runatlantis · jamengual · Feb 17, 2022 · Feb 16, 2022 · Feb 16, 2022 · Feb 16, 2022
diff --git a/server/middleware.go b/server/middleware.go
@@ -18,6 +18,7 @@ import (
 
 	"github.com/runatlantis/atlantis/server/logging"
 	"github.com/urfave/negroni"
+	"golang.org/x/crypto/bcrypt"
 )
 
 // NewRequestLogger creates a RequestLogger.
@@ -30,6 +31,8 @@ func NewRequestLogger(s *Server) *RequestLogger {
 	}
 }
 
+const redacted = "[REDACTED]"
+
 // RequestLogger logs requests and their response codes.
 // as well as handle the basicauth on the requests
 type RequestLogger struct {
@@ -42,6 +45,10 @@ type RequestLogger struct {
 // ServeHTTP implements the middleware function. It logs all requests at DEBUG level.
 func (l *RequestLogger) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
 	l.logger.Debug("%s %s – from %s", r.Method, r.URL.RequestURI(), r.RemoteAddr)
+	var (
+		hashUser, hashPass []byte
+		err                error
+	)
 	allowed := false
 	if !l.WebAuthentication ||
 		r.URL.Path == "/events" ||
@@ -50,15 +57,25 @@ func (l *RequestLogger) ServeHTTP(rw http.ResponseWriter, r *http.Request, next
 		allowed = true
 	} else {
 		user, pass, ok := r.BasicAuth()
+		hashUser, err = hashData([]byte(user))
+		if err != nil {
+			l.logger.Debug("unable to hash username, defaulting to %s", redacted)
+			hashUser = []byte(redacted)
+		}
+		hashPass, err = hashData([]byte(pass))
+		if err != nil {
+			l.logger.Debug("unable to hash password, defaulting to %s", redacted)
+			hashPass = []byte(redacted)
+		}
 		if ok {
 			r.SetBasicAuth(user, pass)
-			l.logger.Debug("user: %s / pass: %s >> url: %s", user, pass, r.URL.RequestURI())
+			l.logger.Debug("user(hash): %s / pass(hash): %s >> url: %s", string(hashUser), string(hashPass), r.URL.RequestURI())
 			if user == l.WebUsername && pass == l.WebPassword {
-				l.logger.Debug("[VALID] user: %s / pass: %s >> url: %s", user, pass, r.URL.RequestURI())
+				l.logger.Debug("[VALID] user(hash): %s / pass(hash): %s >> url: %s", string(hashUser), string(hashPass), r.URL.RequestURI())
 				allowed = true
 			} else {
 				allowed = false
-				l.logger.Info("[INVALID] user: %s / pass: %s >> url: %s", user, pass, r.URL.RequestURI())
+				l.logger.Info("[INVALID] user(hash): %s / pass(hash): %s >> url: %s", string(hashUser), string(hashPass), r.URL.RequestURI())
 			}
 		}
 	}
@@ -70,3 +87,11 @@ func (l *RequestLogger) ServeHTTP(rw http.ResponseWriter, r *http.Request, next
 	}
 	l.logger.Debug("%s %s – respond HTTP %d", r.Method, r.URL.RequestURI(), rw.(negroni.ResponseWriter).Status())
 }
+
+func hashData(data []byte) ([]byte, error) {
+	hashed, err := bcrypt.GenerateFromPassword(data, bcrypt.DefaultCost)
+	if err != nil {
+		return nil, err
+	}
+	return hashed, nil
+}