Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New filter: maskAccessLogQuery #2674

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

New filter: maskAccessLogQuery #2674

wants to merge 3 commits into from

Conversation

remychantenay
Copy link
Contributor

@remychantenay remychantenay commented Oct 12, 2023
edited

Summary

Adding a new maskAccessLogQuery filter to mask/obfuscate values of specific – sensitive – query parameters.

Towards #2156

Testing

# skip
hello: Path("/hello") -> maskAccessLogQuery("key_2") -> "https://www.example.org"

curl "localhost:9090/hello?key_1=foo&key_2=bar"
127.0.0.1 - - [18/Oct/2023:08:10:33 +0200] "GET /hello?key_1=foo&key_2=5234164152756840025 HTTP/1.1" 404 1256 "-" "curl/8.1.2" 555 localhost:9090 - -

@remychantenay
New filter: maskAccessLogQuery
5ed79cb 
Signed-off-by: Remy Chantenay <remy.chantenay@gmail.com>
@remychantenay remychantenay force-pushed the feature/add-mask-access-log-query-filter branch from 9f9c667 to 5ed79cb Compare October 12, 2023 15:49
szuecs
szuecs reviewed Oct 17, 2023
View reviewed changes
go.mod Outdated Show resolved Hide resolved
szuecs
szuecs reviewed Oct 17, 2023
View reviewed changes
logging/access.go Outdated
// Logs an access event in Apache combined log format (with a minor customization with the duration).
// Additional allows to provide extra data that may be also logged, depending on the specific log format.
func LogAccess(entry *AccessEntry, additional map[string]interface{}) {
func LogAccess(entry *AccessEntry, additional map[string]interface{}, maskedQueryParams []string) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's an API change.
I would suggest to use additional map[string]interface{} and have a map entry like "maskedQueryParams": []string.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is an exported statebag key AccessLogAdditionalDataKey to provide additional data
and additional data can override predefined fields

skipper/logging/access.go

Lines 152 to 171 in 9b57097

logData := logrus.Fields{
"timestamp": ts,
"host": host,
"method": method,
"uri": uri,
"proto": proto,
"referer": referer,
"user-agent": userAgent,
"status": status,
"response-size": responseSize,
"requested-host": requestedHost,
"duration": duration,
"flow-id": flowId,
"audit": auditHeader,
"auth-user": authUser,
}
for k, v := range additional {
logData[k] = v
}

so another option is to create a filter that would mask request uri and put it into ctx.StateBag()[al.AccessLogAdditionalDataKey]["uri"].

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the feedback 👍

I updated the code and went with @szuecs's suggestion. Hope that's fine.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we rely on additional data anyways lets use "uri" key - this way masking logic would belong to the filter and not to the access log package (e.g. there could be several ways to mask uri). The filter would need only to populate additional data in the statebag (i.e. does not have to return &AccessLogFilter).

You can export const UriAdditionalDataKey = "uri" if you want and use it everywhere instead of "uri" .

AlexanderYastrebov
AlexanderYastrebov reviewed Oct 17, 2023
View reviewed changes
filters/accesslog/control.go
}
}

return &AccessLogFilter{Enable: true, MaskedQueryParams: keys}, nil
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will override any preceding filter configuration.

Maybe we should think about supporting a usecase where we could specify default masked values

disableAccessLog(2,3,404,429) -> accessLogMaskQueryParams("access_token") -> fifo(2000,20,"1s")

and then user may specify additional values.
OTOH proposed solution is simple and in line with what already exists.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @AlexanderYastrebov

Yeah, I wanted to keep it simple. In hindsight, I am not sure my thinking is right.

If the current implementation is a no-go, I will try and spend a bit more time and see if I can come up with something when I get back from vacay (from tomorrow till the beginning of next month.)

@remychantenay
Replace murmur3 with xxhash for hashing
9f67c9f 
Signed-off-by: Remy Chantenay <remy.chantenay@gmail.com>
@remychantenay
Update approach to passing masked keys
94a5d3e 
Signed-off-by: Remy Chantenay <remy.chantenay@gmail.com>
@remychantenay remychantenay force-pushed the feature/add-mask-access-log-query-filter branch from f3c605d to 94a5d3e Compare October 18, 2023 08:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@szuecs szuecs szuecs left review comments

@AlexanderYastrebov AlexanderYastrebov AlexanderYastrebov left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@remychantenay @szuecs @AlexanderYastrebov