remote/azuread: use Secret type for OAuth client_secret

The ClientSecret field in OAuthConfig was typed as plain string,
causing it to be exposed in plaintext via the /-/config HTTP endpoint.
Change it to config_util.Secret so Prometheus redacts it as <secret>.

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
This commit is contained in:
Julien Pivotto 2026-04-27 12:16:46 +02:00
parent f0f0fdd679
commit 5ccebcdb3f
2 changed files with 9 additions and 7 deletions


@ -27,6 +27,7 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/google/uuid"
"github.com/grafana/regexp"
config_util "github.com/prometheus/common/config"
)
// Clouds.
@ -75,7 +76,7 @@ type OAuthConfig struct {
ClientID string `yaml:"client_id,omitempty"`
// ClientSecret is the clientSecret of the azure active directory application that is being used to authenticate.
ClientSecret string `yaml:"client_secret,omitempty"`
ClientSecret config_util.Secret `yaml:"client_secret,omitempty"`
// TenantID is the tenantId of the azure active directory application that is being used to authenticate.
TenantID string `yaml:"tenant_id,omitempty"`
@ -357,7 +358,7 @@ func newWorkloadIdentityTokenCredential(clientOpts *azcore.ClientOptions, worklo
// newOAuthTokenCredential returns new OAuth token credential.
func newOAuthTokenCredential(clientOpts *azcore.ClientOptions, oAuthConfig *OAuthConfig) (azcore.TokenCredential, error) {
opts := &azidentity.ClientSecretCredentialOptions{ClientOptions: *clientOpts}
return azidentity.NewClientSecretCredential(oAuthConfig.TenantID, oAuthConfig.ClientID, oAuthConfig.ClientSecret, opts)
return azidentity.NewClientSecretCredential(oAuthConfig.TenantID, oAuthConfig.ClientID, string(oAuthConfig.ClientSecret), opts)
}
// newSDKTokenCredential returns new SDK token credential.
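Review bot: The field comment on `ClientSecret` still reads as if the field were a plain string and does not say why it is now a `config_util.Secret`, which is exactly the kind of type a later cleanup tends to revert; a one-line addition would record the intent, e.g. `// ClientSecret is the clientSecret of the azure active directory application that is being used to authenticate. It is a config_util.Secret so it is redacted as <secret> when the configuration is marshalled (e.g. for /-/config).` The explicit `string(oAuthConfig.ClientSecret)` in newOAuthTokenCredential is the right place to unwrap it, since the SDK constructor needs the raw value and the conversion stays local to that call. Any other code in this file that logs, compares or re-marshals an OAuthConfig is outside the visible hunks and should be checked for the same plaintext exposure.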


@ -25,6 +25,7 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/google/uuid"
"github.com/prometheus/client_golang/prometheus/promhttp"
config_util "github.com/prometheus/common/config"
"github.com/stretchr/testify/mock"
"github.com/stretchr/testify/require"
"github.com/stretchr/testify/suite"
@ -32,11 +33,11 @@ import (
)
const (
dummyAudience = "dummyAudience"
dummyClientID = "00000000-0000-0000-0000-000000000000"
dummyClientSecret = "Cl1ent$ecret!"
dummyTenantID = "00000000-a12b-3cd4-e56f-000000000000"
testTokenString = "testTokenString"
dummyAudience = "dummyAudience"
dummyClientID = "00000000-0000-0000-0000-000000000000"
dummyClientSecret config_util.Secret = "Cl1ent$ecret!"
dummyTenantID = "00000000-a12b-3cd4-e56f-000000000000"
testTokenString = "testTokenString"
)
func testTokenExpiry() time.Time { return time.Now().Add(5 * time.Second) }
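Review bot: The test change only retypes `dummyClientSecret`; nothing in this file asserts the behaviour the commit introduces, namely that a marshalled OAuthConfig no longer contains the client secret. A small test that YAML-marshals an `OAuthConfig{ClientSecret: dummyClientSecret}` and requires the output to contain `<secret>` and not the literal `Cl1ent$ecret!` would pin the redaction and catch a future regression to a plain string field. Because `dummyClientSecret` is now a typed constant, any existing comparison or assignment against a `string` elsewhere in this test file will need an explicit `string(dummyClientSecret)` conversion; those lines are outside the hunk.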