api: add 'redacted' option for protobuf messages, and redact SSL certs

[mergeconflict]

Implement MessageUtil::redact() to redact proto fields with the udpa.annotations.sensitive option set. Apply this to SSL certs in the admin config_dump.

Risk Level: low
Testing: unit tests
Docs Changes: n/a
Release Notes: n/a

Signed-off-by: Dan Rosen mergeconflict@google.com

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/.

🐱

Caused by: #9315 was opened by mergeconflict.

see: more, trace.

[mergeconflict]

/review @htuch

[jmarantz]

WDYT of simply populating the cert with a hashed version of the cert? It might be a lot less code. What're the pros & cons?

[PiotrSikora]

Please take a look at the discussion for when we redacted SDS values in /config_dump:
#7365

[mergeconflict]

WDYT of simply populating the cert with a hashed version of the cert? It might be a lot less code. What're the pros & cons?

@jmarantz: I think my current approach isn't a tremendous amount of code, and it's general purpose: anything else in the config dump that needs to be redacted can use this mechanism. See e.g. https://github.com/envoyproxy/envoy/blob/master/source/common/secret/secret_manager_impl.cc#L118.

[mattklein123]

Big +1 for implementing this. We need this for tapping and other general data exfiltration issues.

[incfly]

/cc @incfly

[incfly]

WDYT of simply populating the cert with a hashed version of the cert? It might be a lot less code. What're the pros & cons?

Istio builds some tooling to actually get the cert and parse out the expiration time for troubleshooting.

Only clearing the private key and password is good enough and above tooling would still work.

[htuch]

Nice, this is a very clean approach to the problem, happy to see it landing.
/wait

[htuch]

Can we add check_format support to ban all the likely candidates (e.g. DebugString, PrintToString) and force safe uses?

[mergeconflict]

Let's chat about that tomorrow; I'm not sure how big a hammer we want to use, if any.

[htuch]

I feel we also want this in various logs, e.g. trace level xDS logs, where this has come up previously as an issue.

[mergeconflict]

Yes, definitely. I'm thinking to just target this one spot in this PR, as a proof of concept, and then track down others (e.g. #4757) as a follow-up.

[htuch]

Sure, I'm good with keeping the issue open for follow-up.

[mergeconflict]

@htuch thanks for your help; I think this is ready for a second look.

[mergeconflict]

/retest

[repokitteh-read-only]

🙀 Error while processing event:

evaluation error
error: function error error: user: combined status is failure, but no failed builds.

🐱

Caused by: a #9315 (comment) was created by @mergeconflict.

see: more, trace.

[htuch]

LGTM modulo two minor comments.
/wait

[htuch]

LGTM, needs master merge. Epic work, thanks for this contribution.

[htuch]

Thanks!

[mergeconflict]

@htuch merged master