Redact sensative information in Trident logs for Sofidfire and E-Series
This PR addresses the issue of sensitive information exposure in the Trident logs. Implementing the Stringer interface for the drivers, in a manner that is developer-friendly and easy to maintain, provides an easy way to hide sensitive information in the Trident logs and in other places where backends are printed.
1 parent
e6c0251
commit 4da6ca9
Showing
6 changed files
with
334 additions
and
3 deletions.
@@ -0,0 +1,120 @@ | ||
// Copyright 2020 NetApp, Inc. All Rights Reserved. | ||
|
||
package eseries | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
|
||
drivers "github.com/netapp/trident/storage_drivers" | ||
"github.com/netapp/trident/storage_drivers/eseries/api" | ||
) | ||
|
||
const ( | ||
Username = "tester" | ||
Password = "password" | ||
PasswordArray = "Passwords" | ||
) | ||
|
||
func newTestEseriesSANDriver(showSensitive *bool) *SANStorageDriver { | ||
config := &drivers.ESeriesStorageDriverConfig{} | ||
sp := func(s string) *string { return &s } | ||
|
||
config.CommonStorageDriverConfig = &drivers.CommonStorageDriverConfig{} | ||
config.CommonStorageDriverConfig.DebugTraceFlags = make(map[string]bool) | ||
config.CommonStorageDriverConfig.DebugTraceFlags["method"] = true | ||
|
||
if showSensitive != nil { | ||
config.CommonStorageDriverConfig.DebugTraceFlags["sensitive"] = *showSensitive | ||
} | ||
|
||
config.Username = Username | ||
config.Password = Password | ||
config.PasswordArray = PasswordArray | ||
config.WebProxyHostname = "10.0.0.1" | ||
config.WebProxyPort = "2222" | ||
config.WebProxyUseHTTP = false | ||
config.WebProxyVerifyTLS = false | ||
config.ControllerA = "10.0.0.2" | ||
config.ControllerB = "10.0.0.3" | ||
config.HostDataIP = "10.0.0.4" | ||
config.StorageDriverName = "eseries-san" | ||
config.StoragePrefix = sp("test_") | ||
|
||
telemetry := make(map[string]string) | ||
telemetry["version"] = "20.07.0" | ||
telemetry["plugin"] = "eseries" | ||
telemetry["storagePrefix"] = *config.StoragePrefix | ||
|
||
API := api.NewAPIClient(api.ClientConfig{ | ||
WebProxyHostname: config.WebProxyHostname, | ||
WebProxyPort: config.WebProxyPort, | ||
WebProxyUseHTTP: config.WebProxyUseHTTP, | ||
WebProxyVerifyTLS: config.WebProxyVerifyTLS, | ||
Username: config.Username, | ||
Password: config.Password, | ||
ControllerA: config.ControllerA, | ||
ControllerB: config.ControllerB, | ||
PasswordArray: config.PasswordArray, | ||
PoolNameSearchPattern: config.PoolNameSearchPattern, | ||
HostDataIP: config.HostDataIP, | ||
Protocol: "iscsi", | ||
AccessGroup: config.AccessGroup, | ||
HostType: config.HostType, | ||
DriverName: "eseries-iscsi", | ||
Telemetry: telemetry, | ||
}) | ||
|
||
sanDriver := &SANStorageDriver{} | ||
sanDriver.Config = *config | ||
sanDriver.API = API | ||
|
||
return sanDriver | ||
} | ||
|
||
func TestEseriesSANStorageDriverConfigString(t *testing.T) { | ||
|
||
var EseriesSANDrivers = []SANStorageDriver{ | ||
*newTestEseriesSANDriver(&[]bool{true}[0]), | ||
*newTestEseriesSANDriver(&[]bool{false}[0]), | ||
*newTestEseriesSANDriver(nil), | ||
} | ||
|
||
for _, EseriesSANDriver := range EseriesSANDrivers { | ||
sensitive, ok := EseriesSANDriver.Config.DebugTraceFlags["sensitive"] | ||
|
||
switch { | ||
|
||
case !ok: | ||
assert.Contains(t, EseriesSANDriver.String(), "<REDACTED>", | ||
"Eseries driver does not contain <REDACTED>") | ||
assert.Contains(t, EseriesSANDriver.String(), "API:<REDACTED>", | ||
"Eseries driver does not redact API information") | ||
assert.NotContains(t, EseriesSANDriver.String(), Username, | ||
"Eseries driver contains username") | ||
assert.NotContains(t, EseriesSANDriver.String(), Password, | ||
"Eseries driver contains password") | ||
assert.NotContains(t, EseriesSANDriver.String(), PasswordArray, | ||
"Eseries driver contains password array") | ||
case ok && sensitive: | ||
assert.Contains(t, EseriesSANDriver.String(), Username, | ||
"Eseries driver does not contain username") | ||
assert.Contains(t, EseriesSANDriver.String(), Password, | ||
"Eseries driver does not contain password") | ||
assert.Contains(t, EseriesSANDriver.String(), PasswordArray, | ||
"Eseries driver does not contain password array") | ||
case ok && !sensitive: | ||
assert.Contains(t, EseriesSANDriver.String(), "<REDACTED>", | ||
"Eseries driver does not contain <REDACTED>") | ||
assert.Contains(t, EseriesSANDriver.String(), "API:<REDACTED>", | ||
"Eseries driver does not redact API information") | ||
assert.NotContains(t, EseriesSANDriver.String(), Username, | ||
"Eseries driver contains username") | ||
assert.NotContains(t, EseriesSANDriver.String(), Password, | ||
"Eseries driver contains password") | ||
assert.NotContains(t, EseriesSANDriver.String(), PasswordArray, | ||
"Eseries driver contains password array") | ||
} | ||
} | ||
} |
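Review bot: Every assertion in `TestEseriesSANStorageDriverConfigString` calls `EseriesSANDriver.String()` directly, so the test never exercises the formatting path a log statement actually takes. `fmt` consults `String()` for verbs such as `%v` and `%+v`, but `%#v` looks for `GoString()` instead, and a pointer-receiver `String()` is skipped when the driver is passed by value; in either case `Username`, `Password` and `PasswordArray` could still be printed while this test passes. The receiver and any `GoString()` implementation are outside this section, so this may already be handled. An assertion such as `assert.NotContains(t, fmt.Sprintf("%#v", EseriesSANDriver), Password)` in the `!ok` and `ok && !sensitive` cases would pin it down. The SolidFire test later on this page has the same shape.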
@@ -0,0 +1,135 @@ | ||
// Copyright 2020 NetApp, Inc. All Rights Reserved. | ||
|
||
package solidfire | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
|
||
drivers "github.com/netapp/trident/storage_drivers" | ||
"github.com/netapp/trident/storage_drivers/solidfire/api" | ||
) | ||
|
||
const ( | ||
TenantName = "tester" | ||
AdminPass = "admin:password" | ||
Endpoint = "https://" + AdminPass + "@10.0.0.1/json-rpc/7.0" | ||
) | ||
|
||
func newTestSolidfireSANDriver(showSensitive *bool) *SANStorageDriver { | ||
config := &drivers.SolidfireStorageDriverConfig{} | ||
sp := func(s string) *string { return &s } | ||
|
||
config.CommonStorageDriverConfig = &drivers.CommonStorageDriverConfig{} | ||
config.CommonStorageDriverConfig.DebugTraceFlags = make(map[string]bool) | ||
config.CommonStorageDriverConfig.DebugTraceFlags["method"] = true | ||
|
||
if showSensitive != nil { | ||
config.CommonStorageDriverConfig.DebugTraceFlags["sensitive"] = *showSensitive | ||
} | ||
|
||
config.TenantName = TenantName | ||
config.EndPoint = Endpoint | ||
config.SVIP = "10.0.0.1:1000" | ||
config.InitiatorIFace = "default" | ||
config.Types = &[]api.VolType{ | ||
{ | ||
Type: "Gold", | ||
QOS: api.QoS{ | ||
BurstIOPS: 10000, | ||
MaxIOPS: 8000, | ||
MinIOPS: 6000, | ||
}, | ||
}, | ||
{ | ||
Type: "Bronze", | ||
QOS: api.QoS{ | ||
BurstIOPS: 4000, | ||
MaxIOPS: 2000, | ||
MinIOPS: 1000, | ||
}, | ||
}, | ||
} | ||
config.AccessGroups = []int64{} | ||
config.UseCHAP = true | ||
config.DefaultBlockSize = 4096 | ||
config.StorageDriverName = "solidfire-san" | ||
config.StoragePrefix = sp("test_") | ||
|
||
cfg := api.Config{ | ||
TenantName: config.TenantName, | ||
EndPoint: Endpoint, | ||
SVIP: config.SVIP, | ||
InitiatorIFace: config.InitiatorIFace, | ||
Types: config.Types, | ||
LegacyNamePrefix: config.LegacyNamePrefix, | ||
AccessGroups: config.AccessGroups, | ||
DefaultBlockSize: 4096, | ||
DebugTraceFlags: config.DebugTraceFlags, | ||
} | ||
|
||
client, _ := api.NewFromParameters(Endpoint, config.SVIP, cfg) | ||
|
||
sanDriver := &SANStorageDriver{} | ||
sanDriver.Config = *config | ||
sanDriver.Client = client | ||
sanDriver.AccountID = 2222 | ||
sanDriver.AccessGroups = []int64{} | ||
sanDriver.LegacyNamePrefix = "oldtest_" | ||
sanDriver.InitiatorIFace = "default" | ||
sanDriver.DefaultMaxIOPS = 20000 | ||
sanDriver.DefaultMinIOPS = 1000 | ||
|
||
return sanDriver | ||
} | ||
|
||
func TestSolidfireSANStorageDriverConfigString(t *testing.T) { | ||
|
||
var solidfireSANDrivers = []SANStorageDriver{ | ||
*newTestSolidfireSANDriver(&[]bool{true}[0]), | ||
*newTestSolidfireSANDriver(&[]bool{false}[0]), | ||
*newTestSolidfireSANDriver(nil), | ||
} | ||
|
||
for _, solidfireSANDriver := range solidfireSANDrivers { | ||
sensitive, ok := solidfireSANDriver.Config.DebugTraceFlags["sensitive"] | ||
|
||
switch { | ||
|
||
case !ok: | ||
assert.Contains(t, solidfireSANDriver.String(), "<REDACTED>", | ||
"Solidfire driver does not contain <REDACTED>") | ||
assert.Contains(t, solidfireSANDriver.String(), "Client:<REDACTED>", | ||
"Solidfire driver does not redact client API information") | ||
assert.Contains(t, solidfireSANDriver.String(), "AccountID:<REDACTED>", | ||
"Solidfire driver does not redact Account ID information") | ||
assert.NotContains(t, solidfireSANDriver.String(), TenantName, | ||
"Solidfire driver contains tenant name") | ||
assert.NotContains(t, solidfireSANDriver.String(), AdminPass, | ||
"Solidfire driver contains endpoint's admin and password") | ||
assert.NotContains(t, solidfireSANDriver.String(), "2222", | ||
"Solidfire driver contains Account ID") | ||
case ok && sensitive: | ||
assert.Contains(t, solidfireSANDriver.String(), TenantName, | ||
"Solidfire driver does not contain tenant name") | ||
assert.Contains(t, solidfireSANDriver.String(), AdminPass, | ||
"Solidfire driver does not contain endpoint's admin and password") | ||
assert.Contains(t, solidfireSANDriver.String(), "2222", | ||
"Solidfire driver does not contain Account ID") | ||
case ok && !sensitive: | ||
assert.Contains(t, solidfireSANDriver.String(), "<REDACTED>", | ||
"Solidfire driver does not contain <REDACTED>") | ||
assert.Contains(t, solidfireSANDriver.String(), "Client:<REDACTED>", | ||
"Solidfire driver does not redact client API information") | ||
assert.Contains(t, solidfireSANDriver.String(), "AccountID:<REDACTED>", | ||
"Solidfire driver does not redact Account ID information") | ||
assert.NotContains(t, solidfireSANDriver.String(), TenantName, | ||
"Solidfire driver contains tenant name") | ||
assert.NotContains(t, solidfireSANDriver.String(), AdminPass, | ||
"Solidfire driver contains endpoint's admin and password") | ||
assert.NotContains(t, solidfireSANDriver.String(), "2222", | ||
"Solidfire driver contains Account ID") | ||
} | ||
} | ||
} |
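Review bot: The redaction checks rely on the combined constant `AdminPass = "admin:password"`, so `assert.NotContains(t, solidfireSANDriver.String(), AdminPass, ...)` fails only if the user and password appear together in exactly that `user:password` form. Output that carried the password on its own, for instance from a parsed endpoint or a separate client field, would still pass. Separate, distinctive sentinel constants for the admin user and the password, each checked with its own `NotContains`, would close that gap. In `newTestSolidfireSANDriver`, `client, _ := api.NewFromParameters(Endpoint, config.SVIP, cfg)` also discards the error, so the test cannot tell a failed client construction from a successful one when it asserts `Client:<REDACTED>`. Passing `t` into the helper and failing on a non-nil error would make that explicit.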