-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add secret masking functions to be called in logger and directly #345
Conversation
212ee56
to
d6be4ca
Compare
d6be4ca
to
63b46d0
Compare
d9054d6
to
5de655e
Compare
} | ||
|
||
|
||
# TODO: move to its own file so it can be used by plugins and before/after hooks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree and was thinking of mentioning that this would be best in the utilities module. The trick is that would create a cyclic dependency.
If we really want to make this function available, then I'd recommend we create a bare-utilities.py file that strictly maintains a "no app specific import" rule. This would mean that it would be imported by all other app-specific modules.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@PhillypHenning do you mind creating an issue for this?
@mickmcgrath13 I'm going to merge this unless you stop me within the next hour |
I ran into this issue
I've added the following to the
This is fixed in #347 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left my opinions about this feature, but it works in optimistic examples and is a nice start! 👍
Outside of heuristics and rules from 3rd party libs we may also want to define a list of secrets, take the ENV var value and replace it in the output too so it catches the real secret string.
From the evident next steps we're missing other secret vars for all the plugins (AWS, etc) in the fleet https://github.com/bitops-plugins/ and it is worth adding some minimal documentation.
|
||
res_str = message | ||
for config_item in BITOPS_logging_masks: | ||
# TODO: use a library here? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, totally.
It's good to have something initially working, but IMO it doesn't solve the secrets problem technically with such approach, but rather creates a visibility of solving it which is dangerous in security context.
Trying to mask the secrets this way might be not production ready, and also hard to call user-friendly with the new bitops config.
We might leverage external rules like: https://github.com/Yelp/detect-secrets/tree/master/detect_secrets/plugins and heuristics from the tool that might already having secrets detection.
Ex: https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/github_token.py#L15
- # regex to search | ||
# looks for `BITOPS_KUBECONFIG_BASE64={string}` | ||
search: (.*BITOPS_KUBECONFIG_BASE64.*\=)(.*\n) | ||
# replace the value part | ||
replace: '\1*******\n' | ||
- # regex to search | ||
# looks for `The namespace kube-system exists` | ||
search: (.*The namespace )(kube-system)( exists.*) | ||
#replace kube-system | ||
replace: '\1*******\3' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does it really close the #208?
Was the BITOPS_KUBECONFIG_BASE64
the only available secret we're passing or are there any other secret vars from the plugins?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
masks: | ||
- # regex to search | ||
# looks for `BITOPS_KUBECONFIG_BASE64={string}` | ||
search: (.*BITOPS_KUBECONFIG_BASE64.*\=)(.*\n) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we're targeting beginners, I wouldn't expose regex setting in the BitOps config as it brings complexity to the user's side. It's enough to list 10 regex rules to make everything look complicated and repell someone using it.
Other options:
- Just list the secret vars in bitops core or config. No regex, just BITOPS_KUBECONFIG_BASE64, AWS_SECRET_KEY, etc. and do the rest filtering on the BitOps side.
- auto-detect secrets in log via heuristics and rules from libs like https://github.com/Yelp/detect-secrets/tree/master/detect_secrets/plugins
- allow specifying extra secret names on top of default/hardcoded
secrets:
- BITOPS_KUBECONFIG_BASE64
- AWS_SECRET_ACCESS_KEY
- AWS_ACCESS_KEY_ID
- AWS_SESSION_TOKEN
Alternatively, allow defining secrets on BitOps Plugin level and process in the code so the secret definition is pluggable.
# looks for `BITOPS_KUBECONFIG_BASE64={string}` | ||
search: (.*BITOPS_KUBECONFIG_BASE64.*\=)(.*\n) | ||
# replace the value part | ||
replace: '\1*******\n' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it makes sense to omit the "replace" part, defaulting it to just ****
.
@@ -13,6 +13,18 @@ bitops: | |||
filename: bitops-run # log filename | |||
err: bitops.logs # error logs filename | |||
path: /var/logs/bitops # path to log folder | |||
# Define the secrets to mask | |||
masks: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
secrets:
Description
Add configuration in the bitops-level bitops.config to add masks based on regular expressions.
Todo
Fixes #208
Type of change
Please delete options that are not relevant.
How Has This Been Tested?
Tested locally with
BITOPS_KUBECONFIG_BASE64
(see this pr for the local development setup used)Logs
without change:
with changes:
Test Configuration: (see below)
mask config: modified the omnibus
bitops.config.yaml
to include new mask configurationcommand:
Checklist: