(arrow-rs-object-store) branch main updated: fix: mask the aws credential info (#364)

Fri, 16 May 2025 11:24:47 -0700 

This is an automated email from the ASF dual-hosted git repository.

tustvold pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/arrow-rs-object-store.git


The following commit(s) were added to refs/heads/main by this push:
     new 55dab67  fix: mask the aws credential info (#364)
55dab67 is described below

commit 55dab670f38793a5f64d6f09719667cc8fd0e797
Author: vinoyang <[email protected]>
AuthorDate: Sat May 17 02:24:36 2025 +0800

    fix: mask the aws credential info (#364)
    
    * fix: mask the aws credential info
    
    * fix: mask the aws credential info
---
 src/aws/credential.rs | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/src/aws/credential.rs b/src/aws/credential.rs
index 56aa952..60cc6a4 100644
--- a/src/aws/credential.rs
+++ b/src/aws/credential.rs
@@ -67,7 +67,7 @@ static UNSIGNED_PAYLOAD: &str = "UNSIGNED-PAYLOAD";
 static STREAMING_PAYLOAD: &str = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD";
 
 /// A set of AWS security credentials
-#[derive(Debug, Eq, PartialEq)]
+#[derive(Eq, PartialEq)]
 pub struct AwsCredential {
     /// AWS_ACCESS_KEY_ID
     pub key_id: String,
@@ -77,6 +77,16 @@ pub struct AwsCredential {
     pub token: Option<String>,
 }
 
+impl std::fmt::Debug for AwsCredential {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("AwsCredential")
+            .field("key_id", &self.key_id)
+            .field("secret_key", &"******")
+            .field("token", &self.token.as_ref().map(|_| "******"))
+            .finish()
+    }
+}
+
 impl AwsCredential {
     /// Signs a string
     ///
@@ -1265,4 +1275,22 @@ mod tests {
         assert_eq!(cred.secret_key, "TEST_SECRET");
         assert_eq!(cred.token.as_deref(), Some("TEST_SESSION_TOKEN"));
     }
+
+    #[test]
+    fn test_output_masks_all_fields() {
+        let cred = AwsCredential {
+            key_id: "AKIAXXX".to_string(),
+            secret_key: "super_secret".to_string(),
+            token: Some("temp_token".to_string()),
+        };
+
+        let debug_output = format!("{:?}", cred);
+
+        assert!(debug_output.contains("key_id: \"AKIAXXX\""));
+        assert!(debug_output.contains("secret_key: \"******\""));
+        assert!(debug_output.contains("token: Some(\"******\")"));
+
+        assert!(!debug_output.contains("super_secret"));
+        assert!(!debug_output.contains("temp_token"));
+    }
 }

Reply via email to