Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix!: gate logging intermediate signing results which may contain sensitive information #984

Merged
merged 5 commits into from
Oct 21, 2023

Conversation

aajtodd
Copy link
Contributor

@aajtodd aajtodd commented Oct 19, 2023

Issue #

n/a

Description of changes

We gate logging HTTP requests and responses because headers and query parameters (and the body) could have sensitive information bound to them from the model. We currently log canonical request during signing which may contain many of the same details (headers, query params, etc). This PR adds LogMode.LogSigning which gates logging these details unless explicitly opted into.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@aajtodd aajtodd requested a review from a team as a code owner October 19, 2023 16:23
* level. This is an opt-in configuration because these intermediate outputs may contain sensitive fields bound
* to headers, URI, or query parmaeters.
*/
public val enableTraceLogging: Boolean = builder.enableTraceLogging
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure what we wanted to call this, let the 🚲 🏚️ commence!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this name if we were controlling all logger.trace calls with it, but we always log the "string to sign" at the trace level regardless of this flag. I think we should either rename this to better describe exactly what gets logged, or block the string-to-sign logging with this flag too.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah this is why I wanted to bikeshed over it because I had a similar feeling. I don't want to call it something too specific like logCanonicalRequests in the event there are other signing steps or calculations that we may want to put behind this flag.

Open to suggestions

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

enableSensitiveTraceLogging?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In tandem with my feedback above about LogSigning controlling all signing logging, I think this should just be called enableLogging.

{
"id": "b1a1bee4-e3e4-4520-ae8e-48d3b0e94ae9",
"type": "bugfix",
"description": "Do not log intermediate signature calculations without explicit opt-in via `LogMode.LogSignging`."
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo: LogSigning

@@ -164,6 +164,14 @@ public class AwsSigningConfig(builder: Builder) {
*/
public val expiresAfter: Duration? = builder.expiresAfter

/**
* Flag enabling whether detailed trace logging is enabled (if the signer implementation supports it). When true
* signers should emit intermediate logging details such as the canonical request and string to sign at the trace
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and string to sign

It looks the string to sign always gets logged (which I think is what we agreed to do). So should we only reference the canonical request in these docs?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd go the other way, actually. The SdkLogMode option is named LogSigning. At a glance, that indicates to me that all signing logging will be enabled/disabled by that flag. (The KDocs add some nuance but I think they actually undermine the name.)

I think we should just make that the case: canonical request, string to sign, and final signature should be gated by LogSigning.

* level. This is an opt-in configuration because these intermediate outputs may contain sensitive fields bound
* to headers, URI, or query parmaeters.
*/
public val enableTraceLogging: Boolean = builder.enableTraceLogging
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this name if we were controlling all logger.trace calls with it, but we always log the "string to sign" at the trace level regardless of this flag. I think we should either rename this to better describe exactly what gets logged, or block the string-to-sign logging with this flag too.

@@ -33,7 +33,7 @@ class LogModeTest {
fun testToString() {
val mode = LogMode.allModes().reduce { acc, curr -> acc + curr }
assertTrue { LogMode.allModes().all { mode.isEnabled(it) } }
val expected = "LogRequest|LogRequestWithBody|LogResponse|LogResponseWithBody"
val expected = "LogRequest|LogRequestWithBody|LogResponse|LogResponseWithBody|LogSigning"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you also add this value to the composite string test on L46? (tests the reverse of this, String->LogMode)

sdkVersion=0.27.8-SNAPSHOT
sdkVersion=0.28.0-SNAPSHOT
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: Why did this necessitate a major version bump?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It didn't, it fixes a previous commit where it should have been bumped: 681379d

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was expecting the nullability PR to land with everything else which bumped the version, that won't land until next week (hopefully with the name changes which would have also bumped it)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blerg, it's causing downstream CI issues though so I'm reverting. @lauzadis we just need to remember to bump this before release.

@@ -164,6 +164,14 @@ public class AwsSigningConfig(builder: Builder) {
*/
public val expiresAfter: Duration? = builder.expiresAfter

/**
* Flag enabling whether detailed trace logging is enabled (if the signer implementation supports it). When true
* signers should emit intermediate logging details such as the canonical request and string to sign at the trace
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd go the other way, actually. The SdkLogMode option is named LogSigning. At a glance, that indicates to me that all signing logging will be enabled/disabled by that flag. (The KDocs add some nuance but I think they actually undermine the name.)

I think we should just make that the case: canonical request, string to sign, and final signature should be gated by LogSigning.

* level. This is an opt-in configuration because these intermediate outputs may contain sensitive fields bound
* to headers, URI, or query parmaeters.
*/
public val enableTraceLogging: Boolean = builder.enableTraceLogging
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In tandem with my feedback above about LogSigning controlling all signing logging, I think this should just be called enableLogging.

@sonarqubecloud
Copy link

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication

@aajtodd aajtodd merged commit ed49a46 into main Oct 21, 2023
13 of 14 checks passed
@aajtodd aajtodd deleted the gate-signing branch October 21, 2023 14:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants