Description
This will, I think, be an enhancement request somewhat related to but different from #6876 (and #6903).
As mentioned on the Spring Cloud Gitter, I would like to mask the password for MongoDB in the /env and /configprops Actuator endpoints. Mongo essentially requires using the spring.data.mongodb.uri for multiple hosts, so spring.data.mongodb.password cannot be used.
Since I am using Spring Cloud Config and want to encrypt the MongoDB password, I am using a separate property for that (mongo.password in the snippets below). I then use this variable as a placeholder in spring.data.mongodb.uri. This works well, but I would still need to add uri to the list of keys to sanitize to avoid leaking the password as shown below.
It would be a useful enhancement if placeholders of properties to be sanitized were not resolved and instead masked.
Here is a snippet from GET /env:
The mongo.password property is sanitized since it ends in password, and from here placeholders are not resolved, so everything is fine.
{
  "configService:ssh://git@git-server:9999/cloud-config/mongo-demo/mongo-demo.yml": {
    "spring.application.name": "mongo-demo",
    "spring.data.mongodb.uri": "mongodb://user:${mongo.password}@host1:27017,host2:27017,host3:27017/dbname",
    "mongo.password": "******"
  }
}
When retrieving the value for a specific property from the /env endpoint, currently the placeholders are unconditionally resolved as follows.
GET /env/spring.data.mongodb.uri
{
  "spring.data.mongodb.uri": "mongodb://user:password@host1:27017,host2:27017,host3:27017/dbname"
}
With this ticket's requested enhancement, the placeholder ${mongo.password} will be masked because it is a key to be sanitized (endpoints.env.keys-to-sanitize).
GET /env/spring.data.mongodb.uri
{
  "spring.data.mongodb.uri": "mongodb://user:********@host1:27017,host2:27017,host3:27017/dbname"
}
The above applies to the /configprops endpoint also.
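
A sketch of the requested behaviour, added here as an illustration; it is not code from this issue or from Spring Boot. The class and method names are hypothetical, the suffix list stands in for endpoints.env.keys-to-sanitize, and the mongo.userinfo property is constructed to show that a secret reached through an intermediate property is masked as well.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PlaceholderMaskingDemo {
    // Assumption: keys are sensitive when they end in one of these suffixes.
    static final List<String> KEYS_TO_SANITIZE = List.of("password", "secret");
    // Matches ${key} and ${key:default}.
    static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{([^}:]+)(?::([^}]*))?\\}");
    static final String MASK = "******";

    static boolean isSensitive(String key) {
        String k = key.toLowerCase();
        return KEYS_TO_SANITIZE.stream().anyMatch(k::endsWith);
    }

    // Resolve placeholders, substituting the mask for every sensitive key.
    static String resolveMasked(String value, Map<String, String> props, int depth) {
        if (depth > 10) return value; // stop on circular references
        Matcher m = PLACEHOLDER.matcher(value);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String key = m.group(1);
            String resolved;
            if (isSensitive(key)) resolved = MASK; // never read the secret
            else if (props.containsKey(key)) resolved = resolveMasked(props.get(key), props, depth + 1);
            else if (m.group(2) != null) resolved = m.group(2); // default value
            else resolved = m.group(0); // unknown key: leave placeholder as is
            m.appendReplacement(out, Matcher.quoteReplacement(resolved));
        }
        m.appendTail(out);
        return out.toString();
    }

    // What a per-property lookup such as GET /env/{key} would return.
    static String envValue(String key, Map<String, String> props) {
        String raw = props.get(key);
        if (raw == null) return null;
        return isSensitive(key) ? MASK : resolveMasked(raw, props, 0);
    }

    public static void main(String[] args) {
        Map<String, String> props = Map.of( // constructed sample properties
            "mongo.password", "password",
            "mongo.userinfo", "user:${mongo.password}",
            "spring.data.mongodb.uri", "mongodb://${mongo.userinfo}@host1:27017,host2:27017/dbname");
        System.out.println(envValue("spring.data.mongodb.uri", props));
        System.out.println(envValue("mongo.password", props));
    }
}
```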