Merge pull request #9226 from weseek/imprv/hide-env-vars

support: Evaluate whether env vars are secret or not by the `isSecret` property

apps/app/src/server/service/config-loader.ts

@@ -22,6 +22,7 @@ interface EnvConfig {
   key: string,
   type: ValueType,
   default?: number | string | boolean | null,
+  isSecret?: boolean,
 }
 
 type EnumDictionary<T extends string | symbol | number, U> = {
@@ -48,7 +49,7 @@ const parserDictionary: EnumDictionary<ValueType, ValueParser<number | string |
  *  The commented out item has not yet entered the migration work.
  *  So, parameters of these are under consideration.
  */
-const ENV_VAR_NAME_TO_CONFIG_INFO = {
+const ENV_VAR_NAME_TO_CONFIG_INFO: Record<string, EnvConfig> = {
   FILE_UPLOAD: {
     ns:      'crowi',
     key:     'app:fileUploadType',
@@ -168,6 +169,7 @@ const ENV_VAR_NAME_TO_CONFIG_INFO = {
     key:     'autoInstall:adminPassword',
     type:    ValueType.STRING,
     default: null,
+    isSecret: true,
   },
   AUTO_INSTALL_GLOBAL_LANG: {
     ns:      'crowi',
@@ -321,6 +323,7 @@ const ENV_VAR_NAME_TO_CONFIG_INFO = {
     key:     'security:sessionMaxAge',
     type:    ValueType.NUMBER,
     default: undefined,
+    isSecret: true,
   },
   USER_UPPER_LIMIT: {
     ns:      'crowi',
@@ -339,18 +342,21 @@ const ENV_VAR_NAME_TO_CONFIG_INFO = {
     key:     'security:trustProxyBool',
     type:    ValueType.BOOLEAN,
     default: null,
+    isSecret: true,
   },
   TRUST_PROXY_CSV: {
     ns:      'crowi',
     key:     'security:trustProxyCsv',
     type:    ValueType.STRING,
     default: null,
+    isSecret: true,
   },
   TRUST_PROXY_HOPS: {
     ns:      'crowi',
     key:     'security:trustProxyHops',
     type:    ValueType.NUMBER,
     default: null,
+    isSecret: true,
   },
   LOCAL_STRATEGY_ENABLED: {
     ns:      'crowi',
@@ -405,6 +411,14 @@ const ENV_VAR_NAME_TO_CONFIG_INFO = {
     key:     'security:passport-saml:issuer',
     type:    ValueType.STRING,
     default: null,
+    isSecret: true,
+  },
+  SAML_CERT: {
+    ns:      'crowi',
+    key:     'security:passport-saml:cert',
+    type:    ValueType.STRING,
+    default: null,
+    isSecret: true,
   },
   SAML_ATTR_MAPPING_ID: {
     ns:      'crowi',
@@ -436,12 +450,6 @@ const ENV_VAR_NAME_TO_CONFIG_INFO = {
     type:    ValueType.STRING,
     default: null,
   },
-  SAML_CERT: {
-    ns:      'crowi',
-    key:     'security:passport-saml:cert',
-    type:    ValueType.STRING,
-    default: null,
-  },
   SAML_ABLC_RULE: {
     ns:      'crowi',
     key:     'security:passport-saml:ABLCRule',
@@ -531,18 +539,21 @@ const ENV_VAR_NAME_TO_CONFIG_INFO = {
     key:     'azure:tenantId',
     type:    ValueType.STRING,
     default: null,
+    isSecret: true,
   },
   AZURE_CLIENT_ID: {
     ns:      'crowi',
     key:     'azure:clientId',
     type:    ValueType.STRING,
     default: null,
+    isSecret: true,
   },
   AZURE_CLIENT_SECRET: {
     ns:      'crowi',
     key:     'azure:clientSecret',
     type:    ValueType.STRING,
     default: null,
+    isSecret: true,
   },
   AZURE_STORAGE_ACCOUNT_NAME: {
     ns:      'crowi',
@@ -609,12 +620,14 @@ const ENV_VAR_NAME_TO_CONFIG_INFO = {
     key:     'slackbot:withoutProxy:signingSecret',
     type:    ValueType.STRING,
     default: null,
+    isSecret: true,
   },
   SLACKBOT_WITHOUT_PROXY_BOT_TOKEN: {
     ns:      'crowi',
     key:     'slackbot:withoutProxy:botToken',
     type:    ValueType.STRING,
     default: null,
+    isSecret: true,
   },
   SLACKBOT_WITHOUT_PROXY_COMMAND_PERMISSION: {
     ns:      'crowi',
@@ -633,12 +646,14 @@ const ENV_VAR_NAME_TO_CONFIG_INFO = {
     key:     'slackbot:withProxy:saltForGtoP',
     type:    ValueType.STRING,
     default: 'gtop',
+    isSecret: true,
   },
   SLACKBOT_WITH_PROXY_SALT_FOR_PTOG: {
     ns:      'crowi',
     key:     'slackbot:withProxy:saltForPtoG',
     type:    ValueType.STRING,
     default: 'ptog',
+    isSecret: true,
   },
   OGP_URI: {
     ns:      'crowi',
@@ -739,16 +754,6 @@ const ENV_VAR_NAME_TO_CONFIG_INFO = {
 };
 
 
-/**
- * return whether env belongs to Security settings
- * @param key ex. 'security:passport-saml:isEnabled' is true
- * @returns
- */
-const isSecurityEnv = (key) => {
-  const array = key.split(':');
-  return (array[0] === 'security');
-};
-
 export interface ConfigObject extends Record<string, any> {
   fromDB: any,
   fromEnvVars: any,
@@ -817,7 +822,7 @@ export default class ConfigLoader {
         config[configInfo.ns][configInfo.key] = configInfo.default;
       }
       else {
-        const parser: ValueParser<number | string | boolean> = parserDictionary[configInfo.type];
+        const parser = parserDictionary[configInfo.type];
         config[configInfo.ns][configInfo.key] = parser.parse(process.env[ENV_VAR_NAME] as string);
       }
     }
@@ -839,10 +844,13 @@ export default class ConfigLoader {
       if (process.env[ENV_VAR_NAME] === undefined) {
         continue;
       }
-      if (isSecurityEnv(configInfo.key) && avoidSecurity) {
+
+      // skip to show secret values
+      if (avoidSecurity && configInfo.isSecret) {
         continue;
       }
-      const parser: ValueParser<number | string | boolean> = parserDictionary[configInfo.type];
+
+      const parser = parserDictionary[configInfo.type];
       config[ENV_VAR_NAME] = parser.parse(process.env[ENV_VAR_NAME] as string);
     }