Commit d32f0a9

committed

feat: mask sensitive data in the DLE logs output

1 parent d410d09 commit d32f0a9Copy full SHA for d32f0a9

File tree

6 files changed

+91

-43

lines changed

engine
- cmd/database-lab
  - main.go
- internal/srv
- pkg/log
  - filtering.go
  - log.go

6 files changed

+91

-43

lines changed

`‎engine/cmd/database-lab/main.go‎`

Lines changed: 14 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,9 @@ func main() {`
`56`	`56`	`log.Fatal(errors.WithMessage(err, "failed to parse config"))`
`57`	`57`	`}`
`58`	`58`
	`59`	`+ logFilter := log.GetFilter()`
	`60`	`+ logFilter.ReloadLogRegExp([]string{cfg.Server.VerificationToken, cfg.Platform.AccessToken})`
	`61`	`+`
`59`	`62`	`config.ApplyGlobals(cfg)`
`60`	`63`
`61`	`64`	`docker, err := client.NewClientWithOpts(client.FromEnv)`
`@@ -188,14 +191,16 @@ func main() {`
`188`	`191`	`embeddedUI,`
`189`	`192`	`server,`
`190`	`193`	`logCleaner,`
	`194`	`+ logFilter,`
`191`	`195`	`)`
`192`	`196`	`}`
`193`	`197`
`194`	`198`	`server := srv.NewServer(&cfg.Server, &cfg.Global, engProps, docker, cloningSvc, provisioner, retrievalSvc, platformSvc,`
`195`		`- obs, est, pm, tm, tokenHolder, embeddedUI, reloadConfigFn)`
	`199`	`+ obs, est, pm, tm, tokenHolder, logFilter, embeddedUI, reloadConfigFn)`
`196`	`200`	`shutdownCh := setShutdownListener()`
`197`	`201`
`198`		`- go setReloadListener(ctx, provisioner, tm, retrievalSvc, pm, cloningSvc, platformSvc, est, embeddedUI, server, logCleaner)`
	`202`	`+ go setReloadListener(ctx, provisioner, tm, retrievalSvc, pm, cloningSvc, platformSvc, est, embeddedUI, server,`
	`203`	`+ logCleaner, logFilter)`
`199`	`204`
`200`	`205`	`server.InitHandlers()`
`201`	`206`
`@@ -276,12 +281,14 @@ func getEngineProperties(ctx context.Context, dockerCLI client.Client, cfg con`
`276`	`281`
`277`	`282`	`func reloadConfig(ctx context.Context, provisionSvc provision.Provisioner, tm telemetry.Agent,`
`278`	`283`	`retrievalSvc retrieval.Retrieval, pm pool.Manager, cloningSvc cloning.Base, platformSvc platform.Service,`
`279`		`- est estimator.Estimator, embeddedUI embeddedui.UIManager, server srv.Server, cleaner diagnostic.Cleaner) error {`
	`284`	`+ est estimator.Estimator, embeddedUI embeddedui.UIManager, server srv.Server, cleaner diagnostic.Cleaner,`
	`285`	`+ filtering *log.Filtering) error {`
`280`	`286`	`cfg, err := config.LoadConfiguration()`
`281`	`287`	`if err != nil {`
`282`	`288`	`return err`
`283`	`289`	`}`
`284`	`290`
	`291`	`+ filtering.ReloadLogRegExp([]string{cfg.Server.VerificationToken, cfg.Platform.AccessToken})`
`285`	`292`	`config.ApplyGlobals(cfg)`
`286`	`293`
`287`	`294`	`if err := provision.IsValidConfig(cfg.Provision); err != nil {`
`@@ -328,14 +335,16 @@ func reloadConfig(ctx context.Context, provisionSvc provision.Provisioner, tm `
`328`	`335`
`329`	`336`	`func setReloadListener(ctx context.Context, provisionSvc provision.Provisioner, tm telemetry.Agent,`
`330`	`337`	`retrievalSvc retrieval.Retrieval, pm pool.Manager, cloningSvc cloning.Base, platformSvc platform.Service,`
`331`		`- est estimator.Estimator, embeddedUI embeddedui.UIManager, server srv.Server, cleaner diagnostic.Cleaner) {`
	`338`	`+ est estimator.Estimator, embeddedUI embeddedui.UIManager, server srv.Server, cleaner diagnostic.Cleaner,`
	`339`	`+ logFilter *log.Filtering) {`
`332`	`340`	`reloadCh := make(chan os.Signal, 1)`
`333`	`341`	`signal.Notify(reloadCh, syscall.SIGHUP)`
`334`	`342`
`335`	`343`	`for range reloadCh {`
`336`	`344`	`log.Msg("Reloading configuration")`
`337`	`345`
`338`		`- if err := reloadConfig(ctx, provisionSvc, tm, retrievalSvc, pm, cloningSvc, platformSvc, est, embeddedUI, server, cleaner); err != nil {`
	`346`	`+ if err := reloadConfig(ctx, provisionSvc, tm, retrievalSvc, pm, cloningSvc, platformSvc, est, embeddedUI, server,`
	`347`	`+ cleaner, logFilter); err != nil {`
`339`	`348`	`log.Err("Failed to reload configuration", err)`
`340`	`349`	`}`
`341`	`350`

