Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not log sensitive data #2083

Merged
merged 23 commits into from
Sep 21, 2023
Merged

Do not log sensitive data #2083

merged 23 commits into from
Sep 21, 2023

Conversation

kziemianek
Copy link
Member

@kziemianek kziemianek commented Aug 30, 2023
edited
Loading

No sensitive data should be present in logs for production mode workers.

  • Removes for example Identity content from the logs for production build
  • Hardcodes enclave logger to INFO - it doesn't read configuration from env for production build anymore as third party libraries might log sensitive data on various levels
  • Changes several log statements to not log sensitive data in production build

Example of hidding Identity contents

Non Production

[2023-08-30T10:59:48Z DEBUG itp_top_pool_author::api] [Pool] creating hash of direct_call(TrustedCallSigned { call: set_user_shielding_key(Substrate(Address32([212, 53, 147, 199, 21, 253, 211, 28, 97, 20, 26, 189, 4, 169, 159, 214, 130, 44, 133, 88, 133, 76, 205, 227, 154, 86, 132, 231, 165, 109, 162, 125])), Substrate(Address32([212, 53, 147, 199, 21, 253, 211, 28, 97, 20, 26, 189, 4, 169, 159, 214, 130, 44, 133, 88, 133, 76, 205, 227, 154, 86, 132, 231, 165, 109, 162, 125])), [34, 252, 130, 219, 91, 96, 105, 152, 173, 69, 9, 155, 121, 120, 181, 180, 249, 221, 78, 166, 1, 126, 87, 55, 10, 197, 97, 65, 202, 170, 189, 18], 0xf457c8d9ec835e2ec0cbdb2c03ad77e33416ccc1e91939a3863fa57e55eb09a8), nonce: 0, signature: Sr25519() })

[2023-08-30T11:00:36Z DEBUG itp_top_pool_author::api] [Pool] creating hash of direct_call(TrustedCallSigned { call: link_identity(Substrate(Address32([212, 53, 147, 199, 21, 253, 211, 28, 97, 20, 26, 189, 4, 169, 159, 214, 130, 44, 133, 88, 133, 76, 205, 227, 154, 86, 132, 231, 165, 109, 162, 125])), Substrate(Address32([212, 53, 147, 199, 21, 253, 211, 28, 97, 20, 26, 189, 4, 169, 159, 214, 130, 44, 133, 88, 133, 76, 205, 227, 154, 86, 132, 231, 165, 109, 162, 125])), Twitter(IdentityString { inner: BoundedVec([109, 111, 99, 107, 95, 117, 115, 101, 114], 64) }), Web2(Twitter(TwitterValidationData { tweet_id: BoundedVec([49], 64) })), [], [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1], 0x4b9cf34a5837837847974a92246bbfe1f5c8ab8d36ef2d013d465ca36e168723), nonce: 1, signature: Sr25519() })

[2023-08-30T11:00:36Z DEBUG itp_top_pool_author::api] [Pool] creating hash of direct_call(TrustedCallSigned { call: link_identity_callback(Substrate(Address32([35, 112, 254, 25, 116, 130, 30, 154, 197, 190, 131, 101, 191, 1, 240, 119, 210, 117, 129, 225, 240, 223, 148, 35, 184, 162, 98, 205, 235, 187, 238, 211])), Substrate(Address32([212, 53, 147, 199, 21, 253, 211, 28, 97, 20, 26, 189, 4, 169, 159, 214, 130, 44, 133, 88, 133, 76, 205, 227, 154, 86, 132, 231, 165, 109, 162, 125])), Twitter(IdentityString { inner: BoundedVec([109, 111, 99, 107, 95, 117, 115, 101, 114], 64) }), [], 0x4b9cf34a5837837847974a92246bbfe1f5c8ab8d36ef2d013d465ca36e168723), nonce: 0, signature: Ed25519() })

Production

[2023-08-30T10:46:24Z DEBUG itp_top_pool_author::api] [Pool] creating hash of direct_call(TrustedCallSigned { call: set_user_shielding_key(Substrate(Address32), Substrate(Address32), [34, 252, 130, 219, 91, 96, 105, 152, 173, 69, 9, 155, 121, 120, 181, 180, 249, 221, 78, 166, 1, 126, 87, 55, 10, 197, 97, 65, 202, 170, 189, 18], 0x4ed294ad4725d4c3904ddf15dd7934cf0f1f6f2fd749c0c6a0600c279cb17813), nonce: 0, signature: Sr25519() })

[2023-08-30T10:46:48Z DEBUG itp_top_pool_author::api] [Pool] creating hash of direct_call(TrustedCallSigned { call: link_identity(Substrate(Address32), Substrate(Address32), Twitter(IdentityString), Web2(Twitter(TwitterValidationData { tweet_id: BoundedVec([49], 64) })), [], [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1], 0x3d8c863948ca59c3be8d2804e53c56c2e151ddec369ea4af43e4d707d489cf2f), nonce: 1, signature: Sr25519() })

