

fix: redact secrets when logging requests/responses
This commit introduces a number of changes:
1. A new RedactSecrets(string) function that will recognize a
few different patterns re: secrets and redact things like passwords,
access tokens, api keys, etc.

2. Debug logging of requests and responses was added to the
IAM and CP4D authenticators

3. The IAM and CP4D authenticator tests were instrumented to make
it easy to enable debug logging while running the tests to facilitate
debugging and problem diagnosis.

4. All components that perform debug logging of requests and responses
will now use the new RedactSecrets function to sanitize the logged messages.
padamstx committed Oct 25, 2021
1 parent a2ce9d8 commit 8693f6a
Showing 9 changed files with 206 additions and 48 deletions.
76 changes: 43 additions & 33 deletions .secrets.baseline
Expand Up @@ -3,7 +3,7 @@
"files": "package-lock.json|go.sum|^.secrets.baseline$",
"lines": null
},
"generated_at": "2021-08-03T22:01:08Z",
"generated_at": "2021-10-23T22:14:07Z",
"plugins_used": [
{
"name": "AWSKeyDetector"
Expand Down Expand Up @@ -96,7 +96,7 @@
"hashed_secret": "bc2f74c22f98f7b6ffbc2f67453dbfa99bce9a32",
"is_secret": false,
"is_verified": false,
"line_number": 519,
"line_number": 554,
"type": "Secret Keyword",
"verified_result": null
}
Expand All @@ -106,47 +106,47 @@
"hashed_secret": "1f5e25be9b575e9f5d39c82dfd1d9f4d73f1975c",
"is_secret": false,
"is_verified": false,
"line_number": 1116,
"line_number": 1161,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "84ba4ce8a59ed2d6e90726d57cdc4a927d3672b2",
"is_secret": false,
"is_verified": false,
"line_number": 1353,
"line_number": 1398,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "62cdb7020ff920e5aa642c3d4066950dd1f01f4d",
"is_secret": false,
"is_verified": false,
"line_number": 1396,
"line_number": 1441,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "ec7ec9d8ff520250fd5ca955c6474c6d70022407",
"is_secret": false,
"is_verified": false,
"line_number": 1404,
"line_number": 1449,
"type": "JSON Web Token",
"verified_result": null
},
{
"hashed_secret": "40ce4379f5763c05b71c88f9a371809fdbce6a21",
"is_secret": false,
"is_verified": false,
"line_number": 1498,
"line_number": 1543,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "9addbf544119efa4a64223b649750a510f0d463f",
"is_secret": false,
"is_verified": false,
"line_number": 1524,
"line_number": 1569,
"type": "Secret Keyword",
"verified_result": null
}
Expand Down Expand Up @@ -248,15 +248,15 @@
"hashed_secret": "fed915afaba64ebcdfeb805d59ea09a33275c423",
"is_secret": false,
"is_verified": false,
"line_number": 159,
"line_number": 157,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "c1bd026029d704c1543f56c9b0817395bec76165",
"is_secret": false,
"is_verified": false,
"line_number": 163,
"line_number": 161,
"type": "Secret Keyword",
"verified_result": null
}
Expand Down Expand Up @@ -354,23 +354,23 @@
"hashed_secret": "f75b33f87ffeacb3a4f793a09693e672e07449ff",
"is_secret": false,
"is_verified": false,
"line_number": 100,
"line_number": 101,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "84ed7427f222c7a1f43567e1bb3058365a81bbcb",
"is_secret": false,
"is_verified": false,
"line_number": 266,
"line_number": 267,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "d4a9d12d425a0edaf333f49c6004b6d417eeb87b",
"is_secret": false,
"is_verified": false,
"line_number": 267,
"line_number": 268,
"type": "Secret Keyword",
"verified_result": null
}
Expand All @@ -380,71 +380,71 @@
"hashed_secret": "ec7ec9d8ff520250fd5ca955c6474c6d70022407",
"is_secret": false,
"is_verified": false,
"line_number": 39,
"line_number": 42,
"type": "JSON Web Token",
"verified_result": null
},
{
"hashed_secret": "f624446964a455348d97335a75468555c4375a8d",
"is_secret": false,
"is_verified": false,
"line_number": 41,
"line_number": 44,
"type": "JSON Web Token",
"verified_result": null
},
{
"hashed_secret": "576e3a0ad157f3cf3c6c64dd574c6d86ebe09210",
"is_secret": false,
"is_verified": false,
"line_number": 47,
"line_number": 50,
"type": "JSON Web Token",
"verified_result": null
},
{
"hashed_secret": "2e43f72bbea78272c019fb7f4abd2529e3c8ef43",
"is_secret": false,
"is_verified": false,
"line_number": 49,
"line_number": 52,
"type": "JSON Web Token",
"verified_result": null
},
{
"hashed_secret": "b94e9f3d7e001981b2dd49f2a70822a8ac8f3e68",
"is_secret": false,
"is_verified": false,
"line_number": 352,
"line_number": 369,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "10db2b8939e12fa3259bf89a63eab34ee3c281b2",
"is_secret": false,
"is_verified": false,
"line_number": 572,
"line_number": 599,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "84ba4ce8a59ed2d6e90726d57cdc4a927d3672b2",
"is_secret": false,
"is_verified": false,
"line_number": 615,
"line_number": 642,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "4080eeeaf54faf879b9e8d99c49a8503f7e855bb",
"is_secret": false,
"is_verified": false,
"line_number": 630,
"line_number": 657,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "32e8612d8ca77c7ea8374aa7918db8e5df9252ed",
"is_secret": false,
"is_verified": false,
"line_number": 745,
"line_number": 776,
"type": "Secret Keyword",
"verified_result": null
}
Expand All @@ -464,31 +464,31 @@
"hashed_secret": "7a5d27bcb7a1e98b6e1bfca4df223ed578a47283",
"is_secret": false,
"is_verified": false,
"line_number": 88,
"line_number": 89,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "c2df5d3d760ff42f33fb38e2534d4c1b7ddde3ab",
"is_secret": false,
"is_verified": false,
"line_number": 88,
"line_number": 89,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "f75b33f87ffeacb3a4f793a09693e672e07449ff",
"is_secret": false,
"is_verified": false,
"line_number": 95,
"line_number": 96,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "7ea6be9eecb6605329a1b1870c2fd2af9b896991",
"is_secret": false,
"is_verified": false,
"line_number": 98,
"line_number": 99,
"type": "Secret Keyword",
"verified_result": null
}
Expand All @@ -498,47 +498,47 @@
"hashed_secret": "c8f0df25bade89c1873f5f01b85bcfb921443ac6",
"is_secret": false,
"is_verified": false,
"line_number": 30,
"line_number": 33,
"type": "JSON Web Token",
"verified_result": null
},
{
"hashed_secret": "42de4dc186286dbdc2381b3e09a054f96e1995bc",
"is_secret": false,
"is_verified": false,
"line_number": 563,
"line_number": 589,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "1f5e25be9b575e9f5d39c82dfd1d9f4d73f1975c",
"is_secret": false,
"is_verified": false,
"line_number": 704,
"line_number": 734,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "333f0f8814d63e7268f80e1e65e7549137d2350c",
"is_secret": false,
"is_verified": false,
"line_number": 718,
"line_number": 748,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "84ba4ce8a59ed2d6e90726d57cdc4a927d3672b2",
"is_secret": false,
"is_verified": false,
"line_number": 721,
"line_number": 751,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "32e8612d8ca77c7ea8374aa7918db8e5df9252ed",
"is_secret": false,
"is_verified": false,
"line_number": 740,
"line_number": 770,
"type": "Secret Keyword",
"verified_result": null
}
Expand Down Expand Up @@ -577,6 +577,16 @@
"verified_result": null
}
],
"v5/core/utils_test.go": [
{
"hashed_secret": "0266262f439c732a31b9353ced05c9e777a07c54",
"is_secret": false,
"is_verified": false,
"line_number": 599,
"type": "Secret Keyword",
"verified_result": null
}
],
"v5/resources/ibm-credentials.env": [
{
"hashed_secret": "62cdb7020ff920e5aa642c3d4066950dd1f01f4d",
Expand Down Expand Up @@ -712,7 +722,7 @@
}
]
},
"version": "0.13.1+ibm.40.dss",
"version": "0.13.1+ibm.46.dss",
"word_list": {
"file": null,
"hash": null
9 changes: 6 additions & 3 deletions v5/core/base_service.go
Expand Up @@ -342,7 +342,7 @@ func (service *BaseService) Request(req *http.Request, result interface{}) (deta
if GetLogger().IsLogLevelEnabled(LevelDebug) {
buf, dumpErr := httputil.DumpRequestOut(req, req.Body != nil)
if dumpErr == nil {
GetLogger().Debug("Request:\n%s\n", string(buf))
GetLogger().Debug("Request:\n%s\n", RedactSecrets(string(buf)))
} else {
GetLogger().Debug("error while attempting to log outbound request: %s", dumpErr.Error())
}
Expand Down Expand Up @@ -378,7 +378,7 @@ func (service *BaseService) Request(req *http.Request, result interface{}) (deta
if GetLogger().IsLogLevelEnabled(LevelDebug) {
buf, dumpErr := httputil.DumpResponse(httpResponse, httpResponse.Body != nil)
if err == nil {
GetLogger().Debug("Response:\n%s\n", string(buf))
GetLogger().Debug("Response:\n%s\n", RedactSecrets(string(buf)))
} else {
GetLogger().Debug("error while attempting to log inbound response: %s", dumpErr.Error())
}
Expand Down Expand Up @@ -609,7 +609,10 @@ type httpLogger struct {
}

func (l *httpLogger) Printf(format string, inserts ...interface{}) {
GetLogger().Log(LevelDebug, format, inserts...)
if GetLogger().IsLogLevelEnabled(LevelDebug) {
msg := fmt.Sprintf(format, inserts...)
GetLogger().Log(LevelDebug, RedactSecrets(msg))
}
}

// NewRetryableHTTPClient returns a new instance of go-retryablehttp.Client
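Review bot: In the new `Printf` body (hunk at -609,7 +609,10) the already-formatted, redacted message is passed to `GetLogger().Log` in the format-string position, so any `%` in the dumped text (URL-encoded form bodies, percent signs inside a header value) is reinterpreted as a verb and surfaces as `%!(NOVERB)`-style noise; the removed line shows `Log` takes `(level, format, inserts...)`, so pass the message as an argument instead: `GetLogger().Log(LevelDebug, "%s", RedactSecrets(msg))`. The response hunk above (-378,7 +378,7) still gates the debug line on `err == nil` rather than `dumpErr == nil`, so a failed `DumpResponse` logs an empty buffer and the `dumpErr` branch is unreachable; it is a context line, but the request hunk in the same function already uses `dumpErr == nil`, and aligning the two would make the new redacted logging behave as intended. Both enclosing functions start and end outside these hunks.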
8 changes: 4 additions & 4 deletions v5/core/container_authenticator.go
Expand Up @@ -92,8 +92,8 @@ type ContainerAuthenticator struct {
}

const (
defaultCRTokenFilename = "/var/run/secrets/tokens/vault-token" // #nosec G101
iamGrantTypeCRToken = "urn:ibm:params:oauth:grant-type:cr-token" // #nosec G101
defaultCRTokenFilename = "/var/run/secrets/tokens/vault-token" // #nosec G101
iamGrantTypeCRToken = "urn:ibm:params:oauth:grant-type:cr-token" // #nosec G101
)

var craRequestTokenMutex sync.Mutex
Expand Down Expand Up @@ -415,7 +415,7 @@ func (authenticator *ContainerAuthenticator) RequestToken() (*IamTokenServerResp
if GetLogger().IsLogLevelEnabled(LevelDebug) {
buf, dumpErr := httputil.DumpRequestOut(req, req.Body != nil)
if dumpErr == nil {
GetLogger().Debug("Request:\n%s\n", string(buf))
GetLogger().Debug("Request:\n%s\n", RedactSecrets(string(buf)))
} else {
GetLogger().Debug(fmt.Sprintf("error while attempting to log outbound request: %s", dumpErr.Error()))
}
Expand All @@ -432,7 +432,7 @@ func (authenticator *ContainerAuthenticator) RequestToken() (*IamTokenServerResp
if GetLogger().IsLogLevelEnabled(LevelDebug) {
buf, dumpErr := httputil.DumpResponse(resp, req.Body != nil)
if dumpErr == nil {
GetLogger().Debug("Response:\n%s\n", string(buf))
GetLogger().Debug("Response:\n%s\n", RedactSecrets(string(buf)))
} else {
GetLogger().Debug(fmt.Sprintf("error while attempting to log inbound response: %s", dumpErr.Error()))
}
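Review bot: In the response hunk (-432,7 +432,7) `httputil.DumpResponse(resp, req.Body != nil)` decides whether to include the response body by inspecting the request's body rather than the response's; `base_service.go` in this same commit uses `httpResponse.Body != nil` for the equivalent dump, so `resp.Body != nil` would make the two consistent instead of relying on the token request happening to carry a body. Redacting the dumped IAM token response only helps if `RedactSecrets` matches the JSON fields that response presumably carries (`access_token`, `refresh_token`); the function's patterns are not in this section, so a unit test that feeds a sample token-server response through `RedactSecrets` and asserts the token values are absent from the output would pin that down. `RequestToken` starts and ends outside these hunks.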