`‎engine/internal/srv/server.go‎`

Lines changed: 4 additions & 35 deletions

Original file line number	Diff line number	Diff line change
`@@ -9,10 +9,8 @@ import (`
`9`	`9`	`"context"`
`10`	`10`	`"fmt"`
`11`	`11`	`"net/http"`
`12`		`- "regexp"`
`13`	`12`	`"strings"`
`14`	`13`	`"time"`
`15`		`- "unicode"`
`16`	`14`
`17`	`15`	`"github.com/AlekSi/pointer"`
`18`	`16`	`"github.com/docker/docker/client"`
`@@ -41,8 +39,6 @@ import (`
`41`	`39`	`"gitlab.com/postgres-ai/database-lab/v3/version"`
`42`	`40`	`)`
`43`	`41`
`44`		`-const minTokenLength = 8`
`45`		`-`
`46`	`42`	`// Server defines an HTTP server of the Database Lab.`
`47`	`43`	`type Server struct {`
`48`	`44`	`validator validator.Service`
`@@ -61,7 +57,7 @@ type Server struct {`
`61`	`57`	`pm *pool.Manager`
`62`	`58`	`tm *telemetry.Agent`
`63`	`59`	`startedAt *models.LocalTime`
`64`		`- re *regexp.Regexp`
	`60`	`+ filtering *log.Filtering`
`65`	`61`	`reloadFn func(server *Server) error`
`66`	`62`	`}`
`67`	`63`
`@@ -77,7 +73,7 @@ func NewServer(cfg srvCfg.Config, globalCfg global.Config, engineProps global.`
`77`	`73`	`dockerClient client.Client, cloning cloning.Base, provisioner *provision.Provisioner,`
`78`	`74`	`retrievalSvc retrieval.Retrieval, platform platform.Service, observer *observer.Observer,`
`79`	`75`	`estimator estimator.Estimator, pm pool.Manager, tm telemetry.Agent, tokenKeeper ws.TokenKeeper,`
`80`		`- uiManager embeddedui.UIManager, reloadConfigFn func(server Server) error) *Server {`
	`76`	`+ filteringlog.Filtering, uiManager embeddedui.UIManager, reloadConfigFn func(server Server) error) Server {`
`81`	`77`	`server := &Server{`
`82`	`78`	`Config: cfg,`
`83`	`79`	`Global: globalCfg,`
`@@ -96,10 +92,10 @@ func NewServer(cfg srvCfg.Config, globalCfg global.Config, engineProps global.`
`96`	`92`	`docker: dockerClient,`
`97`	`93`	`pm: pm,`
`98`	`94`	`tm: tm,`
	`95`	`+ filtering: filtering,`
`99`	`96`	`startedAt: &models.LocalTime{Time: time.Now().Truncate(time.Second)},`
`100`	`97`	`reloadFn: reloadConfigFn,`
`101`	`98`	`}`
`102`		`- server.initLogRegExp()`
`103`	`99`
`104`	`100`	`return server`
`105`	`101`	`}`
`@@ -185,7 +181,6 @@ func attachAPI(r *mux.Router) error {`
`185`	`181`	`// Reload reloads server configuration.`
`186`	`182`	`func (s *Server) Reload(cfg srvCfg.Config) {`
`187`	`183`	`*s.Config = cfg`
`188`		`- s.initLogRegExp()`
`189`	`184`	`}`
`190`	`185`
`191`	`186`	`// InitHandlers initializes handler functions of the HTTP server.`
`@@ -266,31 +261,5 @@ func reportLaunching(cfg *srvCfg.Config) {`
`266`	`261`	`}`
`267`	`262`
`268`	`263`	`func (s *Server) initLogRegExp() {`
`269`		`- secretPatterns := []string{`
`270`		`- "password:\\s?(\\S+)",`
`271`		`- "POSTGRES_PASSWORD=(\\S+)",`
`272`		`- "PGPASSWORD=(\\S+)",`
`273`		`- "accessToken:\\s?(\\S+)",`
`274`		`- "ACCESS_KEY(_ID)?:\\s?(\\S+)",`
`275`		`- }`
`276`		`-`
`277`		`- if len(s.Config.VerificationToken) >= minTokenLength && !containsSpace(s.Config.VerificationToken) {`
`278`		`- secretPatterns = append(secretPatterns, s.Config.VerificationToken)`
`279`		`- }`
`280`		`-`
`281`		`- if accessToken := s.Platform.AccessToken(); len(accessToken) >= minTokenLength && !containsSpace(accessToken) {`
`282`		`- secretPatterns = append(secretPatterns, accessToken)`
`283`		`- }`
`284`		`-`
`285`		`- s.re = regexp.MustCompile("(?i)" + strings.Join(secretPatterns, "\|"))`
`286`		`-}`
`287`		`-`
`288`		`-func containsSpace(s string) bool {`
`289`		`- for _, v := range s {`
`290`		`- if unicode.IsSpace(v) {`
`291`		`- return true`
`292`		`- }`
`293`		`- }`
`294`		`-`
`295`		`- return false`
	`264`	`+ s.filtering.ReloadLogRegExp([]string{s.Config.VerificationToken, s.Platform.AccessToken()})`
`296`	`265`	`}`

