Remove sensitive fields when reading config data (#4216)

* Remove sensitive fields when reading config data

* Do not use structs; build and return map explicitly

* Revert tag in postgresql

* Fix tests

builtin/credential/aws/path_config_client.go

@@ -116,7 +116,6 @@ func (b *backend) pathConfigClientRead(ctx context.Context, req *logical.Request
 	return &logical.Response{
 		Data: map[string]interface{}{
 			"access_key":                 clientConfig.AccessKey,
-			"secret_key":                 clientConfig.SecretKey,
 			"endpoint":                   clientConfig.Endpoint,
 			"iam_endpoint":               clientConfig.IAMEndpoint,
 			"sts_endpoint":               clientConfig.STSEndpoint,

builtin/credential/ldap/path_config.go

@@ -11,7 +11,6 @@ import (
 	"strings"
 	"text/template"
 
-	"github.com/fatih/structs"
 	"github.com/go-ldap/ldap"
 	multierror "github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/vault/helper/tlsutil"
@@ -174,9 +173,24 @@ func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, d *f
 	}
 
 	resp := &logical.Response{
-		Data: structs.New(cfg).Map(),
+		Data: map[string]interface{}{
+			"url":             cfg.Url,
+			"userdn":          cfg.UserDN,
+			"groupdn":         cfg.GroupDN,
+			"groupfilter":     cfg.GroupFilter,
+			"groupattr":       cfg.GroupAttr,
+			"upndomain":       cfg.UPNDomain,
+			"userattr":        cfg.UserAttr,
+			"certificate":     cfg.Certificate,
+			"insecure_tls":    cfg.InsecureTLS,
+			"starttls":        cfg.StartTLS,
+			"binddn":          cfg.BindDN,
+			"deny_null_bind":  cfg.DenyNullBind,
+			"discoverdn":      cfg.DiscoverDN,
+			"tls_min_version": cfg.TLSMinVersion,
+			"tls_max_version": cfg.TLSMaxVersion,
+		},
 	}
-	resp.AddWarning("Read access to this endpoint should be controlled via ACLs as it will return the configuration information as-is, including any passwords.")
 	return resp, nil
 }
 

builtin/credential/radius/path_config.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"strings"
 
-	"github.com/fatih/structs"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@@ -104,9 +103,15 @@ func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, d *f
 	}
 
 	resp := &logical.Response{
-		Data: structs.New(cfg).Map(),
+		Data: map[string]interface{}{
+			"host": cfg.Host,
+			"port": cfg.Port,
+			"unregistered_user_policies": cfg.UnregisteredUserPolicies,
+			"dial_timeout":               cfg.DialTimeout,
+			"read_timeout":               cfg.ReadTimeout,
+			"nas_port":                   cfg.NasPort,
+		},
 	}
-	resp.AddWarning("Read access to this endpoint should be controlled via ACLs as it will return the configuration information as-is, including any secrets.")
 	return resp, nil
 }
 

builtin/logical/cassandra/path_config_connection.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/fatih/structs"
 	"github.com/hashicorp/vault/helper/certutil"
 	"github.com/hashicorp/vault/helper/tlsutil"
 	"github.com/hashicorp/vault/logical"
@@ -100,14 +99,20 @@ func (b *backend) pathConnectionRead(ctx context.Context, req *logical.Request,
 		return nil, err
 	}
 
-	config.Password = "**********"
-	if len(config.PrivateKey) > 0 {
-		config.PrivateKey = "**********"
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"hosts":            config.Hosts,
+			"username":         config.Username,
+			"tls":              config.TLS,
+			"insecure_tls":     config.InsecureTLS,
+			"certificate":      config.Certificate,
+			"issuing_ca":       config.IssuingCA,
+			"protocol_version": config.ProtocolVersion,
+			"connect_timeout":  config.ConnectTimeout,
+			"tls_min_version":  config.TLSMinVersion,
+		},
 	}
-
-	return &logical.Response{
-		Data: structs.New(config).Map(),
-	}, nil
+	return resp, nil
 }
 
 func (b *backend) pathConnectionWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {

builtin/logical/database/backend_test.go

@@ -210,9 +210,7 @@ func TestBackend_config_connection(t *testing.T) {
 
 	expected := map[string]interface{}{
 		"plugin_name":                        "postgresql-database-plugin",
-		"connection_details": map[string]interface{}{
-			"connection_url": "sample_connection_url",
-		},
+		"connection_details":                 map[string]interface{}{},
 		"allowed_roles":                      []string{"*"},
 		"root_credentials_rotate_statements": []string{},
 	}
@@ -520,9 +518,7 @@ func TestBackend_connectionCrud(t *testing.T) {
 	// Read connection
 	expected := map[string]interface{}{
 		"plugin_name":                        "postgresql-database-plugin",
-		"connection_details": map[string]interface{}{
-			"connection_url": connURL,
-		},
+		"connection_details":                 map[string]interface{}{},
 		"allowed_roles":                      []string{"plugin-role-test"},
 		"root_credentials_rotate_statements": []string{},
 	}

