From 9d5c16f6232f1ea0ed8ba85a87aa5af650cbdf55 Mon Sep 17 00:00:00 2001
From: sanne
Date: Fri, 8 Oct 2021 11:58:03 +0200
Subject: [PATCH] composer: Don't dump sensitive fields from config
---
 cmd/osbuild-composer/config.go | 4 +++-
 cmd/osbuild-composer/config_test.go | 16 ++++++++++++++++
 cmd/osbuild-composer/main.go | 2 +-
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/cmd/osbuild-composer/config.go b/cmd/osbuild-composer/config.go
index faa9ab7e6..1b1b955cd 100644
--- a/cmd/osbuild-composer/config.go
+++ b/cmd/osbuild-composer/config.go
@@ -148,6 +148,8 @@ func loadConfigFromEnv(intf interface{}) error {
 return nil
 }
-func DumpConfig(c *ComposerConfigFile, w io.Writer) error {
+func DumpConfig(c ComposerConfigFile, w io.Writer) error {
+ // sensor sensitive fields
+ c.Worker.PGPassword = ""
 return toml.NewEncoder(w).Encode(c)
 }
diff --git a/cmd/osbuild-composer/config_test.go b/cmd/osbuild-composer/config_test.go
index 5e1be1887..5f4c9dc1a 100644
--- a/cmd/osbuild-composer/config_test.go
+++ b/cmd/osbuild-composer/config_test.go
@@ -1,6 +1,7 @@
 package main
 import (
+ "bytes"
 "os"
 "testing"
@@ -94,3 +95,18 @@ func TestWeldrDistrosImageTypeDenyList(t *testing.T) {
 require.Equal(t, expectedWeldrDistrosImageTypeDenyList, config.weldrDistrosImageTypeDenyList())
 }
+
+func TestDumpConfig(t *testing.T) {
+ config := &ComposerConfigFile{
+ Worker: WorkerAPIConfig{
+ PGPassword: "sensitive",
+ },
+ }
+
+ var buf bytes.Buffer
+ require.NoError(t, DumpConfig(*config, &buf))
+ require.Contains(t, buf.String(), "pg_password = \"\"")
+ require.NotContains(t, buf.String(), "sensitive")
+ // DumpConfig takes a copy
+ require.Equal(t, "sensitive", config.Worker.PGPassword)
+}
diff --git a/cmd/osbuild-composer/main.go b/cmd/osbuild-composer/main.go
index 69c34bdfa..53eb8b425 100644
--- a/cmd/osbuild-composer/main.go
+++ b/cmd/osbuild-composer/main.go
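Review bot: The redaction in `DumpConfig` (cmd/osbuild-composer/config.go) is a deny-list of exactly one field, so any other credential-bearing field in `ComposerConfigFile`, now or added later, would still be encoded and end up in the Info-level log; the struct definition is outside this hunk, so whether such fields exist today should be checked. A doc comment would make the contract visible: `// DumpConfig writes c to w as TOML with secret fields blanked. c is passed by value so the caller's config is not modified; every field holding a secret must be cleared here.` The by-value copy is shallow, which is enough only while `Worker` stays a struct value rather than a pointer; `TestDumpConfig` in config_test.go pins that for `PGPassword` but for no other field. The inline comment also has a typo and should read `// censor sensitive fields`.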
@@ -43,7 +43,7 @@ func main() {
 }
 logrus.Info("Loaded configuration:")
- err = DumpConfig(config, logrus.StandardLogger().WriterLevel(logrus.InfoLevel))
+ err = DumpConfig(*config, logrus.StandardLogger().WriterLevel(logrus.InfoLevel))
 if err != nil {
 logrus.Fatalf("Error printing configuration: %v", err)
 }
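Review bot: The `*io.PipeWriter` returned by `WriterLevel` on the changed call line is never closed; logrus leaves closing it to the caller, and until then the goroutine that reads from the pipe stays around. Holding the writer in a variable fixes that: `w := logrus.StandardLogger().WriterLevel(logrus.InfoLevel)`, `err = DumpConfig(*config, w)`, then `w.Close()` before the error check. `main` starts and ends outside this hunk, so whether `config` is guaranteed non-nil before the new `*config` dereference cannot be confirmed from here.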