From 1e53b21697cc7d033174ace02f8df33ec385e7bc Mon Sep 17 00:00:00 2001 From: Alex Kubacki Date: Sat, 28 Feb 2026 12:42:03 -0700 Subject: [PATCH 1/6] STaRt over --- lib/aptible/cli.rb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/aptible/cli.rb b/lib/aptible/cli.rb index 56757ac5..68fd8c56 100644 --- a/lib/aptible/cli.rb +++ b/lib/aptible/cli.rb @@ -7,6 +7,11 @@ require 'aptible/cli/renderer' require 'aptible/cli/resource_formatter' +# Set no_sensitive_extras=true as the default for all API resources. +# This avoids returning sensitive embedded data unless explicitly requested. +Aptible::Api::Resource.headers = + { 'Prefer' => 'no_sensitive_extras=true' } + module Aptible module CLI class TtyLogFormatter From b7cb1bed9ee23916c9b7ae3caf83218c7fe34852 Mon Sep 17 00:00:00 2001 From: Alex Kubacki Date: Sat, 28 Feb 2026 14:23:06 -0700 Subject: [PATCH 2/6] Bump --- Gemfile.lock | 2 +- lib/aptible/cli/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index b2179b8e..0463a2f8 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ PATH remote: . specs: - aptible-cli (0.26.3) + aptible-cli (0.26.4) activesupport (>= 4.0, < 6.0) aptible-api (~> 1.12) aptible-auth (~> 1.4) diff --git a/lib/aptible/cli/version.rb b/lib/aptible/cli/version.rb index e8cef53e..7e0021f6 100644 --- a/lib/aptible/cli/version.rb +++ b/lib/aptible/cli/version.rb @@ -1,5 +1,5 @@ module Aptible module CLI - VERSION = '0.26.3'.freeze + VERSION = '0.26.4'.freeze end end From c735f2c9abe0d59424f1ca795ccfdd48ec3580ea Mon Sep 17 00:00:00 2001 From: Alex Kubacki Date: Sat, 28 Feb 2026 23:03:22 -0700 Subject: [PATCH 3/6] Load sensitive database paramenters when we need creds --- lib/aptible/cli.rb | 5 +++++ lib/aptible/cli/agent.rb | 11 +++++++---- lib/aptible/cli/helpers/database.rb | 9 +-------- lib/aptible/cli/subcommands/db.rb | 3 +++ 4 files changed, 16 insertions(+), 12 deletions(-) diff --git a/lib/aptible/cli.rb b/lib/aptible/cli.rb index 68fd8c56..e9683c49 100644 --- a/lib/aptible/cli.rb +++ b/lib/aptible/cli.rb @@ -12,6 +12,11 @@ Aptible::Api::Resource.headers = { 'Prefer' => 'no_sensitive_extras=true' } +def with_sensitive(resource) + resource.headers['Prefer'] = 'no_sensitive_extras=false' + resource.find_by_url(resource.href) +end + module Aptible module CLI class TtyLogFormatter diff --git a/lib/aptible/cli/agent.rb b/lib/aptible/cli/agent.rb index 6bc1ff2f..8af664c9 100644 --- a/lib/aptible/cli/agent.rb +++ b/lib/aptible/cli/agent.rb @@ -92,10 +92,13 @@ def initialize(*) level = Logger::WARN debug_level = ENV['APTIBLE_DEBUG'] level = debug_level if debug_level - require 'httplog' if ENV['BUNDLER_VERSION'] && \ - ENV['APTIBLE_LOG_HTTP_REQUEST_RESPONSE'] && \ - !ENV['APTIBLE_LOG_HTTP_REQUEST_RESPONSE'] \ - .downcase.start_with?('f') + if ENV['BUNDLER_VERSION'] && \ + ENV['APTIBLE_LOG_HTTP_REQUEST_RESPONSE'] && \ + !ENV['APTIBLE_LOG_HTTP_REQUEST_RESPONSE'] \ + .downcase.start_with?('f') + require 'httplog' + HttpLog.configure { |c| c.log_headers = true } + end conf.logger.tap { |l| l.level = level } end warn_sso_enforcement diff --git a/lib/aptible/cli/helpers/database.rb b/lib/aptible/cli/helpers/database.rb index 0b79269f..45d6562f 100644 --- a/lib/aptible/cli/helpers/database.rb +++ b/lib/aptible/cli/helpers/database.rb @@ -322,14 +322,6 @@ def find_credential(database, type = nil) types = database.database_credentials.map(&:type) - # On v1, we fallback to the DB. We make sure to make --type work, to - # avoid a confusing experience for customers. - if database.account.stack.version == 'v1' - types << database.type - types.uniq! - return database if type.nil? || type == database.type - end - valid = types.join(', ') err = 'No default credential for database' @@ -365,6 +357,7 @@ def validate_image_type(type) end def render_database(database, account) + database = with_sensitive(database) Formatter.render(Renderer.current) do |root| root.keyed_object('connection_url') do |node| ResourceFormatter.inject_database(node, database, account) diff --git a/lib/aptible/cli/subcommands/db.rb b/lib/aptible/cli/subcommands/db.rb index 8656ebb9..8778f083 100644 --- a/lib/aptible/cli/subcommands/db.rb +++ b/lib/aptible/cli/subcommands/db.rb @@ -335,6 +335,7 @@ def self.included(thor) return use_rds_tunnel(handle, desired_port) if aws_rds_db?