fix: Filter out cust. AssumeRole Token for audit (#19646)

The `Token` parameter is a sensitive value that should not be output in the Audit log for STS AssumeRoleWithCustomToken API.

Bonus: Add a simple tool that echoes audit logs to the console.

cmd/sts-handlers.go

@@ -929,7 +929,9 @@ func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *h
 	ctx := newContext(r, w, "AssumeRoleWithCustomToken")
 
 	claims := make(map[string]interface{})
-	defer logger.AuditLog(ctx, w, r, claims)
+
+	auditLogFilterKeys := []string{stsToken}
+	defer logger.AuditLog(ctx, w, r, claims, auditLogFilterKeys...)
 
 	if !globalIAMSys.Initialized() {
 		writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)

docs/auditlog/auditlog-echo.go

@@ -0,0 +1,62 @@
+//go:build ignore
+// +build ignore
+
+// Copyright (c) 2015-2024 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package main
+
+import (
+	"bytes"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+)
+
+var port int
+
+func init() {
+	flag.IntVar(&port, "port", 8080, "Port to listen on")
+}
+
+func mainHandler(w http.ResponseWriter, r *http.Request) {
+	body, err := io.ReadAll(r.Body)
+	defer r.Body.Close()
+	if err != nil {
+		log.Printf("Error reading request body: %v", err)
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	log.Printf(">>> %s %s\n", r.Method, r.URL.Path)
+	var out bytes.Buffer
+	json.Indent(&out, body, "", "    ")
+	log.Printf("%s\n", out.String())
+
+	w.WriteHeader(http.StatusOK)
+}
+
+func main() {
+	flag.Parse()
+	http.HandleFunc("/", mainHandler)
+
+	log.Printf("Listening on :%d\n", port)
+	log.Fatal(http.ListenAndServe(fmt.Sprintf(":%d", port), nil))
+}

docs/auditlog/auditlog-echo.md

@@ -0,0 +1,17 @@
+# `auditlog-echo`: A tool to view MinIO Audit logs on the console
+
+1. Run the tool with:
+
+```
+go run docs/auditlog/auditlog-echo.go
+```
+
+The listen port has a default value (8080), but can be set with the `-port` flag.
+
+2. Configure audit logging in MinIO with for example:
+
+```
+mc admin config set myminio audit_webhook enable=on endpoint=http://localhost:8080
+```
+
+3. Make any requests to MinIO and see audit logs printed to the tool's console.

docs/iam/identity-manager-plugin.go

@@ -81,6 +81,6 @@ func mainHandler(w http.ResponseWriter, r *http.Request) {
 func main() {
 	http.HandleFunc("/", mainHandler)
 
-	log.Print("Listing on :8081")
+	log.Print("Listening on :8081")
 	log.Fatal(http.ListenAndServe(":8081", nil))
 }