Add credentials exposure test & fix STS + SSO #2603
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rcoh
force-pushed
the
credentials-exposure-test
branch
from
a777342
to
e750d89
Compare
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
jdisanti
reviewed
Apr 20, 2023
aws/rust-runtime/aws-config/test-data/profile-provider/credential_process/fs/home/.aws/config
Outdated
Show resolved
Hide resolved
aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/customize/sso/SSODecorator.kt
Show resolved
Hide resolved
This adds a test to aws-config that looks for leaked credentials in all of our provider integration tests—since these test use AWS APIs under the hood, this also serves to test AWS services in general. To support this, `sensitive` was added to the ParseHttpResponse trait and code was generated to take action based on this change.
…ial_process/fs/home/.aws/config Co-authored-by: John DiSanti <jdisanti@amazon.com>
rcoh
force-pushed
the
credentials-exposure-test
branch
from
cd1a864
to
75461b9
Compare
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
ysaito1001
approved these changes
Apr 20, 2023
| @@ -132,7 +134,15 @@ where | |||
| }; | |||
|
|
|||
| let http_response = http::Response::from_parts(parts, Bytes::from(body)); | |||
| trace!(http_response = ?http_response, "read HTTP response body"); | |||
| if !handler.sensitive() | |||
| || std::env::var(LOG_SENSITIVE_BODIES) | |||
There was a problem hiding this comment.
Nice to provide an escape hatch to still be able to print.
Velfi
approved these changes
Apr 20, 2023
| @@ -417,7 +417,7 @@ mod loader { | |||
| /// | |||
| /// # Example: Using a custom profile name | |||
| /// | |||
| /// ``` | |||
| /// ```no_run | |||
There was a problem hiding this comment.
Why don't we want to run these anymore?
There was a problem hiding this comment.
we shouldn't be running doc tests ever, these were misses. They should only be compiled—running them will try to load up an SSL chain etc. and makes them very slow
There was a problem hiding this comment.
We should probably do a pass (as a separate PR) and check that we aren't running them elsewhere.
Comment on lines
+148
to
+149
| /// *Why use this instead of traced_test?* | ||
| /// This captures _all_ logs, not just logs produced by the current crate. |
There was a problem hiding this comment.
ty for adding this comment! It's exactly what I would have asked.
| @@ -256,7 +256,7 @@ fn calculate_signing_headers<'a>( | |||
| // Step 4: https://docs.aws.amazon.com/en_pv/general/latest/gr/sigv4-add-signature-to-request.html | |||
| let values = creq.values.as_headers().expect("signing with headers"); | |||
| let mut headers = HeaderMap::new(); | |||
| add_header(&mut headers, header::X_AMZ_DATE, &values.date_time); | |||
| add_header(&mut headers, header::X_AMZ_DATE, &values.date_time, false); | |||
There was a problem hiding this comment.
It may be worth creating an enum for is_sensitive in order to make this easier to understand.
jdisanti
reviewed
Apr 20, 2023
Comment on lines
+132
to
+137
| [[aws-sdk-rust]] | ||
| message = """Reduce several instances of credential exposure in the SDK logs: | ||
| - IMDS now suppresses the body of the response from logs | ||
| - `aws-sigv4` marks the `x-amz-session-token` header as sensitive | ||
| - STS & SSO credentials have been manually marked as sensitive which suppresses logging of response bodies for relevant operations | ||
| """ |
There was a problem hiding this comment.
Is this going to render correctly? Seems like the sub bullet points might become top-level bullet points in the rendered changelog.
