From 068c859237aa16e534b66b106ef87f18de121b31 Mon Sep 17 00:00:00 2001
From: Danielle Lancashire
Date: Mon, 23 Sep 2019 19:07:27 +0200
Subject: [PATCH] api: Redact tokens in /agent/self
---
 command/agent/agent_endpoint.go | 8 ++++++++
 command/agent/agent_endpoint_test.go | 22 ++++++++++++++++++++++
 2 files changed, 30 insertions(+)
diff --git a/command/agent/agent_endpoint.go b/command/agent/agent_endpoint.go
index 07988a5f1..7fe9eae6f 100644
--- a/command/agent/agent_endpoint.go
+++ b/command/agent/agent_endpoint.go
@@ -91,6 +91,14 @@ func (s *HTTPServer) AgentSelfRequest(resp http.ResponseWriter, req *http.Reques
 self.Config.ACL.ReplicationToken = ""
 }
 
+ if self.Config != nil && self.Config.Consul != nil && self.Config.Consul.Token != "" {
+ self.Config.Consul.Token = ""
+ }
+
+ if self.Config != nil && self.Config.Telemetry != nil && self.Config.Telemetry.CirconusAPIToken != "" {
+ self.Config.Telemetry.CirconusAPIToken = ""
+ }
+
 return self, nil
 }
 
diff --git a/command/agent/agent_endpoint_test.go b/command/agent/agent_endpoint_test.go
index d5109f2dc..d9e26f186 100644
--- a/command/agent/agent_endpoint_test.go
+++ b/command/agent/agent_endpoint_test.go
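Review bot: The redaction in AgentSelfRequest (command/agent/agent_endpoint.go) is a hand-maintained list of individual fields, so any credential-bearing config field that is not named here is still returned by /agent/self, and nothing in the new blocks tells the next person adding a token to the config that it must be listed too. I would put a comment above the group, `// Redact every credential field before returning the config; new token fields must be added here.`, or collect the assignments in one helper kept next to the config type. The hunk does not show how self.Config is populated (the function starts outside it); if it is not a private copy, these writes would clear the agent's own tokens, so the comment should state that the redaction operates on a copy. The `!= ""` guards are redundant as well, since assigning "" to an already empty field changes nothing.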
@@ -58,6 +58,28 @@ func TestHTTP_AgentSelf(t *testing.T) {
 require.NoError(err)
 self = obj.(agentSelf)
 require.Equal("", self.Config.ACL.ReplicationToken)
+
+ // Check the Consul config
+ require.Empty(self.Config.Consul.Token)
+
+ // Assign a Consul token and require it is redacted.
+ s.Config.Consul.Token = "badc0deb-adc0-deba-dc0d-ebadc0debadc"
+ respW = httptest.NewRecorder()
+ obj, err = s.Server.AgentSelfRequest(respW, req)
+ require.NoError(err)
+ self = obj.(agentSelf)
+ require.Equal("", self.Config.Consul.Token)
+
+ // Check the Circonus config
+ require.Empty(self.Config.Telemetry.CirconusAPIToken)
+
+ // Assign a Consul token and require it is redacted.
+ s.Config.Telemetry.CirconusAPIToken = "badc0deb-adc0-deba-dc0d-ebadc0debadc"
+ respW = httptest.NewRecorder()
+ obj, err = s.Server.AgentSelfRequest(respW, req)
+ require.NoError(err)
+ self = obj.(agentSelf)
+ require.Equal("", self.Config.Telemetry.CirconusAPIToken)
 })
 }
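Review bot: The new assertions in TestHTTP_AgentSelf only check that the response field is empty, which also holds if the assigned token never reached the config the handler reads, and they never check that the agent's own config still holds the token after the request. After each call I would add `require.Equal("badc0deb-adc0-deba-dc0d-ebadc0debadc", s.Config.Consul.Token)` (and the same for `s.Config.Telemetry.CirconusAPIToken`), assuming s.Config is the object the handler reads from, so that a redaction which mutates live state fails the test. The second `// Assign a Consul token and require it is redacted.` comment sits above the Circonus assignment and should read `// Assign a Circonus API token and require it is redacted.`. The test function starts outside the hunk.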