fix(core): cleanup sensitive info being logged from configuration

go.work

@@ -3,8 +3,8 @@ go 1.21
 use (
 	./examples
 	./lib/fixtures
-	./lib/ocrypto
 	./lib/flattening
+	./lib/ocrypto
 	./protocol/go
 	./sdk
 	./service

service/authorization/authorization.go

@@ -49,9 +49,9 @@ type Config struct {
 
 type CustomRego struct {
 	// Path to Rego file
-	Path string `mapstructure:"path"`
+	Path string `mapstructure:"path" json:"path"`
 	// Rego Query
-	Query string `mapstructure:"query" default:"data.opentdf.entitlements.attributes"`
+	Query string `mapstructure:"query" json:"query" default:"data.opentdf.entitlements.attributes"`
 }
 
 func NewRegistration() serviceregistry.Registration {
@@ -102,7 +102,7 @@ func NewRegistration() serviceregistry.Registration {
 				}
 			}
 
-			logger.Debug("authorization service config", slog.Any("config", authZCfg))
+			logger.Debug("authorization service config", slog.Any("config", *authZCfg))
 
 			// Build Rego PreparedEvalQuery
 
@@ -151,7 +151,7 @@ func (as AuthorizationService) IsReady(ctx context.Context) error {
 }
 
 func (as *AuthorizationService) GetDecisionsByToken(ctx context.Context, req *authorization.GetDecisionsByTokenRequest) (*authorization.GetDecisionsByTokenResponse, error) {
-	var decisionsRequests = []*authorization.DecisionRequest{}
+	decisionsRequests := []*authorization.DecisionRequest{}
 	// for each token decision request
 	for _, tdr := range req.GetDecisionRequests() {
 		ecResp, err := as.sdk.EntityResoution.CreateEntityChainFromJwt(ctx, &entityresolution.CreateEntityChainFromJwtRequest{Tokens: tdr.GetTokens()})
@@ -171,7 +171,6 @@ func (as *AuthorizationService) GetDecisionsByToken(ctx context.Context, req *au
 	resp, err := as.GetDecisions(ctx, &authorization.GetDecisionsRequest{
 		DecisionRequests: decisionsRequests,
 	})
-
 	if err != nil {
 		return nil, err
 	}
@@ -264,7 +263,7 @@ func (as *AuthorizationService) GetDecisions(ctx context.Context, req *authoriza
 
 				//nolint:nestif // handle empty entity / attr list
 				if len(entities) == 0 || len(allPertinentFqnsRA.GetAttributeValueFqns()) == 0 {
-					as.logger.WarnContext(ctx, "Empty entity list and/or entity data attribute list")
+					as.logger.WarnContext(ctx, "empty entity list and/or entity data attribute list")
 				} else {
 					ecEntitlements, err := as.GetEntitlements(ctx, &req)
 					if err != nil {
@@ -304,7 +303,7 @@ func (as *AuthorizationService) GetDecisions(ctx context.Context, req *authoriza
 				)
 				if err != nil {
 					// TODO: should all decisions in a request fail if one entity entitlement lookup fails?
-					return nil, db.StatusifyError(err, db.ErrTextGetRetrievalFailed, slog.String("extra", "DetermineAccess request to Access PDP failed"))
+					return nil, db.StatusifyError(errors.New("could not determine access"), "could not determine access", slog.String("error", err.Error()))
 				}
 				// check the decisions
 				decision := authorization.DecisionResponse_DECISION_PERMIT
@@ -500,22 +499,22 @@ func (as *AuthorizationService) GetEntitlements(ctx context.Context, req *author
 
 	// I am not sure how we would end up with multiple results but lets return an empty entitlement set for now
 	if len(results) > 1 {
-		as.logger.WarnContext(ctx, "multiple entitlement results", slog.String("results", fmt.Sprintf("%+v", results)))
+		as.logger.WarnContext(ctx, "multiple entitlement results", slog.Any("results", results))
 		return rsp, nil
 	}
 
