Closed dtanner closed 1 year ago
Are you aware of the withReport you can enable on the config builder?
On Wed, Sep 6, 2023, 1:43 PM Dan Tanner @.***> wrote:
FWIW this post https://utcc.utoronto.ca/~cks/space/blog/sysadmin/ReportConfigFileLocations and some of its linked docs sparked the idea.
No, I wasn't aware of that! Thanks! Looking at it, it almost works out of the box for me, with the exception of the limited masking. E.g., as pragmatic as it is, our security team would have an issue with any value leakage, like:
| db.password | classpath:/default.conf | van***** |
In this example, I'm hydrating a library's configuration domain object that's out of my control, so it's not easy for me to mark it as a secret, and I'd probably forget even if I could.
So...
Is withReport primarily intended for testing, and not for production server startup usage? I'm stoked that you have this data available. A couple ideas:
1) allow an argument in withReport to indicate if it should include values in the report
2) or mask all string values (don't show partial values), or make that an option.
apologies - i see there are more dials in there for obfuscation - awesome.
You can supply your own implementation of the obfuscator to set all values as masked, as well as code to determine what is a secret.
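The security point in this exchange is language-agnostic: a report that prints `van*****` hands a reader the first three characters of a password, and a name-based "what is a secret" rule misses secrets that sit inside innocuously named fields (a DSN, a connection string). The following is an added illustration in Python, constructed for this page; it is not hoplite's code and does not reproduce hoplite's `Obfuscator` or `SecretsPolicy` interfaces. It models the two dials the thread discusses (which fields count as secret, how a secret is rendered) over a made-up report table, and shows why a keyed hash keeps the one useful property of partial masking (spotting the same secret reused in two places) without leaking any of the value. The sample rows and the per-run key are constructed assumptions.

```python
"""Constructed demonstration (not hoplite code) of how config-report masking
choices leak or protect values.  Two knobs are modelled: which fields count
as secrets, and how a secret's value is rendered in the report."""
import hashlib
import hmac
import re
import secrets

# Constructed sample of a resolved configuration report: (key, source, value).
# Values are made up; "vandelay-industries-2023" is reused on purpose so the
# report can show that two fields hold the same secret.
SAMPLE_REPORT = [
    ("db.host", "classpath:/default.conf", "db.internal"),
    ("db.password", "classpath:/default.conf", "vandelay-industries-2023"),
    ("db.dsn", "env:DB_DSN", "postgres://app:vandelay-industries-2023@db.internal/app"),
    ("api.token", "env:API_TOKEN", "vandelay-industries-2023"),
    ("feature.flags", "sysprop:feature.flags", "beta"),
]

# Assumption: a random key generated once per process start, never persisted.
REPORT_KEY = secrets.token_bytes(16)

# --- secrets policies: decide which keys are treated as secret -------------
SECRET_NAME_PATTERN = re.compile(r"(password|secret|token|key)", re.IGNORECASE)


def name_based_policy(key: str) -> bool:
    """Secret only if the field name looks like one.  Misses secrets embedded
    in innocuously named fields such as a DSN or connection string."""
    return SECRET_NAME_PATTERN.search(key) is not None


def every_field_policy(key: str) -> bool:
    """Every field is secret: the safe default when the config object belongs
    to a third-party library and cannot be annotated."""
    return True


# --- obfuscators: decide how a secret's value is rendered -------------------
def prefix_mask(value: str, reveal: int = 3) -> str:
    """Partial mask keeping the first `reveal` characters ('van*****' style).
    The revealed prefix confirms guesses and shrinks the search space."""
    return value[:reveal] + "*" * max(len(value) - reveal, 0)


def full_mask(value: str) -> str:
    """Fixed-width mask: leaks neither content nor length, but two fields
    holding the same secret can no longer be told apart."""
    return "*****"


def hash_mask(value: str) -> str:
    """Keyed-hash mask (HMAC-SHA256, truncated): a reader learns nothing about
    the value and cannot brute-force weak values offline without REPORT_KEY,
    yet equal values get equal tags, so a reused secret remains visible."""
    return hmac.new(REPORT_KEY, value.encode(), hashlib.sha256).hexdigest()[:8]


def render_report(rows, obfuscate, is_secret):
    """Render rows as the pipe-delimited table quoted in the thread."""
    lines = ["| key | source | value |"]
    for key, source, value in rows:
        shown = obfuscate(value) if is_secret(key) else value
        lines.append(f"| {key} | {source} | {shown} |")
    return lines


def plaintext_leaks(rows, rendered, needle):
    """Keys whose rendered row still contains `needle` in the clear."""
    return [key for (key, _, _), line in zip(rows, rendered[1:]) if needle in line]


def reused_secrets(rows, is_secret):
    """Group secret keys by hash tag; groups larger than one share a value."""
    groups = {}
    for key, _, value in rows:
        if is_secret(key):
            groups.setdefault(hash_mask(value), []).append(key)
    return {tag: sorted(keys) for tag, keys in groups.items() if len(keys) > 1}


if __name__ == "__main__":
    # Leaky configuration: partial mask plus name-based policy.
    print("\n".join(render_report(SAMPLE_REPORT, prefix_mask, name_based_policy)))
    # Safe configuration: keyed hash plus every-field policy.
    print("\n".join(render_report(SAMPLE_REPORT, hash_mask, every_field_policy)))
    print("reused:", reused_secrets(SAMPLE_REPORT, every_field_policy))
```

Under the name-based policy the `db.dsn` row is printed in full, embedded password included, even though `db.password` itself is masked; under the every-field policy nothing leaks regardless of how the library named its fields. Using a per-run random key for the hash means tags are comparable within one report (which is what you need to notice a reused secret) but differ between runs, so a report captured from logs cannot be used to test guesses offline; an unkeyed hash would give stable tags at the cost of exactly that exposure for low-entropy values.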
Yep hopefully it has all you need, otherwise can add more.
yep all i need! fantastic work @sksamuel
```kotlin
// Builder chain as posted; ConfigLoaderBuilder.default() and build() added so the fragment is complete
ConfigLoaderBuilder.default()
    .withReport()
    .withObfuscator(HashObfuscator())
    .withSecretsPolicy(EveryFieldSecretsPolicy)
    .build()
```
It would be useful for me when an app runs if I was able to see what sources were considered, and what were actually used. Most of the time I'm thinking about optional resources and files here in the context of debugging an app, and I want to quickly see what sources were actually used for configuration.
I presume this could get messy with things like environment variable overrides and all the other types of sources. What are your thoughts on feasibility of this? e.g. At the very least it would be handy to know the files and resources considered and actually used. Ideally the keys of environment variables and system properties would be included too. Not sure if the core is designed in a way that supports this though.