Redact passwords from connection strings in error logs

Add redactConnectionString() to scrub credentials before logging,
handling both MySQL DSN (user:pass@tcp) and PostgreSQL URL
(postgres://user:pass@host) formats.

Author: jgowdy

internal/asherah/asherah.go

@@ -133,7 +133,7 @@ func NewMetastore(opts *Options) appencryption.Metastore {
 		}
 		db, err := newConnection(dbType, opts.ConnectionString)
 		if err != nil {
-			log.ErrorLogf("PANIC: Failed to connect to %s database with connection string: %v", dbType, err.Error())
+			log.ErrorLogf("PANIC: Failed to connect to %s database (connection: %s): %v", dbType, redactConnectionString(opts.ConnectionString), err.Error())
 			panic(fmt.Errorf("failed to connect to %s database: %w", dbType, err))
 		}
 

internal/asherah/database.go

@@ -2,11 +2,15 @@ package asherah
 
 import (
 	"database/sql"
+	"regexp"
+	"strings"
 
 	_ "github.com/go-sql-driver/mysql"
 	_ "github.com/lib/pq"
 )
 
+var mysqlDSNPasswordRegexp = regexp.MustCompile(`^([^:]+):[^@]+@`)
+
 const (
 	ReplicaReadConsistencyQuery         = "SET aurora_replica_read_consistency = ?"
 	ReplicaReadConsistencyValueEventual = "eventual"
@@ -30,6 +34,22 @@ func newConnection(dbdriver string, connStr string) (*sql.DB, error) {
 	return dbconnection, nil
 }
 
+func redactConnectionString(connStr string) string {
+	// URL-style: scheme://user:pass@host/db
+	if idx := strings.Index(connStr, "://"); idx >= 0 {
+		rest := connStr[idx+3:]
+		if atIdx := strings.Index(rest, "@"); atIdx >= 0 {
+			userInfo := rest[:atIdx]
+			if colonIdx := strings.Index(userInfo, ":"); colonIdx >= 0 {
+				return connStr[:idx+3] + userInfo[:colonIdx] + ":***@" + rest[atIdx+1:]
+			}
+		}
+		return connStr
+	}
+	// MySQL DSN-style: user:pass@tcp(host)/db
+	return mysqlDSNPasswordRegexp.ReplaceAllString(connStr, "${1}:***@")
+}
+
 func setRdbmsReplicaReadConsistencyValue(value string) (err error) {
 	if dbconnection != nil {
 		switch value {

internal/asherah/database_test.go

@@ -0,0 +1,42 @@
+package asherah
+
+import "testing"
+
+func TestRedactConnectionStringMysqlWithPassword(t *testing.T) {
+	result := redactConnectionString("user:secret@tcp(localhost:3306)/db")
+	expected := "user:***@tcp(localhost:3306)/db"
+	if result != expected {
+		t.Errorf("Expected %q, got %q", expected, result)
+	}
+}
+
+func TestRedactConnectionStringMysqlWithoutPassword(t *testing.T) {
+	result := redactConnectionString("user@tcp(localhost:3306)/db")
+	expected := "user@tcp(localhost:3306)/db"
+	if result != expected {
+		t.Errorf("Expected %q, got %q", expected, result)
+	}
+}
+
+func TestRedactConnectionStringPostgresWithPassword(t *testing.T) {
+	result := redactConnectionString("postgres://user:secret@localhost:5432/db")
+	expected := "postgres://user:***@localhost:5432/db"
+	if result != expected {
+		t.Errorf("Expected %q, got %q", expected, result)
+	}
+}
+
+func TestRedactConnectionStringPostgresWithoutPassword(t *testing.T) {
+	result := redactConnectionString("postgres://user@localhost:5432/db")
+	expected := "postgres://user@localhost:5432/db"
+	if result != expected {
+		t.Errorf("Expected %q, got %q", expected, result)
+	}
+}
+
+func TestRedactConnectionStringEmpty(t *testing.T) {
+	result := redactConnectionString("")
+	if result != "" {
+		t.Errorf("Expected empty string, got %q", result)
+	}
+}