From b1b899e87f0247a480ca7c07457218db461eaa54 Mon Sep 17 00:00:00 2001
From: Marco Pracucci
Date: Tue, 11 Dec 2018 15:47:25 +0100
Subject: [PATCH] Correctly mask the DSN in logs when the password is empty
---
 CHANGELOG.md | 2 ++
 prometheus_pgbouncer_exporter/config.py | 2 +-
 tests/test_config.py | 8 ++++++++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ca2231e..35fe7a7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,7 @@
 # Changelog
+- [BUGFIX] Correctly mask the DSN in logs when the password is empty
+
 ### 2.0.0 (2018-12-05)
 - [BREAKING CHANGE] Renamed `pgbouncer_stats_queries_total` to `pgbouncer_stats_requests_total` on pgbouncer <= 1.7
 - [FEATURE] Added pgbouncer >= 1.8 support [#8](https://github.com/spreaker/prometheus-pgbouncer-exporter/pull/8) (thanks to [bitglue](https://github.com/bitglue)), including the following new metrics:
diff --git a/prometheus_pgbouncer_exporter/config.py b/prometheus_pgbouncer_exporter/config.py
index 464cc3c..00dd71f 100644
--- a/prometheus_pgbouncer_exporter/config.py
+++ b/prometheus_pgbouncer_exporter/config.py
@@ -7,7 +7,7 @@ ENV_VAR_REPLACER_PATTERN = re.compile(r'\$\(([^\)]+)\)')
 # Define the regex used to mask the password in the DSN
-DSN_PASSWORD_MASK_PATTERN = re.compile(r'^(.*:)([^@]+)(@.*)$')
+DSN_PASSWORD_MASK_PATTERN = re.compile(r'^(.*:)([^@]*)(@.*)$')
 class Config():
diff --git a/tests/test_config.py b/tests/test_config.py
index 719af79..51c8baf 100644
--- a/tests/test_config.py
+++ b/tests/test_config.py
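Review bot: The first group `(.*:)` of `DSN_PASSWORD_MASK_PATTERN` in prometheus_pgbouncer_exporter/config.py is greedy, so when the password itself contains a colon the match settles on the last colon before the `@` and the part of the password before that colon is logged unmasked. A literal `@` in the password has a similar effect, because `([^@]*)` stops at the first `@` and the rest of the password ends up in the third group. Pinning the first group to the scheme and user name and letting the password run to the last `@` covers both cases, for example `re.compile(r'^([^:]*://[^:@]*:)(.*)(@[^@]*)$')`; where this pattern is wrong it masks too much rather than too little. That suggestion assumes DSNs are always given in URI form, which the hunk does not show.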
@@ -153,6 +153,14 @@ def testValidateShouldPassOnTwoPgbouncersWithDifferentExtraLabels(self):
 class TestPgbouncerConfig(unittest.TestCase):
+ def testGetDsnWithMaskedPasswordShouldReturnDsnWithThreeAsterisksInsteadOfThePassword(self):
+ config = PgbouncerConfig({"dsn": "postgresql://pgbouncer:secret@localhost:6431/pgbouncer"})
+ self.assertEqual(config.getDsnWithMaskedPassword(), "postgresql://pgbouncer:***@localhost:6431/pgbouncer")
+
+ def testGetDsnWithMaskedPasswordShouldWorkEvenIfThePasswordIsEmpty(self):
+ config = PgbouncerConfig({"dsn": "postgresql://pgbouncer:@localhost:6431/pgbouncer"})
+ self.assertEqual(config.getDsnWithMaskedPassword(), "postgresql://pgbouncer:***@localhost:6431/pgbouncer")
+
 def testValidateShouldPassOnConfigContainingOnlyDsn(self):
 config = PgbouncerConfig({"dsn": "postgresql://"})
 config.validate()
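Review bot: Both new tests in `TestPgbouncerConfig` use a URI-form DSN that the mask pattern matches, so nothing pins what `getDsnWithMaskedPassword()` returns when the pattern does not match. That method is outside this diff; if it falls back to the raw DSN, and if the exporter also accepts libpq keyword/value DSNs, a string carrying `password=` would reach the log as written. A further test with a constructed DSN such as `"host=localhost port=6431 user=pgbouncer password=secret"` and the assertion `self.assertNotIn("secret", config.getDsnWithMaskedPassword())` would document the intended behaviour for that form.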