(handle) database = ensure_database(options.merge(db: handle)) + database = with_sensitive(database) credential = find_credential(database, options[:type]) m = "Creating #{credential.type} tunnel to #{database.handle}..." @@ -481,6 +482,8 @@ def self.included(thor) telemetry(__method__, options.merge(handle: handle)) database = ensure_database(options.merge(db: handle)) + database = with_sensitive(database) + credential = find_credential(database, options[:type]) Formatter.render(Renderer.current) do |root| From 372b603ebc8afc95bc5031b8b14ecc7b2ef0c29f Mon Sep 17 00:00:00 2001 From: Alex Kubacki Date: Sat, 28 Feb 2026 23:35:55 -0700 Subject: [PATCH 4/6] Better location --- lib/aptible/cli/helpers/database.rb | 3 +++ lib/aptible/cli/subcommands/db.rb | 2 -- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/aptible/cli/helpers/database.rb b/lib/aptible/cli/helpers/database.rb index 45d6562f..84eae2ea 100644 --- a/lib/aptible/cli/helpers/database.rb +++ b/lib/aptible/cli/helpers/database.rb @@ -314,6 +314,9 @@ def find_credential(database, type = nil) raise Thor::Error, "Database #{database.handle} is not provisioned" end + # Reload with senstive data + database = with_sensitive(database) + finder = proc { |c| c.default } finder = proc { |c| c.type == type } if type credential = database.database_credentials.find(&finder) diff --git a/lib/aptible/cli/subcommands/db.rb b/lib/aptible/cli/subcommands/db.rb index 8778f083..92efc44a 100644 --- a/lib/aptible/cli/subcommands/db.rb +++ b/lib/aptible/cli/subcommands/db.rb @@ -335,7 +335,6 @@ def self.included(thor) return use_rds_tunnel(handle, desired_port) if aws_rds_db?(handle) database = ensure_database(options.merge(db: handle)) - database = with_sensitive(database) credential = find_credential(database, options[:type]) m = "Creating #{credential.type} tunnel to #{database.handle}..." @@ -482,7 +481,6 @@ def self.included(thor) telemetry(__method__, options.merge(handle: handle)) database = ensure_database(options.merge(db: handle)) - database = with_sensitive(database) credential = find_credential(database, options[:type]) From c9ae303af47e2315c2ccf8858479f21ea33475c1 Mon Sep 17 00:00:00 2001 From: Alex Kubacki Date: Sun, 1 Mar 2026 00:00:12 -0700 Subject: [PATCH 5/6] More fixes --- lib/aptible/cli/helpers/log_drain.rb | 3 ++- lib/aptible/cli/helpers/metric_drain.rb | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/aptible/cli/helpers/log_drain.rb b/lib/aptible/cli/helpers/log_drain.rb index 62c636f5..57506b35 100644 --- a/lib/aptible/cli/helpers/log_drain.rb +++ b/lib/aptible/cli/helpers/log_drain.rb @@ -65,7 +65,8 @@ def ensure_url(options, url_format_msg: nil) end def ensure_log_drain(account, handle) - drains = account.reload.log_drains.select { |d| d.handle == handle } + account = with_sensitive(account) + drains = account.log_drains.select { |d| d.handle == handle } if drains.empty? raise Thor::Error, "No drain found with handle #{handle}" diff --git a/lib/aptible/cli/helpers/metric_drain.rb b/lib/aptible/cli/helpers/metric_drain.rb index 9cd8e4c6..3799f327 100644 --- a/lib/aptible/cli/helpers/metric_drain.rb +++ b/lib/aptible/cli/helpers/metric_drain.rb @@ -19,6 +19,7 @@ def create_metric_drain(account, drain_opts) end def ensure_metric_drain(account, handle) + account = with_sensitive(account) drains = account.metric_drains.select { |d| d.handle == handle } if drains.empty? From b31c544e4c642038e16f5770d34234185de3aa5f Mon Sep 17 00:00:00 2001 From: Alex Kubacki Date: Sun, 1 Mar 2026 16:40:54 -0700 Subject: [PATCH 6/6] One time --- lib/aptible/cli/helpers/database.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/aptible/cli/helpers/database.rb b/lib/aptible/cli/helpers/database.rb index 84eae2ea..2830c103 100644 --- a/lib/aptible/cli/helpers/database.rb +++ b/lib/aptible/cli/helpers/database.rb @@ -314,8 +314,8 @@ def find_credential(database, type = nil) raise Thor::Error, "Database #{database.handle} is not provisioned" end - # Reload with senstive data - database = with_sensitive(database) + # Maybe reload with senstive data + database = with_sensitive(database) if database.objects[:database_credentials].nil? finder = proc { |c| c.default } finder = proc { |c| c.type == type } if type @@ -360,7 +360,8 @@ def validate_image_type(type) end def render_database(database, account) - database = with_sensitive(database) + # Maybe reload with senstive data + database = with_sensitive(database) if database.connection_url.nil? Formatter.render(Renderer.current) do |root| root.keyed_object('connection_url') do |node| ResourceFormatter.inject_database(node, database, account)