diff --git a/cmd/batch-expire.go b/cmd/batch-expire.go index 619b3b5ec..07f56a79d 100644 --- a/cmd/batch-expire.go +++ b/cmd/batch-expire.go @@ -289,6 +289,16 @@ type BatchJobExpire struct { var _ yaml.Unmarshaler = &BatchJobExpire{} +// RedactSensitive will redact any sensitive information in b. +func (r *BatchJobExpire) RedactSensitive() { + if r == nil { + return + } + if r.NotificationCfg.Token != "" { + r.NotificationCfg.Token = redactedText + } +} + // UnmarshalYAML - BatchJobExpire extends default unmarshal to extract line, col information. func (r *BatchJobExpire) UnmarshalYAML(val *yaml.Node) error { type expireJob BatchJobExpire diff --git a/cmd/batch-handlers.go b/cmd/batch-handlers.go index e21460584..853fe34cd 100644 --- a/cmd/batch-handlers.go +++ b/cmd/batch-handlers.go @@ -61,6 +61,8 @@ var globalBatchConfig batch.Config const ( // Keep the completed/failed job stats 3 days before removing it oldJobsExpiration = 3 * 24 * time.Hour + + redactedText = "**REDACTED**" ) // BatchJobRequest this is an internal data structure not for external consumption. @@ -74,6 +76,29 @@ type BatchJobRequest struct { ctx context.Context `msg:"-"` } +// RedactSensitive will redact any sensitive information in b. +func (j *BatchJobRequest) RedactSensitive() { + j.Replicate.RedactSensitive() + j.Expire.RedactSensitive() + j.KeyRotate.RedactSensitive() +} + +// RedactSensitive will redact any sensitive information in b. +func (r *BatchJobReplicateV1) RedactSensitive() { + if r == nil { + return + } + if r.Target.Creds.SecretKey != "" { + r.Target.Creds.SecretKey = redactedText + } + if r.Target.Creds.SessionToken != "" { + r.Target.Creds.SessionToken = redactedText + } +} + +// RedactSensitive will redact any sensitive information in b. +func (r *BatchJobKeyRotateV1) RedactSensitive() {} + func notifyEndpoint(ctx context.Context, ri *batchJobInfo, endpoint, token string) error { if endpoint == "" { return nil @@ -1695,6 +1720,8 @@ func (a adminAPIHandlers) DescribeBatchJob(w http.ResponseWriter, r *http.Reques return } + // Remove sensitive fields. + req.RedactSensitive() buf, err := yaml.Marshal(req) if err != nil { batchLogIf(ctx, err)