(t *testing.T)
| 254 | } |
| 255 | |
| 256 | func TestConfigEndpoint_SecretsMasked(t *testing.T) { |
| 257 | cfg := newDefaultConfig() |
| 258 | |
| 259 | // Use reflection to find every flagext.Secret field in the config and set |
| 260 | // it to a sentinel value. This ensures newly added Secret fields are |
| 261 | // automatically covered without updating this test. |
| 262 | sentinel := "LEAKED_SECRET_VALUE" |
| 263 | setAllSecrets(reflect.ValueOf(cfg), sentinel) |
| 264 | |
| 265 | cortex := &Cortex{ |
| 266 | Server: &server.Server{}, |
| 267 | Cfg: *cfg, |
| 268 | } |
| 269 | cortex.Server.HTTP = mux.NewRouter() |
| 270 | |
| 271 | _, err := cortex.initAPI() |
| 272 | require.NoError(t, err) |
| 273 | |
| 274 | req := httptest.NewRequest("GET", "/config", nil) |
| 275 | resp := httptest.NewRecorder() |
| 276 | cortex.Server.HTTP.ServeHTTP(resp, req) |
| 277 | |
| 278 | require.Equal(t, 200, resp.Code) |
| 279 | |
| 280 | body := resp.Body.String() |
| 281 | |
| 282 | // Verify the sentinel never appears in cleartext. |
| 283 | assert.NotContains(t, body, sentinel, "a flagext.Secret value was leaked in /config output") |
| 284 | |
| 285 | // Verify at least one masked value is present (sanity check). |
| 286 | assert.Contains(t, body, "********", "expected masked secrets in /config output") |
| 287 | } |
| 288 | |
| 289 | // TestConfig_SensitiveFieldTypes verifies that every struct field in Config |
| 290 | // whose YAML tag name suggests a credential uses flagext.Secret, not string. |
nothing calls this directly
no test coverage detected