DEVPROD-4025 project variable redaction #7453
Conversation
|
cc @bsamek since you'd mentioned you might want to look over the PR. |
There was a problem hiding this comment.
Thanks! LGTM, but @julianedwards should also review, since I'm not familiar with the logging subsystem.
| "github.com/mongodb/grip/send" | ||
| ) | ||
|
|
||
| const redactedVariableTemplate = "<redacted:%s>" |
There was a problem hiding this comment.
Nit: could we make it in caps, something like<REDACTED:%s>, so it is more obvious to users in the logs?
| @@ -648,6 +648,9 @@ level on the project configuration page or on a build variant level | |||
| within the project. They can be used **as inputs to commands**, | |||
| including shell scripts. | |||
|
|
|||
| Expansion values defined on the project configurations page are redacted from task logs | |||
| and replaced with \<redacted:expansion_key\> | |||
There was a problem hiding this comment.
This needs to be updated with <REDACTED:expansion_key>
| "secret_key": "secret_val", | ||
| }, | ||
| inputString: "secret_val secret_val", | ||
| expected: "<redacted:secret_key> <redacted:secret_key>", |
There was a problem hiding this comment.
These tests need to be updated, maybe use fmt.Sprintf(redactedVariableTemplate, <val>) instead of hardcoding it?
|
Still works with the new strategy. |
|
I think our log redaction might be a bit over eager.
[2024/01/25 15:30:30.067] Filesystem Inodes IUsed IFree IUse% Mounted on
[2024/01/25 15:30:30.067] /dev/root 7.9M 5<redacted:num_hosts>6K 7.<redacted:num_hosts>M 7% /
[2024/01/25 15:30:30.067] tmpfs 2.0M 2 2.0M 1% /dev/shm
[2024/01/25 15:30:30.067] tmpfs 800K 653 800K 1% /run
[2024/01/25 15:30:30.067] tmpfs 2.0M 3 2.0M 1% /run/lock
[2024/01/25 15:30:30.067] /dev/xvda15 0 0 0 - /boot/efi
[2024/01/25 15:30:30.067] /dev/xvdb 150M <redacted:num_hosts>6 150M 1% /data
[2024/01/25 15:30:30.129] Cleaning up task because task is starting
[2024/01/25 15:30:30.129] Cleaning up processes for task: 'evg_ubuntu220<redacted:num_hosts>_echo_variable_patch_<redacted:num_hosts>225ee2a<redacted:num_hosts>9a89afcd2b3deec7bb1c68c9810262b_65b27e5c97b1d3<redacted:num_hosts>e31fe8<redacted:num_hosts>ae_2<redacted:num_hosts>_01_25_15_29_5<redacted:num_hosts>'.
[2024/01/25 15:30:30.142] Cleaned up processes for task: 'evg_ubuntu220<redacted:num_hosts>_echo_variable_patch_<redacted:num_hosts>225ee2a<redacted:num_hosts>9a89afcd2b3deec7bb1c68c9810262b_65b27e5c97b1d3<redacted:num_hosts>e31fe8<redacted:num_hosts>ae_2<redacted:num_hosts>_01_25_15_29_5<redacted:num_hosts>'. |
You are right. If someone has a project variable like |
| // Skip since the key is already in the redacted list. | ||
| continue |
There was a problem hiding this comment.
could it work to not continue here and to omit L200-202?
There was a problem hiding this comment.
There is no guarantee that a redacted project variable will have a suspicious pattern so we definitely want the full list of those and then any additional project vars that are not private but have a suspicious pattern.
| conf.Expansions.Put(AWSSecretAccessKey, credValues.SecretAccessKey) | ||
| conf.Expansions.Put(AWSSessionToken, credValues.SessionToken) | ||
| conf.Expansions.Put(AWSRoleExpiration, expTime.String()) | ||
| conf.NewExpansions.Put(AWSAccessKeyId, credValues.AccessKeyID) |
There was a problem hiding this comment.
do we need to Put into both?
There was a problem hiding this comment.
No because it is wraps the same underlying map so doing it once is ok. I think eventually we would want to move everything in the agent to just use the the new DynamicExpansions.
| @@ -647,6 +647,11 @@ level on the project configuration page or on a build variant level | |||
| within the project. They can be used **as inputs to commands**, | |||
| including shell scripts. | |||
|
|
|||
| Expansion values defined on the project configurations page that | |||
| (1) are marked as private OR | |||
| (2) with key names containing any of the following case-insensitive patterns: `key`, `pass`, `pw`, `token`, `auth`, `private` | |||
There was a problem hiding this comment.
Should we add a blurb about how this shouldn't be relied on and it should be thought of as a last line of defense?
| } | ||
|
|
||
| for _, pattern := range suspiciousPatterns { | ||
| if strings.Contains(strings.ToLower(key), pattern) { |
There was a problem hiding this comment.
Why don't we also check the values for suspicious patterns? For example, we can look for things that are often at the start of certain keys like ghs_ for github.
There was a problem hiding this comment.
To get this out and deployed I think we should just start with this set of patterns and expand as we see fit.
There was a problem hiding this comment.
My suggestion is not just to expand the set of patterns, but to scan both keys and values. If getting this out quickly is the priority, would it maybe make sense to do this in a separate ticket?
There was a problem hiding this comment.
Yep, that can be done here as well. We can add more scanning but the hope is that users will also rotate their secrets and mark their sensitive vars private.
| @@ -116,6 +118,8 @@ func (a *Agent) prepLogger(tc *taskContext, c *model.LoggerConfig, commandName s | |||
| SendToGlobalSender: a.opts.SendTaskLogsToGlobalSender, | |||
| AWSCredentials: pail.CreateAWSCredentials(tc.taskConfig.TaskSync.Key, tc.taskConfig.TaskSync.Secret, ""), | |||
| } | |||
| config.Expansions = tc.taskConfig.NewExpansions | |||
| config.ExpansionsToRedact = redactList(tc.taskConfig.ProjectVars, tc.taskConfig.Redacted) | |||
There was a problem hiding this comment.
We should probably also check during expansions.write and expansions.update if the new expansion needs to be redacted?
There was a problem hiding this comment.
Expansions to redact are already checked in expansions.write.
I left the work to redact new private expansions created in expansions.update for DEVPROD-4107; I imagine that it will be much cleaner to implement that functionality together.
I will leave that up to the app team to implement since it will require some thought around how to further extend the expansions class. This is really a first pass to introduce redaction since some is better than none. |
That makes sense. Can you please create a ticket for the follow up work? |
|
DEVPROD-4025
Description
Redact sensitive default variables, private project variables, and suspicious (non-private) project variables.
Testing
On staging the logs had a redacted value for
jonathans_super_secret_variablewhich is private andjulian_passwordwhich is not private but has a suspicious pattern.Successful race detector patch
Documentation
Added a line to the expansions section of the configuration file doc.