chore: add redact package to not print sensitive data (#270)

Author: leoparente

agent/agent.go

@@ -14,6 +14,7 @@ import (
 	"github.com/netboxlabs/orb-agent/agent/config"
 	"github.com/netboxlabs/orb-agent/agent/configmgr"
 	"github.com/netboxlabs/orb-agent/agent/policymgr"
+	"github.com/netboxlabs/orb-agent/agent/redact"
 	"github.com/netboxlabs/orb-agent/agent/secretsmgr"
 	"github.com/netboxlabs/orb-agent/agent/telemetry"
 	"github.com/netboxlabs/orb-agent/agent/version"
@@ -183,7 +184,7 @@ func (a *orbAgent) Start(ctx context.Context, cancelFunc context.CancelFunc) err
 	agentCtx := context.WithValue(ctx, routineKey, "agentRoutine")
 	a.cancelFunction = cancelFunc
 	a.logger.Info("agent started", "version", version.GetBuildVersion(), "routine", agentCtx.Value(routineKey))
-	a.logger.Info("requested backends", "values", a.config.OrbAgent.Backends)
+	a.logger.Info("requested backends", "values", redact.SensitiveData(a.config.OrbAgent.Backends))
 
 	if err := a.secretsManager.Start(ctx); err != nil {
 		a.logger.Error("error during start secrets manager", "error", err)

agent/backend/devicediscovery/device_discovery.go

@@ -15,6 +15,7 @@ import (
 	"github.com/netboxlabs/orb-agent/agent/backend"
 	"github.com/netboxlabs/orb-agent/agent/config"
 	"github.com/netboxlabs/orb-agent/agent/policies"
+	"github.com/netboxlabs/orb-agent/agent/redact"
 )
 
 var _ backend.Backend = (*deviceDiscoveryBackend)(nil)
@@ -29,7 +30,6 @@ const (
 	defaultExec         = "device-discovery"
 	defaultAPIHost      = "localhost"
 	defaultAPIPort      = "8072"
-	maskedSecret        = "********"
 )
 
 type deviceDiscoveryBackend struct {
@@ -160,7 +160,7 @@ func (d *deviceDiscoveryBackend) Start(ctx context.Context, cancelFunc context.C
 		if !d.diodeTargetFromOtel {
 			opts = append(opts,
 				"--diode-client-id", d.diodeClientID,
-				"--diode-client-secret", maskedSecret,
+				"--diode-client-secret", d.diodeClientSecret,
 			)
 		}
 		dOptions = append(opts, dOptions...)
@@ -170,16 +170,7 @@ func (d *deviceDiscoveryBackend) Start(ctx context.Context, cancelFunc context.C
 		dOptions = append(dOptions, "--otel-endpoint", d.diodeOtelEndpoint)
 	}
 
-	d.logger.Info("device-discovery startup", "arguments", dOptions)
-
-	if !d.diodeDryRun {
-		for i, arg := range dOptions {
-			if arg == maskedSecret {
-				dOptions[i] = d.diodeClientSecret
-				break
-			}
-		}
-	}
+	d.logger.Info("device-discovery startup", "arguments", redact.Args(dOptions))
 
 	d.proc = backend.NewCmdOptions(backend.CmdOptions{
 		Buffered:  false,

agent/backend/networkdiscovery/network_discovery.go

@@ -16,6 +16,7 @@ import (
 	"github.com/netboxlabs/orb-agent/agent/backend"
 	"github.com/netboxlabs/orb-agent/agent/config"
 	"github.com/netboxlabs/orb-agent/agent/policies"
+	"github.com/netboxlabs/orb-agent/agent/redact"
 )
 
 var _ backend.Backend = (*networkDiscoveryBackend)(nil)
@@ -30,7 +31,6 @@ const (
 	defaultExec         = "network-discovery"
 	defaultAPIHost      = "localhost"
 	defaultAPIPort      = "8073"
-	maskedSecret        = "********"
 )
 
 type networkDiscoveryBackend struct {
@@ -169,7 +169,7 @@ func (d *networkDiscoveryBackend) Start(ctx context.Context, cancelFunc context.
 		if !d.diodeTargetFromOtel {
 			opts = append(opts,
 				"--diode-client-id", d.diodeClientID,
-				"--diode-client-secret", maskedSecret,
+				"--diode-client-secret", d.diodeClientSecret,
 			)
 		}
 		dOptions = append(opts, dOptions...)
@@ -187,16 +187,7 @@ func (d *networkDiscoveryBackend) Start(ctx context.Context, cancelFunc context.
 			"endpoint", d.diodeOtelEndpoint)
 	}
 
