Remove backend config JSON from update backend log (#341)

Remove backend config JSON from update backend log
NetApp · Jul 29, 2020 · e6c0251 · e6c0251
1 parent a9a26b8
commit e6c0251
Show file tree

Hide file tree

Showing 4 changed files with 128 additions and 17 deletions.
diff --git a/core/orchestrator_core.go b/core/orchestrator_core.go
@@ -1019,35 +1019,32 @@ func (o *TridentOrchestrator) updateBackendByBackendUUID(backendName, configJSON
 		backend *storage.Backend
 	)
 
-	defer func() {
-		log.WithFields(log.Fields{
-			"backendName": backendName,
-			"backendUUID": backendUUID,
-			"configJSON":  configJSON,
-		}).Debug("<<<<<< updateBackendByBackendUUID")
-		if backend != nil && err != nil {
-			backend.Terminate()
-		}
-	}()
-
-	log.WithFields(log.Fields{
-		"backendName": backendName,
-		"backendUUID": backendUUID,
-		"configJSON":  configJSON,
-	}).Debug(">>>>>> updateBackendByBackendUUID")
-
 	// Check whether the backend exists.
 	originalBackend, found := o.backends[backendUUID]
 	if !found {
 		return nil, utils.NotFoundError(fmt.Sprintf("backend %v was not found", backendUUID))
 	}
 
+	logFields := log.Fields{"backendName": backendName, "backendUUID": backendUUID, "configJSON":  "<suppressed>"}
+	if originalBackend.GetDebugTraceFlags()["sensitive"] {
+		logFields["configJSON"] = configJSON
+	}
+
 	log.WithFields(log.Fields{
 		"originalBackend.Name":        originalBackend.Name,
 		"originalBackend.BackendUUID": originalBackend.BackendUUID,
 		"GetExternalConfig":           originalBackend.Driver.GetExternalConfig(),
 	}).Debug("found original backend")
 
+	defer func() {
+		log.WithFields(logFields).Debug("<<<<<< updateBackendByBackendUUID")
+		if backend != nil && err != nil {
+			backend.Terminate()
+		}
+	}()
+
+	log.WithFields(logFields).Debug(">>>>>> updateBackendByBackendUUID")
+
 	// Second, validate the update.
 	backend, err = factory.NewStorageBackendForConfig(configJSON)
 	if err != nil {

diff --git a/core/orchestrator_core_test.go b/core/orchestrator_core_test.go
@@ -3,9 +3,11 @@
 package core
 
 import (
+	"bytes"
 	"encoding/json"
 	"flag"
 	"fmt"
+	"os"
 	"reflect"
 	"strings"
 	"testing"
@@ -1212,6 +1214,14 @@ func addBackendStorageClass(
 	}
 }
 
+func captureOutput(f func()) string {
+	var buf bytes.Buffer
+	log.SetOutput(&buf)
+	f()
+	log.SetOutput(os.Stdout)
+	return buf.String()
+}
+
 func TestBackendUpdateAndDelete(t *testing.T) {
 	const (
 		backendName       = "updateBackend"
@@ -1327,7 +1337,9 @@ func TestBackendUpdateAndDelete(t *testing.T) {
 			t.Errorf("%s:  unable to generate new backend config:  %v", c.name, err)
 			continue
 		}
+
 		_, err = orchestrator.UpdateBackend(backendName, newConfigJSON)
+
 		if err != nil {
 			t.Errorf("%s:  unable to update backend with a nonconflicting change:  %v", c.name, err)
 			continue
@@ -1509,6 +1521,57 @@ func TestBackendUpdateAndDelete(t *testing.T) {
 	cleanup(t, orchestrator)
 }
 
