fix: strip LDAPPassword from errors (#1514)

fixes minio/minio#12723 Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
minio · Jul 15, 2021 · 9e71353 · 9e71353
1 parent 570d735
commit 9e71353
Showing 1 changed file with 27 additions and 15 deletions.
diff --git a/pkg/credentials/sts_ldap_identity.go b/pkg/credentials/sts_ldap_identity.go
@@ -1,6 +1,6 @@
 /*
  * MinIO Go Library for Amazon S3 Compatible Cloud Storage
- * Copyright 2019 MinIO, Inc.
+ * Copyright 2019-2021 MinIO, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -77,6 +77,22 @@ func NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword string) (*Credentia
 	}), nil
 }
 
+func stripPassword(err error) error {
+	urlErr, ok := err.(*url.Error)
+	if ok {
+		u, _ := url.Parse(urlErr.URL)
+		if u == nil {
+			return urlErr
+		}
+		values := u.Query()
+		values.Set("LDAPPassword", "xxxxx")
+		u.RawQuery = values.Encode()
+		urlErr.URL = u.String()
+		return urlErr
+	}
+	return err
+}
+
 // NewLDAPIdentityWithSessionPolicy returns new credentials object that uses
 // LDAP Identity with a specified session policy. The `policy` parameter must be
 // a JSON string specifying the policy document.
@@ -93,10 +109,9 @@ func NewLDAPIdentityWithSessionPolicy(stsEndpoint, ldapUsername, ldapPassword, p
 // Retrieve gets the credential by calling the MinIO STS API for
 // LDAP on the configured stsEndpoint.
 func (k *LDAPIdentity) Retrieve() (value Value, err error) {
-	u, kerr := url.Parse(k.STSEndpoint)
-	if kerr != nil {
-		err = kerr
-		return
+	u, err := url.Parse(k.STSEndpoint)
+	if err != nil {
+		return value, err
 	}
 
 	v := url.Values{}
@@ -110,22 +125,19 @@ func (k *LDAPIdentity) Retrieve() (value Value, err error) {
 
 	u.RawQuery = v.Encode()
 
-	req, kerr := http.NewRequest(http.MethodPost, u.String(), nil)
-	if kerr != nil {
-		err = kerr
-		return
+	req, err := http.NewRequest(http.MethodPost, u.String(), nil)
+	if err != nil {
+		return value, stripPassword(err)
 	}
 
-	resp, kerr := k.Client.Do(req)
-	if kerr != nil {
-		err = kerr
-		return
+	resp, err := k.Client.Do(req)
+	if err != nil {
+		return value, stripPassword(err)
 	}
 
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
-		err = errors.New(resp.Status)
-		return
+		return value, errors.New(resp.Status)
 	}
 
 	r := AssumeRoleWithLDAPResponse{}