Skip to content

Commit 60561f3

Browse files
KeerthanaAPKeerthanaAP
committed
Replace RunHostCmd with Exec function to censor bearer token being exposed
1 parent c09e6f1 commit 60561f3

File tree

4 files changed

+32
-26
lines changed

4 files changed

+32
-26
lines changed

test/extended/prometheus/prometheus.go

Lines changed: 2 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,6 @@ import (
2929
kapi "k8s.io/kubernetes/pkg/apis/core"
3030
"k8s.io/kubernetes/test/e2e/framework"
3131
e2e "k8s.io/kubernetes/test/e2e/framework"
32-
e2eoutput "k8s.io/kubernetes/test/e2e/framework/pod/output"
3332
e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
3433
admissionapi "k8s.io/pod-security-admission/api"
3534
"sigs.k8s.io/yaml"
@@ -343,7 +342,7 @@ var _ = g.Describe("[sig-instrumentation] Prometheus [apigroup:image.openshift.i
343342
err := helper.RunQueries(context.TODO(), oc.NewPrometheusClient(context.TODO()), tests, oc)
344343
o.Expect(err).NotTo(o.HaveOccurred())
345344

346-
e2e.Logf("Telemetry is enabled: %s", bearerToken)
345+
e2e.Logf("Telemetry is enabled")
347346

348347
if err != nil {
349348
// Making the test flaky until monitoring team fixes the rate limit issue.
@@ -361,7 +360,7 @@ var _ = g.Describe("[sig-instrumentation] Prometheus [apigroup:image.openshift.i
361360
g.By("checking the prometheus metrics path")
362361
var metrics map[string]*dto.MetricFamily
363362
o.Expect(wait.PollImmediate(10*time.Second, 2*time.Minute, func() (bool, error) {
364-
results, err := getBearerTokenURLViaPod(ns, execPod.Name, fmt.Sprintf("%s/metrics", prometheusSvcURL), bearerToken)
363+
results, err := helper.GetBearerTokenURLViaPod(oc, execPod.Name, fmt.Sprintf("%s/metrics", prometheusSvcURL), bearerToken)
365364
if err != nil {
366365
e2e.Logf("unable to get metrics: %v", err)
367366
return false, nil
@@ -769,15 +768,6 @@ func getBearerTokenURL(url, bearer string) (string, error) {
769768
return string(output), nil
770769
}
771770

772-
func getBearerTokenURLViaPod(ns, execPodName, url, bearer string) (string, error) {
773-
cmd := fmt.Sprintf("curl -s -k -H 'Authorization: Bearer %s' %q", bearer, url)
774-
output, err := e2eoutput.RunHostCmd(ns, execPodName, cmd)
775-
if err != nil {
776-
return "", fmt.Errorf("host command failed: %v\n%s", err, output)
777-
}
778-
return output, nil
779-
}
780-
781771
// telemetryIsEnabled returns (nil, nil) if Telemetry is enabled,
782772
// (error, nil) if Telemetry is not enabled, and (_, error) if it fails
783773
// to determine whether or not Telemetry is enabled.

test/extended/router/metrics.go

Lines changed: 4 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -30,6 +30,7 @@ import (
3030
admissionapi "k8s.io/pod-security-admission/api"
3131

3232
exutil "github.com/openshift/origin/test/extended/util"
33+
"github.com/openshift/origin/test/extended/util/prometheus"
3334

3435
configv1 "github.com/openshift/api/config/v1"
3536
routev1 "github.com/openshift/api/route/v1"
@@ -152,7 +153,7 @@ var _ = g.Describe("[sig-network][Feature:Router]", func() {
152153
p := expfmt.TextParser{}
153154

154155
err = wait.PollImmediate(2*time.Second, 240*time.Second, func() (bool, error) {
155-
results, err = getBearerTokenURLViaPod(ns, execPodName, fmt.Sprintf("http://%s/metrics", net.JoinHostPort(host, strconv.Itoa(int(metricsPort)))), bearerToken)
156+
results, err = prometheus.GetBearerTokenURLViaPod(oc, execPodName, fmt.Sprintf("http://%s/metrics", net.JoinHostPort(host, strconv.Itoa(int(metricsPort)))), bearerToken)
156157
o.Expect(err).NotTo(o.HaveOccurred())
157158

158159
metrics, err = p.TextToMetricFamilies(bytes.NewBufferString(results))
@@ -225,7 +226,7 @@ var _ = g.Describe("[sig-network][Feature:Router]", func() {
225226
time.Sleep(15 * time.Second)
226227