+func backendPasswordsInLogsHelper(t *testing.T, debugTraceFlags map[string]bool) {
+
+	backendName := "passwordBackend"
+	backendProtocol := config.File
+
+	orchestrator := getOrchestrator()
+
+	fakeConfig, err := fakedriver.NewFakeStorageDriverConfigJSONWithDebugTraceFlags(backendName, backendProtocol,
+		debugTraceFlags, "prefix1_")
+	if err != nil {
+		t.Fatalf("Unable to generate config JSON for %s:  %v", backendName, err)
+	}
+
+	_, err = orchestrator.AddBackend(fakeConfig)
+	if err != nil {
+		t.Errorf("Unable to add backend %s:  %v", backendName, err)
+	}
+
+	newConfigJSON, err := fakedriver.NewFakeStorageDriverConfigJSONWithDebugTraceFlags(backendName, backendProtocol,
+		debugTraceFlags,"prefix2_")
+	if err != nil {
+		t.Errorf("%s:  unable to generate new backend config:  %v", backendName, err)
+	}
+
+	output := captureOutput(func() {
+		_, err = orchestrator.UpdateBackend(backendName, newConfigJSON)
+	})
+
+	if err != nil {
+		t.Errorf("%s:  unable to update backend with a nonconflicting change:  %v", backendName, err)
+	}
+
+	assert.Contains(t, output, "configJSON")
+	outputArr := strings.Split(output, "configJSON")
+	outputArr = strings.Split(outputArr[1], "=\"")
+	outputArr = strings.Split(outputArr[1], "\"")
+
+	if debugTraceFlags == nil || !debugTraceFlags["sensitive"]{
+		assert.Equal(t, outputArr[0], "<suppressed>")
+	} else {
+		assert.NotContains(t, outputArr[0], "<suppressed>")
+	}
+	cleanup(t, orchestrator)
+}
+
+func TestBackendPasswordsInLogs(t *testing.T) {
+	backendPasswordsInLogsHelper(t, nil)
+	backendPasswordsInLogsHelper(t, map[string]bool{"method": true,"sensitive":false})
+	backendPasswordsInLogsHelper(t, map[string]bool{"method": true,"sensitive":true})
+}
+
 func TestEmptyBackendDeletion(t *testing.T) {
 	const (
 		backendName     = "emptyBackend"

diff --git a/storage/backend.go b/storage/backend.go
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"reflect"
 	"strconv"
 	"time"
 
@@ -269,6 +270,34 @@ func (b *Backend) AddVolume(
 	return vol, nil
 }
 
+func (b *Backend) GetDebugTraceFlags() map[string]bool {
+
+	var emptyMap map[string]bool
+	if b == nil {
+		return emptyMap
+	}
+
+	defer func() {
+		if r := recover(); r != nil {
+			log.Warn("Panicked while getting debug trace flags.")
+		}
+	}()
+
+	// The backend configs are all different, so use reflection to pull out the debug trace flags map
+	cfg := b.ConstructExternal().Config
+	v := reflect.ValueOf(cfg)
+	field := v.FieldByName("DebugTraceFlags")
+	if field.IsZero() {
+		return emptyMap
+	} else if flags, ok := field.Interface().(map[string]bool); !ok {
+		return emptyMap
+	} else {
+		return flags
+	}
+
+	return emptyMap
+}
+
 func (b *Backend) CloneVolume(volConfig *VolumeConfig, storagePool *Pool, retry bool) (*Volume, error) {
 
 	log.WithFields(log.Fields{

diff --git a/storage_drivers/fake/fake.go b/storage_drivers/fake/fake.go
@@ -157,6 +157,28 @@ func NewFakeStorageDriverConfigJSONWithVirtualPools(
 	return string(jsonBytes), nil
 }
 
+func NewFakeStorageDriverConfigJSONWithDebugTraceFlags(name string, protocol tridentconfig.Protocol,
+	debugTraceFlags map[string]bool, storagePrefix string) (string, error) {
+
+	jsonBytes, err := json.Marshal(
+		&drivers.FakeStorageDriverConfig{
+			CommonStorageDriverConfig: &drivers.CommonStorageDriverConfig{
+				Version:           1,
+				StorageDriverName: drivers.FakeStorageDriverName,
+				StoragePrefixRaw:  json.RawMessage("\"\""),
+				StoragePrefix:     &storagePrefix,
+				DebugTraceFlags:   debugTraceFlags,
+			},
+			Protocol:              protocol,
+			InstanceName:          name,
+		},
+	)
+	if err != nil {
+		return "", err
+	}
+	return string(jsonBytes), nil
+}
+
 func (d *StorageDriver) Name() string {
 	return drivers.FakeStorageDriverName
 }