builtin/logical/database/path_config_connection.go

@@ -168,6 +168,11 @@ func (b *databaseBackend) connectionReadHandler() framework.OperationFunc {
 		if err := entry.DecodeJSON(&config); err != nil {
 			return nil, err
 		}
+
+		if _, ok := config.ConnectionDetails["connection_url"]; ok {
+			delete(config.ConnectionDetails, "connection_url")
+		}
+
 		return &logical.Response{
 			Data: structs.New(config).Map(),
 		}, nil

builtin/logical/mongodb/backend_test.go

@@ -102,10 +102,6 @@ func TestBackend_config_connection(t *testing.T) {
 	if err != nil || (resp != nil && resp.IsError()) {
 		t.Fatalf("err:%s resp:%#v\n", err, resp)
 	}
-
-	if resp.Data["uri"] != configData["uri"] {
-		t.Fatalf("bad: %#v", resp)
-	}
 }
 
 func TestBackend_basic(t *testing.T) {

builtin/logical/mongodb/path_config_connection.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/fatih/structs"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 	"gopkg.in/mgo.v2"
@@ -43,13 +42,7 @@ func (b *backend) pathConnectionRead(ctx context.Context, req *logical.Request,
 		return nil, nil
 	}
 
-	var config connectionConfig
-	if err := entry.DecodeJSON(&config); err != nil {
-		return nil, err
-	}
-	return &logical.Response{
-		Data: structs.New(config).Map(),
-	}, nil
+	return nil, nil
 }
 
 func (b *backend) pathConnectionWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {

builtin/logical/mssql/backend_test.go

@@ -47,6 +47,7 @@ func TestBackend_config_connection(t *testing.T) {
 	}
 
 	delete(configData, "verify_connection")
+	delete(configData, "connection_string")
 	if !reflect.DeepEqual(configData, resp.Data) {
 		t.Fatalf("bad: expected:%#v\nactual:%#v\n", configData, resp.Data)
 	}

builtin/logical/mssql/path_config_connection.go

@@ -5,7 +5,6 @@ import (
 	"database/sql"
 	"fmt"
 
-	"github.com/fatih/structs"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@@ -53,8 +52,11 @@ func (b *backend) pathConnectionRead(ctx context.Context, req *logical.Request,
 	if err := entry.DecodeJSON(&config); err != nil {
 		return nil, err
 	}
+
 	return &logical.Response{
-		Data: structs.New(config).Map(),
+		Data: map[string]interface{}{
+			"max_open_connections": config.MaxOpenConnections,
+		},
 	}, nil
 }
 

builtin/logical/mysql/backend_test.go

@@ -81,7 +81,6 @@ func TestBackend_config_connection(t *testing.T) {
 	}
 
 	configData := map[string]interface{}{
-		"value":                "",
 		"connection_url":       "sample_connection_url",
 		"max_open_connections": 9,
 		"max_idle_connections": 7,
@@ -106,6 +105,7 @@ func TestBackend_config_connection(t *testing.T) {
 	}
 
 	delete(configData, "verify_connection")
+	delete(configData, "connection_url")
 	if !reflect.DeepEqual(configData, resp.Data) {
 		t.Fatalf("bad: expected:%#v\nactual:%#v\n", configData, resp.Data)
 	}

builtin/logical/mysql/path_config_connection.go

@@ -5,7 +5,6 @@ import (
 	"database/sql"
 	"fmt"
 
-	"github.com/fatih/structs"
 	_ "github.com/go-sql-driver/mysql"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
@@ -63,8 +62,12 @@ func (b *backend) pathConnectionRead(ctx context.Context, req *logical.Request,
 	if err := entry.DecodeJSON(&config); err != nil {
 		return nil, err
 	}
+
 	return &logical.Response{
-		Data: structs.New(config).Map(),
+		Data: map[string]interface{}{
+			"max_open_connections": config.MaxOpenConnections,
+			"max_idle_connections": config.MaxIdleConnections,
+		},
 	}, nil
 }
 

builtin/logical/postgresql/backend_test.go

@@ -86,7 +86,6 @@ func TestBackend_config_connection(t *testing.T) {
 
 	configData := map[string]interface{}{
 		"connection_url":       "sample_connection_url",
-		"value":                "",
 		"max_open_connections": 9,
 		"max_idle_connections": 7,
 		"verify_connection":    false,
@@ -110,6 +109,7 @@ func TestBackend_config_connection(t *testing.T) {
 	}
 
 	delete(configData, "verify_connection")
+	delete(configData, "connection_url")
 	if !reflect.DeepEqual(configData, resp.Data) {
 		t.Fatalf("bad: expected:%#v\nactual:%#v\n", configData, resp.Data)
 	}

builtin/logical/postgresql/path_config_connection.go

@@ -5,7 +5,6 @@ import (
 	"database/sql"
 	"fmt"
 
-	"github.com/fatih/structs"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 	_ "github.com/lib/pq"
@@ -73,8 +72,12 @@ func (b *backend) pathConnectionRead(ctx context.Context, req *logical.Request,
 	if err := entry.DecodeJSON(&config); err != nil {
 		return nil, err
 	}
+
 	return &logical.Response{
-		Data: structs.New(config).Map(),
+		Data: map[string]interface{}{
+			"max_open_connections": config.MaxOpenConnections,
+			"max_idle_connections": config.MaxIdleConnections,
+		},
 	}, nil
 }