Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

logs with redacted password in URL #379

Merged
merged 1 commit into from
Oct 10, 2024
Merged

logs with redacted password in URL #379

merged 1 commit into from
Oct 10, 2024

Conversation

eguzki
Copy link
Contributor

@eguzki eguzki commented Oct 7, 2024
edited
Loading

What

Fixes #360 and also configuration dump on boot stage is also redacted.

Verification steps for starting with a wrong password

The verification steps will be using existing sandbox with limitador configured to connect to redis using pass.

  • Let's set a wrong password
git checkout 360-logs-show-plaintext-redis-password-when-theres-connection-errors

patch -p1 -N <<EOF
diff --git a/limitador-server/sandbox/docker-compose-limitador-redis-tls.yaml b/limitador-server/sandbox/docker-compose-limitador-redis-tls.yaml
index 5c603a5..e14d187 100644
--- a/limitador-server/sandbox/docker-compose-limitador-redis-tls.yaml
+++ b/limitador-server/sandbox/docker-compose-limitador-redis-tls.yaml
@@ -22,7 +22,7 @@ services:
       - --grpc-reflection-service
       - /opt/kuadrant/limits/limits.yaml
       - redis
-      - rediss://:foobared@redis:6379/#insecure
+      - rediss://:wrongpassword@redis:6379/#insecure
     expose:
       - "8080"
       - "8081"
EOF

then prepare and boot the environment

# clean any pre-existing images to enforce building a new one
docker rmi limitador-testing:latest
cd limitador-server/sandbox
make deploy-redis-tls 2>&1 | grep limitador

The logs will show some loglines from limitador with the configuration redacted

limitador-1  | 2024-10-09T08:54:55.871860Z  INFO limitador_server: Using config: Configuration { limits_file: "/opt/kuadrant/limits/limits.yaml", storage: Redis(Foo { cache: None, url: rediss://:****@redis:6379/#insecure }), rls_host: "0.0.0.0", rls_port: 8081, http_host: "0.0.0.0", http_port: 8080, limit_name_in_labels: false, tracing_endpoint: "", log_level: Some(LevelFilter::DEBUG), rate_limit_headers: None, grpc_reflection_service: true }

And the error is also redacted

limitador-1  | Failed to connect to Redis at rediss://:****@redis:6379/#insecure: Password authentication failed- AuthenticationFailed

Verification steps for re-connections with a wrong password

The verification steps will be using existing sandbox with limitador configured to connect to redis using pass. The main idea is that, initially, limitador connects correctly with the right password. Then, Redis changes it's own password, so limitador no longer can access redis. The limitador logs should never show the password being used.

  • clean the previous environment
make clean
# revert previous patch
git checkout .
  • prepare and boot the environment
make deploy-redis-tls 2>&1 | grep limitador
  • Send some traffic
curl -i -H "Host: example.com" http://127.0.0.1:18000/get

It should return 200 OK, and after few more request, it should return 429 Too Many Requests. That would mean that limitador can connect to redis successfully.

  • Let's change redis password and restart only redis service
cd ${LIMITADOR_PROJECT_PATH}

patch -p1 -N <<EOF
diff --git a/limitador-server/sandbox/redis-tls/redis-config.conf b/limitador-server/sandbox/redis-tls/redis-config.conf
index b478e76..1bae31a 100644
--- a/limitador-server/sandbox/redis-tls/redis-config.conf
+++ b/limitador-server/sandbox/redis-tls/redis-config.conf
@@ -1,4 +1,4 @@
-requirepass foobared
+requirepass otherpassword
 port 0
 tls-port 6379
 tls-cert-file /usr/local/etc/redis/certs/redis.crt
EOF

then restart only the redis service

cd limitador-server/sandbox
docker compose -p sandbox restart redis
  • Send some traffic
curl -i -H "Host: example.com" http://127.0.0.1:18000/get

The logs will show some loglines from limitador reporting about connection errors

limitador-1  | 2024-10-10T09:23:01.753896Z ERROR should_rate_limit: limitador_server::envoy_rls::server: Error: Storage("broken pipe")
limitador-1  | 2024-10-10T09:23:35.960749Z ERROR should_rate_limit: limitador_server::envoy_rls::server: Error: Storage("Password authentication failed- AuthenticationFailed")

Logs should not reveal any URL or password.

@eguzki
logs with redacted password in URL
046d5d1 
Signed-off-by: Eguzki Astiz Lezaun <[email protected]>
@eguzki eguzki self-assigned this Oct 7, 2024
@eguzki eguzki linked an issue Oct 7, 2024 that may be closed by this pull request
Logs show plaintext redis password when there's connection errors #360
Closed
@eguzki eguzki requested a review from alexsnaps October 7, 2024 21:58
alexsnaps
alexsnaps reviewed Oct 8, 2024
View reviewed changes
limitador-server/src/main.rs
@@ -139,7 +140,8 @@ impl Limiter {
.response_timeout(Duration::from_millis(cache_cfg.response_timeout));

cached_redis_storage.build().await.unwrap_or_else(|err| {
eprintln!("Failed to connect to Redis at {redis_url}: {err}");
let redacted_redis_url = redacted_url(String::from(redis_url));
eprintln!("Failed to connect to Redis at {redacted_redis_url}: {err}");
Copy link
Member

@alexsnaps alexsnaps Oct 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The down side is that if err ever contains that password, we'd "reintroduce" the bug. Or do we know that is guarantee provided by the crate?
E.g. what if redis is restarted with a new password and the reconnect path fails? That might be worth a quick (even manual) test.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added verification steps with a manual test.

I would never expect the crate to return the url of the connection serialized in the error string, but who knows maybe one day. Today, according to my tests, it is not doing so. Would you suggest to apply some regex replace to the string before writing it to stderr?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, I would have possibly dealt with that error differently... but if this is fine, well... it's fine 🙌

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let me know how you would dealt with the error otherwise. Happy to consider it

@eguzki eguzki marked this pull request as ready for review October 9, 2024 10:02
@eguzki eguzki requested a review from alexsnaps October 9, 2024 10:32
@eguzki eguzki merged commit 4631aa8 into main Oct 10, 2024
10 checks passed
@eguzki eguzki deleted the 360-logs-show-plaintext-redis-password-when-theres-connection-errors branch October 10, 2024 09:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexsnaps alexsnaps alexsnaps approved these changes

Assignees

@eguzki eguzki

Labels
area/server enhancement kind/enhancement New feature or request size/small
Projects
Kuadrant
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Logs show plaintext redis password when there's connection errors
2 participants
@eguzki @alexsnaps