unexge
pushed a commit
that referenced
this pull request
Apr 24, 2023
## Motivation and Context - credentials providers may leak credentials in the HTTP body at the debug level ## Description This adds a test to aws-config that looks for leaked credentials in all of our provider integration tests—since these test use AWS APIs under the hood, this also serves to test AWS services in general. To support this, `sensitive` was added to the ParseHttpResponse trait and code was generated to take action based on this change. - [x] Add environment variable to force logging of the body - [x] consider if we want to suppress request body logging as well ## Testing <!--- Please describe in detail how you tested your changes --> <!--- Include details of your testing environment, and the tests you ran to --> <!--- see how your change affects other areas of the code, etc. --> ## Checklist <!--- If a checkbox below is not applicable, then please DELETE it rather than leaving it unchecked --> - [x] I have updated `CHANGELOG.next.toml` if I made changes to the smithy-rs codegen or runtime crates - [x] I have updated `CHANGELOG.next.toml` if I made changes to the AWS SDK, generated SDK code, or SDK runtime crates ---- _By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice._ --------- Co-authored-by: John DiSanti <jdisanti@amazon.com>
rcoh
added a commit
that referenced
this pull request
Apr 24, 2023
## Motivation and Context - credentials providers may leak credentials in the HTTP body at the debug level ## Description This adds a test to aws-config that looks for leaked credentials in all of our provider integration tests—since these test use AWS APIs under the hood, this also serves to test AWS services in general. To support this, `sensitive` was added to the ParseHttpResponse trait and code was generated to take action based on this change. - [x] Add environment variable to force logging of the body - [x] consider if we want to suppress request body logging as well ## Testing <!--- Please describe in detail how you tested your changes --> <!--- Include details of your testing environment, and the tests you ran to --> <!--- see how your change affects other areas of the code, etc. --> ## Checklist <!--- If a checkbox below is not applicable, then please DELETE it rather than leaving it unchecked --> - [x] I have updated `CHANGELOG.next.toml` if I made changes to the smithy-rs codegen or runtime crates - [x] I have updated `CHANGELOG.next.toml` if I made changes to the AWS SDK, generated SDK code, or SDK runtime crates ---- _By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice._ --------- Co-authored-by: John DiSanti <jdisanti@amazon.com>
This was referenced Sep 1, 2023
github-merge-queue bot
pushed a commit
that referenced
this pull request
Sep 8, 2023
## Motivation and Context Fixes #2926 ## Description This PR ports logic implemented in #2603. Thankfully, even though we did not port this at the time of the orchestrator launch, the orchestrator has not logged sensitive bodies because we have never logged response bodies in the orchestrator code. The code changes in this PR - now logs response bodies in `try_attempt` - ports the logic from the previous PR in question to the orchestrator, via an interceptor Now, when credentials providers in `aws_config` need to say "I want to redact a response body" ([example](https://github.com/awslabs/smithy-rs/blob/2c27834f90b0585dba60606f9da6246b341227d6/aws/rust-runtime/aws-config/src/http_credential_provider.rs#L48)) when middleware is gone, they can pass an interceptor `SensitiveOutputInterceptor` to `Config` of whatever clients they are using. ## Testing Depends on the existing tests. Without the logic ported over the orchestrator and by logging response bodies unconditionally in `try_attempt`, we got the following failures. After we've ported the logic, they now pass. ``` default_provider::credentials::test::ecs_assume_role default_provider::credentials::test::imds_assume_role default_provider::credentials::test::sso_assume_role default_provider::credentials::test::web_identity_token_env default_provider::credentials::test::web_identity_token_profile default_provider::credentials::test::web_identity_token_source_profile profile::credentials::test::e2e_assume_role profile::credentials::test::region_override profile::credentials::test::retry_on_error ``` ## Checklist <!--- If a checkbox below is not applicable, then please DELETE it rather than leaving it unchecked --> - [x] I have updated `CHANGELOG.next.toml` if I made changes to the smithy-rs codegen or runtime crates - [x] I have updated `CHANGELOG.next.toml` if I made changes to the AWS SDK, generated SDK code, or SDK runtime crates ---- _By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice._ --------- Co-authored-by: ysaito1001 <awsaito@amazon.com> Co-authored-by: John DiSanti <jdisanti@amazon.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation and Context
Description
This adds a test to aws-config that looks for leaked credentials in all of our provider integration tests—since these test use AWS APIs under the hood, this also serves to test AWS services in general.
To support this,
sensitivewas added to the ParseHttpResponse trait and code was generated to take action based on this change.Testing
Checklist
CHANGELOG.next.tomlif I made changes to the smithy-rs codegen or runtime cratesCHANGELOG.next.tomlif I made changes to the AWS SDK, generated SDK code, or SDK runtime cratesBy submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.