Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Encrypt logged HTTP secret header values. #1250

Merged
merged 2 commits into from
Dec 7, 2021
Merged

Encrypt logged HTTP secret header values. #1250

merged 2 commits into from
Dec 7, 2021

Conversation

benashz
Copy link
Contributor

@benashz benashz commented Dec 7, 2021
edited
Loading

When Terraform is executed with TF_LOG=debug all HTTP requests to Vault are logged in clear text. With the recently merged #775 it is possible that a long lived "non-batch" authentication token might be revealed. This PR adds support logging the HMAC'd header value for X-Vault-Token

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Relates #1040

Release note for CHANGELOG:

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'

...

@github-actions github-actions bot added the size/M label Dec 7, 2021
calvn
calvn reviewed Dec 7, 2021
View reviewed changes
Copy link
Contributor

@calvn calvn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that this is very similar to the RoundTrip code in the SDK but with the additional HMAC'ing logic, LGTM!

@benashz benashz added this to the 3.1.0 milestone Dec 7, 2021
@benashz benashz merged commit 2872e39 into main Dec 7, 2021
@benashz
Copy link
Contributor Author

benashz commented Dec 7, 2021
edited
Loading

Request log lines now look like:

-----------------------------------------------------
2021/12/06 20:06:41 [DEBUG] Vault API Request Details:
---[ REQUEST ]---------------------------------------
GET /v1/auth/token/lookup-self HTTP/1.1
Host: localhost:8200
User-Agent: Go-http-client/1.1
X-Vault-Request: true
X-Vault-Token: hmac-sha256:5c02513df6132c3ad5e40008b38ee5e2f56946e4e2119f0ecbbf93d4048ba3eb
Accept-Encoding: gzip

@benashz benashz deleted the hmac-logged-header-values branch December 7, 2021 01:18
@benashz benashz mentioned this pull request Dec 7, 2021
Closed
benashz added a commit that referenced this pull request Dec 7, 2021
@benashz
Update skip_child_token docs.
aa180b9 
Since #1250, we no longer need to mention the possible token exposure
when running Terraform with a log level of DEBUG or higher.
@benashz benashz mentioned this pull request Dec 7, 2021
Merged
benashz added a commit that referenced this pull request Dec 7, 2021
@benashz
Update skip_child_token docs. (#1252)
0024ad1 
Since #1250, we no longer need to mention the possible token exposure
when running Terraform with a log level of DEBUG or higher.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@calvn calvn calvn approved these changes

@vinay-gopalan vinay-gopalan Awaiting requested review from vinay-gopalan

Assignees
No one assigned
Labels
size/M
Projects
None yet
Milestone
3.1.0
Development

Successfully merging this pull request may close these issues.
2 participants
@benashz @calvn