secure debug message

2017-02-19 13:24:00 +08:00 · 2017-02-19 13:24:00 +08:00 · e6e85b0c55
parent 52765466c1
commit e6e85b0c55
4 changed files with 75 additions and 9 deletions
--- a/acme.sh
+++ b/acme.sh
@ -71,6 +71,8 @@ DEBUG_LEVEL_3=3
 DEBUG_LEVEL_DEFAULT=$DEBUG_LEVEL_1
 DEBUG_LEVEL_NONE=0

+HIDDEN_VALUE="[hidden](please add '--output-insecure' to see this value)"
+
 SYSLOG_ERROR="user.error"
 SYSLOG_INFO="user.info"
 SYSLOG_DEBUG="user.debug"
@ -212,6 +214,27 @@ _debug() {
  fi
 }

+#output the sensitive messages
+_secure_debug() {
+  if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_1" ]; then
+    if [ "$OUTPUT_INSECURE" = "1" ]; then
+      _log "$@"
+    else
+      _log "$1" "$HIDDEN_VALUE"
+    fi
+  fi
+  if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG" ]; then
+    _syslog "$SYSLOG_DEBUG" "$1" "$HIDDEN_VALUE"
+  fi
+  if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_1" ]; then
+    if [ "$OUTPUT_INSECURE" = "1" ]; then
+      _printargs "$@" >&2
+    else
+      _printargs "$1" "$HIDDEN_VALUE" >&2
+    fi
+  fi
+}
+
 _debug2() {
  if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_2" ]; then
    _log "$@"
@ -224,6 +247,26 @@ _debug2() {
  fi
 }

+_secure_debug2() {
+  if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_2" ]; then
+    if [ "$OUTPUT_INSECURE" = "1" ]; then
+      _log "$@"
+    else
+      _log "$1" "$HIDDEN_VALUE"
+    fi
+  fi
+  if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG_2" ]; then
+    _syslog "$SYSLOG_DEBUG" "$1" "$HIDDEN_VALUE"
+  fi
+  if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_2" ]; then
+    if [ "$OUTPUT_INSECURE" = "1" ]; then
+      _printargs "$@" >&2
+    else
+      _printargs "$1" "$HIDDEN_VALUE" >&2
+    fi
+  fi
+}
+
 _debug3() {
  if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_3" ]; then
    _log "$@"
@ -236,6 +279,26 @@ _debug3() {
  fi
 }

+_secure_debug3() {
+  if [ "${LOG_LEVEL:-$DEFAULT_LOG_LEVEL}" -ge "$LOG_LEVEL_3" ]; then
+    if [ "$OUTPUT_INSECURE" = "1" ]; then
+      _log "$@"
+    else
+      _log "$1" "$HIDDEN_VALUE"
+    fi
+  fi
+  if [ "${SYS_LOG:-$SYSLOG_LEVEL_NONE}" -ge "$SYSLOG_LEVEL_DEBUG_3" ]; then
+    _syslog "$SYSLOG_DEBUG" "$1" "$HIDDEN_VALUE"
+  fi
+  if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_3" ]; then
+    if [ "$OUTPUT_INSECURE" = "1" ]; then
+      _printargs "$@" >&2
+    else
+      _printargs "$1" "$HIDDEN_VALUE" >&2
+    fi
+  fi
+}
+
 _startswith() {
  _str="$1"
  _sub="$2"
@ -4583,7 +4646,7 @@ Parameters:
  --force, -f                       Used to force to install or force to renew a cert immediately.
  --staging, --test                 Use staging server, just for test.
  --debug                           Output debug info.
-    
+  --output-insecure                 Output all the sensitive messages. By default all the credentials/sensitive messages are hidden from the output/debug/log for secure.
  --webroot, -w  /path/to/webroot   Specifies the web root folder for web root mode.
  --standalone                      Use standalone mode.
  --stateless                       Use stateless mode, see: $_STATELESS_WIKI
@ -4877,6 +4940,9 @@ _process() {
          shift
        fi
        ;;
+      --output-insecure)
+        export OUTPUT_INSECURE=1
+        ;;
      --webroot | -w)
        wvalue="$2"
        if [ -z "$_webroot" ]; then
--- a/dnsapi/dns_aws.sh
+++ b/dnsapi/dns_aws.sh
@ -181,10 +181,10 @@ aws_rest() {