[2023-08-30T10:49:00Z DEBUG itp_top_pool_author::api] [Pool] creating hash of direct_call(TrustedCallSigned { call: link_identity_callback(Substrate(Address32), Substrate(Address32), Twitter(IdentityString), [], 0x53551a9cbaa903110d2037c1b97bc0dd28d2e7a4eb1aa64e6a23814529b17f3a), nonce: 1, signature: Ed25519() })

relates: #2040
fixes: #1514

@kziemianek kziemianek requested a review from a team August 30, 2023 11:16
@kziemianek kziemianek changed the title Hide Identity content in logs Hide Identity content in logs Aug 30, 2023
@kziemianek kziemianek changed the title Hide Identity content in logs [WIP] do not log sensitive data Sep 1, 2023
@kziemianek kziemianek changed the title [WIP] do not log sensitive data Do not log sensitive data Sep 4, 2023
@BillyWooo
Copy link
Collaborator

Hi @kziemianek , do you think it's better to design a local wrapper of crate log ? Then only change the toml dependency and keep the coding style like, debug!(), info!(), etc. That would be much easier. Otherwise all the log info needs to add extra if_production_or or if_not_production.
My original idea would be: we can have log crate local override and switch between production and non-production mode.
How do you think so?

@kziemianek
Copy link
Member Author

Hi @kziemianek , do you think it's better to design a local wrapper of crate log ? Then only change the toml dependency and keep the coding style like, debug!(), info!(), etc. That would be much easier. Otherwise all the log info needs to add extra if_production_or or if_not_production. My original idea would be: we can have log crate local override and switch between production and non-production mode. How do you think so?

Good idea, i can wrap it with another macro.

BillyWooo
BillyWooo reviewed Sep 11, 2023
View reviewed changes
tee-worker/core/direct-rpc-server/src/rpc_ws_handler.rs Outdated
@@ -20,8 +20,8 @@ use crate::sgx_reexport_prelude::*;

use crate::{DetermineWatch, RpcConnectionRegistry, RpcHash};
use itc_tls_websocket_server::{error::WebSocketResult, ConnectionToken, WebSocketMessageHandler};
use itp_utils::debug as lit_debug;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we just use debug, without prefix lit_ ? Will it introduce any conflict?
If no conflict, I would suggest only debug is sufficient.
so we will only change:
use log::* to use itp_utils::*

We may need to take care of sgx vs std.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes we can but I prefer different names from log crate macros.
What do you think about renaming our macros, example debug -> lit_debug ?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I actually prefer renaming the macros to lit_ prefixed, to clearly differ from the known log macros.

And it seems we are using alias anyway in most of the cases

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kziemianek let's renaming our macros directly to lit_***. And then merge this PR.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll remove them as they seems to be redundant since we locked log level for production build at INFO.

@kziemianek
Copy link
Member Author

kziemianek commented Sep 11, 2023
edited
Loading

I set enclave logger's base filter level to INFO for production build.
It might be worth to consider disabling the logging for 3rd crates.

Kailai-Wang
Kailai-Wang reviewed Sep 18, 2023
View reviewed changes
Copy link
Collaborator

@Kailai-Wang Kailai-Wang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good from my side, thanks :)

tee-worker/litentry/primitives/src/identity.rs

#[derive(Eq, PartialEq, Clone, MaxEncodedLen, Default)]
#[cfg_attr(feature = "std", derive(Serialize, Deserialize))]
pub struct IdentityString {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do I understand it correctly that we need such a flattened struct because of prod/non-prod Debug implementation?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the actual reason is just to not introduce any breaking changes and to not pollute api contract with this implementation detail.
This struct will be serialized/deserialized the same as it was before so for the consumers there would be no change.

tee-worker/core/direct-rpc-server/src/rpc_ws_handler.rs Outdated
@@ -20,8 +20,8 @@ use crate::sgx_reexport_prelude::*;

use crate::{DetermineWatch, RpcConnectionRegistry, RpcHash};
use itc_tls_websocket_server::{error::WebSocketResult, ConnectionToken, WebSocketMessageHandler};
use itp_utils::debug as lit_debug;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I actually prefer renaming the macros to lit_ prefixed, to clearly differ from the known log macros.

And it seems we are using alias anyway in most of the cases

@kziemianek
Copy link
Member Author

@BillyWooo , @Kailai-Wang I've removed log macros because they seem to be redundant since we locked log level for production build at INFO.

@BillyWooo
Copy link
Collaborator

@BillyWooo , @Kailai-Wang I've removed log macros because they seem to be redundant since we locked log level for production build at INFO.

Good idea. Mindset was trapped in before.
If so, we need to apply to all of our logs. enclave_runtime and worker in general. Then we check all INFO level logs to make sure no sensitive info leak.

BillyWooo
BillyWooo approved these changes Sep 21, 2023
View reviewed changes
Copy link
Collaborator

@BillyWooo BillyWooo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. LGTM

@kziemianek kziemianek merged commit 1bec274 into dev Sep 21, 2023
28 checks passed
@kziemianek kziemianek deleted the 2040-anonymyze-data branch September 27, 2023 21:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Kailai-Wang Kailai-Wang Kailai-Wang left review comments

@BillyWooo BillyWooo BillyWooo approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Remove logs in the enclave in runtime
3 participants
@kziemianek @BillyWooo @Kailai-Wang