Support naive masking of config values
You can supply a regex pattern to match against Config key names, and it will mask the corresponding config value. If the config value is a config reference, it will keep the config reference.
This is a naive approach, and secrets will not be masked if the config reference key does not also match the maskRegex.
This is useful for printing configuration "safely" (read: best effort) without exposing secrets.
First version for feature: https://github.com/lightbend/config/issues/145
Hi @norrs,
Thank you for your contribution! We really value the time you've taken to put this together.
Before we proceed with reviewing this pull request, please sign the Lightbend Contributors License Agreement:
This comes rather late (only ~7 years) according to #145, but would this be good enough for first iteration? @gregsymons @havocp
It would be nice if we could plug a sanitizer that takes a key/value and returns the masked value.
This would let us use something similar to the Spring Boot Sanitizer: https://github.com/spring-projects/spring-boot/blob/v2.5.0-M3/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
I really like that it can also mask passwords inside URLs, like http://user:******@localhost:8080
or amqp://username:******@host/
@eneveu : Shouldn't be harder than adding the logic of the following lines:
    if (keyIsUriWithUserInfo(pattern)) {
        return sanitizeUris(value.toString());
    }
    return "******";
But I'd first like to see if upstream even cares about this feature or not, and if they do, we can follow up with a version 2. The joy of software development, we can always improve step by step ;-)
What I meant is that, instead of an API that exposes a specific implementation detail (a masking Regex), it would be cool if the API allowed the end-user to customise the way values are sanitized.
So, instead of passing a "Pattern maskRegex" to the "ConfigRenderOptions", we could pass a "ValueRenderer":
    trait ValueRenderer {
      def render(key: String, value: ConfigValue): ConfigValue
    }
And then provide a simple ValueRenderer that masks values when the key matches a regex. And then end-users can pass their own ValueRenderer with more complex masking behaviour.
Maybe "ValueRenderer" is not the best name. It could be "ValuePrinter" or "ValueSanitizer" if we want to make it explicit that the goal is to sanitize values.
Also, the "key" should probably be the full path, to let people match against the full path in their regex.
Another option would be to add a way to create a ConfigValue while passing the origin and comments of a previous value.
If we do this, we can create an external Sanitizer that walks the Config tree and sanitizes values as needed.
More info here: https://github.com/lightbend/config/issues/145#issuecomment-827059275
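An added sketch of the external sanitizer idea discussed above, using only the public Typesafe Config API; it is not code from this pull request or from the library. The `ValueSanitizer` interface, the key pattern and the sample configuration are assumptions made for illustration. It works on a resolved Config, so unlike the PR it does not preserve config references.

```java
import com.typesafe.config.*;
import java.util.Map;
import java.util.regex.Pattern;

public final class SanitizeConfigExample {
    /** Hypothetical interface, shaped like the ValueRenderer proposed in this thread. */
    interface ValueSanitizer {
        ConfigValue sanitize(String path, ConfigValue value);
    }

    static final String MASK = "******";
    // Constructed key pattern; matched against the full path, not just the last key.
    static final Pattern SECRET_PATH =
        Pattern.compile("password|secret|token", Pattern.CASE_INSENSITIVE);
    // Password part of scheme://user:password@host (naive: assumes no '@' or '/' in it).
    static final Pattern URI_PASSWORD = Pattern.compile("(://[^:/@\\s]+:)[^@/\\s]+@");

    static final ValueSanitizer DEFAULT = (path, value) -> {
        if (SECRET_PATH.matcher(path).find()) {
            return ConfigValueFactory.fromAnyRef(MASK);   // whole value is secret
        }
        if (value.valueType() == ConfigValueType.STRING) {
            String s = (String) value.unwrapped();
            String masked = URI_PASSWORD.matcher(s).replaceAll("$1" + MASK + "@");
            if (!masked.equals(s)) return ConfigValueFactory.fromAnyRef(masked);
        }
        return value;   // lists are leaves here; strings inside them are not inspected
    };

    /** Walks every leaf of a resolved Config and swaps in sanitized values. */
    static Config sanitize(Config resolved, ValueSanitizer sanitizer) {
        Config out = resolved;
        for (Map.Entry<String, ConfigValue> e : resolved.entrySet()) {
            ConfigValue clean = sanitizer.sanitize(e.getKey(), e.getValue());
            if (clean != e.getValue()) out = out.withValue(e.getKey(), clean);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample configuration.
        Config conf = ConfigFactory.parseString(
            "db { user = app, password = hunter2, url = \"http://user:pw@localhost:8080\" }\n"
          + "queue.uri = \"amqp://username:pw@host/\"\n"
          + "api.authToken = abc123").resolve();
        System.out.println(sanitize(conf, DEFAULT).root()
            .render(ConfigRenderOptions.concise().setFormatted(true)));
    }
}
```

Like the regex in the PR, this is best effort: a secret stored under a path that does not match the pattern, or a credential embedded in a string that is not URI-shaped, is rendered unmasked.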
We do not intend to extend the functionality of "Typesafe Config" further. See https://github.com/lightbend/config#maintained-by