`‎engine/internal/srv/ws.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -109,5 +109,5 @@ func (s Server) instanceLogs(w http.ResponseWriter, r http.Request) {`
`109`	`109`	`}`
`110`	`110`
`111`	`111`	`func (s *Server) filterLogLine(inputLine []byte) []byte {`
`112`		`- return s.re.ReplaceAll(inputLine, []byte("********"))`
	`112`	`+ return s.filtering.ReplaceAll(inputLine)`
`113`	`113`	`}`

`‎engine/internal/srv/ws_test.go‎`

Lines changed: 6 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -9,13 +9,18 @@ import (`
`9`	`9`
`10`	`10`	`"gitlab.com/postgres-ai/database-lab/v3/internal/platform"`
`11`	`11`	`"gitlab.com/postgres-ai/database-lab/v3/internal/srv/config"`
	`12`	`+ "gitlab.com/postgres-ai/database-lab/v3/pkg/log"`
`12`	`13`	`)`
`13`	`14`
`14`	`15`	`func TestLogLineFiltering(t *testing.T) {`
`15`	`16`	`pl, err := platform.New(context.Background(), platform.Config{AccessToken: "platformAccessToken"})`
`16`	`17`	`require.NoError(t, err)`
`17`	`18`
`18`		`- s := Server{Config: &config.Config{VerificationToken: "secretToken"}, Platform: pl}`
	`19`	`+ s := Server{`
	`20`	`+ Config: &config.Config{VerificationToken: "secretToken"},`
	`21`	`+ Platform: pl,`
	`22`	`+ filtering: log.GetFilter(),`
	`23`	`+ }`
`19`	`24`	`s.initLogRegExp()`
`20`	`25`
`21`	`26`	`testCases := []struct {`