-	d.logger.Info("network-discovery startup", "arguments", dOptions)
-
-	if !d.diodeDryRun {
-		for i, arg := range dOptions {
-			if arg == maskedSecret {
-				dOptions[i] = d.diodeClientSecret
-				break
-			}
-		}
-	}
+	d.logger.Info("network-discovery startup", "arguments", redact.Args(dOptions))
 
 	d.proc = backend.NewCmdOptions(backend.CmdOptions{
 		Buffered:  false,

agent/backend/snmpdiscovery/snmp_discovery.go

@@ -16,6 +16,7 @@ import (
 	"github.com/netboxlabs/orb-agent/agent/backend"
 	"github.com/netboxlabs/orb-agent/agent/config"
 	"github.com/netboxlabs/orb-agent/agent/policies"
+	"github.com/netboxlabs/orb-agent/agent/redact"
 )
 
 var _ backend.Backend = (*snmpDiscoveryBackend)(nil)
@@ -30,7 +31,6 @@ const (
 	defaultExec         = "snmp-discovery"
 	defaultAPIHost      = "localhost"
 	defaultAPIPort      = "8070"
-	maskedSecret        = "********"
 )
 
 type snmpDiscoveryBackend struct {
@@ -169,7 +169,7 @@ func (d *snmpDiscoveryBackend) Start(ctx context.Context, cancelFunc context.Can
 		if !d.diodeTargetFromOtel {
 			opts = append(opts,
 				"--diode-client-id", d.diodeClientID,
-				"--diode-client-secret", maskedSecret,
+				"--diode-client-secret", d.diodeClientSecret,
 			)
 		}
 		dOptions = append(opts, dOptions...)
@@ -187,17 +187,7 @@ func (d *snmpDiscoveryBackend) Start(ctx context.Context, cancelFunc context.Can
 			"endpoint", d.diodeOtelEndpoint)
 	}
 
-	d.logger.Info("snmp-discovery startup", "arguments", dOptions)
-
-	if !d.diodeDryRun {
-		// Swap the masked secret used for logging with the real value before execution
-		for i, arg := range dOptions {
-			if arg == maskedSecret {
-				dOptions[i] = d.diodeClientSecret
-				break
-			}
-		}
-	}
+	d.logger.Info("snmp-discovery startup", "arguments", redact.Args(dOptions))
 
 	d.proc = backend.NewCmdOptions(backend.CmdOptions{
 		Buffered:  false,

agent/backend/worker/worker.go

@@ -15,6 +15,7 @@ import (
 	"github.com/netboxlabs/orb-agent/agent/backend"
 	"github.com/netboxlabs/orb-agent/agent/config"
 	"github.com/netboxlabs/orb-agent/agent/policies"
+	"github.com/netboxlabs/orb-agent/agent/redact"
 )
 
 var _ backend.Backend = (*workerBackend)(nil)
@@ -29,7 +30,6 @@ const (
 	defaultExec         = "orb-worker"
 	defaultAPIHost      = "localhost"
 	defaultAPIPort      = "8071"
-	maskedSecret        = "********"
 )
 
 type workerBackend struct {
@@ -160,7 +160,7 @@ func (d *workerBackend) Start(ctx context.Context, cancelFunc context.CancelFunc
 		if !d.diodeTargetFromOtel {
 			opts = append(opts,
 				"--diode-client-id", d.diodeClientID,
-				"--diode-client-secret", maskedSecret,
+				"--diode-client-secret", d.diodeClientSecret,
 			)
 		}
 		dOptions = append(opts, dOptions...)
@@ -170,17 +170,7 @@ func (d *workerBackend) Start(ctx context.Context, cancelFunc context.CancelFunc
 		dOptions = append(dOptions, "--otel-endpoint", d.diodeOtelEndpoint)
 	}
 
