Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement fmt.Stringer on rest.Config to sanitize sensitive fields #71149

Merged
merged 1 commit into from Jan 16, 2019

Conversation

@awly
Copy link
Contributor

awly commented Nov 16, 2018

It's very easy to add glog.Info(config) calls for debugging (or actual
logging). In some scenarios those configs will carry sensitive tokens
and those tokens will end up in logs or response bodies.
Leaking of those stringified configs compromises the cluster.

What type of PR is this?

Uncomment only one, leave it on its own line:

/kind api-change
/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE
@awly

This comment has been minimized.

Copy link
Contributor Author

awly commented Nov 16, 2018

/assign @mikedanese
/assign @liggitt

@awly awly force-pushed the awly:rest-config-stringer branch from f513654 to e4e28cf Nov 19, 2018

@awly

This comment has been minimized.

Copy link
Contributor Author

awly commented Nov 19, 2018

PTAL

@mikedanese

This comment has been minimized.

Copy link
Member

mikedanese commented Nov 20, 2018

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm label Nov 20, 2018

@mikedanese mikedanese removed the lgtm label Nov 20, 2018

@mikedanese

This comment has been minimized.

Copy link
Member

mikedanese commented Nov 20, 2018

Actually, can you also implement a safe GoStringer?

https://godoc.org/fmt#GoStringer

@@ -120,6 +120,30 @@ type Config struct {
// Version string
}

// String implements fmt.Stringer and sanitizes sensitive fields of Config to

This comment has been minimized.

Copy link
@enj

enj Nov 20, 2018

Member

Needs type assertion.

This comment has been minimized.

Copy link
@awly

awly Nov 20, 2018

Author Contributor

Done

@awly

This comment has been minimized.

Copy link
Contributor Author

awly commented Nov 20, 2018

Actually, can you also implement a safe GoStringer?

I want to let people still log the entire thing for debugging. They need to specifically use %#v to get that.

@awly awly force-pushed the awly:rest-config-stringer branch from e4e28cf to 4fb0180 Nov 20, 2018

@enj

This comment has been minimized.

Copy link
Member

enj commented Nov 20, 2018

Actually, can you also implement a safe GoStringer?

I want to let people still log the entire thing for debugging. They need to specifically use %#v to get that.

I always use %#v to log structs and I imagine others do too (all of our API types embed TypeMeta and thus print useless things via %s). Since the desire is to prevent mistakes, I believe intercepting %#v is required for this to be valuable. go-spew should still be usable for debugging (and does a far better job than fmt anyway).

@awly awly force-pushed the awly:rest-config-stringer branch from 4fb0180 to d77e76c Nov 20, 2018

@awly

This comment has been minimized.

Copy link
Contributor Author

awly commented Nov 20, 2018

Ok, implemented GoStringer too, with identical output.
PTAL.

@enj
Copy link
Member

enj left a comment

Some minor comments, LGTM.

cc.BearerToken = "--- REDACTED ---"
}

// Note: below format string skips Impersonate, AuthProvider,

This comment has been minimized.

Copy link
@enj

enj Nov 20, 2018

Member

Is Impersonate sensitive? I could see an argument for Extra...

This comment has been minimized.

Copy link
@awly

awly Nov 21, 2018

Author Contributor

It is according to AnonymousClientConfig:

// this is the list of known security related fields, add to this list if a new field
// is added to Config, update AnonymousClientConfig to preserve the field otherwise.
expected.Impersonate = ImpersonationConfig{}
expected.BearerToken = ""
expected.Username = ""
expected.Password = ""
expected.AuthProvider = nil
expected.AuthConfigPersister = nil
expected.ExecProvider = nil
expected.TLSClientConfig.CertData = nil
expected.TLSClientConfig.CertFile = ""
expected.TLSClientConfig.KeyData = nil
expected.TLSClientConfig.KeyFile = ""

This comment has been minimized.

Copy link
@enj

This comment has been minimized.

Copy link
@liggitt

liggitt Nov 24, 2018

Member

Impersonate doesn't carry credentials, it is security-related in the same way username is. We should not omit it when logging

}
want := c.String()

for _, f := range []string{"%v", "%+v", "%#v"} {

This comment has been minimized.

Copy link
@enj

enj Nov 20, 2018

Member

Add %s?

This comment has been minimized.

Copy link
@awly

awly Nov 21, 2018

Author Contributor

Done

@@ -373,3 +374,98 @@ func TestCopyConfig(t *testing.T) {
}
}
}

This comment has been minimized.

