Diagnostics file writes use RedactSecretPaths #5745
Conversation
michel-laterman
added
enhancement
|
This pull request does not have a backport label. Could you fix it @michel-laterman? 🙏
|
|
|
mergify
bot
added
the
backport-8.x
| @@ -327,12 +327,13 @@ func writeRedacted(errOut, resultWriter io.Writer, fullFilePath string, fileResu | |||
|
|
|||
| // Should we support json too? | |||
| if fileResult.ContentType == "application/yaml" { | |||
| unmarshalled := map[interface{}]interface{}{} | |||
There was a problem hiding this comment.
I think unmarshaling to map[interface{}]interface{} was a restriction with yaml.v2 which is not a part of yaml.v3, see go-yaml/yaml#139 (comment)
| @@ -579,7 +580,6 @@ func saveLogs(name string, logPath string, zw *zip.Writer) error { | |||
| func RedactSecretPaths(mapStr map[string]any, errOut io.Writer) map[string]any { | |||
| v, ok := mapStr["secret_paths"] | |||
| if !ok { | |||
| fmt.Fprintln(errOut, "No output redaction: secret_paths attribute not found.") | |||
There was a problem hiding this comment.
When a diagnostics action is ran secrets in the component related files are not redacted (structure does not match, and secret_paths is not passed)
This line causes extra noise in the output
| "inputs": [ | ||
| { | ||
| "id": "fake-input", | ||
| "secret_key": "secretValue", | ||
| "custom_attr": "secretValue", |
There was a problem hiding this comment.
I've renamed to custom_attr to ensurue redactKey does not match the attribute key
|
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane) |
| @@ -20,11 +20,14 @@ import ( | |||
|
|
|||
| "github.com/stretchr/testify/assert" | |||
| "github.com/stretchr/testify/require" | |||
| "gopkg.in/yaml.v2" | |||
There was a problem hiding this comment.
Above you where talking about yaml.v3 but here you import yaml.v2? Which one is being used here? We should unify our yaml usage to a single library.
There was a problem hiding this comment.
I've updated this and all the integration test uses, and have made #5750 to do the rest
| inputs: | ||
| - type: test_input | ||
| redactKey: secretValue | ||
| outputs: | ||
| default: | ||
| type: elasticsearch | ||
| api_key: secretKey | ||
| redactOtherKey: secretOutputValue | ||
| `), | ||
| expect: `id: test-policy | ||
| inputs: | ||
| - redactKey: secretValue | ||
| type: test_input | ||
| outputs: | ||
| default: | ||
| api_key: <REDACTED> | ||
| redactOtherKey: secretOutputValue | ||
| type: elasticsearch |
There was a problem hiding this comment.
I think these would be more readable if inputs and outputs used the same indentation.
|
Looks like tests are panicking, weirdly enough this seems to be related to the yaml.V3 bump. |
|
I'm going to roll back some of the updates to yaml.v3 |
ycombinator
force-pushed
the
redact-secret-paths-diag
branch
from
e0b0651 to
0cb68e5
Compare
|
|
Not sure why SonarQube is reporting 0% coverage on new code. The unit test |
* Diagnostics file writes use RedactSecretPaths * Add integration test * Change to yaml.v3 in integration tests * revert update to yaml.v3 across other testing files (cherry picked from commit 1f3ade3)
* Diagnostics file writes use RedactSecretPaths * Add integration test * Change to yaml.v3 in integration tests * revert update to yaml.v3 across other testing files (cherry picked from commit 1f3ade3) Co-authored-by: Michel Laterman <[email protected]>
What does this PR do?
The elastic-agent will use redact secret paths in files written in diagnostics bundles. Secret paths are expected to be specified as a top-level attribute in yaml data being written.
Why is it important?
Secrets that the fleet-server injects into policies can appear in diagnostics bundles.
Checklist
I have made corresponding changes to the documentationI have made corresponding change to the default configuration files./changelog/fragmentsusing the changelog toolDisruptive User Impact
Secrets in diagnostics bundles will be redacted, as our public documentation discloses.
How to test this PR locally
Enrol in a fleet policy with secrets and collect a diagnostics bundle.