fix(conf) remove sensitive turns resolved configuration values back t…

…o references ### Summary When Vault references are used in `kong.conf` settings, these may be displayed in plain in Kong Admin API, e.g. in `http :8001` (except the `pg_password, `cassandra_password`, and `pg_ro_password` which were masked properly). This commit turns configuration values back to references as part of removing sensitive values (`conf_loader.remove_sensitive`).
Kong · May 4, 2022 · bc2879d · bc2879d
1 parent 9fa4647
commit bc2879d
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 2 deletions.
diff --git a/kong/conf_loader/init.lua b/kong/conf_loader/init.lua
@@ -1915,6 +1915,16 @@ return setmetatable({
   remove_sensitive = function(conf)
     local purged_conf = tablex.deepcopy(conf)
 
+    local refs = purged_conf["$refs"]
+    if type(refs) == "table" then
+      for k, v in pairs(refs) do
+        if not CONF_SENSITIVE[k] then
+          purged_conf[k] = v
+        end
+      end
+      purged_conf["$refs"] = nil
+    end
+
     for k in pairs(CONF_SENSITIVE) do
       if purged_conf[k] then
         purged_conf[k] = CONF_SENSITIVE_PLACEHOLDER

diff --git a/spec/01-unit/03-conf_loader_spec.lua b/spec/01-unit/03-conf_loader_spec.lua
@@ -1461,6 +1461,36 @@ describe("Configuration loader", function()
       assert.not_equal("hide_me", purged_conf.pg_password)
       assert.not_equal("hide_me", purged_conf.cassandra_password)
     end)
+
+    it("replaces sensitive vault resolved settings", function()
+      finally(function()
+        helpers.unsetenv("PG_PASSWORD")
+        helpers.unsetenv("PG_DATABASE")
+        helpers.unsetenv("CASSANDRA_PASSWORD")
+        helpers.unsetenv("CASSANDRA_KEYSPACE")
+      end)
+
+      helpers.setenv("PG_PASSWORD", "pg-password")
+      helpers.setenv("PG_DATABASE", "pg-database")
+      helpers.setenv("CASSANDRA_PASSWORD", "cassandra-password")
+      helpers.setenv("CASSANDRA_KEYSPACE", "cassandra-keyspace")
+
+      local conf = assert(conf_loader(nil, {
+        pg_password = "{vault://env/pg-password}",
+        pg_database = "{vault://env/pg-database}",
+        cassandra_password = "{vault://env/cassandra-password}",
+        cassandra_keyspace = "{vault://env/cassandra-keyspace}",
+        vaults = "env",
+      }))
+
+      local purged_conf = conf_loader.remove_sensitive(conf)
+      assert.equal("******", purged_conf.pg_password)
+      assert.equal("{vault://env/pg-database}", purged_conf.pg_database)
+      assert.equal("******", purged_conf.cassandra_password)
+      assert.equal("{vault://env/cassandra-keyspace}", purged_conf.cassandra_keyspace)
+      assert.is_nil(purged_conf["$refs"])
+    end)
+
     it("does not insert placeholder if no value", function()
       local conf = assert(conf_loader())
       local purged_conf = conf_loader.remove_sensitive(conf)

diff --git a/spec/02-integration/13-vaults/03-mock_spec.lua b/spec/02-integration/13-vaults/03-mock_spec.lua
@@ -113,25 +113,38 @@ for _, strategy in helpers.each_strategy() do
         local body = assert.res_status(200, res)
         local json = cjson.decode(body)
         assert.equal(meta._VERSION, json.version)
+        assert.equal("{vault://mock/admin-listen}", json.configuration.admin_listen)
         assert.falsy(exists(join(helpers.test_conf.prefix, ".kong_process_secrets")))
       end)
     end)
 
     describe("Kong Reload", function()
       it("can use co-sockets and resolved referenced are passed to Kong server", function()
+        finally(function()
+          helpers.unsetenv("KONG_ADMIN_LISTEN")
+        end)
+
+        helpers.setenv("KONG_ADMIN_LISTEN", "{vault://mock/listen?prefix=admin_}")
+
         local workers = get_kong_workers()
 
         assert(helpers.kong_exec("reload --conf " .. helpers.test_conf_path ..
-                                 " --nginx-conf spec/fixtures/custom_nginx.template"))
+                                 " --nginx-conf spec/fixtures/custom_nginx.template", {
+          vaults = "env,mock"
+        }))
 
         wait_until_no_common_workers(workers, 1)
 
         assert.falsy(exists(join(helpers.test_conf.prefix, ".kong_process_secrets")))
 
-        local res = client:get("/")
+        ngx.sleep(0.1)
+
+        local http = assert(helpers.admin_client(10000))
+        local res = http:get("/")
         local body = assert.res_status(200, res)
         local json = cjson.decode(body)
         assert.equal(meta._VERSION, json.version)
+        assert.equal("{vault://mock/listen?prefix=admin_}", json.configuration.admin_listen)
       end)
     end)
   end)

diff --git a/spec/fixtures/custom_vaults/kong/vaults/mock/schema.lua b/spec/fixtures/custom_vaults/kong/vaults/mock/schema.lua
@@ -5,6 +5,7 @@ return {
       config = {
         type = "record",
         fields = {
+          { prefix = { type = "string", match = [[^[%a_][%a%d_]*$]] } },
         },
       },
     },