
Sanitize credentials from AWS client err (#2431)

Signed-off-by: Jordi Prats <jordi.prats@gmail.com>
Jordi Prats 2 years ago
parent
commit
10b15db2b2

+ 1 - 1
pkg/provider/aws/secretsmanager/secretsmanager.go

@@ -460,7 +460,7 @@ func (sm *SecretsManager) Validate() (esv1beta1.ValidationResult, error) {
 	}
 	_, err := sm.sess.Config.Credentials.Get()
 	if err != nil {
-		return esv1beta1.ValidationResultError, err
+		return esv1beta1.ValidationResultError, util.SanitizeErr(err)
 	}
 	return esv1beta1.ValidationResultReady, nil
 }

+ 10 - 5
pkg/provider/aws/util/errors.go

@@ -19,11 +19,16 @@ import (
 	"regexp"
 )
 
-var regexReqID = regexp.MustCompile(`request id: (\S+)`)
+var regexReqIDs = []*regexp.Regexp{
+	regexp.MustCompile(`request id: (\S+)`),
+	regexp.MustCompile(` Credential=.+`),
+}
 
-// SanitizeErr sanitizes the error string
-// because the requestID must not be included in the error.
-// otherwise the secrets keeps syncing.
+// SanitizeErr sanitizes the error string.
 func SanitizeErr(err error) error {
-	return errors.New(string(regexReqID.ReplaceAll([]byte(err.Error()), nil)))
+	msg := err.Error()
+	for _, regex := range regexReqIDs {
+		msg = string(regex.ReplaceAll([]byte(msg), nil))
+	}
+	return errors.New(msg)
 }
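Review bot: The ` Credential=.+` entry added to `regexReqIDs` matches only when `Credential=` follows a space, and because `.` stops at a newline it removes just the rest of that one line. A `SignedHeaders=` or `Signature=` part on a following line, or a `Credential=` directly after a quote or comma, would therefore stay in the returned error. Whether the SDK ever formats the message that way is not visible here, but making the space optional and adding a word boundary (` ?\bCredential=.+`) keeps the current test expectation and covers those cases. The slice also keeps the name `regexReqIDs` although it now holds a credential pattern, and the shortened comment drops the reason request ids are removed. I would rename it to something like `sanitizePatterns` and keep a comment such as `// request ids change on every call and keep the secret re-syncing; Credential= echoes the signed Authorization header`.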

+ 4 - 0
pkg/provider/aws/util/errors_test.go

@@ -30,6 +30,10 @@ func TestSanitize(t *testing.T) {
 			expected: "some AccessDeniedException: User: arn:aws:sts::123123123123:assumed-role/foobar is not authorized to perform: secretsmanager:GetSecretValue on resource: example\n\tstatus code: 400, ",
 		},
 		{
+			err:      errors.New("IncompleteSignature: 'something' not a valid key=value pair (missing equal-sign) in Authorization header: 'AWS4-HMAC-SHA256 Credential=You,Can Get\"Almost{Anything}Here', SignedHeaders=content-length;content-type;host;x-amz-date, Signature=42ee80d90508ee472701f8fb7014f10c0ac16b6d6ac59379f0612ca2d35d7464'"),
+			expected: "IncompleteSignature: 'something' not a valid key=value pair (missing equal-sign) in Authorization header: 'AWS4-HMAC-SHA256",
+		},
+		{
 			err:      errors.New("some generic error"),
 			expected: "some generic error",
 		},
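Review bot: The added case covers only a single-line message, so it does not show what `SanitizeErr` leaves behind when the Authorization header echo is followed by the `\n\tstatus code: 400, request id: …` tail that the AccessDeniedException case above carries. A constructed case combining both, with the expected string ending in `'AWS4-HMAC-SHA256\n\tstatus code: 400, `, would pin that the two patterns compose and that nothing after `Credential=` on that line survives. The table declaration and the loop that runs it lie outside this hunk.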