[BACKPORT 2024.1][PLAT-14788]mask SAS token in backup config response and logs

asharma-yb · asharma-yb · commit 4bcdb6ceea63 · 2024-09-04T05:10:06.000Z
Summary: Original commit: 920989b/D37715 Redact SAS token in backup response and v1 backup logs. SAS token is basically a bunch of query params, eg `sp=racwdli&st=2024-09-02T08:35:05Z&se=2024-12-31T16:35:05Z&sv=2022-11-02&sr=c&sig=****`. In v1 backups we are logging this token without redacting the sig. Test Plan: Manually reproduced the issue by taking v1 backups on a universe. verfied the sig is redacted after my changes. Also verified that the SAS token is masked on backup config UI. Reviewers: #yba-api-review!, vkumar, amalyshev, svarshney Reviewed By: svarshney Subscribers: yugaware Differential Revision: https://phorge.dev.yugabyte.com/D37729
diff --git a/managed/src/main/java/com/yugabyte/yw/common/RedactingService.java b/managed/src/main/java/com/yugabyte/yw/common/RedactingService.java
@@ -29,6 +29,9 @@ public class RedactingService {
           "$..ysqlCurrentPassword",
           "$..sshPrivateKeyContent");
 
+  public static final List<String> SECRET_QUERY_PARAMS_FOR_LOGS =
+      ImmutableList.of(/* SAS Token */ "sig");
+
   public static final List<String> SECRET_PATHS_FOR_LOGS =
       ImmutableList.<String>builder()
           .addAll(SECRET_PATHS_FOR_APIS)
@@ -131,6 +134,16 @@ public static String redactString(String input) {
     return output;
   }
 
+  public static String redactQueryParams(String input) {
+    String output = input;
+    for (String param : SECRET_QUERY_PARAMS_FOR_LOGS) {
+      String regex = "([?&]" + param + "=)([^&]+)";
+      String replacement = "$1" + SECRET_REPLACEMENT;
+      output = output.replaceAll(regex, replacement);
+    }
+    return output;
+  }
+
   public enum RedactionTarget {
     LOGS,
     APIS;
diff --git a/managed/src/main/java/com/yugabyte/yw/common/ShellProcessHandler.java b/managed/src/main/java/com/yugabyte/yw/common/ShellProcessHandler.java
@@ -275,13 +275,13 @@ private String getOutputLines(BufferedReader reader, boolean logOutput) {
             .peek(
                 line -> {
                   if (logOutput) {
-                    log.debug(fileMarker, line);
+                    log.debug(fileMarker, RedactingService.redactQueryParams(line));
                   }
                 })
             .collect(Collectors.joining("\n"))
             .trim();
     if (logOutput && cloudLoggingEnabled && lines.length() > 0) {
-      log.debug(consoleMarker, lines);
+      log.debug(consoleMarker, RedactingService.redactQueryParams(lines));
     }
     return lines;
   }
diff --git a/managed/src/main/java/com/yugabyte/yw/models/helpers/CommonUtils.java b/managed/src/main/java/com/yugabyte/yw/models/helpers/CommonUtils.java
@@ -84,7 +84,14 @@ public class CommonUtils {
   // Sensisitve field substrings
   private static final List<String> sensitiveFieldSubstrings =
       Arrays.asList(
-          "KEY", "SECRET", "CREDENTIALS", "API", "POLICY", "HC_VAULT_TOKEN", "vaultToken");
+          "KEY",
+          "SECRET",
+          "CREDENTIALS",
+          "API",
+          "POLICY",
+          "HC_VAULT_TOKEN",
+          "vaultToken",
+          "SAS_TOKEN");
   // Exclude following strings from being sensitive fields
   private static final List<String> excludedFieldNames =
       Arrays.asList(

Original file line number	Diff line number	Diff line change
`@@ -275,13 +275,13 @@ private String getOutputLines(BufferedReader reader, boolean logOutput) {`
`275`	`275`	`.peek(`
`276`	`276`	`line -> {`
`277`	`277`	`if (logOutput) {`
`278`		`- log.debug(fileMarker, line);`
	`278`	`+ log.debug(fileMarker, RedactingService.redactQueryParams(line));`
`279`	`279`	`}`
`280`	`280`	`})`
`281`	`281`	`.collect(Collectors.joining("\n"))`
`282`	`282`	`.trim();`
`283`	`283`	`if (logOutput && cloudLoggingEnabled && lines.length() > 0) {`
`284`		`- log.debug(consoleMarker, lines);`
	`284`	`+ log.debug(consoleMarker, RedactingService.redactQueryParams(lines));`
`285`	`285`	`}`
`286`	`286`	`return lines;`
`287`	`287`	`}`