Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

api: redact more fields. #9692

Merged
merged 3 commits into from
Jan 16, 2020
Merged

api: redact more fields. #9692

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9390d93
api: redact more fields.
PiotrSikora Jan 15, 2020
8cde3a2
review: revert changes in jwt_authn.
PiotrSikora Jan 15, 2020
c85001a
Merge remote-tracking branch 'origin/master' into PiotrSikora/redact_…
PiotrSikora Jan 16, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions api/envoy/api/v2/auth/cert.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,9 +118,9 @@ message PrivateKeyProvider {

// Private key method provider specific configuration.
oneof config_type {
google.protobuf.Struct config = 2 [deprecated = true];
google.protobuf.Struct config = 2 [deprecated = true, (udpa.annotations.sensitive) = true];
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't this effectively not do anything since redaction doesn't work inside the struct?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, this works fine: it recursively redacts everything inside the struct.
The case that wouldn't work is if the struct weren't annotated as sensitive, but contained some field that, if it were part of a strongly-typed message, would have been annotated sensitive. That is, when we're looking inside the struct, we have no info about which fields should be redacted.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK got it. Since this is a struct that gets converted into a strongly typed message everything works. 👍


google.protobuf.Any typed_config = 3;
google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true];
}
}

Expand Down
4 changes: 3 additions & 1 deletion api/envoy/api/v2/core/grpc_service.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ import "google/protobuf/duration.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/struct.proto";

import "udpa/annotations/sensitive.proto";

import "udpa/annotations/migrate.proto";
import "validate/validate.proto";

Expand Down Expand Up @@ -38,7 +40,7 @@ message GrpcService {
DataSource root_certs = 1;

// PEM encoded client private key.
DataSource private_key = 2;
DataSource private_key = 2 [(udpa.annotations.sensitive) = true];

// PEM encoded client certificate chain.
DataSource cert_chain = 3;
Expand Down
3 changes: 2 additions & 1 deletion api/envoy/config/core/v3alpha/grpc_service.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import "google/protobuf/duration.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/struct.proto";

import "udpa/annotations/sensitive.proto";
import "udpa/annotations/versioning.proto";

import "validate/validate.proto";
Expand Down Expand Up @@ -49,7 +50,7 @@ message GrpcService {
DataSource root_certs = 1;

// PEM encoded client private key.
DataSource private_key = 2;
DataSource private_key = 2 [(udpa.annotations.sensitive) = true];

// PEM encoded client certificate chain.
DataSource cert_chain = 3;
Expand Down
6 changes: 4 additions & 2 deletions api/envoy/config/filter/network/redis_proxy/v2/redis_proxy.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@ import "envoy/api/v2/core/base.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";

import "udpa/annotations/sensitive.proto";

import "envoy/annotations/deprecation.proto";
import "udpa/annotations/migrate.proto";
import "validate/validate.proto";
Expand Down Expand Up @@ -229,7 +231,7 @@ message RedisProxy {
// password is set, then a "NOAUTH Authentication required." error response will be sent to the
// client. If an AUTH command is received when the password is not set, then an "ERR Client sent
// AUTH, but no password is set" error will be returned.
api.v2.core.DataSource downstream_auth_password = 6;
api.v2.core.DataSource downstream_auth_password = 6 [(udpa.annotations.sensitive) = true];
}

// RedisProtocolOptions specifies Redis upstream protocol options. This object is used in
Expand All @@ -238,5 +240,5 @@ message RedisProxy {
message RedisProtocolOptions {
// Upstream server password as defined by the `requirepass` directive
// <https://redis.io/topics/config>`_ in the server's configuration file.
api.v2.core.DataSource auth_password = 1;
api.v2.core.DataSource auth_password = 1 [(udpa.annotations.sensitive) = true];
}
5 changes: 4 additions & 1 deletion api/envoy/config/grpc_credential/v2alpha/BUILD
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
licenses(["notice"]) # Apache 2

api_proto_package(
deps = ["//envoy/api/v2/core:pkg"],
deps = [
"//envoy/api/v2/core:pkg",
"@com_github_cncf_udpa//udpa/annotations:pkg",
],
)
4 changes: 3 additions & 1 deletion api/envoy/config/grpc_credential/v2alpha/file_based_metadata.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ package envoy.config.grpc_credential.v2alpha;

