3 changes: 2 additions & 1 deletion agent/agent.go
Expand Up @@ -14,6 +14,7 @@ import (
"github.com/netboxlabs/orb-agent/agent/config"
"github.com/netboxlabs/orb-agent/agent/configmgr"
"github.com/netboxlabs/orb-agent/agent/policymgr"
"github.com/netboxlabs/orb-agent/agent/redact"
"github.com/netboxlabs/orb-agent/agent/secretsmgr"
"github.com/netboxlabs/orb-agent/agent/telemetry"
"github.com/netboxlabs/orb-agent/agent/version"
Expand Down Expand Up @@ -183,7 +184,7 @@ func (a *orbAgent) Start(ctx context.Context, cancelFunc context.CancelFunc) err
agentCtx := context.WithValue(ctx, routineKey, "agentRoutine")
a.cancelFunction = cancelFunc
a.logger.Info("agent started", "version", version.GetBuildVersion(), "routine", agentCtx.Value(routineKey))
a.logger.Info("requested backends", "values", a.config.OrbAgent.Backends)
a.logger.Info("requested backends", "values", redact.SensitiveData(a.config.OrbAgent.Backends))

if err := a.secretsManager.Start(ctx); err != nil {
a.logger.Error("error during start secrets manager", "error", err)
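Review bot: The new `a.logger.Info("requested backends", "values", redact.SensitiveData(a.config.OrbAgent.Backends))` line now relies on the redact package recognising credential keys inside `Backends`, whose type is not visible here; presumably it matches on key names, so any per-backend credential stored under a name the package does not know would still be logged in clear, where before this log was simply unredacted. Worth a test that feeds a backends map with a nested credential field and asserts it is masked, plus a comment at the call site: `// Backends may carry per-backend credentials; log only the redacted view.` The log also runs before `a.secretsManager.Start(ctx)`, so whether values are resolved or still references at this point is something the comment could state. Start() continues outside the hunk.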
15 changes: 3 additions & 12 deletions agent/backend/devicediscovery/device_discovery.go
Expand Up @@ -15,6 +15,7 @@ import (
"github.com/netboxlabs/orb-agent/agent/backend"
"github.com/netboxlabs/orb-agent/agent/config"
"github.com/netboxlabs/orb-agent/agent/policies"
"github.com/netboxlabs/orb-agent/agent/redact"
)

var _ backend.Backend = (*deviceDiscoveryBackend)(nil)
Expand All @@ -29,7 +30,6 @@ const (
defaultExec = "device-discovery"
defaultAPIHost = "localhost"
defaultAPIPort = "8072"
maskedSecret = "********"
)

type deviceDiscoveryBackend struct {
Expand Down Expand Up @@ -160,7 +160,7 @@ func (d *deviceDiscoveryBackend) Start(ctx context.Context, cancelFunc context.C
if !d.diodeTargetFromOtel {
opts = append(opts,
"--diode-client-id", d.diodeClientID,
"--diode-client-secret", maskedSecret,
"--diode-client-secret", d.diodeClientSecret,
)
}
dOptions = append(opts, dOptions...)
Expand All @@ -170,16 +170,7 @@ func (d *deviceDiscoveryBackend) Start(ctx context.Context, cancelFunc context.C
dOptions = append(dOptions, "--otel-endpoint", d.diodeOtelEndpoint)
}

d.logger.Info("device-discovery startup", "arguments", dOptions)

if !d.diodeDryRun {
for i, arg := range dOptions {
if arg == maskedSecret {
dOptions[i] = d.diodeClientSecret
break
}
}
}
d.logger.Info("device-discovery startup", "arguments", redact.Args(dOptions))

d.proc = backend.NewCmdOptions(backend.CmdOptions{
Buffered: false,
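Review bot: In dry-run mode the child now receives the real client secret: the removed loop only substituted `d.diodeClientSecret` for the mask when `!d.diodeDryRun`, whereas the new `"--diode-client-secret", d.diodeClientSecret` append is unconditional. If dry-run was meant to exercise the flag plumbing without handing out credentials, keep that gate before the append, e.g. `secret := d.diodeClientSecret; if d.diodeDryRun { secret = "" }`; if the change is deliberate, a comment saying so would stop the next reader from restoring it. Independently, the secret on argv is readable by other local users via `ps` or `/proc/<pid>/cmdline`, which the old code shared and this change does not address. Start() continues outside the hunk.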
15 changes: 3 additions & 12 deletions agent/backend/networkdiscovery/network_discovery.go
Expand Up @@ -16,6 +16,7 @@ import (
"github.com/netboxlabs/orb-agent/agent/backend"
"github.com/netboxlabs/orb-agent/agent/config"
"github.com/netboxlabs/orb-agent/agent/policies"
"github.com/netboxlabs/orb-agent/agent/redact"
)

var _ backend.Backend = (*networkDiscoveryBackend)(nil)
Expand All @@ -30,7 +31,6 @@ const (
defaultExec = "network-discovery"
defaultAPIHost = "localhost"
defaultAPIPort = "8073"
maskedSecret = "********"
)

type networkDiscoveryBackend struct {
Expand Down Expand Up @@ -169,7 +169,7 @@ func (d *networkDiscoveryBackend) Start(ctx context.Context, cancelFunc context.
if !d.diodeTargetFromOtel {
opts = append(opts,
"--diode-client-id", d.diodeClientID,
"--diode-client-secret", maskedSecret,
"--diode-client-secret", d.diodeClientSecret,
)
}
dOptions = append(opts, dOptions...)
Expand All @@ -187,16 +187,7 @@ func (d *networkDiscoveryBackend) Start(ctx context.Context, cancelFunc context.
"endpoint", d.diodeOtelEndpoint)
}

d.logger.Info("network-discovery startup", "arguments", dOptions)

if !d.diodeDryRun {
for i, arg := range dOptions {
if arg == maskedSecret {
dOptions[i] = d.diodeClientSecret
break
}
}
}
d.logger.Info("network-discovery startup", "arguments", redact.Args(dOptions))

d.proc = backend.NewCmdOptions(backend.CmdOptions{
Buffered: false,
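Review bot: The redaction on the new `d.logger.Info("network-discovery startup", "arguments", redact.Args(dOptions))` line depends on `redact.Args` recognising `--diode-client-secret` by flag name, where the removed code was masked by construction; the package is not in this view, so it is worth checking its tests cover the separate-argument form used here (`"--diode-client-secret", value`) and the `--flag=value` form, since a miss logs the secret in clear. As in the sibling backends, dry-run now passes the real secret to the child where the removed loop left the mask in place; if intentional, note it in a comment. Start() continues outside the hunk.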
16 changes: 3 additions & 13 deletions agent/backend/snmpdiscovery/snmp_discovery.go
Expand Up @@ -16,6 +16,7 @@ import (
"github.com/netboxlabs/orb-agent/agent/backend"
"github.com/netboxlabs/orb-agent/agent/config"
"github.com/netboxlabs/orb-agent/agent/policies"
"github.com/netboxlabs/orb-agent/agent/redact"
)

var _ backend.Backend = (*snmpDiscoveryBackend)(nil)
Expand All @@ -30,7 +31,6 @@ const (
defaultExec = "snmp-discovery"
defaultAPIHost = "localhost"
defaultAPIPort = "8070"
maskedSecret = "********"
)

type snmpDiscoveryBackend struct {
Expand Down Expand Up @@ -169,7 +169,7 @@ func (d *snmpDiscoveryBackend) Start(ctx context.Context, cancelFunc context.Can
if !d.diodeTargetFromOtel {
opts = append(opts,
"--diode-client-id", d.diodeClientID,
"--diode-client-secret", maskedSecret,
"--diode-client-secret", d.diodeClientSecret,
)
}
dOptions = append(opts, dOptions...)
Expand All @@ -187,17 +187,7 @@ func (d *snmpDiscoveryBackend) Start(ctx context.Context, cancelFunc context.Can
"endpoint", d.diodeOtelEndpoint)
}

d.logger.Info("snmp-discovery startup", "arguments", dOptions)

if !d.diodeDryRun {
// Swap the masked secret used for logging with the real value before execution
for i, arg := range dOptions {
if arg == maskedSecret {
dOptions[i] = d.diodeClientSecret
break
}
}
}
d.logger.Info("snmp-discovery startup", "arguments", redact.Args(dOptions))

d.proc = backend.NewCmdOptions(backend.CmdOptions{
Buffered: false,
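Review bot: The secret still travels to the child on argv (`"--diode-client-secret", d.diodeClientSecret`), which any local user can read from `ps` or `/proc/<pid>/cmdline`; the new redaction only protects the agent's own log. If `backend.CmdOptions` built just below supports an environment or stdin, passing the secret that way would close the exposure and make log-side redaction of this flag unnecessary; if that is out of scope here, a comment `// secret is exposed on the child's argv; redacted only in our own logs` records the trade-off. As with the other backends, dry-run now hands the real secret to the child where the removed loop kept the mask. Start() continues outside the hunk.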
16 changes: 3 additions & 13 deletions agent/backend/worker/worker.go
Expand Up @@ -15,6 +15,7 @@ import (
"github.com/netboxlabs/orb-agent/agent/backend"
"github.com/netboxlabs/orb-agent/agent/config"
"github.com/netboxlabs/orb-agent/agent/policies"
"github.com/netboxlabs/orb-agent/agent/redact"
)

var _ backend.Backend = (*workerBackend)(nil)
Expand All @@ -29,7 +30,6 @@ const (
defaultExec = "orb-worker"
defaultAPIHost = "localhost"
defaultAPIPort = "8071"
maskedSecret = "********"
)

type workerBackend struct {
Expand Down Expand Up @@ -160,7 +160,7 @@ func (d *workerBackend) Start(ctx context.Context, cancelFunc context.CancelFunc
if !d.diodeTargetFromOtel {
opts = append(opts,
"--diode-client-id", d.diodeClientID,
"--diode-client-secret", maskedSecret,
"--diode-client-secret", d.diodeClientSecret,
)
}
dOptions = append(opts, dOptions...)
Expand All @@ -170,17 +170,7 @@ func (d *workerBackend) Start(ctx context.Context, cancelFunc context.CancelFunc
dOptions = append(dOptions, "--otel-endpoint", d.diodeOtelEndpoint)
}

d.logger.Info("worker startup", "arguments", dOptions)

if !d.diodeDryRun {
// Swap the masked secret used for logging with the real value before execution
for i, arg := range dOptions {
if arg == maskedSecret {
dOptions[i] = d.diodeClientSecret
break
}
}
}
d.logger.Info("worker startup", "arguments", redact.Args(dOptions))

d.proc = backend.NewCmdOptions(backend.CmdOptions{
Buffered: false,
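Review bot: Whether `redact.Args(dOptions)` returns a new slice or rewrites `dOptions` in place decides what `backend.NewCmdOptions` below receives: if it masks in place, the worker is launched with `--diode-client-secret ********`, exactly the failure the removed swap-back loop existed to avoid. The redact package is not in this view; if it does copy, a comment at the log line, `// redact.Args returns a copy; dOptions still carries the real secret for exec`, makes the invariant explicit, and a test asserting `dOptions` is unchanged after the call would lock it in. Start() continues outside the hunk.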
8 changes: 3 additions & 5 deletions agent/configmgr/fleet.go
Expand Up @@ -14,6 +14,7 @@ import (
"github.com/netboxlabs/orb-agent/agent/configmgr/fleet"
"github.com/netboxlabs/orb-agent/agent/otlpbridge"
"github.com/netboxlabs/orb-agent/agent/policymgr"
"github.com/netboxlabs/orb-agent/agent/redact"
)

// Compile-time check to ensure fleetConfigManager implements Manager interface
Expand Down Expand Up @@ -271,11 +272,8 @@ func (fleetManager *fleetConfigManager) refreshAndReconnect(ctx context.Context,
}

func (fleetManager *fleetConfigManager) configToSafeString(cfg config.Config) (string, error) {
if cfg.OrbAgent.ConfigManager.Sources.Fleet.ClientSecret != "" {
cfg.OrbAgent.ConfigManager.Sources.Fleet.ClientSecret = "******"
}

configYaml, err := yaml.Marshal(cfg)
redacted := redact.SensitiveData(cfg)
configYaml, err := yaml.Marshal(redacted)
if err != nil {
return "", fmt.Errorf("failed to marshal agent config: %w", err)
}
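Review bot: `yaml.Marshal(redacted)` serialises whatever `redact.SensitiveData(cfg)` returns, and if that is not a `config.Config` (a reflected copy typed as `any`, or a map) the output loses the struct's `yaml` tags and field order, changing the "safe string" that callers print; the updated test only checks that the masked `client_secret` line appears. If the helper is generic and returns the same type, a comment such as `// SensitiveData returns a redacted copy of cfg with the same type, so the YAML shape is unchanged` would document that, and a test comparing the redacted YAML against a non-secret config would catch a shape change.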
4 changes: 3 additions & 1 deletion agent/configmgr/fleet/auth.go
Expand Up @@ -15,6 +15,8 @@ import (

"github.com/go-jose/go-jose/v4"
"github.com/go-jose/go-jose/v4/jwt"

"github.com/netboxlabs/orb-agent/agent/redact"
)

// AuthTokenManager manages auth tokens
Expand Down Expand Up @@ -92,7 +94,7 @@ func (fleetManager *AuthTokenManager) GetToken(ctx context.Context, tokenURL str
},
}

fleetManager.logger.Debug("sending token request", "url", tokenURL, "data", data, "client_id", clientID)
fleetManager.logger.Debug("sending token request", "url", tokenURL, "data", redact.SensitiveData(data), "client_id", clientID)

resp, err := httpClient.Do(req.WithContext(ctx))
if err != nil {
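Review bot: Logging the token request body at all, even redacted, means the debug line leaks any field later added to `data` unless the redact package happens to know its name; `data` presumably carries the client secret, given that this call is what the change masks. Logging the non-secret fields explicitly is the safer shape: `fleetManager.logger.Debug("sending token request", "url", tokenURL, "client_id", clientID)`. If the body is wanted for debugging, keep the redaction and add a comment stating that `data` contains the client secret and must never be logged raw. GetToken starts above the hunk and continues below it.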
8 changes: 4 additions & 4 deletions agent/configmgr/fleet_test.go
Expand Up @@ -279,7 +279,7 @@ func TestFleetConfigManager_configToSafeString(t *testing.T) {
{
name: "sanitizes non-empty client secret",
clientSecret: "my-super-secret-password",
wantSecret: "******",
wantSecret: "********",
wantErr: false,
checkInYAML: true,
},
Expand Down Expand Up @@ -334,9 +334,9 @@ func TestFleetConfigManager_configToSafeString(t *testing.T) {
assert.Contains(t, result, tt.wantSecret, "sanitized secret should be in output")
// YAML can use either single or double quotes, so check for either
assert.True(t,
strings.Contains(result, "client_secret: '******'") ||
strings.Contains(result, "client_secret: \"******\"") ||
strings.Contains(result, "client_secret: ******"),
strings.Contains(result, "client_secret: '********'") ||
strings.Contains(result, "client_secret: \"********\"") ||
strings.Contains(result, "client_secret: ********"),
"client_secret should be masked in YAML output")
}
})
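Review bot: The visible assertions only check that the mask is present; nothing in this hunk checks that the original value `tt.clientSecret` is absent from `result`, which is the property configToSafeString exists for. Adding `assert.NotContains(t, result, tt.clientSecret)` next to the `assert.Contains` on `tt.wantSecret` would catch a redaction that appends rather than replaces, or that masks a different key, unless that check already lives elsewhere in the loop. The test loop starts above the hunk.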