From 8a23376e307bffac2e51567cb3086efe84c3e4b7 Mon Sep 17 00:00:00 2001
From: Travis Glenn Hansen
Date: Wed, 20 Apr 2022 21:17:32 -0600
Subject: [PATCH] additional synology error codes, more robust redaction logic for secrets
Signed-off-by: Travis Glenn Hansen
---
 src/driver/controller-synology/http/index.js | 70 ++++++++++++--------
 1 file changed, 43 insertions(+), 27 deletions(-)
diff --git a/src/driver/controller-synology/http/index.js b/src/driver/controller-synology/http/index.js
index 5e71b69..dedd0f4 100644
--- a/src/driver/controller-synology/http/index.js
+++ b/src/driver/controller-synology/http/index.js
@@ -12,7 +12,12 @@ const __REGISTRY_NS__ = "SynologyHttpClient";
 SYNO_ERRORS = {
 400: {
 status: grpc.status.UNAUTHENTICATED,
- message: "Failed to authenticate to the Synology DSM",
+ message: "Failed to authenticate to the Synology DSM.",
+ },
+ 407: {
+ status: grpc.status.UNAUTHENTICATED,
+ message:
+ "IP has been blocked to the Synology DSM due to too many failed attempts.",
 },
 18990002: {
 status: grpc.status.RESOURCE_EXHAUSTED,
@@ -35,6 +40,10 @@ SYNO_ERRORS = {
 status: grpc.status.RESOURCE_EXHAUSTED,
 message: "The maximum number if iSCSI target has been reached.",
 },
+ 18990708: {
+ status: grpc.status.INVALID_ARGUMENT,
+ message: "Bad target auth info.",
+ },
 18990744: {
 status: grpc.status.ALREADY_EXISTS,
 message: "An iSCSI target with this name already exists.",
@@ -109,38 +118,45 @@ class SynologyHttpClient {
 let prop;
 let val;
- prop = "auth.username";
- val = _.get(options, prop, false);
- if (val) {
- _.set(options, prop, "redacted");
+ const cleansedBody = JSON.parse(JSON.stringify(body));
+ const cleansedOptions = JSON.parse(JSON.stringify(options));
+ // This function handles arrays and objects
+ function recursiveCleanse(obj) {
+ for (const k in obj) {
+ if (typeof obj[k] == "object" && obj[k] !== null) {
+ recursiveCleanse(obj[k]);
+ } else {
+ if (
+ [
+ "account",
+ "passwd",
+ "username",
+ "password",
+ "_sid",
+ "sid",
+ "Authorization",
+ "authorization",
+ "user",
+ "mutual_user",
+ "mutual_password",
+ ].includes(k)
+ ) {
+ obj[k] = "redacted";
+ }
+ }
+ }
 }
+ recursiveCleanse(cleansedBody);
+ recursiveCleanse(cleansedOptions);
- prop = "auth.password";
- val = _.get(options, prop, false);
- if (val) {
- _.set(options, prop, "redacted");
- }
+ delete cleansedOptions.httpAgent;
+ delete cleansedOptions.httpsAgent;
- prop = "headers.Authorization";
- val = _.get(options, prop, false);
- if (val) {
- _.set(options, prop, "redacted");
- }
-
- prop = "params._sid";
- val = _.get(options, prop, false);
- if (val) {
- _.set(options, prop, "redacted");
- }
-
- delete options.httpAgent;
- delete options.httpsAgent;
-
- this.logger.debug("SYNOLOGY HTTP REQUEST: " + stringify(options));
+ this.logger.debug("SYNOLOGY HTTP REQUEST: " + stringify(cleansedOptions));
 this.logger.debug("SYNOLOGY HTTP ERROR: " + error);
 this.logger.debug("SYNOLOGY HTTP STATUS: " + response.statusCode);
 this.logger.debug("SYNOLOGY HTTP HEADERS: " + stringify(response.headers));
- this.logger.debug("SYNOLOGY HTTP BODY: " + stringify(body));
+ this.logger.debug("SYNOLOGY HTTP BODY: " + stringify(cleansedBody));
 }
 async do_request(method, path, data = {}, options = {}) {
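Review bot: The deep copies at the top of the new block, `JSON.parse(JSON.stringify(body))` and `JSON.parse(JSON.stringify(options))`, can throw inside what is only a debug-logging path. `JSON.stringify(undefined)` yields `undefined`, which `JSON.parse` rejects, and `options` is serialized before `httpAgent`/`httpsAgent` are deleted, so an agent that holds sockets would presumably raise a circular-structure error. I would strip the agents first with `const { httpAgent, httpsAgent, ...loggable } = options;`, clone `loggable`, and guard the body with `body === undefined ? undefined : JSON.parse(JSON.stringify(body))`. Separately, `response.headers` and `error` are still logged without passing through `recursiveCleanse`, and the key list is an exact, case-sensitive match on leaf keys, so a session value carried in a cookie header or inside a URL or query string would not be redacted. The enclosing method starts above the hunk, so how `body` and `response` reach it is not visible here.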