TUN-5960: Do not log the tunnel token or json credentials

Nuno Diegues 2022-03-28 10:53:22 +01:00
parent 8fd6074d67
commit c5d1662244
2 changed files with 39 additions and 3 deletions


@ -1,3 +1,8 @@
## 2022.4.0
### Bug Fixes
- `cloudflared tunnel run` no longer logs the Tunnel token or JSON credentials in clear text as those are the secret
that allows to run the Tunnel.
## 2022.3.4 ## 2022.3.4
### New Features ### New Features
- It is now possible to retrieve the credentials that allow to run a Tunnel in case you forgot/lost them. This is - It is now possible to retrieve the credentials that allow to run a Tunnel in case you forgot/lost them. This is


@ -14,6 +14,7 @@ import (
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/rs/zerolog" "github.com/rs/zerolog"
"github.com/urfave/cli/v2" "github.com/urfave/cli/v2"
"github.com/urfave/cli/v2/altsrc"
"golang.org/x/crypto/ssh/terminal" "golang.org/x/crypto/ssh/terminal"
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil" "github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
@ -31,14 +32,16 @@ import (
) )
const LogFieldOriginCertPath = "originCertPath" const LogFieldOriginCertPath = "originCertPath"
const secretValue = "*****"
var ( var (
developerPortal = "https://developers.cloudflare.com/argo-tunnel" developerPortal = "https://developers.cloudflare.com/argo-tunnel"
quickStartUrl = developerPortal + "/quickstart/quickstart/"
serviceUrl = developerPortal + "/reference/service/" serviceUrl = developerPortal + "/reference/service/"
argumentsUrl = developerPortal + "/reference/arguments/" argumentsUrl = developerPortal + "/reference/arguments/"
LogFieldHostname = "hostname" LogFieldHostname = "hostname"
secretFlags = [2]*altsrc.StringFlag{credentialsContentsFlag, tunnelTokenFlag}
) )
// returns the first path that contains a cert.pem file. If none of the DefaultConfigSearchDirectories // returns the first path that contains a cert.pem file. If none of the DefaultConfigSearchDirectories
@ -65,8 +68,12 @@ func generateRandomClientID(log *zerolog.Logger) (string, error) {
func logClientOptions(c *cli.Context, log *zerolog.Logger) { func logClientOptions(c *cli.Context, log *zerolog.Logger) {
flags := make(map[string]interface{}) flags := make(map[string]interface{})
for _, flag := range c.FlagNames() { for _, flag := range c.FlagNames() {
if isSecretFlag(flag) {
flags[flag] = secretValue
} else {
flags[flag] = c.Generic(flag) flags[flag] = c.Generic(flag)
} }
}
if len(flags) > 0 { if len(flags) > 0 {
log.Info().Msgf("Settings: %v", flags) log.Info().Msgf("Settings: %v", flags)
@ -79,15 +86,39 @@ func logClientOptions(c *cli.Context, log *zerolog.Logger) {
if strings.Contains(env, "TUNNEL_") { if strings.Contains(env, "TUNNEL_") {
vars := strings.Split(env, "=") vars := strings.Split(env, "=")
if len(vars) == 2 { if len(vars) == 2 {
if isSecretEnvVar(vars[0]) {
envs[vars[0]] = secretValue
} else {
envs[vars[0]] = vars[1] envs[vars[0]] = vars[1]
} }
} }
} }
}
if len(envs) > 0 { if len(envs) > 0 {
log.Info().Msgf("Environmental variables %v", envs) log.Info().Msgf("Environmental variables %v", envs)
} }
} }
func isSecretFlag(key string) bool {
for _, flag := range secretFlags {
if flag.Name == key {
return true
}
}
return false
}
func isSecretEnvVar(key string) bool {
for _, flag := range secretFlags {
for _, secretEnvVar := range flag.EnvVars {
if secretEnvVar == key {
return true
}
}
}
return false
}
func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.NamedTunnelProperties) bool { func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.NamedTunnelProperties) bool {
return c.IsSet("proxy-dns") && (!c.IsSet("hostname") && !c.IsSet("tag") && !c.IsSet("hello-world") && namedTunnel == nil) return c.IsSet("proxy-dns") && (!c.IsSet("hostname") && !c.IsSet("tag") && !c.IsSet("hello-world") && namedTunnel == nil)
} }
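Review bot: isSecretFlag compares the key against flag.Name only, so if either secret flag declares Aliases and a user passes one of them, c.FlagNames() can report the alias and the value still reaches the clear-text branch `flags[flag] = c.Generic(flag)`; whether the two flags have aliases is not visible in this diff, so treat this as something to confirm. Since isSecretEnvVar already walks the sibling field flag.EnvVars, the flag check could cover aliases the same way: `if flag.Name == key { return true }` followed by `for _, a := range flag.Aliases { if a == key { return true } }`. On the environment side, the pre-existing `strings.Split(env, "=")` with `len(vars) == 2` silently drops any variable whose value contains `=` instead of masking and logging it — not a leak, but if that parsing is later changed to a single split the isSecretEnvVar check must keep guarding the assignment. The hunk at `@ -79,15` begins inside logClientOptions, whose signature is in the preceding hunk.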