := strings.Repeat("*", len(str))
+	return string(token[:4]) + redaction + string(token[len(token)-3:])
+}

debug/debug.go

@@ -3,6 +3,8 @@ package debug
 import (
 	"bytes"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func TestVerboseEnabled(t *testing.T) {
@@ -26,3 +28,10 @@ func TestVerboseDisabled(t *testing.T) {
 		t.Error("expected '' got", b.String())
 	}
 }
+
+func TestRedact(t *testing.T) {
+	fakeToken := "1a11111aaaa111aa1a11111a11111aa1"
+	expected := "1a11*************************aa1"
+
+	assert.Equal(t, expected, Redact(fakeToken))
+}