Fix/redact sensitive auth logs #333
Open
Priyanshubhartistm wants to merge 3 commits into
Welcome to the Microcks community! 💖 Thanks and congrats 🎉 for opening your first pull request here! Be sure to follow the pull request template or please update it accordingly. Hope you have a great time there!
Introduce a new pkg/utils/sanitize.go package with utilities to redact sensitive values before they are written to logs or stdout:
- MaskSecret: replaces any non-empty secret with '[REDACTED]'
- SanitizeHeaders: returns a copy of http.Header with sensitive header values replaced
- SanitizeJSON: recursively redacts sensitive keys in JSON payloads
- SanitizeString: handles raw HTTP dump strings (CRLF/LF), sanitizing headers, Authorization scheme tokens, and URL-encoded form fields (access_token=, client_secret=, password=, etc.)

Sensitive key matching is case-insensitive and covers authorization, proxy-authorization, access_token, refresh_token, id_token, client_secret, password, token, api_key, cookie, set-cookie, x-api-key.

Also adds sanitize_test.go with 7 unit tests covering all helpers.

Closes microcks#265

Signed-off-by: Priyanshubhartistm <bhartipriyanshustm@gmail.com>
DumpRequestIfRequired and DumpResponseIfRequired previously printed raw httputil dump output directly to stdout, which included Authorization headers (Basic and Bearer), token response bodies, and form-encoded secrets when --verbose was active.

Pass the dump through utils.SanitizeString before printing so that all sensitive headers and body values are replaced with '[REDACTED]'. This single fix covers all callers across the codebase:
- pkg/connectors/keycloak_client.go (Keycloak auth requests/responses)
- pkg/connectors/microcks_client.go (Microcks API requests/responses)

Fixes microcks#265

Signed-off-by: Priyanshubhartistm <bhartipriyanshustm@gmail.com>
The oauth2login function logged the raw access token and refresh token directly via log.Printf, making them visible in any terminal or CI/CD log where --verbose is active.
- Replace token log calls with utils.MaskSecret so the values are always printed as '[REDACTED]' regardless of --verbose state
- Sanitize the OAuth2 callback URL logged on each redirect using utils.SanitizeString to redact any authorization codes or state params that may appear in query strings

Fixes microcks#265

Signed-off-by: Priyanshubhartistm <bhartipriyanshustm@gmail.com>
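To make the behaviour described in the three commit messages concrete, here is an illustrative Go implementation of the four helpers (MaskSecret, SanitizeHeaders, SanitizeJSON, SanitizeString) run over a constructed Keycloak-style token request dump. This is an added example, not the PR's sanitize.go or any Microcks code: the regular expressions, the handling of malformed JSON, and the sample dump are my assumptions; only the sensitive-key list and the '[REDACTED]' marker come from the commit message.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

const redacted = "[REDACTED]"

// Key set taken from the commit message; matched case-insensitively.
var sensitiveKeys = map[string]bool{
	"authorization": true, "proxy-authorization": true, "access_token": true,
	"refresh_token": true, "id_token": true, "client_secret": true,
	"password": true, "token": true, "api_key": true, "cookie": true,
	"set-cookie": true, "x-api-key": true,
}

func isSensitive(key string) bool { return sensitiveKeys[strings.ToLower(key)] }

// MaskSecret replaces any non-empty secret with the redaction marker.
func MaskSecret(s string) string {
	if s == "" {
		return ""
	}
	return redacted
}

// SanitizeHeaders returns a copy; the caller's header map is left untouched.
func SanitizeHeaders(h http.Header) http.Header {
	out := h.Clone()
	for k := range out {
		if isSensitive(k) {
			out[k] = []string{redacted}
		}
	}
	return out
}

// sanitizeValue walks decoded JSON (objects and arrays) recursively.
func sanitizeValue(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, val := range t {
			if isSensitive(k) {
				t[k] = redacted
			} else {
				t[k] = sanitizeValue(val)
			}
		}
		return t
	case []interface{}:
		for i, val := range t {
			t[i] = sanitizeValue(val)
		}
		return t
	default:
		return v
	}
}

// SanitizeJSON redacts sensitive keys at any depth; malformed input is returned
// unchanged (assumption: a broken payload is better logged as-is than dropped).
func SanitizeJSON(b []byte) []byte {
	var v interface{}
	if err := json.Unmarshal(b, &v); err != nil {
		return b
	}
	out, err := json.Marshal(sanitizeValue(v))
	if err != nil {
		return b
	}
	return out
}

var (
	// A header line at the start of a line; [^\r\n]* keeps CRLF/LF intact.
	headerLine = regexp.MustCompile(`(?im)^([A-Za-z0-9-]+):[ \t]*([^\r\n]*)`)
	// A URL-encoded form field key=value (value stops at '&' or whitespace).
	formField = regexp.MustCompile(`(?i)([a-z0-9_-]+)=([^&\s]*)`)
)

// SanitizeString handles a raw HTTP dump: sensitive header lines (which covers
// "Authorization: Basic ..." and "Bearer ...") and sensitive form fields.
func SanitizeString(s string) string {
	s = headerLine.ReplaceAllStringFunc(s, func(line string) string {
		m := headerLine.FindStringSubmatch(line)
		if isSensitive(m[1]) {
			return m[1] + ": " + redacted
		}
		return line
	})
	return formField.ReplaceAllStringFunc(s, func(field string) string {
		m := formField.FindStringSubmatch(field)
		if isSensitive(m[1]) {
			return m[1] + "=" + redacted
		}
		return field
	})
}

func main() {
	// Constructed sample dump, not captured from a real Keycloak.
	dump := "POST /token HTTP/1.1\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n" +
		"grant_type=password&username=alice&password=s3cret&client_secret=abc"
	fmt.Println(SanitizeString(dump))
}
```

The header pass runs before the form pass on purpose: a Basic credential can end in '=' padding, and redacting the header line first means the form regex never sees it.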
d9a0239 to 572d7d0
Author
Hi @lbroudoux, @yada, @Harsh4902 could you please take a look at this PR when you get a chance? Would appreciate your review
Description
- pkg/utils package with sanitization helpers (SanitizeString, SanitizeJSON, SanitizeHeaders, MaskSecret) that redact sensitive values before they are written to logs or stdout.
- DumpRequestIfRequired and DumpResponseIfRequired in pkg/config/config.go to pass all raw HTTP dump output through SanitizeString before printing, ensuring Authorization: Basic/Bearer headers, access_token/refresh_token response bodies, and URL-encoded form secrets (e.g. client_secret=) are always replaced with [REDACTED]; this single change covers all callers across keycloak_client.go and microcks_client.go.
- cmd/login.go to mask the SSO access token and refresh token with MaskSecret before logging, and to sanitize the OAuth2 callback URL with SanitizeString to prevent authorization codes from leaking in log output.
- pkg/utils/sanitize_test.go covering MaskSecret, SanitizeHeaders, nested JSON redaction, case-insensitive key matching, malformed JSON passthrough, HTTP dump with form body, and Basic auth header redaction.

Before (with --verbose):

After (with --verbose):

Test results
Related issue(s)
Fixes #265