Allow customizing sanitization rules for /env #11264
Conversation
...main/java/org/springframework/boot/actuate/endpoint/sanitize/KeyBlacklistSanitizeFilter.java
Show resolved
Hide resolved
spring-projects-issues
added
the
status: waiting-for-triage
| @@ -195,8 +206,8 @@ private void extract(String root, Map<String, PropertySource<?>> map, | |||
| } | |||
| } | |||
|
|
|||
| public Object sanitize(String name, Object object) { | |||
| return this.sanitizer.sanitize(name, object); | |||
| private Object sanitize(PropertyNameAndSource source, Object object) { | |||
There was a problem hiding this comment.
Couldn't find out why this method was public, made it private since I changed the signature anyway. If we make this public again then PropertyNameAndSource must have a public constructor which it now doesn't.
| } | ||
| } | ||
| } | ||
| return null; | ||
| } | ||
|
|
||
| protected String convertResolvedValueToString(String placeholder, Object value, PropertySource<?> source) { |
There was a problem hiding this comment.
I changed the method that we allow to override, making the previous one private. I thought it's not a problem since resolvePlaceholder was made protected only recently (commit eb045f1).
| } | ||
|
|
||
| public void setKeysToSanitize(String... keysToSanitize) { |
There was a problem hiding this comment.
Again, dropped the setter in favour of constructor.
| return endpoint; | ||
| KeyBlacklistSanitizeFilter keyMatchFilter = (keysToSanitize != null) | ||
| ? KeyBlacklistSanitizeFilter.matchingKeys(keysToSanitize) | ||
| : KeyBlacklistSanitizeFilter.matchingDefaultKeys(); |
There was a problem hiding this comment.
I wanted to create the instance of KeyBlacklistSanitizeFilter as a bean that we would autowire here, but couldn't express the condition "register the filter bean only if environment endpoint is enabled". Is there a way for expressing that given that the filter bean must be registered before EnvironmentEndpoint?
|
@philwebb can you have a look at this? |
|
@philwebb @spencergibb it's been 3 months, are you still interested in this feature? I won't bother resolving conflicts if you're not. |
|
Hi @pbetkier, Thanks for the PR and sorry I didn't get back to you earlier. We're planning to start the planning process for Spring Boot 2.1 soon and I'd like to review this at that point. There's no need to resolve conflicts now, we can deal with that when we merge. FWIW I really like the idea of supporting more flexible sanitization rules, we just ran out of time to get this into 2.0. |
philwebb
added
for: team-meeting
type: enhancement
|
@pbetkier Sorry for the delay in getting to this. Given that the code has moved on quite a bit since the original PR, we decided to approach this in a different manner. This commit adds a new method to the |
mbhave
added
status: declined
This PR introduces more flexible sanitization rules for /env actuator endpoint.
Sanitization rules can be customized by registering one or more beans of type
EnvironmentEndpoint.SanitizeFilter. Such filters decide whether to sanitize a given value basing on its property name and the property source it originates from. By default there is only one filter,KeyBlacklistSanitizeFilter, which contains the already existing logic of sanitizing based on the matching key names.I made a couple of backwards-incompatible changes which I assumed are OK at this release stage. I pointed them in the PR comments. I also haven't wrote the docs for this feature assuming it won't be commonly used.
@philwebb @spencergibb you may be interested in this :)
Fixes gh-6587