api: add 'redacted' option for protobuf messages, and redact SSL certs #9315
Conversation
Signed-off-by: Dan Rosen <mergeconflict@google.com>
|
/review @htuch |
Signed-off-by: Dan Rosen <mergeconflict@google.com>
There was a problem hiding this comment.
Please take a look at the discussion for when we redacted SDS values in /config_dump:
#7365
@jmarantz: I think my current approach isn't a tremendous amount of code, and it's general purpose: anything else in the config dump that needs to be redacted can use this mechanism. See e.g. https://github.com/envoyproxy/envoy/blob/master/source/common/secret/secret_manager_impl.cc#L118. |
|
Big +1 for implementing this. We need this for tapping and other general data exfiltration issues. |
|
/cc @incfly |
Istio builds some tooling to actually get the cert and parse out the expiration time for troubleshooting. Only clearing the private key and password is good enough and above tooling would still work. |
Signed-off-by: Dan Rosen <mergeconflict@google.com>
api/envoy/protobuf/descriptor.proto
Outdated
| // This option indicates that a field contains personally-identifying or otherwise sensitive data, | ||
| // such as a private key or a password. It is used by `MessageUtil::redact` to determine which | ||
| // fields need to be sanitized. Please note that this has no effect on standard Protobuf functions | ||
| // such as `TextFormat::PrintToString`; you must explicitly call `MessageUtil::redact` wherever |
There was a problem hiding this comment.
Can we add check_format support to ban all the likely candidates (e.g. DebugString, PrintToString) and force safe uses?
There was a problem hiding this comment.
Let's chat about that tomorrow; I'm not sure how big a hammer we want to use, if any.
source/server/http/admin.cc
Outdated
|
|
||
| response_headers.setReferenceContentType(Http::Headers::get().ContentTypeValues.Json); | ||
| response.add(MessageUtil::getJsonStringFromMessage(dump, true)); // pretty-print | ||
| response.add(MessageUtil::getJsonStringFromMessage(*redacted, true)); // pretty-print |
There was a problem hiding this comment.
I feel we also want this in various logs, e.g. trace level xDS logs, where this has come up previously as an issue.
There was a problem hiding this comment.
Yes, definitely. I'm thinking to just target this one spot in this PR, as a proof of concept, and then track down others (e.g. #4757) as a follow-up.
There was a problem hiding this comment.
Sure, I'm good with keeping the issue open for follow-up.
Signed-off-by: Dan Rosen <mergeconflict@google.com>
Signed-off-by: Dan Rosen <mergeconflict@google.com>
Signed-off-by: Dan Rosen <mergeconflict@google.com>
Signed-off-by: Dan Rosen <mergeconflict@google.com>
|
@htuch thanks for your help; I think this is ready for a second look. |
|
/retest |
|
🙀 Error while processing event: |
Signed-off-by: Dan Rosen <mergeconflict@google.com>
Signed-off-by: Dan Rosen <mergeconflict@google.com>
Signed-off-by: Dan Rosen <mergeconflict@google.com>
Signed-off-by: Dan Rosen <mergeconflict@google.com>
Signed-off-by: Dan Rosen <mergeconflict@google.com>
Signed-off-by: Dan Rosen <mergeconflict@google.com>
|
@htuch merged master |
Implement
MessageUtil::redact()to redact proto fields with theudpa.annotations.sensitiveoption set. Apply this to SSL certs in the admin config_dump.Risk Level: low
Testing: unit tests
Docs Changes: n/a
Release Notes: n/a
Signed-off-by: Dan Rosen mergeconflict@google.com