-	d.logger.Info("worker startup", "arguments", dOptions)
-
-	if !d.diodeDryRun {
-		// Swap the masked secret used for logging with the real value before execution
-		for i, arg := range dOptions {
-			if arg == maskedSecret {
-				dOptions[i] = d.diodeClientSecret
-				break
-			}
-		}
-	}
+	d.logger.Info("worker startup", "arguments", redact.Args(dOptions))
 
 	d.proc = backend.NewCmdOptions(backend.CmdOptions{
 		Buffered:  false,

agent/configmgr/fleet.go

@@ -14,6 +14,7 @@ import (
 	"github.com/netboxlabs/orb-agent/agent/configmgr/fleet"
 	"github.com/netboxlabs/orb-agent/agent/otlpbridge"
 	"github.com/netboxlabs/orb-agent/agent/policymgr"
+	"github.com/netboxlabs/orb-agent/agent/redact"
 )
 
 // Compile-time check to ensure fleetConfigManager implements Manager interface
@@ -271,11 +272,8 @@ func (fleetManager *fleetConfigManager) refreshAndReconnect(ctx context.Context,
 }
 
 func (fleetManager *fleetConfigManager) configToSafeString(cfg config.Config) (string, error) {
-	if cfg.OrbAgent.ConfigManager.Sources.Fleet.ClientSecret != "" {
-		cfg.OrbAgent.ConfigManager.Sources.Fleet.ClientSecret = "******"
-	}
-
-	configYaml, err := yaml.Marshal(cfg)
+	redacted := redact.SensitiveData(cfg)
+	configYaml, err := yaml.Marshal(redacted)
 	if err != nil {
 		return "", fmt.Errorf("failed to marshal agent config: %w", err)
 	}

agent/configmgr/fleet/auth.go

@@ -15,6 +15,8 @@ import (
 
 	"github.com/go-jose/go-jose/v4"
 	"github.com/go-jose/go-jose/v4/jwt"
+
+	"github.com/netboxlabs/orb-agent/agent/redact"
 )
 
 // AuthTokenManager manages auth tokens
@@ -92,7 +94,7 @@ func (fleetManager *AuthTokenManager) GetToken(ctx context.Context, tokenURL str
 		},
 	}
 
-	fleetManager.logger.Debug("sending token request", "url", tokenURL, "data", data, "client_id", clientID)
+	fleetManager.logger.Debug("sending token request", "url", tokenURL, "data", redact.SensitiveData(data), "client_id", clientID)
 
 	resp, err := httpClient.Do(req.WithContext(ctx))
 	if err != nil {

agent/configmgr/fleet_test.go

@@ -279,7 +279,7 @@ func TestFleetConfigManager_configToSafeString(t *testing.T) {
 		{
 			name:         "sanitizes non-empty client secret",
 			clientSecret: "my-super-secret-password",
-			wantSecret:   "******",
+			wantSecret:   "********",
 			wantErr:      false,
 			checkInYAML:  true,
 		},
@@ -334,9 +334,9 @@ func TestFleetConfigManager_configToSafeString(t *testing.T) {
 				assert.Contains(t, result, tt.wantSecret, "sanitized secret should be in output")
 				// YAML can use either single or double quotes, so check for either
 				assert.True(t,
-					strings.Contains(result, "client_secret: '******'") ||
-						strings.Contains(result, "client_secret: \"******\"") ||
-						strings.Contains(result, "client_secret: ******"),
+					strings.Contains(result, "client_secret: '********'") ||
+						strings.Contains(result, "client_secret: \"********\"") ||
+						strings.Contains(result, "client_secret: ********"),
 					"client_secret should be masked in YAML output")
 			}
 		})