[Bug] CSM Authorization module if not put in error mode ends up putting password in plain text all over the logs

Question

[Bug] CSM Authorization module if not put in error mode ends up putting password in plain text all over the logs

Closed this issue 3 months ago · 8 comments

randhikpurwalam commented 3 months ago

Bug Description

CSM Authorization module if not put in error mode ends up putting password in plain text all over the logs

Logs

CSM Authorization module if not put in error mode ends up putting password in plain text all over the logs

Screenshots

No response

Additional Environment Information

No response

Steps to Reproduce

Set info as LOG_LEVEL

Expected Behavior

Password should never be printed in logs

CSM Driver(s)

CSM 1.7.1

Installation Type

No response

Container Storage Modules Enabled

Powermax, reverseproxy,authorization

Container Orchestrator

Openshift

Operating System

Core OS

gallacher commented 3 months ago

/sync

Answer 1 · 2024-06-29T07:50:07.000Z

@gloriousbao: Thank you for submitting this issue!

The issue is currently awaiting triage. Please make sure you have given us as much context as possible.

If the maintainers determine this is a relevant issue, they will remove the needs-triage label and respond appropriately.

We want your feedback! If you have any questions or suggestions regarding our contributing process/workflow, please reach out to us at container.storage.modules@dell.com.

Answer 2 · 2024-07-01T13:09:12.000Z

Followed up with @coulof for sanitized log examples.

Answer 3 · 2024-07-04T12:34:39.000Z

link: 25977

Answer 4 · 2024-07-05T16:19:07.000Z

Defaulted container "proxy-server" out of: proxy-server, opa, kube-mgmt
time="2024-07-05T16:15:58Z" level=info msg="Config: {Version: Zipkin:{CollectorURI: ServiceName:proxy-server Probability:0.8} Certificate:{CrtFile: KeyFile: RootCertificate:} Proxy:{Host::8080 ReadTimeout:30s WriteTimeout:30s} Web:{ShowDebugHTTP:false DebugHost::9090 ShutdownTimeout:15s JWTSigningSecret:xxxxxx} Database:{Host:redis.karavi.svc.cluster.local:6379 Password:} OpenPolicyAgent:{Host:127.0.0.1:8181}}"
time="2024-07-05T16:15:58Z" level=info msg="configuration has been set" LOG_LEVEL=debug
time="2024-07-05T16:15:58Z" level=info msg="configuration has been set" LOG_LEVEL=debug
time="2024-07-05T16:15:58Z" level=info msg="main: started application version "develop""
time="2024-07-05T16:15:58Z" level=info msg="main: initializing debugging support"
time="2024-07-05T16:15:58Z" level=debug msg="main: debug listening" debug host=":9090"
time="2024-07-05T16:15:58Z" level=info msg="main: initializing proxy service"
time="2024-07-05T16:15:58Z" level=info msg="main: proxy listening" proxy host=":8080"

Answer 5 · 2024-07-08T14:45:45.000Z

@randhikpurwalam @coulof

I don't see any username or password information in the logs provided in the previous comment. Could you replicate the behavior where you saw plain text passwords and send those logs?

Answer 6 · 2024-07-08T14:52:49.000Z

I already shared the log where jwtsigning secret is part of the proxy server logs. Is it okay to have the secret in the log? Moiz R Sr Technology Engineer Group Information Technology Emirates NBD M +971 (0) 58 8622370 [ENBD_Logo] From: Aaron Tye ***@***.***> Sent: Monday, July 8, 2024 6:46 PM To: dell/csm ***@***.***> Cc: Moiz Ibrahim Randhikpurwala (IT) ***@***.***>; Mention ***@***.***> Subject: Re: [dell/csm] [Bug] CSM Authorization module if not put in error mode ends up putting password in plain text all over the logs (Issue #1352) CAUTION: This email originated from outside the Emirates NBD Group. Do not click links or open attachments unless you recognize the sender and know the content is safe. @randhikpurwalam<https://github.com/randhikpurwalam> @coulof<https://github.com/coulof> I don't see any username or password information in the logs provided in the previous comment. Could you replicate the behavior where you saw plain text passwords and send those logs? - Reply to this email directly, view it on GitHub<#1352 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AXS3IUGW43S4BCNTSBKKTULZLKQ27AVCNFSM6AAAAABKC7TF4KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMJUGI4TGOJUGU>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>> DISCLAIMER: This e-mail message including any of its attachments is intended solely for the addressee(s) and may contain privileged information. If you are not the addressee or you have received this email message in error, please notify the sender who will remove your details from its database. You are not authorized to read, copy, disseminate, distribute or use this e-mail message or any attachment to it in any manner and must delete the email and destroy any hard copies of it. This e-mail message does not contain financial instructions or commitments of any kind. Any views expressed in this message are those of the individual sender and do not necessarily reflect the views of Emirates NBD PJSC, or any other related subsidiaries, entities or persons. Emirates NBD Bank (P.J.S.C.) is licensed by the Central Bank of the UAE. .??? ???????? ??? ?????? ?.?.?. ?? ??? ????? ?? ??? ???? ???????? ??????? ??????? ???????

Answer 7 · 2024-07-08T18:40:06.000Z

@randhikpurwalam I misunderstood that the JWT Signing Secret was in question. A fix was just put in to not print the configuration. This will be available in the next nightly image and when the 1.11 image is released.