 	// If we get no expressions then we assume that the entity is not entitled to anything
 	if len(results[0].Expressions) == 0 {
-		as.logger.WarnContext(ctx, "no entitlement expressions", slog.String("results", fmt.Sprintf("%+v", results)))
+		as.logger.WarnContext(ctx, "no entitlement expressions", slog.Any("results", results))
 		return rsp, nil
 	}
 
 	resultsEntitlements, entitlementsMapOk := results[0].Expressions[0].Value.(map[string]interface{})
 	if !entitlementsMapOk {
-		as.logger.ErrorContext(ctx, "entitlements is not a map[string]interface", slog.String("value", fmt.Sprintf("%+v", resultsEntitlements)))
+		as.logger.ErrorContext(ctx, "entitlements is not a map[string]interface", slog.Any("value", resultsEntitlements))
 		return rsp, nil
 	}
-	as.logger.DebugContext(ctx, "opa results", "results", fmt.Sprintf("%+v", results))
+	as.logger.DebugContext(ctx, "rego results", slog.Any("results", results))
 	for idx, entity := range req.GetEntities() {
 		// Ensure the entity has an ID
 		entityID := entity.GetId()
@@ -525,14 +524,14 @@ func (as *AuthorizationService) GetEntitlements(ctx context.Context, req *author
 		// Check to maksure if the value is a list. Good validation if someone customizes the rego policy
 		entityEntitlements, valueListOk := resultsEntitlements[entityID].([]interface{})
 		if !valueListOk {
-			as.logger.ErrorContext(ctx, "entitlements is not a map[string]interface", slog.String("value", fmt.Sprintf("%+v", resultsEntitlements)))
+			as.logger.ErrorContext(ctx, "entitlements is not a map[string]interface", slog.Any("value", resultsEntitlements))
 			return rsp, nil
 		}
 
 		// map for attributes for optional comprehensive
 		attributesMap := make(map[string]*policy.Attribute)
 		// Build array with length of results
-		var entitlements = make([]string, len(entityEntitlements))
+		entitlements := make([]string, len(entityEntitlements))
 
 		// Build entitlements list
 		for valueIDX, value := range entityEntitlements {

service/entityresolution/entityresolution.go

@@ -2,9 +2,9 @@ package entityresolution
 
 import (
 	"context"
-	"encoding/json"
 
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
+	"github.com/mitchellh/mapstructure"
 	"github.com/opentdf/platform/protocol/go/entityresolution"
 	keycloak "github.com/opentdf/platform/service/entityresolution/keycloak"
 	"github.com/opentdf/platform/service/logger"
@@ -23,14 +23,13 @@ func NewRegistration() serviceregistry.Registration {
 		ServiceDesc: &entityresolution.EntityResolutionService_ServiceDesc,
 		RegisterFunc: func(srp serviceregistry.RegistrationParams) (any, serviceregistry.HandlerServer) {
 			var inputIdpConfig keycloak.KeycloakConfig
-			confJSON, err := json.Marshal(srp.Config)
-			if err != nil {
-				panic(err)
-			}
-			err = json.Unmarshal(confJSON, &inputIdpConfig)
-			if err != nil {
+
+			if err := mapstructure.Decode(srp.Config, &inputIdpConfig); err != nil {
 				panic(err)
 			}
+
+			srp.Logger.Debug("entity_resolution configuration", "config", inputIdpConfig)
+
 			return &EntityResolutionService{idpConfig: inputIdpConfig, logger: srp.Logger}, func(ctx context.Context, mux *runtime.ServeMux, server any) error {
 				return entityresolution.RegisterEntityResolutionServiceHandlerServer(ctx, mux, server.(entityresolution.EntityResolutionServiceServer)) //nolint:forcetypeassert // allow type assert, following other services
 			}
@@ -39,13 +38,11 @@ func NewRegistration() serviceregistry.Registration {
 }
 
 func (s EntityResolutionService) ResolveEntities(ctx context.Context, req *entityresolution.ResolveEntitiesRequest) (*entityresolution.ResolveEntitiesResponse, error) {
-	s.logger.Debug("request", "", req)
 	resp, err := keycloak.EntityResolution(ctx, req, s.idpConfig, s.logger)
 	return &resp, err
 }
 
 func (s EntityResolutionService) CreateEntityChainFromJwt(ctx context.Context, req *entityresolution.CreateEntityChainFromJwtRequest) (*entityresolution.CreateEntityChainFromJwtResponse, error) {
-	s.logger.Debug("request", "", req)
 	resp, err := keycloak.CreateEntityChainFromJwt(ctx, req, s.idpConfig, s.logger)
 	return &resp, err
 }