fix: don't log group claims unless log level is debug (#9549) (#9947)

* fix: don't log group claims unless log level is debug (#9549) Signed-off-by: CI <michael@crenshaw.dev> * ignore lint error Signed-off-by: CI <michael@crenshaw.dev>
argoproj · Jul 13, 2022 · 665d83e · 665d83e
1 parent e6a6cae
commit 665d83e
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 2 deletions.
diff --git a/util/grpc/logging.go b/util/grpc/logging.go
@@ -2,12 +2,13 @@ package grpc
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 
-	"context"
 	"github.com/gogo/protobuf/jsonpb"
 	"github.com/gogo/protobuf/proto"
+	"github.com/golang-jwt/jwt/v4"
 	grpc_logging "github.com/grpc-ecosystem/go-grpc-middleware/logging"
 	ctx_logrus "github.com/grpc-ecosystem/go-grpc-middleware/tags/logrus"
 	"github.com/sirupsen/logrus"
@@ -16,7 +17,15 @@ import (
 
 func logRequest(entry *logrus.Entry, info string, pbMsg interface{}, ctx context.Context, logClaims bool) {
 	if logClaims {
-		if data, err := json.Marshal(ctx.Value("claims")); err == nil {
+		claims := ctx.Value("claims")
+		if !entry.Logger.IsLevelEnabled(logrus.DebugLevel) {
+			mapClaims, ok := claims.(jwt.MapClaims)
+			if ok {
+				delete(mapClaims, "groups")
+				claims = mapClaims
+			}
+		}
+		if data, err := json.Marshal(claims); err == nil {
 			entry = entry.WithField("grpc.request.claims", string(data))
 		}
 	}

diff --git a/util/grpc/logging_test.go b/util/grpc/logging_test.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/grpc"
@@ -37,3 +38,52 @@ func Test_JSONLogging(t *testing.T) {
 	out := buf.String()
 	assert.Contains(t, out, fmt.Sprintf(`"grpc.request.content":{"name":"%s"`, req.Name))
 }
+
+func Test_logRequest(t *testing.T) {
+	c := context.Background()
+	//nolint:staticcheck
+	c = context.WithValue(c, "claims", jwt.MapClaims{"groups": []string{"expected-group-claim"}})
+	req := new(account.CreateTokenRequest)
+	req.Name = "create-token-name"
+	info := &grpc.UnaryServerInfo{}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return nil, nil
+	}
+	decider := func(ctx context.Context, fullMethodName string, servingObject interface{}) bool {
+		return true
+	}
+
+	t.Run("with debug enabled, group claims are logged", func(t *testing.T) {
+		l := logrus.New()
+		l.SetFormatter(&logrus.JSONFormatter{})
+		var buf bytes.Buffer
+		l.SetOutput(&buf)
+		l.SetLevel(logrus.DebugLevel)
+		entry := logrus.NewEntry(l)
+
+		interceptor := PayloadUnaryServerInterceptor(entry, true, decider)
+
+		_, err := interceptor(c, req, info, handler)
+		assert.NoError(t, err)
+
+		out := buf.String()
+		assert.Contains(t, out, "expected-group-claim")
+	})
+
+	t.Run("with debug not enabled, group claims aren't logged", func(t *testing.T) {
+		l := logrus.New()
+		l.SetFormatter(&logrus.JSONFormatter{})
+		var buf bytes.Buffer
+		l.SetOutput(&buf)
+		l.SetLevel(logrus.InfoLevel)
+		entry := logrus.NewEntry(l)
+
+		interceptor := PayloadUnaryServerInterceptor(entry, true, decider)
+
+		_, err := interceptor(c, req, info, handler)
+		assert.NoError(t, err)
+
+		out := buf.String()
+		assert.NotContains(t, out, "expected-group-claim")
+	})
+}