GitHub#454 Sanitise HTTP message logs #457
Conversation
components/client/src/main/java/com/hotels/styx/client/StyxHttpClient.java
Outdated
Show resolved
Hide resolved
...s/client/src/main/java/com/hotels/styx/client/netty/connectionpool/HttpRequestOperation.java
Outdated
Show resolved
Hide resolved
components/common/src/main/java/com/hotels/styx/common/format/HttpHeaderFormatter.java
Outdated
Show resolved
Hide resolved
components/client/src/main/java/com/hotels/styx/client/StyxHttpClient.java
Outdated
Show resolved
Hide resolved
components/api/src/main/java/com/hotels/styx/api/HttpRequest.java
Outdated
Show resolved
Hide resolved
components/api/src/main/java/com/hotels/styx/api/HttpHeader.java
Outdated
Show resolved
Hide resolved
components/api/src/main/java/com/hotels/styx/api/LiveHttpRequest.java
Outdated
Show resolved
Hide resolved
components/api/src/test/java/com/hotels/styx/api/HttpHeaderTest.java
Outdated
Show resolved
Hide resolved
...s/server/src/test/java/com/hotels/styx/server/netty/codec/NettyToStyxRequestDecoderTest.java
Show resolved
Hide resolved
- removed formatting from everywhere except HttpErrorStatusCauseLogger and HttpRequestMessageLogger - removed singleton - static import for emptyList
|
Fixes #454. |
components/common/src/main/java/com/hotels/styx/common/format/HttpHeaderFormatter.java
Outdated
Show resolved
Hide resolved
components/api/src/main/java/com/hotels/styx/api/LiveHttpRequest.java
Outdated
Show resolved
Hide resolved
...s/client/src/main/java/com/hotels/styx/client/netty/connectionpool/HttpRequestOperation.java
Show resolved
Hide resolved
components/client/src/main/java/com/hotels/styx/client/StyxHttpClient.java
Outdated
Show resolved
Hide resolved
components/common/src/main/java/com/hotels/styx/common/format/HttpHeaderFormatter.java
Outdated
Show resolved
Hide resolved
components/common/src/main/java/com/hotels/styx/common/format/HttpHeaderFormatter.java
Outdated
Show resolved
Hide resolved
components/proxy/src/main/java/com/hotels/styx/Environment.java
Outdated
Show resolved
Hide resolved
components/proxy/src/main/java/com/hotels/styx/proxy/BackendServicesRouter.java
Outdated
Show resolved
Hide resolved
components/proxy/src/main/java/com/hotels/styx/proxy/HttpErrorStatusCauseLogger.java
Show resolved
Hide resolved
components/proxy/src/main/java/com/hotels/styx/startup/StyxServerComponents.java
Outdated
Show resolved
Hide resolved
header toString reverted to use '=' instead of ':' request toString reverted to use 'uri' instead of 'url' added null checks for HttpMessageFormatter made HttpMessageFormatter an interface and added default implementation some other general tidying
- added null checks for HttpMessageFormatter - added default value for HttpMessageFormatter - removed redundant null checks
- removed redundant HttpMessageFormatter - general tidying
- removed formatting from everywhere except HttpErrorStatusCauseLogger and HttpRequestMessageLogger - removed singleton - static import for emptyList
header toString reverted to use '=' instead of ':' request toString reverted to use 'uri' instead of 'url' added null checks for HttpMessageFormatter made HttpMessageFormatter an interface and added default implementation some other general tidying
- added null checks for HttpMessageFormatter - added default value for HttpMessageFormatter - removed redundant null checks
- removed redundant HttpMessageFormatter - general tidying
…itise-http-messages # Conflicts: # components/common/src/main/java/com/hotels/styx/common/format/DefaultHttpMessageFormatter.java
There was a problem hiding this comment.
Hi. It is pretty good. However I spotted an issue with access logging I feel we need to address before merging.
