authorShaun Verch <shaun.verch@mongodb.com>2014-04-17 14:52:00 -0400
committerShaun Verch <shaun.verch@mongodb.com>2014-04-17 17:00:59 -0400
commit44da20890f6af02ba766ca14991bbb072395a7ef (patch)
treef6496a2da0612fc4a8c13a1039564a5c633c947a
parentb54e00ff344823cab5133142e38ec1f100728e1c (diff)
downloadmongo-44da20890f6af02ba766ca14991bbb072395a7ef.tar.gz
SERVER-13644 Fix command line censorship
-rw-r--r--jstests/ssl/ssl_options.js35
-rw-r--r--src/mongo/util/cmdline_utils/censor_cmdline.cpp19
2 files changed, 50 insertions, 4 deletions
diff --git a/jstests/ssl/ssl_options.js b/jstests/ssl/ssl_options.js
new file mode 100644
index 00000000000..f4dcb4d4d47
--- /dev/null
+++ b/jstests/ssl/ssl_options.js
@@ -0,0 +1,35 @@
+var baseName = "jstests_ssl_ssl_options";
+
+jsTest.log("Testing censorship of ssl options");
+
+var mongodConfig = { sslPEMKeyFile : "jstests/libs/password_protected.pem",
+ sslMode : "requireSSL",
+ sslPEMKeyPassword : "qwerty",
+ sslClusterPassword : "qwerty" };
+var mongodSource = MongoRunner.runMongod(mongodConfig);
+
+var getCmdLineOptsResult = mongodSource.adminCommand("getCmdLineOpts");
+
+var i;
+var isPassword = false;
+for (i = 0; i < getCmdLineOptsResult.argv.length; i++) {
+ if (isPassword) {
+ assert.eq(getCmdLineOptsResult.argv[i], "<password>",
+ "Password not properly censored: " + tojson(getCmdLineOptsResult));
+ isPassword = false;
+ continue;
+ }
+
+ if (getCmdLineOptsResult.argv[i] === "--sslPEMKeyPassword" ||
+ getCmdLineOptsResult.argv[i] === "--sslClusterPassword") {
+ isPassword = true;
+ }
+}
+assert.eq(getCmdLineOptsResult.parsed.net.ssl.PEMKeyPassword, "<password>",
+ "Password not properly censored: " + tojson(getCmdLineOptsResult));
+assert.eq(getCmdLineOptsResult.parsed.net.ssl.clusterPassword, "<password>",
+ "Password not properly censored: " + tojson(getCmdLineOptsResult));
+
+MongoRunner.stopMongod(mongodSource.port);
+
+print(baseName + " succeeded.");
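Review bot: The argv loop can pass without checking anything: if neither `--sslPEMKeyPassword` nor `--sslClusterPassword` appears in `getCmdLineOptsResult.argv` as its own element, `isPassword` never becomes true and no assertion runs. Count the matches with `var passwordsSeen = 0;`, increment it where `isPassword = true` is set, and finish with `assert.eq(passwordsSeen, 2, "expected both password switches in argv");`. The test also covers only the `--name value` spelling. The single-dash prefix that `_isPasswordSwitch` appears to accept, and `servicePassword`, are not exercised, so a regression there would go unnoticed.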
diff --git a/src/mongo/util/cmdline_utils/censor_cmdline.cpp b/src/mongo/util/cmdline_utils/censor_cmdline.cpp
index e50b7018c99..ae51d536be4 100644
--- a/src/mongo/util/cmdline_utils/censor_cmdline.cpp
+++ b/src/mongo/util/cmdline_utils/censor_cmdline.cpp
@@ -41,9 +41,9 @@ namespace mongo {
static bool _isPasswordArgument(const char* argumentName) {
static const char* const passwordArguments[] = {
- "sslPEMKeyPassword",
- "ssl.PEMKeyPassword",
- "servicePassword",
+ "net.ssl.PEMKeyPassword",
+ "net.ssl.clusterPassword",
+ "processManagement.windowsService.servicePassword",
NULL // Last entry sentinel.
};
for (const char* const* current = passwordArguments; *current; ++current) {
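Review bot: The secret option names now live in two hand-maintained tables with nothing tying them together: the dotted keys in `passwordArguments` here, and the switch spellings in `passwordSwitches` added in the `_isPasswordSwitch` hunks at -54 and -61. A password option added to one table but not the other would presumably be masked in one part of the getCmdLineOpts output and shown in clear in the other. I would add a comment above each table, for example `// Dotted keys of the parsed options; keep in sync with passwordSwitches in _isPasswordSwitch.` The loop body of `_isPasswordArgument` continues outside the hunk.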
@@ -54,6 +54,13 @@ namespace mongo {
}
static bool _isPasswordSwitch(const char* switchName) {
+ static const char* const passwordSwitches[] = {
+ "sslPEMKeyPassword",
+ "sslClusterPassword",
+ "servicePassword",
+ NULL // Last entry sentinel.
+ };
+
if (switchName[0] != '-')
return false;
size_t i = 1;
@@ -61,7 +68,11 @@ namespace mongo {
i = 2;
switchName += i;
- return _isPasswordArgument(switchName);
+ for (const char* const* current = passwordSwitches; *current; ++current) {
+ if (mongoutils::str::equals(switchName, *current))
+ return true;
+ }
+ return false;
}
static void _redact(char* arg) {
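Review bot: The sentinel-terminated scan added at the end of `_isPasswordSwitch` repeats the loop that `_isPasswordArgument` runs over its own table, so the two matchers can drift apart in how they compare names. In redaction code such a divergence means a secret masked on one path and left readable on the other, so I would move the scan into one file-local helper that takes the table and have both functions call it. The body of `_isPasswordArgument`'s loop is outside the visible hunks, so this assumes it also compares with `mongoutils::str::equals`. The start of `_isPasswordSwitch` is in the previous hunk.

```cpp
static bool _isInNameTable(const char* name, const char* const* table) {
    for (const char* const* current = table; *current; ++current) {
        if (mongoutils::str::equals(name, *current))
            return true;
    }
    return false;
}

// … unchanged: passwordSwitches table and leading-dash stripping in _isPasswordSwitch …
        switchName += i;

        return _isInNameTable(switchName, passwordSwitches);
```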