Mask Sentry auth token
This masks Sentry's auth token. The mask only applies in the UI.
This commit is contained in:
parent
7e2b100854
commit
576818b578
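--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -32,7 +32,7 @@ module ErrorTracking
 project_slug: 'proj'
 )
 
-setting.token = params[:token]
+setting.token = token(setting)
 setting.enabled = true
 end
 end
@@ -40,5 +40,12 @@ module ErrorTracking
 def can_read?
 can?(current_user, :read_sentry_issue, project)
 end
+
+def token(setting)
+# Use param token if not masked, otherwise use database token
+return params[:token] unless /\A\*+\z/.match?(params[:token])
+
+setting.token
+end
 end
 end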
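Review bot: The new `token(setting)` helper detects the placeholder with `/\A\*+\z/.match?(params[:token])`, the Projects update-service hunk further down repeats the same literal regex, and the JSON builder hunk produces the placeholder independently as `'*' * 12`, so the sentinel and its two detectors are three unrelated literals that only agree by convention. One shared definition on the error tracking setting model, a frozen constant for the placeholder plus `def masked_token?(value)` / `  /\A\*+\z/.match?(value)` / `end`, would let both services and the builder reference the same thing. When the stored setting has no token (`setting` is built above this hunk, outside view), a masked value makes the helper return `nil` and the Sentry call proceeds with no token, so an explicit error in that branch may be worth considering. Since `Regexp#match?` returns false for a `nil` argument, an absent token parameter is still passed through unchanged, as before this change.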
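--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -36,15 +36,17 @@ module Projects
 organization_slug: settings.dig(:project, :organization_slug)
 )
 
-{
+params = {
 error_tracking_setting_attributes: {
 api_url: api_url,
-token: settings[:token],
 enabled: settings[:enabled],
 project_name: settings.dig(:project, :name),
 organization_name: settings.dig(:project, :organization_name)
 }
 }
+params[:error_tracking_setting_attributes][:token] = settings[:token] unless /\A\*+\z/.match?(settings[:token]) # Don't update token if we receive masked value
+
+params
 end
 
 def grafana_integration_params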
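Review bot: The added assignment line `params[:error_tracking_setting_attributes][:token] = settings[:token] unless /\A\*+\z/.match?(settings[:token]) # Don't update token if we receive masked value` packs the condition, the assignment and its explanation into roughly 150 characters, which is past the usual line limit and hard to scan. Naming the check and lifting the comment above the statement keeps the intent readable: `# Keep the stored token when the UI echoes back the masked placeholder` / `masked = /\A\*+\z/.match?(settings[:token])` / `params[:error_tracking_setting_attributes][:token] = settings[:token] unless masked`. The enclosing method begins above this hunk.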
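--- a/PATH_NOT_SHOWN_3
+++ b/PATH_NOT_SHOWN_3
@@ -17,4 +17,4 @@
 project: error_tracking_setting_project_json,
 api_host: setting.api_host,
 enabled: setting.enabled.to_json,
-token: setting.token } }
+token: setting.token.present? ? '*' * 12 : nil } }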
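--- /dev/null
+++ b/PATH_NOT_SHOWN_4
@@ -0,0 +1,4 @@
+---
+title: Mask sentry auth token in Error Tracking dashboard
+author:
+type: security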
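--- a/PATH_NOT_SHOWN_5
+++ b/PATH_NOT_SHOWN_5
@@ -50,6 +50,19 @@ describe ErrorTracking::ListProjectsService do
 end
 end
 
+context 'masked param token' do
+let(:params) { ActionController::Parameters.new(token: "*********", api_host: new_api_host) }
+
+before do
+expect(error_tracking_setting).to receive(:list_sentry_projects)
+.and_return({ projects: [] })
+end
+
+it 'uses database token' do
+expect { subject.execute }.not_to change { error_tracking_setting.token }
+end
+end
+
 context 'sentry client raises exception' do
 context 'Sentry::Client::Error' do
 before do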
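Review bot: The new 'uses database token' example only checks that `error_tracking_setting.token` is unchanged after `execute`, so it says nothing about the other side of the new `unless` in the service: a non-masked token must still replace the stored one, and a masked token arriving when the setting has no stored token ends up as `nil`. Unless an earlier context already asserts the replacement case, an example such as `let(:params) { ActionController::Parameters.new(token: 'new-token', api_host: new_api_host) }` with `expect { subject.execute }.to change { error_tracking_setting.token }.to('new-token')` would guard the predicate against being inverted, assuming `error_tracking_setting` is the instance the service mutates, as the `receive(:list_sentry_projects)` expectation implies. The literal `"*********"` should also come from whatever constant ends up defining the mask, so the spec and the helper cannot diverge on the placeholder shape.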
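--- a/PATH_NOT_SHOWN_6
+++ b/PATH_NOT_SHOWN_6
@@ -145,6 +145,27 @@ describe Projects::Operations::UpdateService do
 end
 end
 
+context 'with masked param token' do
+let(:params) do
+{
+error_tracking_setting_attributes: {
+enabled: false,
+token: '*' * 8
+}
+}
+end
+
+before do
+create(:project_error_tracking_setting, project: project, token: 'token')
+end
+
+it 'does not update token' do
+expect(result[:status]).to eq(:success)
+
+expect(project.error_tracking_setting.token).to eq('token')
+end
+end
+
 context 'with invalid parameters' do
 let(:params) { {} }
 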
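Review bot: The 'does not update token' example asserts only `result[:status]` and that the token is still `'token'`, so it cannot distinguish "token preserved, other attributes applied" from "the whole attribute hash was dropped": the `enabled: false` sent in `params` is never checked. Adding `expect(project.error_tracking_setting).not_to be_enabled` after the token assertion, assuming the factory creates the setting enabled, pins the intended behaviour of the masked path. A second example with a non-masked token in the same shape would cover the branch where the token is meant to change, if no earlier context in this file already does.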