authorDan Engelbrecht <[email protected]>2026-03-04 16:07:14 +0100
committerGitHub Enterprise <[email protected]>2026-03-04 16:07:14 +0100
commit6926c04dc4d7c5c0f0310b66c17c9a4e94d2e341 (patch)
tree4289576dcba4b13b3dc91b14b138e13681689222 /src
parentcompute orchestration (#763) (diff)
more feedback during auth option parsing (#806)
* remove stray std::unique_ptr<AuthMgr> Auth; causing crashes * add more feedback during parsing of auth options
Diffstat (limited to 'src')
-rw-r--r--src/zen/authutils.cpp80
-rw-r--r--src/zen/cmds/builds_cmd.cpp2
-rw-r--r--src/zencore/include/zencore/string.h2
-rw-r--r--src/zencore/string.cpp56
4 files changed, 99 insertions, 41 deletions
diff --git a/src/zen/authutils.cpp b/src/zen/authutils.cpp
index 16427acf5..23ac70965 100644
--- a/src/zen/authutils.cpp
+++ b/src/zen/authutils.cpp
@@ -154,21 +154,34 @@ AuthCommandLineOptions::ParseOptions(cxxopts::Options& Ops,
ZEN_ASSERT(!SystemRootDir.empty());
if (!Auth)
{
- if (m_EncryptionKey.empty())
+ static const std::string_view DefaultEncryptionKey("abcdefghijklmnopqrstuvxyz0123456");
+ static const std::string_view DefaultEncryptionIV("0123456789abcdef");
+ if (m_EncryptionKey.empty() && m_EncryptionIV.empty())
{
- m_EncryptionKey = "abcdefghijklmnopqrstuvxyz0123456";
+ m_EncryptionKey = DefaultEncryptionKey;
+ m_EncryptionIV = DefaultEncryptionIV;
if (!Quiet)
{
- ZEN_CONSOLE_WARN("Using default encryption key");
+ ZEN_CONSOLE_WARN("Auth: Using default encryption key and initialization vector for auth storage");
}
}
-
- if (m_EncryptionIV.empty())
+ else
{
- m_EncryptionIV = "0123456789abcdef";
- if (!Quiet)
+ if (m_EncryptionKey.empty())
+ {
+ m_EncryptionKey = DefaultEncryptionKey;
+ if (!Quiet)
+ {
+ ZEN_CONSOLE_WARN("Auth: Using default encryption key for auth storage");
+ }
+ }
+ if (m_EncryptionIV.empty())
{
- ZEN_CONSOLE_WARN("Using default encryption initialization vector");
+ m_EncryptionIV = DefaultEncryptionIV;
+ if (!Quiet)
+ {
+ ZEN_CONSOLE_WARN("Auth: Using default encryption initialization vector for auth storage");
+ }
}
}
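Review bot: The fallback values `DefaultEncryptionKey` and `DefaultEncryptionIV` are constants in the source, and every warning about using them sits behind `if (!Quiet)`, so a quiet run encrypts auth storage under publicly known values without saying so. Nothing in the hunk records that this fallback gives obfuscation rather than confidentiality, and the IV is likewise fixed. I would add a comment above the two constants, `// Fallback key/IV are public constants: they obfuscate auth storage but do not protect it; supply both options when confidentiality matters.`, and consider emitting the warning regardless of `Quiet`. The enclosing `ParseOptions` body starts and ends outside the hunk.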
@@ -187,9 +200,9 @@ AuthCommandLineOptions::ParseOptions(cxxopts::Options& Ops,
{
ExtendableStringBuilder<128> SB;
SB << "\n RootDirectory: " << AuthMgrConfig.RootDirectory.string();
- SB << "\n EncryptionKey: " << m_EncryptionKey;
- SB << "\n EncryptionIV: " << m_EncryptionIV;
- ZEN_CONSOLE("Creating auth manager with:{}", SB.ToString());
+ SB << "\n EncryptionKey: " << HideSensitiveString(m_EncryptionKey);
+ SB << "\n EncryptionIV: " << HideSensitiveString(m_EncryptionIV);
+ ZEN_CONSOLE("Auth: Creating auth manager with:{}", SB.ToString());
}
Auth = AuthMgr::Create(AuthMgrConfig);
}
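Review bot: The `EncryptionKey` line still writes the first four characters of the key to the console, because `HideSensitiveString` keeps a four-character prefix for any input longer than 16 characters and the default key in this file is 32 characters long. A key prefix has no diagnostic value and ends up wherever console output is captured; the 16-character default IV is fully masked only because of its length. For key material I would log a fixed marker instead, e.g. `SB << "\n EncryptionKey: <set>";`, and the same for `EncryptionIV`. The condition guarding this block is outside the hunk.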
@@ -204,13 +217,18 @@ AuthCommandLineOptions::ParseOptions(cxxopts::Options& Ops,
ExtendableStringBuilder<128> SB;
SB << "\n Name: " << ProviderName;
SB << "\n Url: " << m_OpenIdProviderUrl;
- SB << "\n ClientId: " << m_OpenIdClientId;
- ZEN_CONSOLE("Adding openid auth provider:{}", SB.ToString());
+ SB << "\n ClientId: " << HideSensitiveString(m_OpenIdClientId);
+ ZEN_CONSOLE("Auth: Adding Open ID auth provider:{}", SB.ToString());
}
Auth->AddOpenIdProvider({.Name = ProviderName, .Url = m_OpenIdProviderUrl, .ClientId = m_OpenIdClientId});
if (!m_OpenIdRefreshToken.empty())
{
- ZEN_CONSOLE("Adding open id refresh token {} to provider {}", m_OpenIdRefreshToken, ProviderName);
+ if (!Quiet)
+ {
+ ZEN_CONSOLE("Auth: Adding open id refresh token {} to provider {}",
+ HideSensitiveString(m_OpenIdRefreshToken),
+ ProviderName);
+ }
Auth->AddOpenIdToken({.ProviderName = ProviderName, .RefreshToken = m_OpenIdRefreshToken});
}
}
@@ -225,9 +243,9 @@ AuthCommandLineOptions::ParseOptions(cxxopts::Options& Ops,
if (!m_AccessToken.empty())
{
- if (Verbose)
+ if (!Quiet)
{
- ZEN_CONSOLE("Adding static auth token: {}", m_AccessToken);
+ ZEN_CONSOLE("Auth: Using static auth token: {}", HideSensitiveString(m_AccessToken));
}
ClientSettings.AccessTokenProvider = httpclientauth::CreateFromStaticToken(m_AccessToken);
}
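Review bot: Switching the guard from `if (Verbose)` to `if (!Quiet)` makes this credential-derived line part of the default output, and the same switch is made for the token messages in the hunks starting at new lines 255 and 278. For a token longer than 16 characters `HideSensitiveString` still prints its first four characters, so default runs (for example where console output is captured by a build system) now record a token prefix where previously nothing was printed. I would keep the value out of the default message and leave the masked form for verbose mode, e.g. `ZEN_CONSOLE("Auth: Using static auth token");`.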
@@ -237,9 +255,9 @@ AuthCommandLineOptions::ParseOptions(cxxopts::Options& Ops,
std::string ResolvedAccessToken = ReadAccessTokenFromJsonFile(m_AccessTokenPath);
if (!ResolvedAccessToken.empty())
{
- if (Verbose)
+ if (!Quiet)
{
- ZEN_CONSOLE("Adding static auth token from {}: {}", m_AccessTokenPath, ResolvedAccessToken);
+ ZEN_CONSOLE("Auth: Adding static auth token from {}: {}", m_AccessTokenPath, HideSensitiveString(ResolvedAccessToken));
}
ClientSettings.AccessTokenProvider = httpclientauth::CreateFromStaticToken(ResolvedAccessToken);
}
@@ -250,9 +268,9 @@ AuthCommandLineOptions::ParseOptions(cxxopts::Options& Ops,
{
ExtendableStringBuilder<128> SB;
SB << "\n Url: " << m_OAuthUrl;
- SB << "\n ClientId: " << m_OAuthClientId;
- SB << "\n ClientSecret: " << m_OAuthClientSecret;
- ZEN_CONSOLE("Adding oauth provider:{}", SB.ToString());
+ SB << "\n ClientId: " << HideSensitiveString(m_OAuthClientId);
+ SB << "\n ClientSecret: " << HideSensitiveString(m_OAuthClientSecret);
+ ZEN_CONSOLE("Auth: Adding oauth provider:{}", SB.ToString());
}
ClientSettings.AccessTokenProvider = httpclientauth::CreateFromOAuthClientCredentials(
{.Url = m_OAuthUrl, .ClientId = m_OAuthClientId, .ClientSecret = m_OAuthClientSecret});
@@ -260,25 +278,27 @@ AuthCommandLineOptions::ParseOptions(cxxopts::Options& Ops,
else if (!m_OpenIdProviderName.empty())
{
CreateAuthMgr();
- if (Verbose)
+ if (!Quiet)
{
- ZEN_CONSOLE("Using openid provider: {}", m_OpenIdProviderName);
+ ZEN_CONSOLE("Auth: Using OpenId provider: {}", m_OpenIdProviderName);
}
ClientSettings.AccessTokenProvider = httpclientauth::CreateFromOpenIdProvider(*Auth, m_OpenIdProviderName);
}
else if (std::string ResolvedAccessToken = GetEnvAccessToken(m_AccessTokenEnv); !ResolvedAccessToken.empty())
{
- if (Verbose)
+ if (!Quiet)
{
- ZEN_CONSOLE("Using environment variable '{}' as access token '{}'", m_AccessTokenEnv, ResolvedAccessToken);
+ ZEN_CONSOLE("Auth: Resolved environment variable '{}' to access token '{}'",
+ m_AccessTokenEnv,
+ HideSensitiveString(ResolvedAccessToken));
}
ClientSettings.AccessTokenProvider = httpclientauth::CreateFromStaticToken(ResolvedAccessToken);
}
- else if (std::filesystem::path OidcTokenExePath = FindOidcTokenExePath(m_OidcTokenAuthExecutablePath); !OidcTokenExePath.empty())
+ else if (std::filesystem::path OidcTokenExePath = FindOidcTokenExePath(m_OidcTokenAuthExecutablePath); OidcTokenExePath.empty())
{
- if (Verbose)
+ if (!Quiet)
{
- ZEN_CONSOLE("Running oidctoken exe from path '{}'", m_OidcTokenAuthExecutablePath);
+ ZEN_CONSOLE("Auth: Using oidctoken exe from path '{}'", OidcTokenExePath);
}
ClientSettings.AccessTokenProvider =
httpclientauth::CreateFromOidcTokenExecutable(OidcTokenExePath, HostUrl, Quiet, m_OidcTokenUnattended, Hidden);
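Review bot: The new condition `OidcTokenExePath.empty()` looks inverted: the removed line tested `!OidcTokenExePath.empty()`, and the body still logs `OidcTokenExePath` and passes it to `CreateFromOidcTokenExecutable`. As written the branch is taken only when no executable was found, so an empty path is handed to the token provider, while a successfully located executable skips this branch and goes to whatever follows it. Unless that is intended, restore `!OidcTokenExePath.empty()` in the `else if`. The branch body continues past the end of the hunk.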
@@ -291,9 +311,9 @@ AuthCommandLineOptions::ParseOptions(cxxopts::Options& Ops,
if (!ClientSettings.AccessTokenProvider)
{
CreateAuthMgr();
- if (Verbose)
+ if (!Quiet)
{
- ZEN_CONSOLE("Using default openid provider");
+ ZEN_CONSOLE("Auth: Using default Open ID provider");
}
ClientSettings.AccessTokenProvider = httpclientauth::CreateFromDefaultOpenIdProvider(*Auth);
}
diff --git a/src/zen/cmds/builds_cmd.cpp b/src/zen/cmds/builds_cmd.cpp
index ffdc5fe48..0722e9714 100644
--- a/src/zen/cmds/builds_cmd.cpp
+++ b/src/zen/cmds/builds_cmd.cpp
@@ -2808,8 +2808,6 @@ BuildsCommand::Run(const ZenCliOptions& GlobalOptions, int argc, char** argv)
.Verbose = m_VerboseHttp,
.MaximumInMemoryDownloadSize = GetMaxMemoryBufferSize(DefaultMaxChunkBlockSize, m_BoostWorkerMemory)};
- std::unique_ptr<AuthMgr> Auth;
-
std::string StorageDescription;
std::string CacheDescription;
diff --git a/src/zencore/include/zencore/string.h b/src/zencore/include/zencore/string.h
index 5a12ba5d2..250eb9f56 100644
--- a/src/zencore/include/zencore/string.h
+++ b/src/zencore/include/zencore/string.h
@@ -1265,6 +1265,8 @@ private:
uint64_t LoMask, HiMask;
};
+std::string HideSensitiveString(std::string_view String);
+
//////////////////////////////////////////////////////////////////////////
void string_forcelink(); // internal
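Review bot: The new declaration of `HideSensitiveString` has no comment stating what the masked form still reveals, which callers need to know before using it on secrets. Going by the definition and tests added in string.cpp, inputs longer than 16 characters keep their first four characters, and inputs of up to four characters are shown as the same number of `X`. I would document that at the declaration: `// Masks String for log output: inputs longer than 16 chars keep their first 4 chars, the rest becomes up to four 'X' plus "..."; inputs of 1-4 chars reveal their length.`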
diff --git a/src/zencore/string.cpp b/src/zencore/string.cpp
index 27635a86c..3d0451e27 100644
--- a/src/zencore/string.cpp
+++ b/src/zencore/string.cpp
@@ -539,10 +539,33 @@ UrlDecode(std::string_view InUrl)
return std::string(Url.ToView());
}
-//////////////////////////////////////////////////////////////////////////
-//
-// Unit tests
-//
+std::string
+HideSensitiveString(std::string_view String)
+{
+ const size_t Length = String.length();
+ const size_t SourceLength = Length > 16 ? 4 : 0;
+ const size_t PadLength = Min(Length - SourceLength, 4u);
+ const bool AddEllipsis = (SourceLength + PadLength) < Length;
+ StringBuilder<16> SB;
+ if (SourceLength > 0)
+ {
+ SB << String.substr(0, SourceLength);
+ }
+ if (PadLength > 0)
+ {
+ SB << std::string(PadLength, 'X');
+ }
+ if (AddEllipsis)
+ {
+ SB << "...";
+ }
+ return SB.ToString();
+};
+
+ //////////////////////////////////////////////////////////////////////////
+ //
+ // Unit tests
+ //
#if ZEN_WITH_TESTS
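Review bot: The definition of `HideSensitiveString` ends in `};`, which leaves a stray empty declaration at namespace scope and is presumably what made the formatter indent the re-added "Unit tests" banner. Drop the semicolon so the function ends with `}` and the banner can stay at column 0 as it was before. Separately, `StringBuilder<16>` is sized for the longest output (4 + 4 + 3 characters); a short comment such as `// longest result is "ABCDXXXX..." (11 chars)` would keep that bound from being broken by a later change to the format.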
@@ -814,11 +837,6 @@ TEST_CASE("niceNum")
}
}
-void
-string_forcelink()
-{
-}
-
TEST_CASE("StringBuilder")
{
StringBuilder<64> sb;
@@ -1224,8 +1242,28 @@ TEST_CASE("string")
}
}
+TEST_CASE("hidesensitivestring")
+{
+ using namespace std::literals;
+
+ CHECK_EQ(HideSensitiveString(""sv), ""sv);
+ CHECK_EQ(HideSensitiveString("A"sv), "X"sv);
+ CHECK_EQ(HideSensitiveString("ABCD"sv), "XXXX"sv);
+ CHECK_EQ(HideSensitiveString("ABCDE"sv), "XXXX..."sv);
+ CHECK_EQ(HideSensitiveString("ABCDEFGH"sv), "XXXX..."sv);
+ CHECK_EQ(HideSensitiveString("ABCDEFGHIJKLMNOP"sv), "XXXX..."sv);
+ CHECK_EQ(HideSensitiveString("ABCDEFGHIJKLMNOPQ"sv), "ABCDXXXX..."sv);
+ CHECK_EQ(HideSensitiveString("ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"sv), "ABCDXXXX..."sv);
+ CHECK_EQ(HideSensitiveString("1234567890123456789"sv), "1234XXXX..."sv);
+}
+
TEST_SUITE_END();
+void
+string_forcelink()
+{
+}
+
#endif
} // namespace zen