plugins/rest: masks X-AMZ-SECURITY-TOKEN header in decision logs #6423
Merged: anderseknert merged 2 commits into open-policy-agent:main from colinjlacy:issue-5848-mask-amzn-header on Nov 29, 2023
Conversation
Hey Colin, great to see you here! 👋 I'll let one of the others have a quick look too, but this is mostly looking ready to me.
colinjlacy added a commit to colinjlacy/opa that referenced this pull request, Nov 22, 2023:
This commit addresses the comments in PR open-policy-agent#6423:
- cleans up the test for the modified functionality
- changes method names to better match new functionality
- sets header values with a more explicit header method
- changes the value type in the header key map for better memory usage
Signed-off-by: Colin Lacy <[email protected]>
Force-pushed 216c799 to b9bef65 (compare)
Decision logs had previously been configured to hide the value of the Authorization header, as that is considered sensitive information. However, there are cases when additional headers are provided that contain sensitive information, such as the X-AMZ-SECURITY-TOKEN header.
This PR creates an internal map of headers that should be masked, which can be expanded if additional headers are required. It then loops over the headers in a request, and performs a lookup on the internal map to see if any of them match those that should be masked. If so, it replaces their values with "REDACTED". An existing test was added to check both the header keys that should be masked, as well as a key that should not.
Additional work, out of scope for this PR, would be to open a config setting that would allow users to pass in a list of headers that should be masked.
Fixes: open-policy-agent#5848
Signed-off-by: Colin Lacy <[email protected]>
Force-pushed b9bef65 to 7a4824e (compare)
anderseknert approved these changes, Nov 29, 2023
Why the changes in this PR are needed?
Decision logs had previously been configured to hide the value of the Authorization header, as that is considered sensitive information. However, there are cases when additional headers are provided that contain sensitive information, such as the X-AMZ-SECURITY-TOKEN header. These values were being logged in plaintext, despite being equally sensitive.
What are the changes in this PR?
This PR creates an internal map of headers that should be masked, which can be expanded if additional headers are required. It then loops over the headers in a request, and performs a lookup on the internal map to see if any of them match those that should be masked. If so, it replaces their values with "REDACTED".
An existing test was modified to check both the header keys that should be masked, as well as a test key that should not.
Notes to assist PR review:
Implementation for this change was discussed in this comment.
Nothing else comes to mind. I've got the basics - tests pass, make check went well, etc. If I'm missing something, please let me know.
Further comments:
Additional work, out of scope for this PR, would be to open a config setting that would allow users to pass in a list of headers that should be masked.
Fixes: #5848
(Replaces #6421)
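An added illustration of the masking loop the description above explains (this is example code, not the OPA project's own implementation). It assumes a lookup set named maskedHeaders with struct{} values, a MaskHeaders function, and goes one step beyond the description by canonicalizing header names with http.CanonicalHeaderKey so a token set under a non-canonical key is still caught.

```go
package main

import (
	"fmt"
	"net/http"
)

// redactedValue is the replacement written to the decision-log copy of a request,
// matching the "REDACTED" value the PR description mentions.
const redactedValue = "REDACTED"

// maskedHeaders is the set of header names whose values must never reach the
// decision log. Keys are stored in canonical form (as net/http stores them) so
// the lookup works regardless of how the caller spelled the header. struct{}
// values occupy no memory, which is the value type the second commit adopts.
var maskedHeaders = map[string]struct{}{
	http.CanonicalHeaderKey("Authorization"):        {},
	http.CanonicalHeaderKey("X-AMZ-SECURITY-TOKEN"): {},
}

// MaskHeaders returns a copy of h in which every masked header's values are
// replaced by redactedValue. The input is left untouched, so the outgoing
// request still carries its real credentials while the log copy does not.
func MaskHeaders(h http.Header) http.Header {
	out := make(http.Header, len(h))
	for name, values := range h {
		if _, sensitive := maskedHeaders[http.CanonicalHeaderKey(name)]; sensitive {
			out[name] = []string{redactedValue}
			continue
		}
		out[name] = append([]string(nil), values...)
	}
	return out
}

func main() {
	// Constructed sample headers; the credential values are placeholders.
	h := http.Header{}
	h.Set("Authorization", "Bearer example-token")
	h.Set("X-AMZ-SECURITY-TOKEN", "example-session-token")
	h.Set("Content-Type", "application/json")
	for name, values := range MaskHeaders(h) {
		fmt.Printf("%s: %v\n", name, values)
	}
}
```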