Remove spurious fmt.Printf calls including one of a key (#15344)

And add a semgrep for fmt.Printf/Println.

api/auth/azure/azure.go

@@ -198,7 +198,6 @@ func (a *AzureAuth) getJWT() (string, error) {
 func getMetadata() (metadataJSON, error) {
 	metadataEndpoint, err := url.Parse(fmt.Sprintf("%s/metadata/instance", metadataEndpoint))
 	if err != nil {
-		fmt.Println("Error creating URL: ", err)
 		return metadataJSON{}, err
 	}
 

builtin/credential/aws/pkcs7/decrypt.go

@@ -60,7 +60,6 @@ func (eci encryptedContentInfo) decrypt(key []byte) ([]byte, error) {
 		!alg.Equal(OIDEncryptionAlgorithmAES128CBC) &&
 		!alg.Equal(OIDEncryptionAlgorithmAES128GCM) &&
 		!alg.Equal(OIDEncryptionAlgorithmAES256GCM) {
-		fmt.Printf("Unsupported Content Encryption Algorithm: %s\n", alg)
 		return nil, ErrUnsupportedAlgorithm
 	}
 

builtin/credential/aws/pkcs7/verify_test_dsa.go

@@ -5,7 +5,6 @@ package pkcs7
 import (
 	"crypto/x509"
 	"encoding/pem"
-	"fmt"
 	"io/ioutil"
 	"os"
 	"os/exec"
@@ -108,7 +107,7 @@ but that's not what ships are built for.
 	if err != nil {
 		t.Fatal(err)
 	}
-	fmt.Printf("%s\n", pemSignature)
+	t.Logf("%s\n", pemSignature)
 	derBlock, _ := pem.Decode(pemSignature)
 	if derBlock == nil {
 		t.Fatalf("failed to read DER block from signature PEM %s", tmpSignedFile.Name())

builtin/logical/rabbitmq/path_role_create.go

@@ -74,7 +74,6 @@ func (b *backend) pathCredsRead(ctx context.Context, req *logical.Request, d *fr
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate username: %w", err)
 	}
-	fmt.Printf("username: %s\n", username)
 
 	password, err := b.generatePassword(ctx, config.PasswordPolicy)
 	if err != nil {

command/server/config_test_helpers.go

@@ -320,7 +320,6 @@ func testParseEntropy(t *testing.T, oss bool) {
 		case err != test.outErr:
 			t.Fatalf("error mismatch: expected %#v got %#v", err, test.outErr)
 		case err == nil && config.Entropy != nil && *config.Entropy != test.outEntropy:
-			fmt.Printf("\n config.Entropy: %#v", config.Entropy)
 			t.Fatalf("entropy config mismatch: expected %#v got %#v", test.outEntropy, *config.Entropy)
 		}
 	}

helper/dhutil/dhutil.go

@@ -6,7 +6,6 @@ import (
 	"crypto/cipher"
 	"crypto/rand"
 	"crypto/sha256"
-	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
@@ -90,7 +89,6 @@ func DeriveSharedKey(secret, ourPublic, theirPublic []byte) ([]byte, error) {
 	if n != 32 {
 		return nil, errors.New("short read from hkdf")
 	}
-	fmt.Printf("Key: %s\n", hex.EncodeToString(key[:]))
 
 	return key[:], nil
 }

tools/semgrep/ci/fmt-printf.yml

@@ -0,0 +1,16 @@
+rules:
+  - id: fmt.Printf
+    languages: [go]
+    message: fmt.Printf/Println is forbidden outside of cmd and test files
+    patterns:
+      - pattern-either:
+        - pattern: fmt.Printf
+        - pattern: fmt.Println
+    severity: ERROR
+    paths:
+      exclude:
+        - "*_test.go"
+        - "cmd/*.go"
+        - "cmd/**/*.go"
+        - sdk/database/dbplugin/server.go # effectively a cmd
+        - sdk/database/dbplugin/v5/plugin_server.go # effectively a cmd