Skip to content

Programatically Declare "keys-to-sanitize" #27296

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
michaelmcfadyensky opened this issue Jul 12, 2021 · 5 comments
Closed

Programatically Declare "keys-to-sanitize" #27296

michaelmcfadyensky opened this issue Jul 12, 2021 · 5 comments
Labels
status: duplicate A duplicate of another issue type: enhancement A general enhancement

Comments

@michaelmcfadyensky
Copy link

Problem I am looking to solve:

I am building a library that exposes configuration properties and some of these configuration properties would be seen as sensitive. So we'd want these properties to be masked on the /configprops endpoint. I would prefer for the library to be the source that declares these properties as sensitive and not push that responsibility down to each spring boot application using this library.

Current Solution

Each application using this library needs to be aware that they need to update the management.endpoint.configprops.keys-to-sanitize property to ensure sensitive information is not leaked. This results in this responsibility being managed in many places, instead of one.

Proposed Solution(s)

Below are a couple suggestions but more than welcome to suggestions.

1 .Introduce a mechanism to define additional keys-to-santize programmatically.

2 .Introduce a way to tag a field within a @ConfigurationProperties class as "should be santized"

@ConfigurationProperties(prefix = "my.sensitive")
public class SensitiveProperties {
    
    @Sanitize
    private String valueToSanitise;
}

More than happy to find out this functionality already exists in Spring Boot and I've just missed it.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 12, 2021
@wilkinsona
Copy link
Member

Have you seen the support that we added for this in 2.5?

@wilkinsona wilkinsona added the status: waiting-for-feedback We need additional information before we can continue label Jul 12, 2021
@michaelmcfadyensky
Copy link
Author

Correct me if I'm wrong but that feature still requires yml/properties to be set. I'm not sure how that could be used by a custom "starter" library to define additional keys to sanitize.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jul 12, 2021
@wilkinsona
Copy link
Member

You can call keysToSanitize(String...) on the endpoint to add additional keys.

@wilkinsona
Copy link
Member

Judging by the 👍, I think we're good here. Closing as a duplicate of #25384.

@wilkinsona wilkinsona added status: duplicate A duplicate of another issue type: enhancement A general enhancement and removed status: feedback-provided Feedback has been provided status: waiting-for-triage An issue we've not yet triaged labels Jul 13, 2021
@michaelmcfadyensky
Copy link
Author

sorry, for the delay. I was just testing a few things and you're right, we're good here. Thanks for your help.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: duplicate A duplicate of another issue type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@wilkinsona @spring-projects-issues @michaelmcfadyensky