Mask sensitive config fields for debug logs
-
Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA. As a benefit of being a GitLab Community Contributor, you can request access to GitLab Duo.
What does this MR do?
This commit masks the sensitive fields on the configuration struct when it is logged on debug level.
All sensitive fields are marked with the mask struct tag. Simple
string fields are masked with the filled option (i.e. the masked
string will match the same char length), while file-like fields (e.g.
private key files) are masked with the fixed option.
Why was this MR needed?
It can be helpful at times to turn on debug logging when diagnosing runner issues, but it is generally preferred not to expose the GitLab Runner authentication token in plaintext.
What's the best way to test this MR?
$ go run main.go --log-level debug run -c config.toml.example
Runtime platform arch=arm64 os=darwin pid=35404 revision=HEAD version=development version
Starting multi-runner from config.toml.example... builds=0 max_builds=0
Checking runtime mode GOOS=darwin uid=501
WARNING: Running in user-mode.
WARNING: Use sudo for system-mode:
WARNING: $ sudo gitlab-runner...
Configuration loaded builds=0 max_builds=4
listenaddress: ""
sessionserver:
listenaddress: ""
advertiseaddress: ""
sessiontimeout: 1800
concurrent: 4
checkinterval: 0
loglevel: null
logformat: null
user: ""
runners:
- name: shell
limit: 2
outputlimit: 0
requestconcurrency: 0
unhealthyrequestslimit: 0
unhealthyinterval: null
systemidstate: {}
configloadedat: 2024-10-25T23:02:42.857014+08:00
configdir: .
runnercredentials:
url: https://CI/
id: 0
token: '*****'
tokenobtainedat: 0001-01-01T00:00:00Z
tokenexpiresat: 0001-01-01T00:00:00Z
tlscafile: ""
tlscertfile: ""
tlskeyfile: '********'
logger: null
...What are the relevant issue numbers?
Resolves #38279
Edited by 🤖 GitLab Bot 🤖