[v23.1.x] cloud_roles: redact fields from request string representation

src/v/cloud_roles/signature.cc

@@ -12,6 +12,7 @@
 
 #include "bytes/bytes.h"
 #include "cloud_roles/logger.h"
+#include "config/base_property.h"
 #include "hashing/secure.h"
 #include "ssx/sformat.h"
 #include "utils/base64.h"
@@ -20,6 +21,8 @@
 #include <seastar/core/lowres_clock.hh>
 #include <seastar/core/sstring.hh>
 
+#include <absl/strings/str_join.h>
+#include <absl/strings/str_split.h>
 #include <boost/algorithm/string/compare.hpp>
 #include <boost/algorithm/string/split.hpp>
 #include <boost/algorithm/string/trim.hpp>
@@ -372,6 +375,36 @@ ss::sstring signature_v4::sha256_hexdigest(std::string_view payload) {
     return sha_256(payload);
 }
 
+ss::sstring redact_headers_from_string(const std::string_view original) {
+    std::set<std::string_view> redacted{};
+    const auto redacted_fields = http::redacted_fields();
+    for (const auto& rf : redacted_fields) {
+        redacted.insert(ss::visit(
+          rf,
+          [](const boost::beast::http::field& f) {
+              const auto view = to_string(f);
+              return std::string_view{view.data(), view.size()};
+          },
+          [](const std::string& s) { return std::string_view{s}; }));
+    }
+
+    const auto lines = absl::StrSplit(original, "\n");
+    std::vector<ss::sstring> result{};
+    for (const auto& line : lines) {
+        if (line.find(':') != std::string_view::npos) {
+            const auto tokens = absl::StrSplit(line, ":");
+            const auto key = *tokens.begin();
+            if (redacted.contains(key)) {
+                result.emplace_back(fmt::format(
+                  "{}:{}", *tokens.begin(), config::secret_placeholder));
+                continue;
+            }
+        }
+        result.emplace_back(line.data(), line.size());
+    }
+    return absl::StrJoin(result, "\n");
+}
+
 std::error_code signature_v4::sign_header(
   http::client::request_header& header, std::string_view sha256) const {
     ss::sstring date_str = _sig_time.format_date();
@@ -392,7 +425,14 @@ std::error_code signature_v4::sign_header(
     if (!canonical_req) {
         return canonical_req.error();
     }
-    vlog(clrl_log.trace, "\n[canonical-request]\n{}\n", canonical_req.value());
+
+    if (clrl_log.is_enabled(seastar::log_level::trace)) {
+        vlog(
+          clrl_log.trace,
+          "\n[canonical-request]\n{}\n",
+          redact_headers_from_string(canonical_req.value()));
+    }
+
     auto str_to_sign = get_string_to_sign(
       amz_date, cred_scope, canonical_req.value());
     auto digest = hmac(sign_key, str_to_sign);

src/v/cloud_roles/signature.h

@@ -180,4 +180,6 @@ time_source::time_source(Fn&& fn, int)
 
 ss::sstring uri_encode(const ss::sstring& input, bool encode_slash);
 
+ss::sstring redact_headers_from_string(const std::string_view original);
+
 } // namespace cloud_roles

src/v/cloud_roles/tests/signature_test.cc

@@ -14,6 +14,8 @@
 #include <seastar/core/temporary_buffer.hh>
 #include <seastar/testing/thread_test_case.hh>
 
+#include <absl/strings/str_join.h>
+#include <absl/strings/str_split.h>
 #include <boost/test/unit_test.hpp>
 
 #include <chrono>
@@ -237,3 +239,27 @@ SEASTAR_THREAD_TEST_CASE(test_gnutls) {
       to_hex(bytes_view{result.data(), 32}),
       "c4afb1cc5771d871763a393e44b703571b55cc28424d1a5e86da6ed3c154a4b9");
 }
+
+SEASTAR_THREAD_TEST_CASE(test_redact_headers_from_string) {
+    std::vector<ss::sstring> lines{};
+    lines.emplace_back(fmt::format("{}:{}", "x-amz-security-token", "abcd"));
+    lines.emplace_back(fmt::format("{}:{}", "x-amz-content-sha256", "secret"));
+    lines.emplace_back(
+      fmt::format("{}:{}", "x-amz-security-token111", "abcd111"));
+    lines.emplace_back(
+      fmt::format("{}:{}", "x-amz-security-token222", "abcd222"));
+    lines.emplace_back(
+      fmt::format("{}:{}", "x-amz-security-token", "abcdabcd"));
+
+    const std::string redacted = cloud_roles::redact_headers_from_string(
+      absl::StrJoin(lines, "\n"));
+
+    const auto redacted_lines = absl::StrSplit(redacted, "\n");
+    auto it = redacted_lines.begin();
+
+    BOOST_REQUIRE_EQUAL(*(it++), "x-amz-security-token:[secret]");
+    BOOST_REQUIRE_EQUAL(*(it++), "x-amz-content-sha256:[secret]");
+    BOOST_REQUIRE_EQUAL(*(it++), "x-amz-security-token111:abcd111");
+    BOOST_REQUIRE_EQUAL(*(it++), "x-amz-security-token222:abcd222");
+    BOOST_REQUIRE_EQUAL(*(it++), "x-amz-security-token:[secret]");
+}

src/v/http/client.cc

@@ -39,17 +39,16 @@
 #include <limits>
 #include <stdexcept>
 
-namespace {
-using field_type = std::variant<boost::beast::http::field, std::string>;
-
-const std::unordered_set<field_type> redacted_fields{
-  boost::beast::http::field::authorization,
-  "x-amz-content-sha256",
-  "x-amz-security-token"};
-} // namespace
-
 namespace http {
 
+const std::unordered_set<std::variant<boost::beast::http::field, std::string>>
+redacted_fields() {
+    return {
+      boost::beast::http::field::authorization,
+      "x-amz-content-sha256",
+      "x-amz-security-token"};
+}
+
 // client implementation //
 static constexpr ss::lowres_clock::duration default_max_idle_time = 1s;
 
@@ -627,7 +626,7 @@ ss::input_stream<char> client::response_stream::as_input_stream() {
 
 client::request_header redacted_header(client::request_header original) {
     auto h{std::move(original)};
-    for (const auto& field : redacted_fields) {
+    for (const auto& field : redacted_fields()) {
         std::visit(
           [&h](const auto& f) {
               if (h.find(f) != h.end()) {

src/v/http/client.h

@@ -267,6 +267,9 @@ auto with_client(client&& cl, Func func) {
       });
 }
 
+const std::unordered_set<std::variant<boost::beast::http::field, std::string>>
+redacted_fields();
+
 } // namespace http
 
 template<>