Use 'secrecy' to avoid logging passwords

elonen · elonen · commit 3696d22bd01e · 2023-02-22T02:09:32.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -48,6 +48,7 @@ ldap3 = "0.11.1"
 lru_time_cache = "0.11.11"
 regex = "1.7.1"
 rust-ini = "0.18.0"
+secrecy = "0.8.0"
 sha2 = "0.10.6"
 tokio = { version = "1.24.2", features = ["full"] }
 tracing = "0.1.37"
diff --git a/src/config.rs b/src/config.rs
@@ -7,6 +7,7 @@ use ini::Ini;
 use anyhow::Error;
 use anyhow::Result;
 use regex::Regex;
+use secrecy::SecretString;
 
 use crate::SubQueryJoin;
 
@@ -92,7 +93,7 @@ config_options! {
     ldap_server_url: String = None; "URL of the LDAP server (e.g. 'ldaps://ldap.example.com:636')",
     ldap_conn_timeout: f32 = Some("10.0"); "LDAP connection timeout in seconds",
     ldap_bind_dn: String = None; "DN of the LDAP user to bind as (e.g. 'CN=proxyuser,OU=users,DC=example,DC=com')",
-    ldap_bind_password: String = None; "Password of the LDAP user to bind as",
+    ldap_bind_password: SecretString = None; "Password of the LDAP user to bind as",
     ldap_search_base: String = None; "LDAP base DN to search in (e.g. 'OU=users,DC=example,DC=com')",
     ldap_scope: ldap3::Scope = Some("subtree"); "LDAP search scope. Must be 'subtree', 'onelevel' or 'base')",
     ldap_query: String = None; "LDAP query to use. May contain '%USERNAME%', which will be quoted and replaced.\nExample: '(&(objectClass=person)(sAMAccountName=%USERNAME%))",
@@ -250,7 +251,7 @@ pub(crate) fn parse_config(config_file: &str) -> Result<Vec<ConfigSection>, Erro
             ldap_server_url: get("ldap_server_url"),
             ldap_conn_timeout: get("ldap_conn_timeout").parse().or_else(|_| Err(parse_err("ldap_conn_timeout")))?,
             ldap_bind_dn: get("ldap_bind_dn"),
-            ldap_bind_password: get("ldap_bind_password"),
+            ldap_bind_password: get("ldap_bind_password").into(),
             ldap_search_base: get("ldap_search_base"),
             ldap_scope: match get("ldap_scope").as_str() {
                 "subtree" => ldap3::Scope::Subtree,
diff --git a/src/main.rs b/src/main.rs
@@ -16,6 +16,7 @@ use ldap3::{LdapConnAsync, SearchEntry};
 use sha2::{Sha256, Digest};
 use lru_time_cache::LruCache;
 use tokio::sync::{Mutex, RwLock};
+use secrecy::ExposeSecret;
 
 mod config;
 
@@ -118,7 +119,7 @@ async fn ldap_query(
     ldap3::drive!(conn);
 
     let bind_dn = conf.ldap_bind_dn.as_str();
-    let bind_pw = conf.ldap_bind_password.as_str();
+    let bind_pw = conf.ldap_bind_password.expose_secret().as_str();
     ldap.simple_bind(bind_dn, bind_pw).await?.success()?;
 
     let (rs, _res) = match ldap.search(
@@ -247,8 +248,14 @@ async fn http_handler(req: Request<Body>, ctx: Arc<ReqContext>) -> Result<Respon
 
     // Check LDAP (and cache)
     let cache = ctx.cache.get(conf.section.as_str()).unwrap().clone();
-    match ldap_query(
-            conf.section.clone(), username.into(), ctx.config.clone(), cache, Arc::new(RwLock::new(HashSet::new()))).await {
+    let ldap_res = span.in_scope(|| async { ldap_query(
+        conf.section.clone(), 
+        username.into(), 
+        ctx.config.clone(),
+        cache, 
+        Arc::new(RwLock::new(HashSet::new()))).await }).await;
+
+    match ldap_res {
         Err(e) => {
             span.in_scope(|| { tracing::error!("LDAP error: {:?}", e); });
             return Response::builder().status(StatusCode::BAD_GATEWAY).body(Body::from("LDAP error"))
