

Redact static tokens and custom http headers (#4182)
Redact sensitive values in headers and static tokens within Config.Redact()

(cherry picked from commit d0993e8)

# Conflicts:
#	internal/pkg/config/config.go
michel-laterman authored and mergify[bot] committed Dec 7, 2024
1 parent 3680c42 commit c7018bf
Showing 2 changed files with 115 additions and 0 deletions.
36 changes: 36 additions & 0 deletions internal/pkg/config/config.go
Expand Up @@ -8,7 +8,11 @@ package config
import (
"context"
"errors"
<<<<<<< HEAD

"slices"
=======

"strings"
>>>>>>> d0993e86 (Redact static tokens and custom http headers (#4182))

"sync"

"github.com/gofrs/uuid"
Expand Down Expand Up @@ -171,9 +175,30 @@ func redactOutput(cfg *Config) Output {
redacted.Elasticsearch.TLS = &newTLS
}

if redacted.Elasticsearch.Headers != nil {
redacted.Elasticsearch.Headers = redactHeaders(redacted.Elasticsearch.Headers)
}

if redacted.Elasticsearch.ProxyHeaders != nil {
redacted.Elasticsearch.ProxyHeaders = redactHeaders(redacted.Elasticsearch.ProxyHeaders)
}
return redacted
}

// redactHeaders returns a copy of the passed headers map.
// It will do a best-effort attempt to redact sensitive headers based on header names.
func redactHeaders(headers map[string]string) map[string]string {
redactedHeaders := make(map[string]string)
for k, v := range headers {
redactedHeaders[k] = v
lk := strings.ToLower(k)
if strings.Contains(lk, "auth") || strings.Contains(lk, "token") || strings.Contains(lk, "key") || strings.Contains(lk, "bearer") {
redactedHeaders[k] = kRedacted
}
}
return redactedHeaders
}

func redactServer(cfg *Config) Server {
redacted := cfg.Inputs[0].Server

Expand All @@ -198,6 +223,17 @@ func redactServer(cfg *Config) Server {
redacted.Instrumentation.SecretToken = kRedacted
}

if redacted.StaticPolicyTokens.PolicyTokens != nil {
policyTokens := make([]PolicyToken, len(redacted.StaticPolicyTokens.PolicyTokens))
for i := range redacted.StaticPolicyTokens.PolicyTokens {
policyTokens[i] = PolicyToken{
TokenKey: kRedacted,
PolicyID: redacted.StaticPolicyTokens.PolicyTokens[i].PolicyID,
}
}
redacted.StaticPolicyTokens.PolicyTokens = policyTokens
}

return redacted
}

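Review bot: The import block in the first hunk still contains the merge-conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> d0993e86 (Redact static tokens and custom http headers (#4182))`, so the file as committed does not parse — the lint annotations on lines 11–15 ("missing import path", "invalid character U+0023 '#'") are exactly this. Both sides are needed, since the new redactHeaders body calls strings.ToLower/strings.Contains and the HEAD side keeps `"slices"`, so the resolution is to delete the three marker lines and leave `"slices"` and `"strings"` as ordinary entries of the block. In the second hunk, redactHeaders matches on the substrings `auth`, `token`, `key` and `bearer` only, so names such as `Cookie`, `X-Api-Secret` or a `-Password` header (constructed examples) pass through unredacted; adding `cookie`, `secret` and `password` to that condition would close the common gaps while keeping the best-effort contract the comment already states. redactOutput begins above the second hunk and redactServer continues into the third, so only redactHeaders is fully visible here.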
79 changes: 79 additions & 0 deletions internal/pkg/config/config_test.go
Expand Up @@ -423,6 +423,85 @@ func TestConfigRedact(t *testing.T) {
},
},
},
{
name: "Redact custom output headers",
inputCfg: &Config{
Inputs: []Input{{}},
Output: Output{
Elasticsearch: Elasticsearch{
Protocol: "https",
Hosts: []string{"localhost:9200"},
Headers: map[string]string{"X-Authorization": "secretValue", "X-Custom": "value", "X-App-Token": "customToken", "X-App-Key": "secretKey", "X-Custom-Bearer": "secretBearer"},
ServiceTokenPath: "path/to/file",
},
},
},
redactedCfg: &Config{
Inputs: []Input{{}},
Output: Output{
Elasticsearch: Elasticsearch{
Protocol: "https",
Hosts: []string{"localhost:9200"},
Headers: map[string]string{"X-Authorization": kRedacted, "X-Custom": "value", "X-App-Token": kRedacted, "X-App-Key": kRedacted, "X-Custom-Bearer": kRedacted},
ServiceTokenPath: "path/to/file",
},
},
},
},
{
name: "Redact proxy authorization output header",
inputCfg: &Config{
Inputs: []Input{{}},
Output: Output{
Elasticsearch: Elasticsearch{
Protocol: "https",
Hosts: []string{"localhost:9200"},
ProxyHeaders: map[string]string{"X-Proxy-Authorization": "secretValue"},
ServiceTokenPath: "path/to/file",
},
},
},
redactedCfg: &Config{
Inputs: []Input{{}},
Output: Output{
Elasticsearch: Elasticsearch{
Protocol: "https",
Hosts: []string{"localhost:9200"},
ProxyHeaders: map[string]string{"X-Proxy-Authorization": kRedacted},
ServiceTokenPath: "path/to/file",
},
},
},
},
{
name: "redact static tokens",
inputCfg: &Config{
Inputs: []Input{{
Server: Server{
StaticPolicyTokens: StaticPolicyTokens{
Enabled: true,
PolicyTokens: []PolicyToken{{
TokenKey: "secretValue",
PolicyID: "testPolicy",
}},
},
},
}},
},
redactedCfg: &Config{
Inputs: []Input{{
Server: Server{
StaticPolicyTokens: StaticPolicyTokens{
Enabled: true,
PolicyTokens: []PolicyToken{{
TokenKey: kRedacted,
PolicyID: "testPolicy",
}},
},
},
}},
},
},
}

for _, tt := range testcases {
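Review bot: The three new table entries compare only the redacted result; none checks that the input config is left untouched, which is the property the fresh map in redactHeaders and the new PolicyTokens slice exist to provide, and a silent in-place write of kRedacted into the live config would go unnoticed by this table. After the redaction call (presumably Redact(), which is outside this hunk), an assertion that `tt.inputCfg.Output.Elasticsearch.Headers["X-Authorization"] == "secretValue"` and `tt.inputCfg.Inputs[0].Server.StaticPolicyTokens.PolicyTokens[0].TokenKey == "secretValue"` would pin it. The non-matching header is covered only in passing by the `"X-Custom": "value"` pair inside the first case; a dedicated case with a single non-sensitive header would make the negative path explicit. TestConfigRedact and the `for _, tt := range testcases` loop both extend beyond the hunk, so the assertion site itself is not visible here.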
