diff --git a/src/sts/tests.rs b/src/sts/tests.rs
index dc98d04..986372c 100644
--- a/src/sts/tests.rs
+++ b/src/sts/tests.rs
@@ -155,15 +155,21 @@ fn unexpected_status_includes_upstream_json_error_summary() {
fn unexpected_status_redacts_sensitive_upstream_error_summary() {
let err = RustfsClientError::unexpected_status_with_body(
StatusCode::BAD_REQUEST,
- r#"{"code":"InvalidRequest","message":"secretkey: SK_TEST clientSecret: oidc-secret AKIA_XML"}"#,
+ r#"{"code":"InvalidRequest","message":"secretkey: SK_TEST clientSecret: oidc-secret SecretAccessKey: SK_STS AccessKeyId: AKIA_STS SK_XML AKIA_XML"}"#,
);
let message = err.to_string();
assert!(message.contains("secretkey: "));
assert!(message.contains("clientSecret: "));
- assert!(message.contains(""));
+ assert!(message.contains("SecretAccessKey: "));
+ assert!(message.contains("AccessKeyId: "));
+ assert!(message.contains(""));
+ assert!(message.contains(""));
assert!(!message.contains("SK_TEST"));
assert!(!message.contains("oidc-secret"));
+ assert!(!message.contains("SK_STS"));
+ assert!(!message.contains("AKIA_STS"));
+ assert!(!message.contains("SK_XML"));
assert!(!message.contains("AKIA_XML"));
}
diff --git a/src/utils/sanitize.rs b/src/utils/sanitize.rs
index f1fc5bc..bea44a0 100644
--- a/src/utils/sanitize.rs
+++ b/src/utils/sanitize.rs
@@ -12,15 +12,21 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-const SENSITIVE_KEYS: [&str; 16] = [
+const SENSITIVE_KEYS: [&str; 22] = [
"token",
"password",
"accesskey",
"access_key",
"access-key",
+ "accesskeyid",
+ "access_key_id",
+ "access-key-id",
"secretkey",
"secret_key",
"secret-key",
+ "secretaccesskey",
+ "secret_access_key",
+ "secret-access-key",
"clientsecret",
"client_secret",
"client-secret",
@@ -42,7 +48,9 @@ fn is_sensitive_key(key: &str) -> bool {
"token"
| "password"
| "accesskey"
+ | "accesskeyid"
| "secretkey"
+ | "secretaccesskey"
| "clientsecret"
| "sessiontoken"
| "credential"
@@ -282,6 +290,26 @@ mod tests {
assert!(!sanitized.contains("SK_XML"));
}
+ #[test]
+ fn redacts_sts_credential_field_names() {
+ let message = r#"AccessKeyId: AKIA_TEXT SecretAccessKey: SK_TEXT {"access_key_id":"AKIA_JSON","secret-access-key":"SK_JSON"} AKIA_XML SK_XML"#;
+
+ let sanitized = redact_sensitive_pairs(message);
+
+ assert!(sanitized.contains("AccessKeyId: "));
+ assert!(sanitized.contains("SecretAccessKey: "));
+ assert!(sanitized.contains(r#""access_key_id":"""#));
+ assert!(sanitized.contains(r#""secret-access-key":"""#));
+ assert!(sanitized.contains(""));
+ assert!(sanitized.contains(""));
+ assert!(!sanitized.contains("AKIA_TEXT"));
+ assert!(!sanitized.contains("SK_TEXT"));
+ assert!(!sanitized.contains("AKIA_JSON"));
+ assert!(!sanitized.contains("SK_JSON"));
+ assert!(!sanitized.contains("AKIA_XML"));
+ assert!(!sanitized.contains("SK_XML"));
+ }
+
#[test]
fn handles_unicode_without_panicking() {
let message = "错误🔐 token: tok_123 用户=测试 secretkey: SK_TEST 完成";