diff --git a/internal/httpconfig/httpconfig.go b/internal/httpconfig/httpconfig.go
index af6cd2b9..e24ccbc4 100644
--- a/internal/httpconfig/httpconfig.go
+++ b/internal/httpconfig/httpconfig.go
@@ -44,7 +44,7 @@ func NewHTTPConfig(proxyConfig config.ProxyConfig, authKey credential.SDKCredent
 return ret, errProxyAuthWithoutProxyURL
 }
 if proxyConfig.URL.IsDefined() {
- loggers.Infof("Using proxy server at %s", proxyConfig.URL)
+ loggers.Infof("Using proxy server at %s", proxyConfig.URL.Get().Redacted())
 }
 
 caCertFiles := proxyConfig.CACertFiles.Values()
diff --git a/internal/httpconfig/httpconfig_test.go b/internal/httpconfig/httpconfig_test.go
index cf720768..f2c6619e 100644
--- a/internal/httpconfig/httpconfig_test.go
+++ b/internal/httpconfig/httpconfig_test.go
@@ -4,6 +4,7 @@ import (
 "crypto/x509"
 "net/http"
 "net/http/httptest"
+ "net/url"
 "os"
 "testing"
 
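Review bot: `Redacted()` on the new `loggers.Infof("Using proxy server at %s", ...)` line in httpconfig.go replaces only the password in the URL's userinfo, so the proxy username and any path or query string in the configured URL are still written to the log at Info level. If deployments may carry tokens in those parts, logging only `proxyConfig.URL.Get().Host` would avoid that; otherwise a comment such as `// Redacted() masks only the userinfo password; username, path and query are logged as configured` records the limit for the next reader. The rest of NewHTTPConfig lies outside this hunk, so whether any other message or wrapped error still formats the raw `proxyConfig.URL` cannot be confirmed from here and is worth a quick search.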
@@ -137,3 +138,22 @@ func TestNTLMProxyInvalidConfigs(t *testing.T) {
 }
 })
 }
+
+func TestLogsRedactConnectionPassword(t *testing.T) {
+ // Username and password are specified separately in NTLM auth won't show in logs as they're not part of server name
+ url1, _ := configtypes.NewOptURLAbsoluteFromString("http://my-proxy")
+ proxyConfig1 := config.ProxyConfig{NTLMAuth: true, URL: url1, User: "my-user", Password: "my-pass"}
+ mockLog1 := ldlogtest.NewMockLog()
+ _, err := NewHTTPConfig(proxyConfig1, nil, "", mockLog1.Loggers)
+ assert.NoError(t, err)
+ mockLog1.AssertMessageMatch(t, true, ldlog.Info, "Using proxy server at http://my-proxy$")
+
+ // When username and password are configured as part of server name, verify the password is redacted
+ url2, _ := url.Parse("http://my-user:my-password@my-proxy")
+ url2Absolute, _ := configtypes.NewOptURLAbsolute(url2)
+ proxyConfig2 := config.ProxyConfig{URL: url2Absolute}
+ mockLog2 := ldlogtest.NewMockLog()
+ _, err = NewHTTPConfig(proxyConfig2, nil, "", mockLog2.Loggers)
+ assert.NoError(t, err)
+ mockLog2.AssertMessageMatch(t, true, ldlog.Info, "Using proxy server at http://my-user:xxxxx@my-proxy$")
+}
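Review bot: Both cases in `TestLogsRedactConnectionPassword` assert only that the expected message is present at Info level; neither asserts that the raw secret is absent, so an additional log line that leaked it would not fail the test. Adding `mockLog2.AssertMessageMatch(t, false, ldlog.Info, "my-password")` and `mockLog1.AssertMessageMatch(t, false, ldlog.Info, "my-pass")` would pin the property the test name promises, and the same negative check at the other log levels would cover messages this hunk does not show. The errors from `NewOptURLAbsoluteFromString`, `url.Parse` and `NewOptURLAbsolute` are discarded with `_`; checking each with `assert.NoError(t, err)` keeps a bad fixture from showing up later as an unrelated log mismatch.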