From fb140c146b9e29db6f0ef0467a45567a72536a70 Mon Sep 17 00:00:00 2001
From: Shireesh Anjal <355479+anjalshireesh@users.noreply.github.com>
Date: Thu, 3 Jun 2021 20:45:44 +0530
Subject: [PATCH] Redact sensitive values from config in health data (#12421)

The health api returns the server configuration details. Redact sensitive values from the config values like URLs and credentials.
---
 cmd/admin-handlers.go | 2 +-
 internal/config/config.go | 24 ++++++++++++++++++++++
 internal/config/etcd/help.go | 3 +++
 internal/config/help.go | 4 ++++
 internal/config/identity/ldap/help.go | 4 ++++
 internal/config/notify/help.go | 29 +++++++++++++++++++++++++++
 internal/config/policy/opa/help.go | 2 ++
 internal/logger/help.go | 6 ++++++
 8 files changed, 73 insertions(+), 1 deletion(-)

diff --git a/cmd/admin-handlers.go b/cmd/admin-handlers.go
index 5451a63b9..0ec8d3c6b 100644
--- a/cmd/admin-handlers.go
+++ b/cmd/admin-handlers.go
@@ -1565,7 +1565,7 @@ func (a adminAPIHandlers) HealthInfoHandler(w http.ResponseWriter, r *http.Reque
 }
 } else {
 healthInfo.Minio.Config = madmin.MinioConfig{
- Config: config,
+ Config: config.RedactSensitiveInfo(),
 }
 }
 partialWrite(healthInfo)
diff --git a/internal/config/config.go b/internal/config/config.go
index 9cf8f6178..760b2069a 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -340,6 +340,30 @@ func (c Config) ReadConfig(r io.Reader) (dynOnly bool, err error) {
 return dynOnly, nil
 }

+// RedactSensitiveInfo - removes sensitive information
+// like urls and credentials from the configuration
+func (c Config) RedactSensitiveInfo() Config {
+ nc := c.Clone()
+
+ for configName, configVals := range nc {
+ for _, helpKV := range HelpSubSysMap[configName] {
+ if helpKV.Sensitive {
+ for name, kvs := range configVals {
+ for i := range kvs {
+ if kvs[i].Key == helpKV.Key && len(kvs[i].Value) > 0 {
+ kvs[i].Value = "*redacted*"
+ }
+ }
+ configVals[name] = kvs
+ }
+ }
+ }
+ nc[configName] = configVals
+ }
+
+ return nc
+}
+
 type configWriteTo struct {
 Config
 filterByKey string
diff --git a/internal/config/etcd/help.go b/internal/config/etcd/help.go
index 670ec893b..33a2c0933 100644
--- a/internal/config/etcd/help.go
+++ b/internal/config/etcd/help.go
@@ -26,6 +26,7 @@ var (
 Key: Endpoints,
 Description: `comma separated list of etcd endpoints e.g. "http://localhost:2379"`,
 Type: "csv",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: PathPrefix,
@@ -44,12 +45,14 @@ var (
 Description: `client cert for mTLS authentication`,
 Optional: true,
 Type: "path",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: ClientCertKey,
 Description: `client cert key for mTLS authentication`,
 Optional: true,
 Type: "path",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: config.Comment,
diff --git a/internal/config/help.go b/internal/config/help.go
index e98fb62c5..19fc4be5b 100644
--- a/internal/config/help.go
+++ b/internal/config/help.go
@@ -25,6 +25,10 @@ type HelpKV struct {
 Description string `json:"description"`
 Optional bool `json:"optional"`

+ // Indicates if the value contains sensitive info
+ // that shouldn't be exposed in certain apis
+ Sensitive bool `json:"sensitive"`
+
 // Indicates if sub-sys supports multiple targets.
 MultipleTargets bool `json:"multipleTargets"`
 }
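Review bot: Whether the running configuration stays intact depends on `c.Clone()` (defined outside this hunk) copying the per-target KV slices rather than only the outer maps: `kvs[i].Value = "*redacted*"` writes through the slice's backing array, so a shallow clone would redact the live config the server keeps using. If Clone is shallow, detach the slice before mutating it, e.g. `kvs = append(kvs[:0:0], kvs...)` as the first statement of the `for name, kvs := range configVals` loop, which the existing `configVals[name] = kvs` then stores. Redaction is also opt-in: any key without `Sensitive: true` in its HelpKV, and any sub-system absent from HelpSubSysMap, passes through verbatim, which deserves a line in the doc comment so that authors of new config keys know the default is disclosure. The comment itself could follow Go convention, e.g. `// RedactSensitiveInfo returns a copy of c in which every non-empty value whose key is flagged Sensitive in HelpSubSysMap is replaced by "*redacted*"; keys without the flag are returned unchanged.`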
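Review bot: The new field's comment says "certain apis" without naming any, so a reader cannot tell what setting the flag actually does; its only consumer in this commit is RedactSensitiveInfo on the health-info path, so `// Sensitive marks a value (credential, endpoint) that RedactSensitiveInfo masks before the config is exposed, e.g. in health info.` would make the effect concrete. Note that the field carries a `json:"sensitive"` tag, so the flag itself is serialized wherever HelpKV is, which is fine but worth a word if that output is consumed by clients. The HelpKV struct's earlier fields lie before the hunk.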
diff --git a/internal/config/identity/ldap/help.go b/internal/config/identity/ldap/help.go
index fcc1d9c8e..ecf55e34b 100644
--- a/internal/config/identity/ldap/help.go
+++ b/internal/config/identity/ldap/help.go
@@ -26,6 +26,7 @@ var (
 Key: ServerAddr,
 Description: `AD/LDAP server address e.g. "myldapserver.com:636"`,
 Type: "address",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: STSExpiry,
@@ -38,12 +39,14 @@ var (
 Description: `DN for LDAP read-only service account used to perform DN and group lookups`,
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: LookupBindPassword,
 Description: `Password for LDAP read-only service account used to perform DN and group lookups`,
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: UserDNSearchBaseDN,
@@ -62,6 +65,7 @@ var (
 Description: `";" separated list of username bind DNs e.g. "uid=%s,cn=accounts,dc=myldapserver,dc=com"`,
 Optional: true,
 Type: "list",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: GroupSearchFilter,
diff --git a/internal/config/notify/help.go b/internal/config/notify/help.go
index 95881c74e..f92495934 100644
--- a/internal/config/notify/help.go
+++ b/internal/config/notify/help.go
@@ -35,12 +35,14 @@ var (
 Key: target.WebhookEndpoint,
 Description: "webhook server endpoint e.g. http://localhost:8080/minio/events",
 Type: "url",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.WebhookAuthToken,
 Description: "opaque string or JWT authorization token",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.WebhookQueueDir,
@@ -65,12 +67,14 @@ var (
 Description: "client cert for Webhook mTLS auth",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.WebhookClientKey,
 Description: "client cert key for Webhook mTLS auth",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 }

@@ -79,6 +83,7 @@ var (
 Key: target.AmqpURL,
 Description: "AMQP server endpoint e.g. `amqp://myuser:mypassword@localhost:5672`",
 Type: "url",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.AmqpExchange,
@@ -97,6 +102,7 @@ var (
 Description: "routing key for publishing",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.AmqpMandatory,
@@ -171,12 +177,14 @@ var (
 Description: "username for SASL/PLAIN or SASL/SCRAM authentication",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.KafkaSASLPassword,
 Description: "password for SASL/PLAIN or SASL/SCRAM authentication",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.KafkaSASLMechanism,
@@ -213,12 +221,14 @@ var (
 Description: "path to client certificate for mTLS auth",
 Optional: true,
 Type: "path",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.KafkaClientTLSKey,
 Description: "path to client key for mTLS auth",
 Optional: true,
 Type: "path",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.KafkaQueueDir,
@@ -251,6 +261,7 @@ var (
 Key: target.MqttBroker,
 Description: "MQTT server endpoint e.g. `tcp://localhost:1883`",
 Type: "uri",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.MqttTopic,
@@ -262,12 +273,14 @@ var (
 Description: "MQTT username",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.MqttPassword,
 Description: "MQTT password",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.MqttQoS,
@@ -312,6 +325,7 @@ var (
 Key: target.PostgresConnectionString,
 Description: `Postgres server connection-string e.g. "host=localhost port=5432 dbname=minio_events user=postgres password=password sslmode=disable"`,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.PostgresTable,
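Review bot: The entry described as "routing key for publishing" at `@@ -97,6 +102,7` is a message-routing name rather than a credential, so flagging it `Sensitive: true` removes it from health reports without protecting a secret; the same applies to `target.RedisKey` in the later Redis hunk, while neighbouring queue-dir paths and topic names stay visible. If the intent is to hide anything that could reveal tenant-specific naming, a short comment on those two entries, e.g. `// not a secret, but may reveal tenant-specific naming`, would keep a later cleanup from dropping the flag. The surrounding `var (` block starts and ends outside these hunks.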
@@ -355,6 +369,7 @@ var (
 Description: `MySQL data-source-name connection string e.g. ":@tcp(:)/"`,
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.MySQLTable,
@@ -397,6 +412,7 @@ var (
 Key: target.NATSAddress,
 Description: "NATS server address e.g. '0.0.0.0:4222'",
 Type: "address",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.NATSSubject,
@@ -408,18 +424,21 @@ var (
 Description: "NATS username",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.NATSPassword,
 Description: "NATS password",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.NATSToken,
 Description: "NATS token",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.NATSTLS,
@@ -468,18 +487,21 @@ var (
 Description: "path to certificate chain of the target NATS server",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.NATSClientCert,
 Description: "client cert for NATS mTLS auth",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.NATSClientKey,
 Description: "client cert key for NATS mTLS auth",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.NATSQueueDir,
@@ -506,6 +528,7 @@ var (
 Key: target.NSQAddress,
 Description: "NSQ server address e.g. '127.0.0.1:4150'",
 Type: "address",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.NSQTopic,
@@ -549,6 +572,7 @@ var (
 Key: target.ElasticURL,
 Description: "Elasticsearch server's address, with optional authentication info",
 Type: "url",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.ElasticIndex,
@@ -577,12 +601,14 @@ var (
 Description: "username for Elasticsearch basic-auth",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.ElasticPassword,
 Description: "password for Elasticsearch basic-auth",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: config.Comment,
@@ -597,11 +623,13 @@ var (
 Key: target.RedisAddress,
 Description: "Redis server's address. For example: `localhost:6379`",
 Type: "address",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.RedisKey,
 Description: "Redis key to store/update events, key is auto-created",
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.RedisFormat,
@@ -613,6 +641,7 @@ var (
 Description: "Redis server password",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: target.RedisQueueDir,
diff --git a/internal/config/policy/opa/help.go b/internal/config/policy/opa/help.go
index 18a09e408..a77d33261 100644
--- a/internal/config/policy/opa/help.go
+++ b/internal/config/policy/opa/help.go
@@ -26,12 +26,14 @@ var (
 Key: URL,
 Description: `[DEPRECATED] OPA HTTP(s) endpoint e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"`,
 Type: "url",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: AuthToken,
 Description: "[DEPRECATED] authorization token for OPA endpoint",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: config.Comment,
diff --git a/internal/logger/help.go b/internal/logger/help.go
index 0bbbf4b1e..99281cfba 100644
--- a/internal/logger/help.go
+++ b/internal/logger/help.go
@@ -28,12 +28,14 @@ var (
 Key: Endpoint,
 Description: `HTTP(s) endpoint e.g. "http://localhost:8080/minio/logs/server"`,
 Type: "url",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: AuthToken,
 Description: `opaque string or JWT authorization token`,
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: config.Comment,
@@ -48,12 +50,14 @@ var (
 Key: Endpoint,
 Description: `HTTP(s) endpoint e.g. "http://localhost:8080/minio/logs/audit"`,
 Type: "url",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: AuthToken,
 Description: `opaque string or JWT authorization token`,
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: config.Comment,
@@ -66,12 +70,14 @@ var (
 Description: "mTLS certificate for Audit Webhook authentication",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 config.HelpKV{
 Key: ClientKey,
 Description: "mTLS certificate key for Audit Webhook authentication",
 Optional: true,
 Type: "string",
+ Sensitive: true,
 },
 }
 )