From 31fcfe4bc2de046bee0c7b4e72f89c0139a906a2 Mon Sep 17 00:00:00 2001
From: Matthew Hooker <mwhooker@gmail.com>
Date: Wed, 1 Aug 2018 11:20:52 -0700
Subject: [PATCH] PoC for filtering logs

---
 builder/amazon/ebs/builder.go |  1 +
 command/build.go              |  1 +
 command/meta.go               |  2 ++
 main.go                       |  9 +++++--
 packer/core.go                |  3 +++
 packer/logs.go                | 50 +++++++++++++++++++++++++++++++++++
 6 files changed, 64 insertions(+), 2 deletions(-)
 create mode 100644 packer/logs.go

diff --git a/builder/amazon/ebs/builder.go b/builder/amazon/ebs/builder.go
index f2c0bcbec..49185f229 100644
--- a/builder/amazon/ebs/builder.go
+++ b/builder/amazon/ebs/builder.go
@@ -39,6 +39,7 @@ type Builder struct {
 }
 
 func (b *Builder) Prepare(raws ...interface{}) ([]string, error) {
+	log.Printf("SECRET: matt")
 	b.config.ctx.Funcs = awscommon.TemplateFuncs
 	err := config.Decode(&b.config, &config.DecodeOpts{
 		Interpolate:        true,
diff --git a/command/build.go b/command/build.go
index 39e761ba5..a270bd785 100644
--- a/command/build.go
+++ b/command/build.go
@@ -110,6 +110,7 @@ func (c *BuildCommand) Run(args []string) int {
 	log.Printf("Build debug mode: %v", cfgDebug)
 	log.Printf("Force build: %v", cfgForce)
 	log.Printf("On error: %v", cfgOnError)
+	//log.Printf("my secrets: %v", c.CoreConfig.
 
 	// Set the debug and force mode and prepare all the builds
 	for _, b := range builds {
diff --git a/command/meta.go b/command/meta.go
index b8dfdfbf5..4718f3939 100644
--- a/command/meta.go
+++ b/command/meta.go
@@ -29,6 +29,8 @@ type Meta struct {
 	Cache      packer.Cache
 	Ui         packer.Ui
 	Version    string
+	//Secrets        []string
+	//secrets:        []string{"matt"},
 
 	// These are set by command-line flags
 	flagBuildExcept []string
diff --git a/main.go b/main.go
index 2fc626fde..7bef93f13 100644
--- a/main.go
+++ b/main.go
@@ -55,6 +55,10 @@ func realMain() int {
 			logWriter = ioutil.Discard
 		}
 
+		packer.LogSecretFilter.SetOutput(logWriter)
+
+		//packer.LogSecrets.
+
 		// Disable logging here
 		log.SetOutput(ioutil.Discard)
 
@@ -87,7 +91,7 @@ func realMain() int {
 
 		// Create the configuration for panicwrap and wrap our executable
 		wrapConfig.Handler = panicHandler(logTempFile)
-		wrapConfig.Writer = io.MultiWriter(logTempFile, logWriter)
+		wrapConfig.Writer = io.MultiWriter(logTempFile, &packer.LogSecretFilter)
 		wrapConfig.Stdout = outW
 		wrapConfig.DetectDuration = 500 * time.Millisecond
 		wrapConfig.ForwardSignals = []os.Signal{syscall.SIGTERM}
@@ -125,7 +129,8 @@ func wrappedMain() int {
 		runtime.GOMAXPROCS(runtime.NumCPU())
 	}
 
-	log.SetOutput(os.Stderr)
+	packer.LogSecretFilter.SetOutput(os.Stderr)
+	log.SetOutput(&packer.LogSecretFilter)
 
 	log.Printf("[INFO] Packer version: %s", version.FormattedVersion())
 	log.Printf("Packer Target OS/Arch: %s %s", runtime.GOOS, runtime.GOARCH)
diff --git a/packer/core.go b/packer/core.go
index c8ac2cfb7..7bdb4f7b5 100644
--- a/packer/core.go
+++ b/packer/core.go
@@ -19,6 +19,7 @@ type Core struct {
 	variables  map[string]string
 	builds     map[string]*template.Builder
 	version    string
+	secrets    []string
 }
 
 // CoreConfig is the structure for initializing a new Core. Once a CoreConfig
@@ -66,6 +67,8 @@ func NewCore(c *CoreConfig) (*Core, error) {
 	if err := result.init(); err != nil {
 		return nil, err
 	}
+	LogSecretFilter.Set("matt")
+	//log.Printf("NewCore: %+v", result.Template.Variables["efoo"])
 
 	// Go through and interpolate all the build names. We should be able
 	// to do this at this point with the variables.
diff --git a/packer/logs.go b/packer/logs.go
new file mode 100644
index 000000000..b5bb07b1c
--- /dev/null
+++ b/packer/logs.go
@@ -0,0 +1,50 @@
+package packer
+
+import (
+	"bytes"
+	"io"
+	"sync"
+)
+
+type secretFilter struct {
+	s map[string]struct{}
+	m sync.Mutex
+	w io.Writer
+}
+
+func (l *secretFilter) Set(secrets ...string) {
+	l.m.Lock()
+	defer l.m.Unlock()
+	for _, s := range secrets {
+		l.s[s] = struct{}{}
+	}
+}
+
+func (l *secretFilter) SetOutput(output io.Writer) {
+	l.m.Lock()
+	defer l.m.Unlock()
+	l.w = output
+}
+
+func (l *secretFilter) Write(p []byte) (n int, err error) {
+	for s := range l.s {
+		p = bytes.Replace(p, []byte(s), []byte("<filtered>"), -1)
+	}
+	return l.w.Write(p)
+	// return l.w.Write([]byte("foobar"))
+}
+
+func (l *secretFilter) get() (s []string) {
+	l.m.Lock()
+	defer l.m.Unlock()
+	for k := range l.s {
+		s = append(s, k)
+	}
+	return
+}
+
+var LogSecretFilter secretFilter
+
+func init() {
+	LogSecretFilter.s = make(map[string]struct{})
+}