[Bug fix] Prevent exposing API key secret in stdout logging (#270)

* remove Write-Verbose line

* use masking function in commands

* simplify masking function

OctopusDSC/DSCResources/cTentacleAgent/cTentacleAgent.psm1

@@ -1278,6 +1278,5 @@ function Register-Tentacle {
         $registerArguments += @("--tenanted-deployment-participation", $TenantedDeploymentParticipation)
     }
 
-    Write-Verbose "Registering with arguments: $registerArguments"
     Invoke-TentacleCommand $registerArguments
 }

OctopusDSC/OctopusDSCHelpers.ps1

@@ -153,46 +153,35 @@ Function Invoke-WithRetries {
     return $returnvalue
 }
 
-Function Get-MaskedOutput
-{
+function Get-MaskedOutput {
     [CmdletBinding()]
     param($arguments)
 
-    $reg = [System.Text.RegularExpressions.RegEx]::new("--masterkey|--password|--license",
-                [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
+    $singleAsterixArgs = "--masterkey|--license|--licence|--trust|--password|--remove-trust|--apikey|--pw|--pfx-password|--proxyPassword";
+    $connectionStringArgs = "--connectionstring";
 
-    if(($arguments -match "--masterkey|--password|--license"))
-    {
-        for($x=0;$x -lt $arguments.count; $x++)
-        {
-            if(($arguments[$x] -match "--masterkey|--password|--license|--trust|--remove-trust|--apikey|--password|--pw|--pfx-password|--proxyPassword"))
-            {
-                $arguments[$x+1] = $arguments[$x+1] -replace ".", "*"
-            }
+    # Scrub sensitive values
+    for($x=0; $x -lt $arguments.count; $x++) {
+        if($arguments[$x] -match $singleAsterixArgs) {
+            $arguments[$x+1] = "**********"
+        } elseif($arguments[$x] -match $connectionStringArgs) {
+            $arguments[$x+1] = $arguments[$x+1] -replace "(password|pwd)=[^;|`"]*", "`$1=********"
         }
-        $out = $arguments
-    }
-    elseif(($arguments -match "password|pwd"))
-    {
-        $out = $arguments -replace "(password|pwd)=[^;|`"]*", "`$1=********"
-    }
-    else
-    {
-        $out = @("************************")
     }
-    return $out
+    return $arguments
+}
+
+function Write-VerboseWithMaskedCommand ($cmdArgs) {
+    $copiedarguments = @() # hack to pass a copy of the array, not a reference
+    $copiedarguments += $cmdArgs
+    $maskedarguments = Get-MaskedOutput $copiedarguments
+    Write-Verbose "Executing command '$octopusServerExePath $($maskedarguments -join ' ')'"
 }
 
 function Invoke-OctopusServerCommand ($cmdArgs) {
-    # todo: fix this up
-    if ((($cmdArgs -match "masterkey|password|license|pwd=").Count -eq 0)) {
-        Write-Verbose "Executing command '$octopusServerExePath $($cmdArgs -join ' ')'"
-    } else {
-        $copiedarguments = @() # hack to pass a copy of the array, not a reference
-        $copiedarguments += $cmdArgs
-        $maskedarguments = Get-MaskedOutput $copiedarguments
-        Write-Verbose "Executing command '$octopusServerExePath $($maskedarguments -join ' ')'"
-    }
+
+    Write-VerboseWithMaskedCommand($cmdArgs);
+
     $LASTEXITCODE = 0
     $output = & $octopusServerExePath $cmdArgs 2>&1
 
@@ -210,15 +199,9 @@ function Test-TentacleExecutableExists {
 }
 
 function Invoke-TentacleCommand ($cmdArgs) {
-    # todo: fix this up
-    if ((($cmdArgs -match "masterkey|password|license|pwd=").Count -eq 0)) {
-        Write-Verbose "Executing command '$tentacleExePath $($cmdArgs -join ' ')'"
-    } else {
-        $copiedarguments = @() # hack to pass a copy of the array, not a reference
-        $copiedarguments += $cmdArgs
-        $maskedarguments = Get-MaskedOutput $copiedarguments
-        Write-Verbose "Executing command '$tentacleExePath $($maskedarguments -join ' ')'"
-    }
+
+    Write-VerboseWithMaskedCommand($cmdArgs);
+
     $LASTEXITCODE = 0
     $output = & $tentacleExePath $cmdArgs 2>&1