-
Notifications
You must be signed in to change notification settings - Fork 5.5k
api: add 'redacted' option for protobuf messages, and redact SSL certs #9315
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 3 commits
e95cafb
794aa85
4948c4b
927d875
848b869
cf6ebc2
2f261f6
186a8b3
bd56dba
782d092
0f493fa
8013dbe
3552086
b4c9bf9
af5a7df
32673ff
09d70fc
11f9d43
2bf220f
f6e49c6
d9e836c
5dc3c06
29a6172
403fdd2
208e9b4
77f295b
2488863
769e817
891da34
e996e29
b690640
e77cb8f
7a6b20c
f8167a0
5f1211e
358bac9
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| # DO NOT EDIT. This file is generated by tools/proto_sync.py. | ||
|
|
||
| load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") | ||
|
|
||
| licenses(["notice"]) # Apache 2 | ||
|
|
||
| api_proto_package() | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| syntax = "proto3"; | ||
|
|
||
| package envoy.protobuf; | ||
|
mergeconflict marked this conversation as resolved.
Outdated
|
||
|
|
||
| option java_outer_classname = "DescriptorProto"; | ||
| option java_multiple_files = true; | ||
| option java_package = "io.envoyproxy.envoy.protobuf"; | ||
|
|
||
| import "google/protobuf/descriptor.proto"; | ||
|
|
||
| extend google.protobuf.FieldOptions { | ||
| // This option indicates that a field contains personally-identifying or otherwise sensitive data, | ||
| // such as a private key or a password. It is used by `MessageUtil::redact` to determine which | ||
| // fields need to be sanitized. Please note that this has no effect on standard Protobuf functions | ||
| // such as `TextFormat::PrintToString`; you must explicitly call `MessageUtil::redact` wherever | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can we add
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Let's chat about that tomorrow; I'm not sure how big a hammer we want to use, if any. |
||
| // you need to sanitize sensitive data. | ||
| bool redacted = 50000; | ||
| } | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -539,9 +539,10 @@ Http::Code AdminImpl::handlerConfigDump(absl::string_view, Http::HeaderMap& resp | |
| auto& any_message = *(dump.add_configs()); | ||
| any_message.PackFrom(*message); | ||
| } | ||
| const auto redacted = MessageUtil::redact(dump); | ||
|
mergeconflict marked this conversation as resolved.
Outdated
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks. Given the limitations that are now spelled out around Ultimately I'm wondering how we're going to document the effective result of this process in version history in a way that end users can grok and get predictable behavior from.
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah, this is tough. On the one hand, usage of I think I'd like to move forward with this anyways, just so we can have something in place, but I definitely agree it's dissatisfying having this limitation.
mergeconflict marked this conversation as resolved.
Outdated
|
||
|
|
||
| response_headers.setReferenceContentType(Http::Headers::get().ContentTypeValues.Json); | ||
| response.add(MessageUtil::getJsonStringFromMessage(dump, true)); // pretty-print | ||
| response.add(MessageUtil::getJsonStringFromMessage(*redacted, true)); // pretty-print | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I feel we also want this in various logs, e.g. trace level xDS logs, where this has come up previously as an issue.
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, definitely. I'm thinking to just target this one spot in this PR, as a proof of concept, and then track down others (e.g. #4757) as a follow-up.
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sure, I'm good with keeping the issue open for follow-up. |
||
| return Http::Code::OK; | ||
| } | ||
|
|
||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.