From 2244ae22c278272ddccc4d4ada9c4d3c9db0f56e Mon Sep 17 00:00:00 2001
From: John Livingston <git@john-livingston.fr>
Date: Tue, 7 Dec 2021 10:50:28 +0100
Subject: [PATCH] Prosody diagnostic: hidden secret keys from the result.

---
 server/lib/diagnostic/prosody.ts | 10 +++++++---
 server/lib/prosody/config.ts     | 23 ++++++++++++++++++++---
 2 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/server/lib/diagnostic/prosody.ts b/server/lib/diagnostic/prosody.ts
index 57252004..5ba10e49 100644
--- a/server/lib/diagnostic/prosody.ts
+++ b/server/lib/diagnostic/prosody.ts
@@ -1,4 +1,4 @@
-import { getProsodyConfig, getWorkingDir } from '../prosody/config'
+import { getProsodyConfig, getProsodyConfigContentForDiagnostic, getWorkingDir } from '../prosody/config'
 import { getProsodyAbout, testProsodyCorrectlyRunning } from '../prosody/ctl'
 import { newResult, TestResult } from './utils'
 import { getAPIKey } from '../apikey'
@@ -62,7 +62,10 @@ export async function diagProsody (test: string, options: RegisterServerOptions)
 
     result.debug.push({
       title: 'Current prosody configuration',
-      message: actualContent
+      // we have to hide secret keys and other values.
+      // But here, we haven't them for actualContent.
+      // So we will use values in wantedConfig, hopping it is enough.
+      message: getProsodyConfigContentForDiagnostic(wantedConfig, actualContent)
     })
 
     const wantedContent = wantedConfig.content
@@ -72,7 +75,8 @@ export async function diagProsody (test: string, options: RegisterServerOptions)
       result.messages.push('Prosody configuration file content is not correct.')
       result.debug.push({
         title: 'Prosody configuration should be',
-        message: wantedContent
+        // we have to hide secret keys and other values:
+        message: getProsodyConfigContentForDiagnostic(wantedConfig)
       })
       return result
     }
diff --git a/server/lib/prosody/config.ts b/server/lib/prosody/config.ts
index eddd52bd..cc5a30df 100644
--- a/server/lib/prosody/config.ts
+++ b/server/lib/prosody/config.ts
@@ -77,6 +77,7 @@ interface ProsodyConfig {
   logByDefault: boolean
   logExpiration: ConfigLogExpiration
   bots: ProsodyConfigBots
+  valuesToHideInDiagnostic: {[key: string]: string}
 }
 async function getProsodyConfig (options: RegisterServerOptions): Promise<ProsodyConfig> {
   const logger = options.peertubeHelpers.logger
@@ -84,6 +85,7 @@ async function getProsodyConfig (options: RegisterServerOptions): Promise<Prosod
 
   let useExternalComponents = false
   const bots: ProsodyConfigBots = {}
+  const valuesToHideInDiagnostic: {[key: string]: string} = {}
 
   const settings = await options.settingsManager.getSettings([
     'prosody-port',
@@ -109,6 +111,8 @@ async function getProsodyConfig (options: RegisterServerOptions): Promise<Prosod
   const roomType = (settings['prosody-room-type']) === 'channel' ? 'channel' : 'video'
 
   const apikey = await getAPIKey(options)
+  valuesToHideInDiagnostic.APIKey = apikey
+
   let baseApiUrl = settings['prosody-peertube-uri'] as string
   if (baseApiUrl && !/^https?:\/\/[a-z0-9.-_]+(?::\d+)?$/.test(baseApiUrl)) {
     throw new Error('Invalid prosody-peertube-uri')
@@ -162,7 +166,9 @@ async function getProsodyConfig (options: RegisterServerOptions): Promise<Prosod
   const demoBotUUIDs = parseConfigDemoBotUUIDs((settings['chat-videos-list'] as string) || '')
   if (demoBotUUIDs?.length > 0) {
     useExternalComponents = true
-    config.useDemoBot(await getExternalComponentKey(options, 'DEMOBOT'))
+    const componentSecret = await getExternalComponentKey(options, 'DEMOBOT')
+    valuesToHideInDiagnostic.ComponentSecret = componentSecret
+    config.useDemoBot(componentSecret)
     bots.demo = demoBotUUIDs
   }
 
@@ -185,7 +191,8 @@ async function getProsodyConfig (options: RegisterServerOptions): Promise<Prosod
     roomType,
     logByDefault,
     logExpiration,
-    bots
+    bots,
+    valuesToHideInDiagnostic
   }
 }
 
@@ -258,10 +265,20 @@ function readLogExpiration (options: RegisterServerOptions, logExpiration: strin
   }
 }
 
+function getProsodyConfigContentForDiagnostic (config: ProsodyConfig, content?: string): string {
+  let r: string = content ?? config.content
+  for (const key in config.valuesToHideInDiagnostic) {
+    // replaceAll not available, using trick:
+    r = r.split(config.valuesToHideInDiagnostic[key]).join(`***${key}***`)
+  }
+  return r
+}
+
 export {
   getProsodyConfig,
   getWorkingDir,
   ensureWorkingDir,
   getProsodyFilePaths,
-  writeProsodyConfig
+  writeProsodyConfig,
+  getProsodyConfigContentForDiagnostic
 }