fix(config): add redaction for sensitive fields (#185)

vladopajic · web-flow · commit ad8efc22ff3f · 2025-04-18T18:39:00.000+02:00
diff --git a/pkg/testcoverage/check.go b/pkg/testcoverage/check.go
@@ -12,13 +12,13 @@ import (
 	"github.com/vladopajic/go-test-coverage/v2/pkg/testcoverage/logger"
 )
 
-//nolint:maintidx // relax
-func Check(wout io.Writer, cfg Config) (bool, error) {
+//nolint:maintidx,nonamedreturns // relax
+func Check(wout io.Writer, cfg Config) (pass bool, err error) {
 	buffer := &bytes.Buffer{}
 	w := bufio.NewWriter(buffer)
 	//nolint:errcheck // relax
 	defer func() {
-		if cfg.Debug {
+		if cfg.Debug || err != nil {
 			wout.Write(logger.Bytes())
 			wout.Write([]byte("-------------------------\n\n"))
 		}
@@ -33,7 +33,7 @@ func Check(wout io.Writer, cfg Config) (bool, error) {
 	}
 
 	logger.L.Info().Msg("running check...")
-	logger.L.Info().Any("config", cfg).Msg("using configuration")
+	logger.L.Info().Any("config", cfg.Redacted()).Msg("using configuration")
 
 	currentStats, err := GenerateCoverageStats(cfg)
 	if err != nil {
diff --git a/pkg/testcoverage/config.go b/pkg/testcoverage/config.go
@@ -13,6 +13,8 @@ import (
 	"github.com/vladopajic/go-test-coverage/v2/pkg/testcoverage/badgestorer"
 )
 
+const HiddenValue = "***"
+
 var (
 	ErrThresholdNotInRange         = errors.New("threshold must be in range [0 - 100]")
 	ErrCoverageProfileNotSpecified = errors.New("coverage profile file not specified")
@@ -60,6 +62,23 @@ type Badge struct {
 	Git      badgestorer.Git
 }
 
+//nolint:wsl,mnd // relax
+func (c Config) Redacted() Config {
+	r := c
+
+	if r.Badge.CDN.Key != "" {
+		r.Badge.CDN.Key = r.Badge.CDN.Key[0:min(len(r.Badge.CDN.Key), 5)] + HiddenValue
+	}
+	if r.Badge.CDN.Secret != "" {
+		r.Badge.CDN.Secret = HiddenValue
+	}
+	if r.Badge.Git.Token != "" {
+		r.Badge.Git.Token = HiddenValue
+	}
+
+	return r
+}
+
 func (c Config) Validate() error {
 	validateRegexp := func(s string) error {
 		_, err := regexp.Compile("(?i)" + s)
diff --git a/pkg/testcoverage/config_test.go b/pkg/testcoverage/config_test.go
@@ -12,6 +12,36 @@ import (
 
 const nonEmptyStr = "any"
 
+func Test_Config_Redacted(t *testing.T) {
+	t.Parallel()
+
+	cfg := newValidCfg()
+	cfg.Badge.Git.Token = nonEmptyStr
+	cfg.Badge.CDN.Secret = nonEmptyStr
+	cfg.Badge.CDN.Key = nonEmptyStr
+
+	r := cfg.Redacted()
+
+	// redacted should not be equal to original
+	assert.NotEqual(t, cfg, r)
+
+	// original should not change
+	assert.Equal(t, nonEmptyStr, cfg.Badge.Git.Token)
+	assert.Equal(t, nonEmptyStr, cfg.Badge.CDN.Secret)
+	assert.Equal(t, nonEmptyStr, cfg.Badge.CDN.Key)
+
+	// redacted should have hidden values
+	assert.Equal(t, HiddenValue, r.Badge.Git.Token)
+	assert.Equal(t, HiddenValue, r.Badge.CDN.Secret)
+	assert.Equal(t, nonEmptyStr+HiddenValue, r.Badge.CDN.Key)
+
+	// redacted config of empty field should not do anything
+	r = Config{}.Redacted()
+	assert.Empty(t, r.Badge.Git.Token)
+	assert.Empty(t, r.Badge.CDN.Secret)
+	assert.Empty(t, r.Badge.CDN.Key)
+}
+
 func Test_Config_Validate(t *testing.T) {
 	t.Parallel()
 