  #kSecret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" ############################

-  _debug2 kSecret "$kSecret"
+  _secure_debug2 kSecret "$kSecret"

  kSecretH="$(printf "%s" "$kSecret" | _hex_dump | tr -d " ")"
-  _debug2 kSecretH "$kSecretH"
+  _secure_debug2 kSecretH "$kSecretH"

  kDateH="$(printf "$RequestDateOnly%s" | _hmac "$Hash" "$kSecretH" hex)"
  _debug2 kDateH "$kDateH"
--- a/dnsapi/dns_lexicon.sh
+++ b/dnsapi/dns_lexicon.sh
@ -34,7 +34,7 @@ dns_lexicon_add() {
  # shellcheck disable=SC2018,SC2019
  Lx_name=$(echo LEXICON_"${PROVIDER}"_USERNAME | tr 'a-z' 'A-Z')
  Lx_name_v=$(eval echo \$"$Lx_name")
-  _debug "$Lx_name" "$Lx_name_v"
+  _secure_debug "$Lx_name" "$Lx_name_v"
  if [ "$Lx_name_v" ]; then
    _saveaccountconf "$Lx_name" "$Lx_name_v"
    eval export "$Lx_name"
@ -43,7 +43,7 @@ dns_lexicon_add() {
  # shellcheck disable=SC2018,SC2019
  Lx_token=$(echo LEXICON_"${PROVIDER}"_TOKEN | tr 'a-z' 'A-Z')
  Lx_token_v=$(eval echo \$"$Lx_token")
-  _debug "$Lx_token" "$Lx_token_v"
+  _secure_debug "$Lx_token" "$Lx_token_v"
  if [ "$Lx_token_v" ]; then
    _saveaccountconf "$Lx_token" "$Lx_token_v"
    eval export "$Lx_token"
@ -52,7 +52,7 @@ dns_lexicon_add() {
  # shellcheck disable=SC2018,SC2019
  Lx_password=$(echo LEXICON_"${PROVIDER}"_PASSWORD | tr 'a-z' 'A-Z')
  Lx_password_v=$(eval echo \$"$Lx_password")
-  _debug "$Lx_password" "$Lx_password_v"
+  _secure_debug "$Lx_password" "$Lx_password_v"
  if [ "$Lx_password_v" ]; then
    _saveaccountconf "$Lx_password" "$Lx_password_v"
    eval export "$Lx_password"
@ -61,7 +61,7 @@ dns_lexicon_add() {
  # shellcheck disable=SC2018,SC2019
  Lx_domaintoken=$(echo LEXICON_"${PROVIDER}"_DOMAINTOKEN | tr 'a-z' 'A-Z')
  Lx_domaintoken_v=$(eval echo \$"$Lx_domaintoken")
-  _debug "$Lx_domaintoken" "$Lx_domaintoken_v"
+  _secure_debug "$Lx_domaintoken" "$Lx_domaintoken_v"
  if [ "$Lx_domaintoken_v" ]; then
    eval export "$Lx_domaintoken"
    _saveaccountconf "$Lx_domaintoken" "$Lx_domaintoken_v"
--- a/dnsapi/dns_ovh.sh
+++ b/dnsapi/dns_ovh.sh
@ -207,7 +207,7 @@ _ovh_authentication() {
    _err "Unable to get consumerKey"
    return 1
  fi
-  _debug consumerKey "$consumerKey"
+  _secure_debug consumerKey "$consumerKey"

  OVH_CK="$consumerKey"
  _saveaccountconf OVH_CK "$OVH_CK"
@ -269,7 +269,7 @@ _ovh_rest() {
  _ovh_t="$(_ovh_timestamp)"
  _debug2 _ovh_t "$_ovh_t"
  _ovh_p="$OVH_AS+$OVH_CK+$m+$_ovh_url+$data+$_ovh_t"
-  _debug _ovh_p "$_ovh_p"
+  _secure_debug _ovh_p "$_ovh_p"
  _ovh_hex="$(printf "%s" "$_ovh_p" | _digest sha1 hex)"
  _debug2 _ovh_hex "$_ovh_hex"