fix: azure sas token visible in logs (#6323)

apache · Sep 2, 2024 · 97ae9d7 · 97ae9d7
1 parent ffd216d
commit 97ae9d7
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 4 deletions.
diff --git a/object_store/src/azure/client.rs b/object_store/src/azure/client.rs
@@ -226,11 +226,16 @@ impl<'a> PutRequest<'a> {
 
  async fn send(self) -> Result<Response> {
  let credential = self.config.get_credential().await?;
+ let sensitive = credential
+ .as_deref()
+ .map(|c| c.sensitive_request())
+ .unwrap_or_default();
  let response = self
  .builder
  .header(CONTENT_LENGTH, self.payload.content_length())
  .with_azure_authorization(&credential, &self.config.account)
  .retryable(&self.config.retry_config)
+ .sensitive(sensitive)
  .idempotent(self.idempotent)
  .payload(Some(self.payload))
  .send()
@@ -356,12 +361,18 @@ impl AzureClient {
  let credential = self.get_credential().await?;
  let url = self.config.path_url(path);
 
+ let sensitive = credential
+ .as_deref()
+ .map(|c| c.sensitive_request())
+ .unwrap_or_default();
  self.client
  .request(Method::DELETE, url)
  .query(query)
  .header(&DELETE_SNAPSHOTS, "include")
  .with_azure_authorization(&credential, &self.config.account)
- .send_retry(&self.config.retry_config)
+ .retryable(&self.config.retry_config)
+ .sensitive(sensitive)
+ .send()
  .await
  .context(DeleteRequestSnafu {
  path: path.as_ref(),
@@ -392,9 +403,14 @@ impl AzureClient {
  builder = builder.header(IF_NONE_MATCH, "*");
  }
 
+ let sensitive = credential
+ .as_deref()
+ .map(|c| c.sensitive_request())
+ .unwrap_or_default();
  builder
  .with_azure_authorization(&credential, &self.config.account)
  .retryable(&self.config.retry_config)
+ .sensitive(sensitive)
  .idempotent(overwrite)
  .send()
  .await
@@ -423,13 +439,18 @@ impl AzureClient {
  ));
  body.push_str("</KeyInfo>");
 
+ let sensitive = credential
+ .as_deref()
+ .map(|c| c.sensitive_request())
+ .unwrap_or_default();
  let response = self
  .client
  .request(Method::POST, url)
  .body(body)
  .query(&[("restype", "service"), ("comp", "userdelegationkey")])
  .with_azure_authorization(&credential, &self.config.account)
  .retryable(&self.config.retry_config)
+ .sensitive(sensitive)
  .idempotent(true)
  .send()
  .await
@@ -482,12 +503,18 @@ impl AzureClient {
  pub async fn get_blob_tagging(&self, path: &Path) -> Result<Response> {
  let credential = self.get_credential().await?;
  let url = self.config.path_url(path);
+ let sensitive = credential
+ .as_deref()
+ .map(|c| c.sensitive_request())
+ .unwrap_or_default();
  let response = self
  .client
  .request(Method::GET, url)
  .query(&[("comp", "tags")])
  .with_azure_authorization(&credential, &self.config.account)
- .send_retry(&self.config.retry_config)
+ .retryable(&self.config.retry_config)
+ .sensitive(sensitive)
+ .send()
  .await
  .context(GetRequestSnafu {
  path: path.as_ref(),
@@ -536,10 +563,16 @@ impl GetClient for AzureClient {
  builder = builder.query(&[("versionid", v)])
  }
 
+ let sensitive = credential
+ .as_deref()
+ .map(|c| c.sensitive_request())
+ .unwrap_or_default();
  let response = builder
  .with_get_options(options)
  .with_azure_authorization(&credential, &self.config.account)
- .send_retry(&self.config.retry_config)
+ .retryable(&self.config.retry_config)
+ .sensitive(sensitive)
+ .send()
  .await
  .context(GetRequestSnafu {
  path: path.as_ref(),
@@ -590,12 +623,18 @@ impl ListClient for AzureClient {
  query.push(("marker", token))
  }
 
+ let sensitive = credential
+ .as_deref()
+ .map(|c| c.sensitive_request())
+ .unwrap_or_default();
  let response = self
  .client
  .request(Method::GET, url)
  .query(&query)
  .with_azure_authorization(&credential, &self.config.account)
- .send_retry(&self.config.retry_config)
+ .retryable(&self.config.retry_config)
+ .sensitive(sensitive)
+ .send()
  .await
  .context(ListRequestSnafu)?
  .bytes()

diff --git a/object_store/src/azure/credential.rs b/object_store/src/azure/credential.rs
@@ -130,6 +130,18 @@ pub enum AzureCredential {
  BearerToken(String),
 }
 
+impl AzureCredential {
+ /// Determines if the credential requires the request be treated as sensitive
+ pub fn sensitive_request(&self) -> bool {
+ match self {
+ Self::AccessKey(_) => false,
+ Self::BearerToken(_) => false,
+ // SAS tokens are sent as query parameters in the url
+ Self::SASToken(_) => true,
+ }
+ }
+}
+
 /// A list of known Azure authority hosts
 pub mod authority_hosts {
  /// China-based Azure Authority Host