chore(cmd): Introduce option for safe verbosness, and sanitation func…

…tion
argoproj-labs · Dec 2, 2024 · 3fdaf86 · 3fdaf86
1 parent b046a7d
commit 3fdaf86
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/cmd/generate.go b/cmd/generate.go
@@ -21,6 +21,7 @@ func NewGenerateCommand() *cobra.Command {
 	const StdIn = "-"
 	var configPath, secretName string
 	var verboseOutput bool
+	var verboseUnsafe bool
 	var disableCache bool
 
 	var command = &cobra.Command{
@@ -64,6 +65,7 @@ func NewGenerateCommand() *cobra.Command {
 
 			v := viper.New()
 			viper.Set("verboseOutput", verboseOutput)
+			viper.Set("verboseUnsafe", verboseUnsafe)
 			viper.Set("disableCache", disableCache)
 			cmdConfig, err := config.New(v, &config.Options{
 				SecretName: secretName,
@@ -117,7 +119,8 @@ func NewGenerateCommand() *cobra.Command {
 
 	command.Flags().StringVarP(&configPath, "config-path", "c", "", "path to a file containing Vault configuration (YAML, JSON, envfile) to use")
 	command.Flags().StringVarP(&secretName, "secret-name", "s", "", "name of a Kubernetes Secret in the argocd namespace containing Vault configuration data in the argocd namespace of your ArgoCD host (Only available when used in ArgoCD). The namespace can be overridden by using the format <namespace>:<name>")
-	command.Flags().BoolVar(&verboseOutput, "verbose-sensitive-output", false, "enable verbose mode for detailed info to help with debugging. Includes sensitive data (credentials), logged to stderr")
+	command.Flags().BoolVar(&verboseOutput, "verboseOutput", false, "enable verboseOutput mode for detailed info to help with debugging. Omits sensitive data (credentials), logged to stderr")
+	command.Flags().BoolVar(&verboseUnsafe, "verboseOutput-sensitive-output", false, "enable verboseOutput mode for detailed info to help with debugging. Includes sensitive data (credentials), logged to stderr")
 	command.Flags().BoolVar(&disableCache, "disable-token-cache", false, "disable the automatic token cache feature that store tokens locally")
 	return command
 }
diff --git a/pkg/utils/util.go b/pkg/utils/util.go
@@ -63,7 +63,7 @@ func ReadExistingToken(identifier string) ([]byte, error) {
 func LoginWithCachedToken(vaultClient *api.Client, identifier string) error {
 	if viper.GetBool("disableCache") {
 		return fmt.Errorf("Token cache feature is disabled")
-	}	else {
+	} else {
 		byteValue, err := ReadExistingToken(identifier)
 		if err != nil {
 			return err
@@ -94,7 +94,7 @@ func SetToken(vaultClient *api.Client, identifier string, token string) error {
 
 	if viper.GetBool("disableCache") {
 		return fmt.Errorf("Token cache feature is disabled")
-	}	else {
+	} else {
 		home, err := os.UserHomeDir()
 		if err != nil {
 			return fmt.Errorf("Could not access home directory: %s", err.Error())
@@ -147,3 +147,13 @@ func VerboseToStdErr(format string, message ...interface{}) {
 		log.Printf(fmt.Sprintf("%s\n", format), message...)
 	}
 }
+
+// SanitizeUnsafe replaces the message data with redacted literal unless `--verbose-sensitive-output` was passed
+func SanitizeUnsafe(message interface{}) interface{} {
+	if viper.GetBool("verboseOutput") && !viper.GetBool("verboseUnsafe") {
+		messageLen := len(fmt.Sprintf("%s", message))
+		return fmt.Sprintf("***REDACTED(%v characters)***", messageLen)
+	} else {
+		return message
+	}
+}