Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Redact URLs before logging or returning in error #2643

Merged
merged 4 commits into from
Oct 27, 2021
Merged

Redact URLs before logging or returning in error #2643

merged 4 commits into from
Oct 27, 2021

Conversation

philpennock
Copy link
Member

This does not affect strings which failed to parse, and in such a scenario there's a mix of "which evil" to accept; we can't sanely find what should be redacted in those cases, so we leave them alone for debugging.

The JWT library returns some errors for Operator URLs, but it rejects URLs which contain userinfo, so there can't be passwords in those and they're safe.

Fixes #2597

/cc @nats-io/core

derekcollison
derekcollison reviewed Oct 21, 2021
View reviewed changes
Copy link
Member

@derekcollison derekcollison left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this looks good, but we need a test I think on this one.

@philpennock
Copy link
Member Author

I looked at the time but didn't see any framework for testing the logged strings sanely, so I passed on it. I can do tests for the auxiliary helpers but that's not E2E so only tests that redaction works.

@derekcollison
Copy link
Member

@kozlovic may be able to assist, he has a dummy logger for checking that certain things get logged etc.

@kozlovic
Copy link
Member

@philpennock Here is an example on how to use a logger that capture debug statements:

nats-server/server/mqtt_test.go

Line 5271 in 208146a

l := &captureDebugLogger{dbgCh: make(chan string, 10)}

kozlovic
kozlovic reviewed Oct 26, 2021
View reviewed changes
Copy link
Member

@kozlovic kozlovic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not totally against the idea of moving one of the logger to a central place. Still, I have some comments that I think could be applied regardless of moving logger or creating simple ones.

server/leafnode_test.go Outdated Show resolved Hide resolved
internal/testhelper/logging.go Show resolved Hide resolved
internal/testhelper/logging.go Outdated Show resolved Hide resolved
internal/testhelper/logging.go Outdated Show resolved Hide resolved
server/leafnode_test.go Outdated Show resolved Hide resolved
kozlovic
kozlovic requested changes Oct 26, 2021
View reviewed changes
internal/testhelper/logging.go Show resolved Hide resolved
internal/testhelper/logging.go Show resolved Hide resolved
server/log_test.go Outdated Show resolved Hide resolved
server/log_test.go Outdated Show resolved Hide resolved
server/util_test.go Outdated Show resolved Hide resolved
server/util_test.go Outdated Show resolved Hide resolved
internal/testhelper/logging.go Show resolved Hide resolved
internal/testhelper/logging.go Show resolved Hide resolved
server/leafnode_test.go Outdated Show resolved Hide resolved
kozlovic
kozlovic approved these changes Oct 26, 2021
View reviewed changes
Copy link
Member

@kozlovic kozlovic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. For the t.Errorf(), I personally think that they are not required and we should always use t.Fatalf(). Errorf() is ok if you want to list all possible issues, but again, as part of dev when fixing the issue(s), but once finalized, there is no point in having it. But this is not a blocker, more of a personal preference.

@philpennock
Copy link
Member Author

squashed down to 3 commits with distinct changes, and rebased to current main. Still need to sort out the solicited gone/back test scenario, but Ivan has provided me with guidance on triggering that; once that's in, we'll be good.

@philpennock
Redact URLs before logging or returning in error
a2d34ae 
This does not affect strings which failed to parse, and in such a scenario
there's a mix of "which evil" to accept; we can't sanely find what should be
redacted in those cases, so we leave them alone for debugging.

The JWT library returns some errors for Operator URLs, but it rejects URLs
which contain userinfo, so there can't be passwords in those and they're safe.

Fixes #2597
@philpennock
Test the URL redaction auxiliary functions
e7bd914
@philpennock
End-to-end tests for secrets in debug/trace
0b5e424 
Create internal/testhelper and move DummyLogger there, so it can be used from
the test/ sub-dir too.

Let DummyLogger optionally accumulate all log messages, not just retain the
last-seen message.

Confirm no passwords logged by TestLeafNodeBasicAuthFailover.

Change TestNoPasswordsFromConnectTrace to check all trace messages, not just the
most recent.

Validate existing trace redaction in TestRouteToSelf.
@philpennock
Test for password in solicited route reconnect debug
468cc13
kozlovic
kozlovic approved these changes Oct 27, 2021
View reviewed changes
Copy link
Member

@kozlovic kozlovic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@philpennock philpennock merged commit fc6df0f into main Oct 27, 2021
@philpennock philpennock deleted the pdp/redact-urls branch October 27, 2021 16:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derekcollison derekcollison derekcollison left review comments

@kozlovic kozlovic kozlovic approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

user/password logged in a couple places
3 participants
@philpennock @derekcollison @kozlovic