jackc / tern

The SQL Fan's Migrator
MIT License

Ability to mask created user's passwords #87

Closed dragonfriend0013 closed 10 months ago

dragonfriend0013 commented 1 year ago

I am starting to use this utility to handle our database migrations. One thing that is missing is the ability to suppress the password in any SQL that creates a user.

When this is run in Jenkins, this output can be saved and the user's password can be exposed.

I could suppress all output by redirecting all output to /dev/null, but seeing the SQL statements during a migration is helpful.

For example:

CREATE USER testuser WITH PASSWORD 'testpass'; GRANT CONNECT ON DATABASE adl TO testuser;

could be masked with:

CREATE USER testuser WITH PASSWORD '*****'; GRANT CONNECT ON DATABASE test TO testuser;

jackc commented 1 year ago

tern doesn't have a way to know what text to redact.

Instead of redirecting to /dev/null you could redirect to sed, perl, ruby, or the like and do your filtering there.

e.g.

$ echo "CREATE USER testuser WITH PASSWORD 'testpass'; GRANT CONNECT ON DATABASE adl TO testuser;" | ruby -pe '$_.gsub!(/(?<=password '\'').*?(?='\'')/i, '\''***'\'')'
CREATE USER testuser WITH PASSWORD '***'; GRANT CONNECT ON DATABASE adl TO testuser;

Obviously the combination of regex and shell escaping is pretty brutal, but the redaction could be extracted into its own script and the results of tern piped into there.
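
Added example, not part of the thread or of tern: the redaction extracted into its own Ruby filter script, as the last comment suggests. It goes beyond the one-liner by also handling PostgreSQL's doubled-quote (`''`) and `E'...'` escapes, where a non-greedy match up to the next quote would leave the tail of the password in the log. The names `redact_sql`, `redact_stream`, the `--stdin` switch and the sample statements are constructed for this example.

```ruby
require "stringio"

# Matches the string literal that follows the PASSWORD keyword in
# PostgreSQL CREATE/ALTER USER|ROLE statements. Two literal forms:
#   '...'   standard string, where '' is an escaped quote
#   E'...'  escape string, where \' and '' are escaped quotes
PASSWORD_LITERAL = /(\bPASSWORD\s+)(?:E'(?:[^'\\]|\\.|'')*'|'(?:[^']|'')*')/i

MASK = "'*****'"

# Return the text with every PASSWORD literal replaced by the mask.
# The keyword and its spacing are kept so the statement stays readable.
def redact_sql(text)
  text.gsub(PASSWORD_LITERAL) { "#{Regexp.last_match(1)}#{MASK}" }
end

# Filter a stream line by line so output still appears as it is produced.
# A literal split across lines is not matched by this per-line filter.
def redact_stream(input, output)
  input.each_line { |line| output.write(redact_sql(line)) }
  output.flush
end

# Constructed sample input (not real credentials).
SAMPLE = <<~'SQL'
  CREATE USER testuser WITH PASSWORD 'testpass'; GRANT CONNECT ON DATABASE adl TO testuser;
  ALTER ROLE app ENCRYPTED PASSWORD 'it''s-secret';
  create role svc password E'a\'b';
SQL

# Hypothetical switch for this example: act as a pipe filter only on request.
redact_stream($stdin, $stdout) if ARGV.delete("--stdin")
```

Saved as `redact_sql.rb` (a name chosen here), it would sit at the end of the pipeline: `tern migrate | ruby redact_sql.rb --stdin`. It only covers the `PASSWORD '<literal>'` pattern, so secrets that appear elsewhere in a migration still reach the log.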