Copy link
@enj

enj Nov 20, 2018

Member

I realize that it would break easily, but a test that has a config with every field filled out and the associated hard coded value for String() may be useful, if only to know what the "full string" actually looks like.

This comment has been minimized.

Copy link
@awly

awly Nov 21, 2018

Author Contributor

Added to TestConfigSprint

@thockin

This comment has been minimized.

Copy link
Member

thockin commented Dec 19, 2018

/approve

@awly awly force-pushed the awly:rest-config-stringer branch from 1885c51 to d7f7319 Jan 10, 2019

@awly awly force-pushed the awly:rest-config-stringer branch from d7f7319 to c73d1fa Jan 11, 2019

@awly

This comment has been minimized.

Copy link
Contributor Author

awly commented Jan 11, 2019

Ping @liggitt for re-LGTM after rebase

@liggitt

This comment has been minimized.

Copy link
Member

liggitt commented Jan 11, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Jan 11, 2019

@fejta-bot

This comment has been minimized.

Copy link

fejta-bot commented Jan 11, 2019

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

1 similar comment
@fejta-bot

This comment has been minimized.

Copy link

fejta-bot commented Jan 11, 2019

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@awly awly force-pushed the awly:rest-config-stringer branch from c73d1fa to d572ec4 Jan 12, 2019

@k8s-ci-robot k8s-ci-robot removed the lgtm label Jan 12, 2019

@k8s-ci-robot

This comment has been minimized.

Copy link
Contributor

k8s-ci-robot commented Jan 12, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: awly, liggitt, mikedanese, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@awly

This comment has been minimized.

Copy link
Contributor Author

awly commented Jan 12, 2019

OK, so between my last rebase and tests running, 371d866#diff-6b978f2ff1ddbaaecbd3e39618522192 happened removing spew from one of the staging repos.
I re-rebased and re-added spew to that repo so pull-kubernetes-godeps should be happy now.

@awly

This comment has been minimized.

Copy link
Contributor Author

awly commented Jan 12, 2019

/retest

1 similar comment
@awly

This comment has been minimized.

Copy link
Contributor Author

awly commented Jan 14, 2019

/retest

@awly awly force-pushed the awly:rest-config-stringer branch from d572ec4 to cd4e36c Jan 15, 2019

@awly

This comment has been minimized.

Copy link
Contributor Author

awly commented Jan 15, 2019

/retest

Implement fmt.Stringer on rest.Config to sanitize sensitive fields
It's very easy to add glog.Info(config) calls for debugging (or actual
logging). In some scenarios those configs will carry sensitive tokens
and those tokens will end up in logs or response bodies.
Leaking of those stringified configs compromises the cluster.

Also implement fmt.GoStringer.

@awly awly force-pushed the awly:rest-config-stringer branch from cd4e36c to c9ad1d7 Jan 15, 2019

@awly

This comment has been minimized.

Copy link
Contributor Author

awly commented Jan 15, 2019

/retest

@awly

This comment has been minimized.

Copy link
Contributor Author

awly commented Jan 15, 2019

4 rebases later, tests finally pass.
Ping @liggitt for another re-LGTM

@liggitt

This comment has been minimized.

Copy link
Member

liggitt commented Jan 15, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Jan 15, 2019

@awly

This comment has been minimized.

Copy link
Contributor Author

awly commented Jan 16, 2019

/retest

@fejta-bot

This comment has been minimized.

Copy link

fejta-bot commented Jan 16, 2019

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@k8s-ci-robot k8s-ci-robot merged commit 914e383 into kubernetes:master Jan 16, 2019

18 checks passed

cla/linuxfoundation awly authorized
Details
pull-kubernetes-bazel-build Job succeeded.
Details
pull-kubernetes-bazel-test Job succeeded.
Details
pull-kubernetes-cross Skipped
pull-kubernetes-e2e-gce Job succeeded.
Details
pull-kubernetes-e2e-gce-100-performance Job succeeded.
Details
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
Details
pull-kubernetes-e2e-kops-aws Job succeeded.
Details
pull-kubernetes-e2e-kubeadm-gce Skipped
pull-kubernetes-godeps Job succeeded.
Details
pull-kubernetes-integration Job succeeded.
Details
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
Details
pull-kubernetes-local-e2e Skipped
pull-kubernetes-local-e2e-containerized Skipped
pull-kubernetes-node-e2e Job succeeded.
Details
pull-kubernetes-typecheck Job succeeded.
Details
pull-kubernetes-verify Job succeeded.
Details
tide In merge pool.
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.