Commit 5c072495 authored by Ryan Cobb's avatar Ryan Cobb

Mask Sentry auth token

This masks Sentry's auth token. The mask is applied only in the UI.
parent 1425a56c
...@@ -32,7 +32,7 @@ module ErrorTracking ...@@ -32,7 +32,7 @@ module ErrorTracking
project_slug: 'proj' project_slug: 'proj'
) )
setting.token = params[:token] setting.token = token(setting)
setting.enabled = true setting.enabled = true
end end
end end
...@@ -40,5 +40,12 @@ module ErrorTracking ...@@ -40,5 +40,12 @@ module ErrorTracking
def can_read? def can_read?
can?(current_user, :read_sentry_issue, project) can?(current_user, :read_sentry_issue, project)
end end
def token(setting)
# Use param token if not masked, otherwise use database token
return params[:token] unless /\A\*+\z/.match?(params[:token])
setting.token
end
end end
end end
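Review bot: In the new `token(setting)` helper the masked placeholder is swapped for the stored `setting.token` without checking that the request still targets the host that token was entered for, yet the same request can carry a new `api_host` (the spec added in this commit posts `token: "*********", api_host: new_api_host`). `list_sentry_projects` would then send the persisted secret to whatever host the caller named, so a user who may edit the setting but was never shown the token could redirect it to a host they control, which was not possible while the real token had to be resent. Since the context lines suggest `api_url` is assigned on `setting` just above, dirty tracking can gate the fallback: `return params[:token] unless /\A\*+\z/.match?(params[:token])` followed by `setting.token unless setting.api_url_changed?`, so a host change with a masked token yields no token rather than the stored one. Whether `setting` is the persisted record or a fresh build, and how a nil token is handled afterwards, is decided outside this hunk, so confirm that against the rest of `execute`.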
...@@ -36,15 +36,17 @@ module Projects ...@@ -36,15 +36,17 @@ module Projects
organization_slug: settings.dig(:project, :organization_slug) organization_slug: settings.dig(:project, :organization_slug)
) )
{ params = {
error_tracking_setting_attributes: { error_tracking_setting_attributes: {
api_url: api_url, api_url: api_url,
token: settings[:token],
enabled: settings[:enabled], enabled: settings[:enabled],
project_name: settings.dig(:project, :name), project_name: settings.dig(:project, :name),
organization_name: settings.dig(:project, :organization_name) organization_name: settings.dig(:project, :organization_name)
} }
} }
params[:error_tracking_setting_attributes][:token] = settings[:token] unless /\A\*+\z/.match?(settings[:token]) # Don't update token if we receive masked value
params
end end
def grafana_integration_params def grafana_integration_params
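Review bot: The mask sentinel `/\A\*+\z/` on the last added line is a second copy of the regex ListProjectsService uses for the same decision, and both are implicitly coupled to the `'*' * 12` literal the JSON view emits; if any of the three drifts, a placeholder gets stored as the real token. Define it once, e.g. `MASKED_TOKEN_REGEX = /\A\*+\z/.freeze` on the setting model or a small `masked_token?(value)` helper, and call that from both services. Moving the trailing comment above the statement also brings the line back to a normal length: `# Keep the stored token when the form posts back the masked placeholder` then `params[:error_tracking_setting_attributes][:token] = settings[:token] unless MASKED_TOKEN_REGEX.match?(settings[:token])`. Note that `api_url` is still rebuilt from the request in the same payload while the stored token is retained, so the host-redirect concern raised on ListProjectsService applies here as well; the method's opening lines are outside the hunk.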
......
...@@ -17,4 +17,4 @@ ...@@ -17,4 +17,4 @@
project: error_tracking_setting_project_json, project: error_tracking_setting_project_json,
api_host: setting.api_host, api_host: setting.api_host,
enabled: setting.enabled.to_json, enabled: setting.enabled.to_json,
token: setting.token } } token: setting.token.present? ? '*' * 12 : nil } }
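Review bot: The mask length 12 on the new line is a bare literal whose only contract is that it round-trips through the form and matches `/\A\*+\z/` in the two services; changing it to a different glyph or a non-mask placeholder later would be stored as the token without any test failing here. Name it next to the regex, e.g. `MASKED_TOKEN = ('*' * 12).freeze`, and write `token: setting.token.present? ? MASKED_TOKEN : nil`. Using a fixed length rather than `setting.token.length` is the right call, since the mask then reveals nothing about the stored secret. The commit description says the mask is UI-only, so it is worth confirming that no other serializer of this setting still returns `setting.token` to the same users, which this hunk cannot show.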
---
title: Mask sentry auth token in Error Tracking dashboard
author:
type: security
...@@ -50,6 +50,19 @@ describe ErrorTracking::ListProjectsService do ...@@ -50,6 +50,19 @@ describe ErrorTracking::ListProjectsService do
end end
end end
context 'masked param token' do
let(:params) { ActionController::Parameters.new(token: "*********", api_host: new_api_host) }
before do
expect(error_tracking_setting).to receive(:list_sentry_projects)
.and_return({ projects: [] })
end
it 'uses database token' do
expect { subject.execute }.not_to change { error_tracking_setting.token }
end
end
context 'sentry client raises exception' do context 'sentry client raises exception' do
context 'Sentry::Client::Error' do context 'Sentry::Client::Error' do
before do before do
......
...@@ -145,6 +145,27 @@ describe Projects::Operations::UpdateService do ...@@ -145,6 +145,27 @@ describe Projects::Operations::UpdateService do
end end
end end
context 'with masked param token' do
let(:params) do
{
error_tracking_setting_attributes: {
enabled: false,
token: '*' * 8
}
}
end
before do
create(:project_error_tracking_setting, project: project, token: 'token')
end
it 'does not update token' do
expect(result[:status]).to eq(:success)
expect(project.error_tracking_setting.token).to eq('token')
end
end
context 'with invalid parameters' do context 'with invalid parameters' do
let(:params) { {} } let(:params) { {} }
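Review bot: The assertion `expect(project.error_tracking_setting.token).to eq('token')` reads the association on `project`, which may already be loaded by an earlier `let`/`before` in this file; if so it reflects the in-memory record from `create` rather than what the service wrote, and the test passes regardless of the fix. `expect(project.error_tracking_setting.reload.token).to eq('token')` pins the persisted value. Adding `expect(project.error_tracking_setting.reload.enabled).to be(false)` would also confirm that the other attribute in the same payload was applied while only the token was skipped. How `project` and `result` are set up is outside this hunk.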
......