never log secrets #1
Conversation
Just adds the usual all/clean/test targets for whatever packages are going to be added later.
k8s-ci-robot
added
cncf-cla: yes
|
Note that I have added support for maps and oneof fields in another commit, see the full branch here: But my proposal is to use the version that has been reviewed already, or at least mostly: 111cbba is new and of course the whole integration into this repo is also different. The best solution would be to extend the text marshaller in https://github.com/golang/protobuf/blob/master/proto/text.go, ideally upstream, such that it injects the "stripped" message for fields that the caller wants to filter out. I can work on that next. |
Let me take this back. I thought that code already used information from protobuf and that therefore adding filtering via the Grafting field filtering onto that code won't be easy. Neither is it any easier to handle all cases correctly when starting from scratch (the approach that @sbezverk has taken in his revised PR kubernetes/kubernetes#71336). Therefore I don't intend to work on this further. If we want a truly generic, future-proof solution, then let's take also the last commit from https://github.com/pohly/csi-lib-utils/commits/secrets. The output can be made similar (or even identical) to the original gRPC text marshaller without much work. That's the biggest drawback that I see with using |
|
@msau42, @saad-ali: please let me know what you want in this PR: |
test/pkg/csi-spec/csi.proto
Outdated
| @@ -0,0 +1,1203 @@ | |||
| // Code generated by make; DO NOT EDIT. | |||
There was a problem hiding this comment.
Yes, it is need for the csitest.proto -> csitest.pb.go creation because csitest.proto has to import it.
| @@ -0,0 +1,5326 @@ | |||
| // Code generated by protoc-gen-go. DO NOT EDIT. | |||
There was a problem hiding this comment.
Do you want to include a Makefile for generating csitest.pb.go from cistest.proto file?
There was a problem hiding this comment.
I think I did? ;-)
csi-lib-utils/test/pkg/csi-spec/Makefile
Lines 85 to 89 in c276171
pkg/csigrpc/doc.go
Outdated
| @@ -0,0 +1,19 @@ | |||
| /* | |||
There was a problem hiding this comment.
Instead of putting this library under pkg/csigrpc/... please move this to the top under protosanitizer/... (similar to packages in https://github.com/kubernetes/utils).
Since this is a util only repo, it does not need cmd, pkg, etc directories. It will contain 1 or more go packages that other consumers will import and build in to binaries to ship.
There was a problem hiding this comment.
Having it at the top make sense.
I wanted to grow the content of the package over time and also include other gRPC-related functions (hence the current package name), but I can't really come up with an argument why that has to be in the same package.
So protosanitizer it is.
test/pkg/csi-spec/.gitignore
Outdated
| @@ -0,0 +1,5 @@ | |||
| /protoc | |||
There was a problem hiding this comment.
let's move all the contents of test/* to protosanitizer/test/...
This is a good starting point. Left a few minor comments. We want to finish this before end of week. Let's get it merged, create a After all that is done, we can come back and refactor this: ideally remove JSON marshaling/unmarshalling, and any other simplifications. @sbezverk can hopefully help with that. |
|
@saad-ali I am working on a version which is not using Marshal/Unmarshal. Once complete I will push pr against new repo. |
There was a problem hiding this comment.
Marshal/Unmarhal does not work for structs which have OneOf proto elements, could you please add to unit test that at least one of test cases has this struct:
v := csipb.VolumeCapability{
AccessType: &csipb.VolumeCapability_Mount{
Mount: &csipb.VolumeCapability_MountVolume{
FsType: "ext4",
MountFlags: []string{"flag1", "flag2", "flag3"},
},
},
AccessMode: &csipb.VolumeCapability_AccessMode{
Mode: csipb.VolumeCapability_AccessMode_MULTI_NODE_MULTI_WRITER,
},
}
var msg = csipb.CreateVolumeRequest{
Name: "test-volume",
CapacityRange: &csipb.CapacityRange{
RequiredBytes: int64(1024),
LimitBytes: int64(1024),
},
VolumeCapabilities: []*csipb.VolumeCapability{ &v },
Secrets: map[string]string{"secret1": "secret1", "secret2": "secret2"},
Parameters: map[string]string{"param1": "param1", "param2": "param2"},
VolumeContentSource: &csipb.VolumeContentSource{},
AccessibilityRequirements: &csipb.TopologyRequirement{},
}
I doubt it will be successfully unmarshaled.
When running at glog level >= 5, CSI sidecar apps log the full CreateVolumeRequest, including the secrets. Secrets should never be logged at any level to avoid accidentally exposing them. We need to filter out the secrets. With older CSI versions, that could have been done based on the field name, which is still an option should this get backported. With CSI 1.0, a custom field option marks fields as secret. Using that option has the advantage that the code will continue to work also when new secret fields get added in the future. For the sake of simplicity, JSON is now used as representation of the string instead of the former compact text format from gRPC. That makes it possible to strip values from a map with generic types, instead of having to copy and manipulate the real generated structures. Another option would have been to copy https://github.com/golang/protobuf/blob/master/proto/text.go and modify it so that it skips secret fields, but that's over 800 lines of code. This version of the code is identical to the one reviewed in kubernetes-csi/external-provisioner#171 with the backwards parameters in assert.NotContains (kubernetes-csi/external-provisioner#171 (review)) fixed.
No code changes required because json handles those types for us, but it's still good to have a test case for it.
During PR review there were concerns about support for oneof fields, with this example suggested as test case.
The previous version was adding "secrets: *** strippped ***" even when the "secrets" field was unset.
This is a copy of the CSI 1.0.0 spec and build rules with more fields added that test various special cases, in particular the addition of secrets in nested data structures (simple structs, lists, maps).
|
@sbezverk wrote:
The existing test already has AccessType, a OneOf proto element. Your example doesn't seem to be that different from it, but for the sake of expedience I have added it anyway. That works fine, no changes in the code needed. Why did you expect it to fail? |
|
@saad-ali force-pushed, PTAL |
|
@pohly Interesting, sometime ago on another project we hit the issue that since proto |
|
Serguei Bezverkhi <[email protected]> writes:
@pohly Interesting, sometime ago on another project we hit the issue
that since proto `OneOf` was generated as an interface, Unmarshalling
process was failing as it could not determine which struct to
use. OneOf has two possibilities, 2 structs. Maybe we were using
different json package, not sure..
I can see that this happens when trying to unmarshal into a gRPC
message. But that's not what this code uses JSON for: the whole point is
to convert into generic types because that's then easier to iterate
over.
|
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: pohly, saad-ali The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
I merged this, created a new Please remember to cherry pick any future bug fixes to the |
initial content
connection: add tests
This is the utility code that can be used to avoid logging secrets at loglevel >= 5 in the following apps:
csi_secretin CSI 1.0 driver-registrar#72csi_secretin CSI 1.0 external-provisioner#167csi_secretin CSI 1.0 external-provisioner#167This is the first code being added to the repo and therefore the PR also adds a Makefile.
It was previously located and discussed in kubernetes-csi/external-provisioner#171, which also shows how the function would be used.