filter out vault secrets from template errors

Template execute errors would return the values related to the error in certain cases and these could end up in the logs. This makes sure that if those values are vault secrets they are redacted.
hashicorp · Aug 18, 2022 · 56e7293 · 56e7293
1 parent 0400fa2
commit 56e7293
Show file tree

Hide file tree

Showing 2 changed files with 117 additions and 57 deletions.
diff --git a/template/template.go b/template/template.go
@@ -4,7 +4,9 @@ import (
 	"bytes"
 	"crypto/md5"
 	"encoding/hex"
+	"fmt"
 	"io/ioutil"
+	"strings"
 	"text/template"
 
 	"github.com/pkg/errors"
@@ -198,7 +200,7 @@ func (t *Template) Execute(i *ExecuteInput) (*ExecuteResult, error) {
 	// Execute the template into the writer
 	var b bytes.Buffer
 	if err := tmpl.Execute(&b, nil); err != nil {
-		return nil, errors.Wrap(err, "execute")
+		return nil, errors.Wrap(redactinator(&used, i.Brain, err), "execute")
 	}
 
 	return &ExecuteResult{
@@ -208,6 +210,20 @@ func (t *Template) Execute(i *ExecuteInput) (*ExecuteResult, error) {
 	}, nil
 }
 
+func redactinator(used *dep.Set, b *Brain, err error) error {
+	pairs := make([]string, 0, used.Len())
+	for _, d := range used.List() {
+		if data, ok := b.Recall(d); ok {
+			if vd, ok := data.(*dep.Secret); ok {
+				for _, v := range vd.Data {
+					pairs = append(pairs, fmt.Sprintf("%v", v), "[redacted]")
+				}
+			}
+		}
+	}
+	return fmt.Errorf(strings.NewReplacer(pairs...).Replace(err.Error()))
+}
+
 // funcMapInput is input to the funcMap, which builds the template functions.
 type funcMapInput struct {
 	t                *template.Template