diff --git a/crates/ecstore/src/rpc/http_auth.rs b/crates/ecstore/src/rpc/http_auth.rs index e974e79b..5d69e280 100644 --- a/crates/ecstore/src/rpc/http_auth.rs +++ b/crates/ecstore/src/rpc/http_auth.rs @@ -108,14 +108,19 @@ pub fn verify_rpc_signature(url: &str, method: &Method, headers: &HeaderMap) -> } // Generate expected signature - let expected_signature = generate_signature(&secret, url, method, timestamp); // Compare signatures if signature != expected_signature { error!( - "verify_rpc_signature: Invalid signature: secret {}, url {}, method {}, timestamp {}, signature {}, expected_signature {}", - secret, url, method, timestamp, signature, expected_signature + "verify_rpc_signature: Invalid signature: url {}, method {}, timestamp {}, signature {}, expected_signature: {}***{}|{}", + url, + method, + timestamp, + signature, + expected_signature.chars().next().unwrap_or('*'), + expected_signature.chars().last().unwrap_or('*'), + expected_signature.len() ); return Err(std::io::Error::other("Invalid signature")); diff --git a/rustfs/src/admin/mod.rs b/rustfs/src/admin/mod.rs index 22f6a881..e554ace5 100644 --- a/rustfs/src/admin/mod.rs +++ b/rustfs/src/admin/mod.rs @@ -239,14 +239,12 @@ pub fn make_admin_route(console_enabled: bool) -> std::io::Result )?; // Performance profiling endpoints (available on all platforms, with platform-specific responses) - #[cfg(not(target_os = "windows"))] r.insert( Method::GET, format!("{}{}", ADMIN_PREFIX, "/debug/pprof/profile").as_str(), AdminOperation(&handlers::ProfileHandler {}), )?; - #[cfg(not(target_os = "windows"))] r.insert( Method::GET, format!("{}{}", ADMIN_PREFIX, "/debug/pprof/status").as_str(), diff --git a/rustfs/src/config/mod.rs b/rustfs/src/config/mod.rs index 00d068ba..87462eb2 100644 --- a/rustfs/src/config/mod.rs +++ b/rustfs/src/config/mod.rs @@ -47,7 +47,7 @@ const LONG_VERSION: &str = concat!( concat!("git status :\n", build::GIT_STATUS_FILE), ); -#[derive(Debug, Parser, Clone)] +#[derive(Parser, Clone)] #[command(version = SHORT_VERSION, long_version = LONG_VERSION)] pub struct Opt { /// DIR points to a directory on a filesystem. @@ -60,7 +60,11 @@ pub struct Opt { pub volumes: Vec, /// bind to a specific ADDRESS:PORT, ADDRESS can be an IP or hostname - #[arg(long, default_value_t = rustfs_config::DEFAULT_ADDRESS.to_string(), env = "RUSTFS_ADDRESS")] + #[arg( + long, + default_value_t = rustfs_config::DEFAULT_ADDRESS.to_string(), + env = "RUSTFS_ADDRESS" + )] pub address: String, /// Domain name used for virtual-hosted-style requests. @@ -73,23 +77,43 @@ pub struct Opt { pub server_domains: Vec, /// Access key used for authentication. - #[arg(long, default_value_t = rustfs_credentials::DEFAULT_ACCESS_KEY.to_string(), env = "RUSTFS_ACCESS_KEY")] + #[arg( + long, + default_value_t = rustfs_credentials::DEFAULT_ACCESS_KEY.to_string(), + env = "RUSTFS_ACCESS_KEY" + )] pub access_key: String, /// Secret key used for authentication. - #[arg(long, default_value_t = rustfs_credentials::DEFAULT_SECRET_KEY.to_string(), env = "RUSTFS_SECRET_KEY")] + #[arg( + long, + default_value_t = rustfs_credentials::DEFAULT_SECRET_KEY.to_string(), + env = "RUSTFS_SECRET_KEY" + )] pub secret_key: String, /// Enable console server - #[arg(long, default_value_t = rustfs_config::DEFAULT_CONSOLE_ENABLE, env = "RUSTFS_CONSOLE_ENABLE")] + #[arg( + long, + default_value_t = rustfs_config::DEFAULT_CONSOLE_ENABLE, + env = "RUSTFS_CONSOLE_ENABLE" + )] pub console_enable: bool, /// Console server bind address - #[arg(long, default_value_t = rustfs_config::DEFAULT_CONSOLE_ADDRESS.to_string(), env = "RUSTFS_CONSOLE_ADDRESS")] + #[arg( + long, + default_value_t = rustfs_config::DEFAULT_CONSOLE_ADDRESS.to_string(), + env = "RUSTFS_CONSOLE_ADDRESS" + )] pub console_address: String, /// Observability endpoint for trace, metrics and logs,only support grpc mode. - #[arg(long, default_value_t = rustfs_config::DEFAULT_OBS_ENDPOINT.to_string(), env = "RUSTFS_OBS_ENDPOINT")] + #[arg( + long, + default_value_t = rustfs_config::DEFAULT_OBS_ENDPOINT.to_string(), + env = "RUSTFS_OBS_ENDPOINT" + )] pub obs_endpoint: String, /// tls path for rustfs API and console. @@ -137,6 +161,42 @@ pub struct Opt { pub buffer_profile: String, } +impl std::fmt::Debug for Opt { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + f.debug_struct("Opt") + .field("volumes", &self.volumes) + .field("address", &self.address) + .field("server_domains", &self.server_domains) + .field("access_key", &self.access_key) + .field("secret_key", &Opt::mask_sensitive(Some(&self.secret_key))) // Hide sensitive values + .field("console_enable", &self.console_enable) + .field("console_address", &self.console_address) + .field("obs_endpoint", &self.obs_endpoint) + .field("tls_path", &self.tls_path) + .field("license", &Opt::mask_sensitive(self.license.as_ref())) + .field("region", &self.region) + .field("kms_enable", &self.kms_enable) + .field("kms_backend", &self.kms_backend) + .field("kms_key_dir", &self.kms_key_dir) + .field("kms_vault_address", &self.kms_vault_address) + .field("kms_vault_token", &Opt::mask_sensitive(self.kms_vault_token.as_ref())) + .field("kms_default_key_id", &self.kms_default_key_id) + .field("buffer_profile_disable", &self.buffer_profile_disable) + .field("buffer_profile", &self.buffer_profile) + .finish() + } +} + +impl Opt { + /// Mask sensitive information in Option + fn mask_sensitive(s: Option<&String>) -> String { + match s { + None => "".to_string(), + Some(s) => format!("{}***{}|{}", s.chars().next().unwrap_or('*'), s.chars().last().unwrap_or('*'), s.len()), + } + } +} + // lazy_static::lazy_static! { // pub(crate) static ref OPT: OnceLock = OnceLock::new(); // }