e6088c79a3
Mirror M34's dynamic issuer config pattern for deployment targets: AES-256-GCM encrypted config storage, sensitive field redaction in API responses, agent heartbeat-based test connection endpoint, and full frontend updates including test status indicators, source badges, and removal of stale hostname/status fields from the Target interface. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
package service
import (
"encoding/json"
"strings"
)
// sensitiveKeys lists the lowercase substrings that mark a config key as
// holding a secret. A key is redacted in API responses when its lowercased
// name contains any one of these entries, so short entries such as "key" also
// match longer, possibly non-secret names; that errs on the side of hiding.
//
// NOTE(review): matching is by substring only, so secret-bearing names that
// contain none of these entries (for example "passphrase" or "passwd") are not
// covered. Confirm against the config schemas that every secret field name
// contains at least one entry.
var sensitiveKeys = []string{
	"password",
	"secret",
	"token",
	"key",
	"hmac",
	"private",
	"credentials",
}
// isSensitiveConfigKey reports whether key names a secret-bearing config
// field. The comparison is case-insensitive and by substring: the key is
// lowercased and matched against every entry of sensitiveKeys, so a key such
// as "API_Token" matches the "token" entry.
func isSensitiveConfigKey(key string) bool {
	normalized := strings.ToLower(key)
	for i := range sensitiveKeys {
		if strings.Contains(normalized, sensitiveKeys[i]) {
			return true
		}
	}
	return false
}
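// redactConfigJSON returns a copy of a JSON config in which secret values are
// replaced with "********", so the config can be included in API responses.
//
// A key is sensitive when isSensitiveConfigKey reports true for it. The whole
// document is walked: sensitive keys are honoured at any nesting depth (inside
// nested objects and inside objects held in arrays), and every non-empty
// string found anywhere beneath a sensitive key is masked. Previously only
// top-level string values were masked, so a secret stored in a nested object
// or under a sensitive key whose value was an object or array was returned in
// clear. Empty strings and non-string scalars are left untouched.
//
// The result is re-encoded with json.Marshal, so key order and whitespace may
// differ from the input. Input whose top level is not an object or array, that
// does not parse as JSON, or that cannot be re-encoded is returned unchanged.
//
// NOTE(review): returning unparseable input unchanged is fail-open. Callers
// should only pass stored config that is known to be valid JSON; confirm that
// no caller relies on this path to sanitize arbitrary bytes.
func redactConfigJSON(configJSON json.RawMessage) json.RawMessage {
	var doc interface{}
	if err := json.Unmarshal(configJSON, &doc); err != nil {
		return configJSON // Not valid JSON, return as-is
	}

	// Only containers can carry keyed secrets; scalars and null pass through
	// byte-for-byte, as they did before.
	switch doc.(type) {
	case map[string]interface{}, []interface{}:
	default:
		return configJSON
	}

	redacted, err := json.Marshal(redactConfigValue(doc, false))
	if err != nil {
		return configJSON
	}
	return json.RawMessage(redacted)
}

// redactConfigValue masks secrets inside a decoded JSON value and returns the
// value to store in its parent. Maps and slices are modified in place. When
// underSensitiveKey is true the value sits beneath a sensitive key, so every
// non-empty string it contains is masked regardless of its own key name.
func redactConfigValue(v interface{}, underSensitiveKey bool) interface{} {
	switch val := v.(type) {
	case string:
		if underSensitiveKey && val != "" {
			return "********"
		}
		return val
	case map[string]interface{}:
		for k, child := range val {
			// Sensitivity is inherited: once a parent key is sensitive,
			// all descendants are treated as secret material.
			val[k] = redactConfigValue(child, underSensitiveKey || isSensitiveConfigKey(k))
		}
		return val
	case []interface{}:
		for i, child := range val {
			val[i] = redactConfigValue(child, underSensitiveKey)
		}
		return val
	default:
		// Numbers, booleans and null are not masked.
		return v
	}
}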