Commit 8f5116da authored by Ryan Cobb's avatar Ryan Cobb

Mask Sentry auth token

This makes it so we mask Sentry's auth token. This mask only occurs in
the UI.
parent eb5aab8f
......@@ -32,7 +32,7 @@ module ErrorTracking
project_slug: 'proj'
)
setting.token = params[:token]
setting.token = token(setting)
setting.enabled = true
end
end
......@@ -40,5 +40,12 @@ module ErrorTracking
def can_read?
can?(current_user, :read_sentry_issue, project)
end
def token(setting)
# Use param token if not masked, otherwise use database token
return params[:token] unless /\A\*+\z/.match?(params[:token])
setting.token
end
end
end
......@@ -36,15 +36,17 @@ module Projects
organization_slug: settings.dig(:project, :organization_slug)
)
{
params = {
error_tracking_setting_attributes: {
api_url: api_url,
token: settings[:token],
enabled: settings[:enabled],
project_name: settings.dig(:project, :name),
organization_name: settings.dig(:project, :organization_name)
}
}
params[:error_tracking_setting_attributes][:token] = settings[:token] unless /\A\*+\z/.match?(settings[:token]) # Don't update token if we receive masked value
params
end
def grafana_integration_params
......
......@@ -17,4 +17,4 @@
project: error_tracking_setting_project_json,
api_host: setting.api_host,
enabled: setting.enabled.to_json,
token: setting.token } }
token: setting.token.present? ? '*' * 12 : nil } }
---
title: Mask sentry auth token in Error Tracking dashboard
author:
type: security
......@@ -50,6 +50,19 @@ describe ErrorTracking::ListProjectsService do
end
end
context 'masked param token' do
let(:params) { ActionController::Parameters.new(token: "*********", api_host: new_api_host) }
before do
expect(error_tracking_setting).to receive(:list_sentry_projects)
.and_return({ projects: [] })
end
it 'uses database token' do
expect { subject.execute }.not_to change { error_tracking_setting.token }
end
end
context 'sentry client raises exception' do
context 'Sentry::Client::Error' do
before do
......
......@@ -145,6 +145,27 @@ describe Projects::Operations::UpdateService do
end
end
context 'with masked param token' do
let(:params) do
{
error_tracking_setting_attributes: {
enabled: false,
token: '*' * 8
}
}
end
before do
create(:project_error_tracking_setting, project: project, token: 'token')
end
it 'does not update token' do
expect(result[:status]).to eq(:success)
expect(project.error_tracking_setting.token).to eq('token')
end
end
context 'with invalid parameters' do
let(:params) { {} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment