api: Redact tokens in /agent/self

command/agent/agent_endpoint.go

@@ -91,6 +91,14 @@ func (s *HTTPServer) AgentSelfRequest(resp http.ResponseWriter, req *http.Reques
 		self.Config.ACL.ReplicationToken = "<redacted>"
 	}
 
+	if self.Config != nil && self.Config.Consul != nil && self.Config.Consul.Token != "" {
+		self.Config.Consul.Token = "<redacted>"
+	}
+
+	if self.Config != nil && self.Config.Telemetry != nil && self.Config.Telemetry.CirconusAPIToken != "" {
+		self.Config.Telemetry.CirconusAPIToken = "<redacted>"
+	}
+
 	return self, nil
 }
 

command/agent/agent_endpoint_test.go

@@ -58,6 +58,28 @@ func TestHTTP_AgentSelf(t *testing.T) {
 		require.NoError(err)
 		self = obj.(agentSelf)
 		require.Equal("<redacted>", self.Config.ACL.ReplicationToken)
+
+		// Check the Consul config
+		require.Empty(self.Config.Consul.Token)
+
+		// Assign a Consul token and require it is redacted.
+		s.Config.Consul.Token = "badc0deb-adc0-deba-dc0d-ebadc0debadc"
+		respW = httptest.NewRecorder()
+		obj, err = s.Server.AgentSelfRequest(respW, req)
+		require.NoError(err)
+		self = obj.(agentSelf)
+		require.Equal("<redacted>", self.Config.Consul.Token)
+
+		// Check the Circonus config
+		require.Empty(self.Config.Telemetry.CirconusAPIToken)
+
+		// Assign a Consul token and require it is redacted.
+		s.Config.Telemetry.CirconusAPIToken = "badc0deb-adc0-deba-dc0d-ebadc0debadc"
+		respW = httptest.NewRecorder()
+		obj, err = s.Server.AgentSelfRequest(respW, req)
+		require.NoError(err)
+		self = obj.(agentSelf)
+		require.Equal("<redacted>", self.Config.Telemetry.CirconusAPIToken)
 	})
 }