227228
g.By("checking that some metrics are not reset to 0 after router restart")
228-
updatedResults, err := getBearerTokenURLViaPod(ns, execPodName, fmt.Sprintf("http://%s/metrics", net.JoinHostPort(host, strconv.Itoa(int(metricsPort)))), bearerToken)
229+
updatedResults, err := prometheus.GetBearerTokenURLViaPod(oc, execPodName, fmt.Sprintf("http://%s/metrics", net.JoinHostPort(host, strconv.Itoa(int(metricsPort)))), bearerToken)
229230
o.Expect(err).NotTo(o.HaveOccurred())
230231
defer func() { e2e.Logf("final metrics:\n%s", updatedResults) }()
231232

@@ -267,7 +268,7 @@ var _ = g.Describe("[sig-network][Feature:Router]", func() {
267268
}()
268269

269270
o.Expect(wait.PollImmediate(10*time.Second, 5*time.Minute, func() (bool, error) {
270-
contents, err := getBearerTokenURLViaPod(ns, execPod.Name, fmt.Sprintf("%s/api/v1/targets?state=active", prometheusURL), token)
271+
contents, err := prometheus.GetBearerTokenURLViaPod(oc, execPod.Name, fmt.Sprintf("%s/api/v1/targets?state=active", prometheusURL), token)
271272
o.Expect(err).NotTo(o.HaveOccurred())
272273

273274
targets := &promTargets{}
@@ -448,15 +449,6 @@ func getAuthenticatedURLViaPod(ns, execPodName, url, user, pass string) (string,
448449
return output, nil
449450
}
450451

451-
func getBearerTokenURLViaPod(ns, execPodName, url, bearer string) (string, error) {
452-
cmd := fmt.Sprintf("curl -s -k -H 'Authorization: Bearer %s' %q", bearer, url)
453-
output, err := e2eoutput.RunHostCmd(ns, execPodName, cmd)
454-
if err != nil {
455-
return "", fmt.Errorf("host command failed: %v\n%s", err, output)
456-
}
457-
return output, nil
458-
}
459-
460452
func waitForAdmittedRoute(maxInterval time.Duration, client routev1client.RouteV1Interface, ns, name, ingressName string, errorOnRejection bool) (string, error) {
461453
var routeHost string
462454
err := wait.PollImmediate(time.Second, maxInterval, func() (bool, error) {

test/extended/util/client.go

Lines changed: 13 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@ import (
1616
"os"
1717
"os/exec"
1818
"path/filepath"
19+
"regexp"
1920
"runtime/debug"
2021
"strings"
2122
"time"
@@ -907,15 +908,25 @@ func (c *CLI) start(stdOutBuff, stdErrBuff *bytes.Buffer) (*exec.Cmd, error) {
907908
}
908909
cmd := exec.Command(c.execPath, c.finalArgs...)
909910
cmd.Stdin = c.stdin
910-
framework.Logf("Running '%s %s'", c.execPath, strings.Join(c.finalArgs, " "))
911-
911+
// Redact any bearer token information from the log.
912+
framework.Logf("Running '%s %s'", c.execPath, redactBearerToken(c.finalArgs))
912913
cmd.Stdout = stdOutBuff
913914
cmd.Stderr = stdErrBuff
914915
err := cmd.Start()
915916

916917
return cmd, err
917918
}
918919

920+
func redactBearerToken(finalArgs []string) string {
921+
args := strings.Join(finalArgs, " ")
922+
if strings.Contains(args, "Authorization: Bearer") {
923+
// redact bearer token
924+
re := regexp.MustCompile(`Authorization:\s+Bearer.*\s+`)
925+
args = re.ReplaceAllString(args, "Authorization: Bearer <redacted> ")
926+
}
927+
return args
928+
}
929+
919930
// getStartingIndexForLastN calculates a byte offset in a byte slice such that when using
920931
// that offset, we get the last N (size) bytes.
921932
func getStartingIndexForLastN(byteString []byte, size int) int {

test/extended/util/prometheus/helpers.go

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -430,3 +430,16 @@ func ForEachAlertingRule(rules map[string][]promv1.AlertingRule, f func(a promv1
430430

431431
return fmt.Errorf("Incompliant rules detected:\n\n%s", strings.Join(allViolations.List(), "\n"))
432432
}
433+
434+
func GetBearerTokenURLViaPod(oc *exutil.CLI, execPodName, url, bearer string) (string, error) {
435+
auth := fmt.Sprintf("Authorization: Bearer %s", bearer)
436+
stdout, stderr, err := oc.AsAdmin().Run("exec").Args(execPodName, "--", "curl", "-s", "-k", "-H", auth, url).Outputs()
437+
if err != nil {
438+
return "", fmt.Errorf("command failed: %v\nstderr: %s\nstdout:%s", err, stderr, stdout)
439+
}
440+
// Terminate stdout with a newline to avoid an unexpected end of stream error.
441+
if len(stdout) > 0 {
442+
stdout = stdout + "\n"
443+
}
444+
return stdout, err
445+
}

0 commit comments

Comments
 (0)