Introduce paramater for sensitive mount options.

Introduce optional sensitiveOptions parameter to allow sensitive mount options to be passed in a separate parameter from the normal mount options and ensures the sensitiveOptions are never logged.
2025-12-09 17:45:35 +00:00 · 2020-02-07 17:43:22 -08:00
parent 5d34e5006a
commit 8dd4fc79dc
8 changed files with 433 additions and 53 deletions
--- a/mount_test.go
+++ b/mount_test.go
@@ -18,6 +18,7 @@ package mount

 import (
 	"reflect"
+	"strings"
 	"testing"
 )

@@ -58,3 +59,126 @@ func TestMakeBindOpts(t *testing.T) {

 	}
 }
+
+func TestMakeBindOptsSensitive(t *testing.T) {
+	tests := []struct {
+		mountOptions                 []string
+		sensitiveMountOptions        []string
+		isBind                       bool
+		expectedBindOpts             []string
+		expectedRemountOpts          []string
+		expectedSensitiveRemountOpts []string
+	}{
+		{
+			mountOptions:                 []string{"vers=2", "ro", "_netdev"},
+			sensitiveMountOptions:        []string{"user=foo", "pass=bar"},
+			isBind:                       false,
+			expectedBindOpts:             []string{},
+			expectedRemountOpts:          []string{},
+			expectedSensitiveRemountOpts: []string{"user=foo", "pass=bar"},
+		},
+		{
+
+			mountOptions:                 []string{"vers=2", "ro", "_netdev"},
+			sensitiveMountOptions:        []string{"user=foo", "pass=bar", "bind"},
+			isBind:                       true,
+			expectedBindOpts:             []string{"bind", "_netdev"},
+			expectedRemountOpts:          []string{"bind", "remount", "vers=2", "ro", "_netdev"},
+			expectedSensitiveRemountOpts: []string{"user=foo", "pass=bar"},
+		},
+		{
+			mountOptions:                 []string{"vers=2", "remount", "ro", "_netdev"},
+			sensitiveMountOptions:        []string{"user=foo", "pass=bar"},
+			isBind:                       false,
+			expectedBindOpts:             []string{},
+			expectedRemountOpts:          []string{},
+			expectedSensitiveRemountOpts: []string{"user=foo", "pass=bar"},
+		},
+		{
+			mountOptions:                 []string{"vers=2", "ro", "_netdev"},
+			sensitiveMountOptions:        []string{"user=foo", "pass=bar", "remount"},
+			isBind:                       false,
+			expectedBindOpts:             []string{},
+			expectedRemountOpts:          []string{},
+			expectedSensitiveRemountOpts: []string{"user=foo", "pass=bar"},
+		},
+		{
+
+			mountOptions:                 []string{"vers=2", "bind", "ro", "_netdev"},
+			sensitiveMountOptions:        []string{"user=foo", "remount", "pass=bar"},
+			isBind:                       true,
+			expectedBindOpts:             []string{"bind", "_netdev"},
+			expectedRemountOpts:          []string{"bind", "remount", "vers=2", "ro", "_netdev"},
+			expectedSensitiveRemountOpts: []string{"user=foo", "pass=bar"},
+		},
+		{
+
+			mountOptions:                 []string{"vers=2", "bind", "ro", "_netdev"},
+			sensitiveMountOptions:        []string{"user=foo", "remount", "pass=bar"},
+			isBind:                       true,
+			expectedBindOpts:             []string{"bind", "_netdev"},
+			expectedRemountOpts:          []string{"bind", "remount", "vers=2", "ro", "_netdev"},
+			expectedSensitiveRemountOpts: []string{"user=foo", "pass=bar"},
+		},
+	}
+	for _, test := range tests {
+		bind, bindOpts, bindRemountOpts, bindRemountSensitiveOpts := MakeBindOptsSensitive(test.mountOptions, test.sensitiveMountOptions)
+		if bind != test.isBind {
+			t.Errorf("Expected bind to be %v but got %v", test.isBind, bind)
+		}
+		if test.isBind {
+			if !reflect.DeepEqual(test.expectedBindOpts, bindOpts) {
+				t.Errorf("Expected bind mount options to be %+v got %+v", test.expectedBindOpts, bindOpts)
+			}
+			if !reflect.DeepEqual(test.expectedRemountOpts, bindRemountOpts) {
+				t.Errorf("Expected remount options to be %+v got %+v", test.expectedRemountOpts, bindRemountOpts)
+			}
+			if !reflect.DeepEqual(test.expectedSensitiveRemountOpts, bindRemountSensitiveOpts) {
+				t.Errorf("Expected sensitive remount options to be %+v got %+v", test.expectedSensitiveRemountOpts, bindRemountSensitiveOpts)
+			}
+		}
+
+	}
+}
+
+func TestOptionsForLogging(t *testing.T) {
+	// Arrange
+	testcases := []struct {
+		options          []string
+		sensitiveOptions []string
+	}{
+		{
+			options:          []string{"o1", "o2"},
+			sensitiveOptions: []string{"s1"},
+		},
+		{
+			options:          []string{"o1", "o2"},
+			sensitiveOptions: []string{"s1", "s2"},
+		},
+		{
+			sensitiveOptions: []string{"s1", "s2"},
+		},
+		{
+			options: []string{"o1", "o2"},
+		},
+		{},
+	}
+
+	for _, v := range testcases {
+		// Act
+		maskedStr := sanitizedOptionsForLogging(v.options, v.sensitiveOptions)
+
+		// Assert
+		for _, sensitiveOption := range v.sensitiveOptions {
+			if strings.Contains(maskedStr, sensitiveOption) {
+				t.Errorf("Found sensitive log option %q in %q", sensitiveOption, maskedStr)
+			}
+		}
+
+		actualCount := strings.Count(maskedStr, sensitiveOptionsRemoved)
+		expectedCount := len(v.sensitiveOptions)
+		if actualCount != expectedCount {
+			t.Errorf("Found %v instances of %q in %q. Expected %v", actualCount, sensitiveOptionsRemoved, maskedStr, expectedCount)
+		}
+	}
+}