plugins/rest: masks more headers in decision logs #6421
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for openpolicyagent ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Decision logs had previously been configured to hide the value of the Authorization header, as that is considered sensitive information. However, there are cases when additional headers are provided that contain sensitive information, such as the X-AMZ-SECURITY-TOKEN header. This PR creates an internal map of headers that should be masked, which can be expanded if additional headers are required. It then loops over the headers in a request, and performs a lookup on the internal map to see if any of them match those that should be masked. If so, it replaces their values with "REDACTED". An existing test was added to check both the header keys that should be masked, as well as a key that should not. Additional work, out of scope for this PR, would be to open a config setting that would allow users to pass in a list of headers that should be masked. Fixes: open-policy-agent#5848 Signed-off-by: Colin Lacy <[email protected]>
Add two environment variable tests which illustrate how an environment variable can be used in OPA to verify a JWT. Signed-off-by: Robert Hafner <[email protected]> Signed-off-by: Colin Lacy <[email protected]>
Bumps the go-opentelemetry-io group with 3 updates: [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib), [go.opentelemetry.io/otel/exporters/otlp/otlptrace](https://github.com/open-telemetry/opentelemetry-go) and [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go). Updates `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` from 0.46.0 to 0.46.1 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.46.0...zpages/v0.46.1) Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace` from 1.20.0 to 1.21.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.20.0...v1.21.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc` from 1.20.0 to 1.21.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.20.0...v1.21.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Colin Lacy <[email protected]>
… render templated strings This adds support for rendering of templated strings utilizing Golang's text/template library. For a given templated string and key/value mapping of template var inputs, this builtin will inject the values into the template where they are referenced by key. Fixes open-policy-agent#6371 Signed-off-by: Rohan Vasavada <[email protected]> Signed-off-by: Colin Lacy <[email protected]>
Signed-off-by: Colin Lacy <[email protected]>
Signed-off-by: Colin Lacy <[email protected]>
colinjlacy
force-pushed
the
issue-5848-mask-amzn-header
branch
from
126ce81
to
5fc2b2e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why the changes in this PR are needed?
Decision logs had previously been configured to hide the value of the Authorization header, as that is considered sensitive information. However, there are cases when additional headers are provided that contain sensitive information, such as the X-AMZ-SECURITY-TOKEN header. These values were being logged in plaintext, despite being equally sensitive.
What are the changes in this PR?
This PR creates an internal map of headers that should be masked, which can be expanded if additional headers are required. It then loops over the headers in a request, and performs a lookup on the internal map to see if any of them match those that should be masked. If so, it replaces their values with "REDACTED". An existing test was added to check both the header keys that should be masked, as well as a key that should not.
An existing test was modified to check both the header keys that should be masked, as well as a test key that should not.
Notes to assist PR review:
Implementation for this change was discussed in this comment.
Nothing else comes to mind. I've got the basics - tests pass,
make checkwent well, etc. If I'm missing something, please let me know.Further comments:
Additional work, out of scope for this PR, would be to open a config setting that would allow users to pass in a list of headers that should be masked.
Fixes: #5848