fix: user/pass in redis URI support (#305)

This changes the code to only override/set username and pass if they are
explicitly set, otherwise leaving the `opts` unmodified.

I also updated the log line to ensure that credentials are not logged in
plaintext during the info log statement.

Fixes #304

Signed-off-by: Micah Nagel <micah.nagel@defenseunicorns.com>

Author: mjnagel

internal/oidc/redis.go

@@ -72,8 +72,12 @@ func NewRedisClient(config *oidc.RedisConfig) (redis.Cmdable, error) {
 	if err != nil {
 		return nil, fmt.Errorf("parsing redis URL: %w", err)
 	}
-	opts.Username = config.GetUsername()
-	opts.Password = config.GetPassword()
+	if username := config.GetUsername(); username != "" {
+		opts.Username = username
+	}
+	if password := config.GetPassword(); password != "" {
+		opts.Password = password
+	}
 
 	log.Info("connecting to redis",
 		"addr", opts.Addr,

internal/oidc/redis_test.go

@@ -69,6 +69,17 @@ func TestRedisAuth(t *testing.T) {
 		_, err = NewRedisStore(&Clock{}, client, 0, 1*time.Minute)
 		require.NoError(t, err)
 	})
+
+	t.Run("credentials-in-url", func(t *testing.T) {
+		// Test credentials in URL (the fix for issue #304)
+		client, err := NewRedisClient(&oidc.RedisConfig{
+			ServerUri: "redis://redis-user:redis-pass@" + mr.Addr(),
+		})
+		require.NoError(t, err)
+
+		_, err = NewRedisStore(&Clock{}, client, 0, 1*time.Minute)
+		require.NoError(t, err)
+	})
 }
 
 func TestRedisTLS(t *testing.T) {

internal/oidc/session.go

@@ -26,6 +26,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/redis/go-redis/v9"
 	"github.com/tetratelabs/run"
 	"github.com/tetratelabs/telemetry"
 	"golang.org/x/oauth2"
@@ -129,10 +130,19 @@ func (s *sessionStoreFactory) PreRun() error {
 // loadRedisConfig loads the Redis configuration from the OIDCConfig and initializes or updates
 // the Redis session store.
 func (s *sessionStoreFactory) loadRedisConfig(cfg *oidcv1.OIDCConfig) error {
-	s.log.Info("configuring redis session store",
-		"redis-url", cfg.GetRedisSessionStoreConfig().GetServerUri(),
-		"client-id", cfg.GetClientId(),
-	)
+	// Parse the Redis URL to extract host and port for logging (without credentials)
+	parseOpts, parseErr := redis.ParseURL(cfg.GetRedisSessionStoreConfig().GetServerUri())
+	if parseErr == nil {
+		s.log.Info("configuring redis session store",
+			"redis-url", parseOpts.Addr,
+			"client-id", cfg.GetClientId(),
+		)
+	} else {
+		// If URL parsing fails, log without the URL
+		s.log.Info("configuring redis session store",
+			"client-id", cfg.GetClientId(),
+		)
+	}
 	client, err := NewRedisClient(cfg.GetRedisSessionStoreConfig())
 	if err != nil {
 		return err