import "envoy/api/v2/core/base.proto";

import "udpa/annotations/sensitive.proto";

option java_package = "io.envoyproxy.envoy.config.grpc_credential.v2alpha";
option java_outer_classname = "FileBasedMetadataProto";
option java_multiple_files = true;
Expand All @@ -15,7 +17,7 @@ option java_multiple_files = true;
message FileBasedMetadataConfig {
// Location or inline data of secret to use for authentication of the Google gRPC connection
// this secret will be attached to a header of the gRPC connection
api.v2.core.DataSource secret_data = 1;
api.v2.core.DataSource secret_data = 1 [(udpa.annotations.sensitive) = true];

// Metadata header key to use for sending the secret data
// if no header key is set, "authorization" header will be used
Expand Down
3 changes: 2 additions & 1 deletion api/envoy/config/grpc_credential/v3alpha/file_based_metadata.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ package envoy.config.grpc_credential.v3alpha;

import "envoy/config/core/v3alpha/base.proto";

import "udpa/annotations/sensitive.proto";
import "udpa/annotations/versioning.proto";

option java_package = "io.envoyproxy.envoy.config.grpc_credential.v3alpha";
Expand All @@ -20,7 +21,7 @@ message FileBasedMetadataConfig {

// Location or inline data of secret to use for authentication of the Google gRPC connection
// this secret will be attached to a header of the gRPC connection
core.v3alpha.DataSource secret_data = 1;
core.v3alpha.DataSource secret_data = 1 [(udpa.annotations.sensitive) = true];

// Metadata header key to use for sending the secret data
// if no header key is set, "authorization" header will be used
Expand Down
5 changes: 3 additions & 2 deletions api/envoy/extensions/filters/network/redis_proxy/v3alpha/redis_proxy.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import "envoy/config/core/v3alpha/base.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";

import "udpa/annotations/sensitive.proto";
import "udpa/annotations/versioning.proto";

import "envoy/annotations/deprecation.proto";
Expand Down Expand Up @@ -231,7 +232,7 @@ message RedisProxy {
// password is set, then a "NOAUTH Authentication required." error response will be sent to the
// client. If an AUTH command is received when the password is not set, then an "ERR Client sent
// AUTH, but no password is set" error will be returned.
config.core.v3alpha.DataSource downstream_auth_password = 6;
config.core.v3alpha.DataSource downstream_auth_password = 6 [(udpa.annotations.sensitive) = true];
}

// RedisProtocolOptions specifies Redis upstream protocol options. This object is used in
Expand All @@ -243,5 +244,5 @@ message RedisProtocolOptions {

// Upstream server password as defined by the `requirepass` directive
// <https://redis.io/topics/config>`_ in the server's configuration file.
config.core.v3alpha.DataSource auth_password = 1;
config.core.v3alpha.DataSource auth_password = 1 [(udpa.annotations.sensitive) = true];
}
2 changes: 1 addition & 1 deletion api/envoy/extensions/transport_sockets/tls/v3alpha/cert.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,7 +125,7 @@ message PrivateKeyProvider {

// Private key method provider specific configuration.
oneof config_type {
google.protobuf.Any typed_config = 3;
google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true];
}
}

Expand Down
4 changes: 2 additions & 2 deletions generated_api_shadow/envoy/api/v2/auth/cert.proto
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion generated_api_shadow/envoy/api/v2/core/grpc_service.proto
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 2 additions & 1 deletion generated_api_shadow/envoy/config/core/v3alpha/grpc_service.proto
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 4 additions & 2 deletions generated_api_shadow/envoy/config/filter/network/redis_proxy/v2/redis_proxy.proto
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 4 additions & 1 deletion generated_api_shadow/envoy/config/grpc_credential/v2alpha/BUILD
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion generated_api_shadow/envoy/config/grpc_credential/v2alpha/file_based_metadata.proto
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 2 additions & 1 deletion generated_api_shadow/envoy/config/grpc_credential/v3alpha/file_based_metadata.proto
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 3 additions & 2 deletions generated_api_shadow/envoy/extensions/filters/network/redis_proxy/v3alpha/redis_proxy.proto
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 3 additions & 2 deletions generated_api_shadow/envoy/extensions/transport_sockets/tls/v3alpha/cert.proto
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.