fix(restore): use custom type for sensitive fields

graphql/admin/admin.go

@@ -1079,7 +1079,7 @@ func response(code, msg string) map[string]interface{} {
 type DestinationFields struct {
 	Destination  string
 	AccessKey    string
-	SecretKey    string
-	SessionToken string
+	SecretKey    pb.Sensitive
+	SessionToken pb.Sensitive
 	Anonymous    bool
 }

graphql/admin/list_backups.go

@@ -24,15 +24,16 @@ import (
 
 	"github.com/dgraph-io/dgraph/graphql/resolve"
 	"github.com/dgraph-io/dgraph/graphql/schema"
+	"github.com/dgraph-io/dgraph/protos/pb"
 	"github.com/dgraph-io/dgraph/worker"
 	"github.com/dgraph-io/dgraph/x"
 )
 
 type lsBackupInput struct {
 	Location     string
 	AccessKey    string
-	SecretKey    string
-	SessionToken string
+	SecretKey    pb.Sensitive
+	SessionToken pb.Sensitive
 	Anonymous    bool
 	ForceFull    bool
 }

graphql/admin/restore.go

@@ -39,8 +39,8 @@ type restoreInput struct {
 	IsPartial         bool
 	EncryptionKeyFile string
 	AccessKey         string
-	SecretKey         string
-	SessionToken      string
+	SecretKey         pb.Sensitive
+	SessionToken      pb.Sensitive
 	Anonymous         bool
 	VaultAddr         string
 	VaultRoleIDFile   string

protos/pb.proto

@@ -304,8 +304,8 @@ message RestoreRequest {
 
   // Credentials when using a minio or S3 bucket as the backup location.
   string access_key = 5;
-  string secret_key = 6;
-  string session_token = 7;
+  string secret_key = 6 [(gogoproto.customtype) = "Sensitive", (gogoproto.nullable) = false];
+  string session_token = 7 [(gogoproto.customtype) = "Sensitive", (gogoproto.nullable) = false];
   bool anonymous = 8;
 
   // Info needed to process encrypted backups.
@@ -677,8 +677,8 @@ message BackupRequest {
   string unix_ts = 4;
   string destination = 5;
   string access_key = 6;
-  string secret_key = 7;
-  string session_token = 8;
+  string secret_key = 7 [(gogoproto.customtype) = "Sensitive", (gogoproto.nullable) = false];
+  string session_token = 8 [(gogoproto.customtype) = "Sensitive", (gogoproto.nullable) = false];
 
   // True if no credentials should be used to access the S3 or minio bucket.
   // For example, when using a bucket with a public policy.
@@ -718,8 +718,8 @@ message ExportRequest {
 
   // These credentials are used to access the S3 or minio bucket.
   string access_key = 6;
-  string secret_key = 7;
-  string session_token = 8;
+  string secret_key = 7 [(gogoproto.customtype) = "Sensitive", (gogoproto.nullable) = false];
+  string session_token = 8 [(gogoproto.customtype) = "Sensitive", (gogoproto.nullable) = false];
   bool anonymous = 9;
 
   uint64 namespace = 10;

protos/pb/sensitive.go

@@ -0,0 +1,26 @@
+/*
+ * Copyright 2023 Dgraph Labs, Inc. and Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package pb
+
+// Sensitive implements the Stringer interface to redact its contents.
+// Use this type for sensitive info such as keys, passwords, or secrets
+// so it doesn't leak as output such as logs.
+type Sensitive string
+
+func (Sensitive) String() string {
+	return "****"
+}

worker/backup.go

@@ -99,8 +99,8 @@ func (m *Manifest) getPredsInGroup(gid uint32) predicateSet {
 func GetCredentialsFromRequest(req *pb.BackupRequest) *x.MinioCredentials {
 	return &x.MinioCredentials{
 		AccessKey:    req.GetAccessKey(),
-		SecretKey:    req.GetSecretKey(),
-		SessionToken: req.GetSessionToken(),
+		SecretKey:    req.SecretKey,
+		SessionToken: req.SessionToken,
 		Anonymous:    req.GetAnonymous(),
 	}
 }

worker/backup_handler.go

@@ -226,16 +226,16 @@ func FillRestoreCredentials(location string, req *pb.RestoreRequest) error {
 
 	defaultCreds := credentials.Value{
 		AccessKeyID:     req.AccessKey,
-		SecretAccessKey: req.SecretKey,
-		SessionToken:    req.SessionToken,
+		SecretAccessKey: string(req.SecretKey),
+		SessionToken:    string(req.SessionToken),
 	}
 	provider := x.MinioCredentialsProvider(uri.Scheme, defaultCreds)
 
 	creds, _ := provider.Retrieve() // Error is always nil.
 
 	req.AccessKey = creds.AccessKeyID
-	req.SecretKey = creds.SecretAccessKey
-	req.SessionToken = creds.SessionToken
+	req.SecretKey = pb.Sensitive(creds.SecretAccessKey)
+	req.SessionToken = pb.Sensitive(creds.SessionToken)
 
 	return nil
 }

x/minioclient.go

@@ -12,6 +12,8 @@ import (
 	"github.com/minio/minio-go/v6/pkg/credentials"
 	"github.com/minio/minio-go/v6/pkg/s3utils"
 	"github.com/pkg/errors"
+
+	"github.com/dgraph-io/dgraph/protos/pb"
 )
 
 const (
@@ -30,8 +32,8 @@ const (
 // If these credentials are missing the default credentials will be used.
 type MinioCredentials struct {
 	AccessKey    string
-	SecretKey    string
-	SessionToken string
+	SecretKey    pb.Sensitive
+	SessionToken pb.Sensitive
 	Anonymous    bool
 }
 
@@ -71,8 +73,8 @@ func requestCreds(creds *MinioCredentials) credentials.Value {
 
 	return credentials.Value{
 		AccessKeyID:     creds.AccessKey,
-		SecretAccessKey: creds.SecretKey,
-		SessionToken:    creds.SessionToken,
+		SecretAccessKey: string(creds.SecretKey),
+		SessionToken:    string(creds.SessionToken),
 	}
 }