fix: hide private keys in logs (#42)

* add manual `Debug` implementations to hide private keys * update dependencies * bump version * update server example --------- Co-authored-by: Maciej Wójcik <[email protected]>
DefGuard · Dec 19, 2023 · b8e54ba · b8e54ba
1 parent 58b4094
commit b8e54ba
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 14 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "defguard_wireguard_rs"
-version = "0.3.1"
+version = "0.3.2"
 edition = "2021"
 description = "A unified multi-platform high-level API for managing WireGuard interfaces"
 license = "Apache-2.0"

diff --git a/examples/server.rs b/examples/server.rs
@@ -40,13 +40,14 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
         port: 12345,
         peers: vec![peer],
     };
+    println!("Prepared interface configuration: {interface_config:?}");
 
     // apply initial interface configuration
     wgapi.configure_interface(&interface_config)?;
 
     // read current interface status
     let host = wgapi.read_interface_data()?;
-    println!("WireGuard interface initial config: {host:#?}");
+    println!("WireGuard interface after configuration: {host:#?}");
 
     // add more WireGuard clients
     for peer_id in 3..13 {

diff --git a/src/host.rs b/src/host.rs
@@ -2,6 +2,7 @@
 
 use std::{
     collections::HashMap,
+    fmt::{Debug, Formatter},
     io::{self, BufRead, BufReader, Read},
     net::SocketAddr,
     str::FromStr,
@@ -164,14 +165,25 @@ impl Peer {
 }
 
 /// WireGuard host representation.
-#[derive(Debug, Default, Clone, Serialize, Deserialize)]
+#[derive(Default, Clone, Serialize, Deserialize)]
 pub struct Host {
     pub listen_port: u16,
     pub private_key: Option<Key>,
     pub(super) fwmark: Option<u32>,
     pub peers: HashMap<Key, Peer>,
 }
 
+// implement manually to avoid exposing private keys
+impl Debug for Host {
+    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("Host")
+            .field("listen_port", &self.listen_port)
+            .field("fwmark", &self.fwmark)
+            .field("peers", &self.peers)
+            .finish()
+    }
+}
+
 impl Host {
     /// Create new `Host` with a given `listen_port` and `private_key`.
     #[must_use]

diff --git a/src/lib.rs b/src/lib.rs
@@ -72,7 +72,10 @@ mod wireguard_interface;
 extern crate log;
 
 use serde::{Deserialize, Serialize};
-use std::process::Output;
+use std::{
+    fmt::{Debug, Formatter},
+    process::Output,
+};
 
 use self::{
     error::WireguardInterfaceError,
@@ -92,7 +95,7 @@ pub use wgapi_userspace::WireguardApiUserspace;
 pub use wireguard_interface::WireguardInterfaceApi;
 
 /// Host WireGuard interface configuration
-#[derive(Debug, Clone, Serialize, Deserialize)]
+#[derive(Clone, Serialize, Deserialize)]
 pub struct InterfaceConfiguration {
     pub name: String,
     pub prvkey: String,
@@ -101,6 +104,18 @@ pub struct InterfaceConfiguration {
     pub peers: Vec<Peer>,
 }
 
+// implement manually to avoid exposing private keys
+impl Debug for InterfaceConfiguration {
+    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("InterfaceConfiguration")
+            .field("name", &self.name)
+            .field("address", &self.address)
+            .field("port", &self.port)
+            .field("peers", &self.peers)
+            .finish()
+    }
+}
+
 impl TryFrom<&InterfaceConfiguration> for Host {
     type Error = WireguardInterfaceError;