`‎engine/pkg/log/filtering.go‎`

Lines changed: 65 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,65 @@`
	`1`	`+package log`
	`2`	`+`
	`3`	`+import (`
	`4`	`+ "regexp"`
	`5`	`+ "strings"`
	`6`	`+ "unicode"`
	`7`	`+)`
	`8`	`+`
	`9`	`+const (`
	`10`	`+ minTokenLength = 8`
	`11`	`+ replacingMask = "********"`
	`12`	`+)`
	`13`	`+`
	`14`	`+var filter = newFiltering([]string{})`
	`15`	`+`
	`16`	`+// Filtering represents a struct to filter secrets in logs output.`
	`17`	`+type Filtering struct {`
	`18`	`+ re *regexp.Regexp`
	`19`	`+}`
	`20`	`+`
	`21`	`+// GetFilter gets an instance of Log Filtering.`
	`22`	`+func GetFilter() *Filtering {`
	`23`	`+ return filter`
	`24`	`+}`
	`25`	`+`
	`26`	`+func newFiltering(tokens []string) *Filtering {`
	`27`	`+ f := &Filtering{}`
	`28`	`+ f.ReloadLogRegExp(tokens)`
	`29`	`+`
	`30`	`+ return f`
	`31`	`+}`
	`32`	`+`
	`33`	`+// ReloadLogRegExp updates secrets configuration.`
	`34`	`+func (f *Filtering) ReloadLogRegExp(secretStings []string) {`
	`35`	`+ secretPatterns := []string{`
	`36`	`+ "password:\\s?(\\S+)",`
	`37`	`+ "POSTGRES_PASSWORD=(\\S+)",`
	`38`	`+ "PGPASSWORD=(\\S+)",`
	`39`	`+ "accessToken:\\s?(\\S+)",`
	`40`	`+ "ACCESS_KEY(_ID)?:\\s?(\\S+)",`
	`41`	`+ }`
	`42`	`+`
	`43`	`+ for _, secret := range secretStings {`
	`44`	`+ if len(secret) >= minTokenLength && !containsSpace(secret) {`
	`45`	`+ secretPatterns = append(secretPatterns, secret)`
	`46`	`+ }`
	`47`	`+ }`
	`48`	`+`
	`49`	`+ f.re = regexp.MustCompile("(?i)" + strings.Join(secretPatterns, "\|"))`
	`50`	`+}`
	`51`	`+`
	`52`	`+// ReplaceAll replaces all secrets in the input line.`
	`53`	`+func (f *Filtering) ReplaceAll(input []byte) []byte {`
	`54`	`+ return f.re.ReplaceAll(input, []byte(replacingMask))`
	`55`	`+}`
	`56`	`+`
	`57`	`+func containsSpace(s string) bool {`
	`58`	`+ for _, v := range s {`
	`59`	`+ if unicode.IsSpace(v) {`
	`60`	`+ return true`
	`61`	`+ }`
	`62`	`+ }`
	`63`	`+`
	`64`	`+ return false`
	`65`	`+}`

`‎engine/pkg/log/log.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ func prepareMessage(v ...interface{}) string {`
`70`	`70`	`builder := strings.Builder{}`
`71`	`71`
`72`	`72`	`for _, value := range v {`
`73`		`- builder.WriteString(" " + toString(value))`
	`73`	`+ builder.WriteString(" " + filter.re.ReplaceAllString(toString(value), replacingMask))`
`74`	`74`	`}`
`75`	`75`
`76`	`76`	`return builder.String()`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit d32f0a9

File tree

6 files changed

6 files changed

`‎engine/cmd/database-lab/main.go‎`

`‎engine/internal/srv/server.go‎`

`‎engine/internal/srv/ws.go‎`

`‎engine/internal/srv/ws_test.go‎`

`‎engine/pkg/log/filtering.go‎`

`‎engine/pkg/log/log.go‎`

0 commit comments