Mask raw token in debug logs

Configure extended expiration time through flag
kyma-project · Oct 25, 2024 · 2e20017 · 2e20017
1 parent d23cdfd
commit 2e20017
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 15 deletions.
diff --git a/cmd/oidc-token-verifier/main.go b/cmd/oidc-token-verifier/main.go
@@ -20,13 +20,14 @@ type Logger interface {
 }
 
 type options struct {
-	token                string
-	clientID             string
-	outputPath           string
-	publicKeyPath        string
-	newPublicKeysVarName string
-	trustedWorkflows     []string
-	debug                bool
+	token                   string
+	clientID                string
+	outputPath              string
+	publicKeyPath           string
+	newPublicKeysVarName    string
+	trustedWorkflows        []string
+	debug                   bool
+	oidcTokenExpirationTime int // OIDC token expiration time in minutes
 }
 
 var (
@@ -53,6 +54,7 @@ func NewRootCmd() *cobra.Command {
 	rootCmd.PersistentFlags().StringVarP(&opts.clientID, "client-id", "c", "image-builder", "OIDC token client ID, this is used to verify the audience claim in the token. The value should be the same as the audience claim value in the token.")
 	rootCmd.PersistentFlags().StringVarP(&opts.publicKeyPath, "public-key-path", "p", "", "Path to the cached public keys directory")
 	rootCmd.PersistentFlags().BoolVarP(&opts.debug, "debug", "d", false, "Enable debug mode")
+	rootCmd.PersistentFlags().IntVarP(&opts.oidcTokenExpirationTime, "oidc-token-expiration-time", "e", 10, "OIDC token expiration time in minutes")
 	return rootCmd
 }
 
@@ -165,7 +167,8 @@ func (opts *options) extractClaims() error {
 
 	token, err = verifier.VerifyToken(ctx, opts.token)
 	if errors.As(err, &tokenExpiredError) {
-		err = verifier.VerifyExtendedExpiration(err.(tioidc.TokenExpiredError).Expiry, 5)
+		// Verify the token expiration time using the extended expiration time.
+		err = verifier.VerifyExtendedExpiration(err.(tioidc.TokenExpiredError).Expiry, opts.oidcTokenExpirationTime)
 		if err != nil {
 			return err
 		}
@@ -181,10 +184,8 @@ func (opts *options) extractClaims() error {
 	// claims will store the extracted claim values from the token.
 	claims := tioidc.NewClaims(logger)
 	logger.Infow("Verifying token claims")
-	// Verifies the token and check if the claims have expected values.
-	// Verifies custom claim values too.
+	// Verifies if custom claims has expected values.
 	// Extract the claim values from the token into the claims struct.
-	// It provides a final result if the token is valid and the claims have expected values.
 	err = tokenProcessor.ValidateClaims(ctx, &claims)
 	if err != nil {
 		return err

diff --git a/pkg/oidc/oidc.go b/pkg/oidc/oidc.go
@@ -155,6 +155,13 @@ type TokenVerifier struct {
 	Logger   LoggerInterface
 }
 
+func maskToken(token string) string {
+	if len(token) < 15 {
+		return "********"
+	}
+	return token[:2] + "********" + token[len(token)-2:]
+}
+
 // NewVerifierConfig creates a new VerifierConfig.
 // It verifies the clientID is not empty.
 func NewVerifierConfig(logger LoggerInterface, clientID string, options ...VerifierConfigOption) (VerifierConfig, error) {
@@ -201,7 +208,7 @@ func NewVerifierConfig(logger LoggerInterface, clientID string, options ...Verif
 func (tokenVerifier *TokenVerifier) Verify(ctx context.Context, rawToken string) (Token, error) {
 	logger := tokenVerifier.Logger
 	logger.Debugw("Verifying token")
-	logger.Debugw("Got raw token value", "rawToken", rawToken)
+	logger.Debugw("Got raw token value", "rawToken", maskToken(rawToken))
 	idToken, err := tokenVerifier.Verifier.Verify(ctx, rawToken)
 	if err != nil {
 		token := Token{}
@@ -241,7 +248,7 @@ func NewClaims(logger LoggerInterface) Claims {
 	}
 }
 
-// ValidateExpectations validates the claims against the trusted issuer expected values.
+// validateExpectations validates the claims against the trusted issuer expected values.
 // It checks audience, issuer, and job_workflow_ref claims.
 func (claims *Claims) validateExpectations(issuer Issuer) error {
 	logger := claims.LoggerInterface
@@ -300,7 +307,7 @@ func NewTokenProcessor(
 	tokenProcessor.logger = logger
 
 	tokenProcessor.rawToken = rawToken
-	logger.Debugw("Added raw token to token processor", "rawToken", rawToken)
+	logger.Debugw("Added raw token to token processor", "rawToken", maskToken(rawToken))
 
 	tokenProcessor.verifierConfig = config
 	logger.Debugw("Added Verifier config to token processor",
@@ -391,7 +398,7 @@ func (tokenProcessor *TokenProcessor) Issuer() string {
 	return tokenProcessor.issuer.IssuerURL
 }
 
-// VerifyAndExtractClaims verify and parse the token to get the token claims.
+// ValidateClaims verify and parse the token to get the token claims.
 // It uses the provided verifier to verify the token signature and expiration time.
 // It verifies if the token claims have expected values.
 // It unmarshal the claims into the provided claims struct.