Also, please add a small Kotlin functional test to exercise this feature. Something as simple as configuring this feature to remove a header and a cookie, and then checking the access logs that they has been masked.
| @@ -112,10 +112,10 @@ class HttpOutboundMessageLoggingSpec extends FunSpec | |||
| assertThat(logger.log.size(), is(2)) | |||
|
|
|||
| assertThat(logger.log(), hasItem(loggingEvent(INFO, | |||
| "requestId=[-a-z0-9]+, request=\\{method=GET, uri=http://localhost:[0-9]+/foobar, origin=\"localhost:[0-9]+\", headers=\\[.*\\]}"))) | |||
| "requestId=[-a-z0-9]+, request=LiveHttpRequest\\{version=HTTP/1.1, method=GET, uri=http://localhost:[0-9]+/foobar, headers=\\[.*\\], id=[-a-z0-9]+}, origin=appOne:generic-app-01:localhost:[0-9]+"))) | |||
There was a problem hiding this comment.
I see we are now exposing class names (implementation detail) in our access logs (a documented feature).
Let's remove them from the access logs. The class names are okay for error logs etc but not here. As a documented feature we need to consider the access logs like any other external interface with possible backwards compatibility implications.
Therefore please remove the class name from this message.
Also, I'd move the origin either in its original place, or in front of the request message. My reasoning is:
-
Trying to keep the message format as similar as possible
-
Headers field is often really large, and therefore should appear after all "fixed size" attributes. This is because it is difficult to find and see the fixed size attributes after a large body of header text.
There was a problem hiding this comment.
The origin isn't part of the request, so I moved it out. Good point about long headers field. I'll move it to in front.
There was a problem hiding this comment.
The origin isn't part of the request, so I moved it out.
Yeah, it was a right thing to do.
There was a problem hiding this comment.
moved to front and removed class name
components/proxy/src/main/java/com/hotels/styx/proxy/BackendServicesRouter.java
Show resolved
Hide resolved
components/common/src/main/java/com/hotels/styx/common/format/DefaultHttpMessageFormatter.java
Show resolved
Hide resolved
…order of logging items so request is at end - added headers to StaticResponseHandler to support kotlin test
| return new StaticResponseHandler(config.status, config.response, nettyHeaders); | ||
| } | ||
|
|
||
| private HttpHeaders buildNettyHeaders(StaticResponseConfig config) { |
There was a problem hiding this comment.
A small comment: "Netty headers".
| feature("Styx request/response logging") { | ||
|
|
||
| scenario("Logger should hide cookies and headers") { | ||
| val proxyHost = "${styxServer.proxyHttpAddress().hostName}:${styxServer.proxyHttpAddress().port}" |
There was a problem hiding this comment.
Use StyxServer.proxyHttpHostHeader extension method from support/styxServerProvider.kt to simplify proxyHost.
| val proxyHost = "${styxServer.proxyHttpAddress().hostName}:${styxServer.proxyHttpAddress().port}" | ||
|
|
||
| client.send(HttpRequest.get("/a/path") | ||
| .header(HttpHeaderNames.HOST, proxyHost) |
|
|
||
| val styxServer = StyxServer(StyxServerComponents.Builder() | ||
| .styxConfig(StyxConfig.fromYaml(yamlText)) | ||
| .build()) |
There was a problem hiding this comment.
There is a class called StyxServerProvider in support/StyxServerProvider.kt. It provides a unique reference point to a Styx server while allowing it to be restarted, and thus cleared from any acquired state`, between the tests.
You don't really have to use it in this test, but could make this more consistent with others.
| .header("cookie", "cookie1=c1;cookie2=c2") | ||
| .build()) | ||
| .toMono() | ||
| .block()!! |
There was a problem hiding this comment.
There is also a wait extension method that combines .toMono().block()!!.
Added two new configuration options to hide headers and cookies in request logging:
The hideHeaders and hideCookies options take a list of header or cookie names. Any header or cookie in these lists will be obfuscated in the logged message output e.g.