-
Notifications
You must be signed in to change notification settings - Fork 351
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New filter: maskAccessLogQuery #2674
base: master
Are you sure you want to change the base?
New filter: maskAccessLogQuery #2674
Conversation
Signed-off-by: Remy Chantenay <remy.chantenay@gmail.com>
9f9c667
to
5ed79cb
Compare
logging/access.go
Outdated
// Logs an access event in Apache combined log format (with a minor customization with the duration). | ||
// Additional allows to provide extra data that may be also logged, depending on the specific log format. | ||
func LogAccess(entry *AccessEntry, additional map[string]interface{}) { | ||
func LogAccess(entry *AccessEntry, additional map[string]interface{}, maskedQueryParams []string) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's an API change.
I would suggest to use additional map[string]interface{}
and have a map entry like "maskedQueryParams": []string
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is an exported statebag key AccessLogAdditionalDataKey to provide additional data
and additional data can override predefined fields
Lines 152 to 171 in 9b57097
logData := logrus.Fields{ | |
"timestamp": ts, | |
"host": host, | |
"method": method, | |
"uri": uri, | |
"proto": proto, | |
"referer": referer, | |
"user-agent": userAgent, | |
"status": status, | |
"response-size": responseSize, | |
"requested-host": requestedHost, | |
"duration": duration, | |
"flow-id": flowId, | |
"audit": auditHeader, | |
"auth-user": authUser, | |
} | |
for k, v := range additional { | |
logData[k] = v | |
} |
so another option is to create a filter that would mask request uri and put it into ctx.StateBag()[al.AccessLogAdditionalDataKey]["uri"]
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the feedback 👍
I updated the code and went with @szuecs's suggestion. Hope that's fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since we rely on additional data anyways lets use "uri"
key - this way masking logic would belong to the filter and not to the access log package (e.g. there could be several ways to mask uri). The filter would need only to populate additional data in the statebag (i.e. does not have to return &AccessLogFilter
).
You can export const UriAdditionalDataKey = "uri"
if you want and use it everywhere instead of "uri"
.
} | ||
} | ||
|
||
return &AccessLogFilter{Enable: true, MaskedQueryParams: keys}, nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will override any preceding filter configuration.
Maybe we should think about supporting a usecase where we could specify default masked values
disableAccessLog(2,3,404,429) -> accessLogMaskQueryParams("access_token") -> fifo(2000,20,"1s")
and then user may specify additional values.
OTOH proposed solution is simple and in line with what already exists.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I wanted to keep it simple. In hindsight, I am not sure my thinking is right.
If the current implementation is a no-go, I will try and spend a bit more time and see if I can come up with something when I get back from vacay (from tomorrow till the beginning of next month.)
Signed-off-by: Remy Chantenay <remy.chantenay@gmail.com>
Signed-off-by: Remy Chantenay <remy.chantenay@gmail.com>
f3c605d
to
94a5d3e
Compare
Summary
Adding a new
maskAccessLogQuery
filter to mask/obfuscate values of specific – sensitive – query parameters.Towards #2156
Testing