Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x-pack/filebeat/input/internal/private: add field redaction package #40997

Merged
merged 3 commits into from
Oct 13, 2024
Merged

x-pack/filebeat/input/internal/private: add field redaction package #40997

merged 3 commits into from
Oct 13, 2024

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Sep 25, 2024
edited
Loading

Proposed commit message

Initial donation of code from github.com/kortschak/dex/internal/private.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

diff --git a/x-pack/filebeat/input/httpjson/input.go b/x-pack/filebeat/input/httpjson/input.go
index 67daa7ef84..41b46c1878 100644
--- a/x-pack/filebeat/input/httpjson/input.go
+++ b/x-pack/filebeat/input/httpjson/input.go
@@ -33,6 +33,7 @@ import (
        "github.com/elastic/beats/v7/libbeat/version"
        "github.com/elastic/beats/v7/x-pack/filebeat/input/internal/httplog"
        "github.com/elastic/beats/v7/x-pack/filebeat/input/internal/httpmon"
+       "github.com/elastic/beats/v7/x-pack/filebeat/input/internal/private"
        "github.com/elastic/elastic-agent-libs/logp"
        "github.com/elastic/elastic-agent-libs/mapstr"
        "github.com/elastic/elastic-agent-libs/monitoring"
@@ -82,6 +83,19 @@ func (log *retryLogger) Warn(msg string, keysAndValues ...interface{}) {
        log.log.Warnw(msg, keysAndValues...)
 }
 
+type redact struct {
+       value  mapstr.M
+       fields []string
+}
+
+func (r redact) MarshalLogObject(enc zapcore.ObjectEncoder) error {
+       v, err := private.Redact(r.value, "", r.fields)
+       if err != nil {
+               return fmt.Errorf("could not redact value: %v", err)
+       }
+       return v.MarshalLogObject(enc)
+}
+
 func Plugin(log *logp.Logger, store inputcursor.StateStore) v2.Plugin {
        return v2.Plugin{
                Name:       inputName,
diff --git a/x-pack/filebeat/input/httpjson/request.go b/x-pack/filebeat/input/httpjson/request.go
index 6cc46b27f2..5dfb91dbdb 100644
--- a/x-pack/filebeat/input/httpjson/request.go
+++ b/x-pack/filebeat/input/httpjson/request.go
@@ -465,7 +465,7 @@ func (rf *requestFactory) newRequest(ctx *transformContext) (transformable, erro
                }
        }
 
-       rf.log.Debugf("new request: %#v", req)
+       rf.log.Debugw("new request", "req", redact{value: mapstr.M(req), fields: []string{"header.Authorization"}})
 
        return req, nil
 }

Could also be used in place of the current redactor in CEL, though that has a non-deletion redaction that this does not have. Adding that requires thought since this will redact non-string values.

Screenshots

Logs

@efd6 efd6 added enhancement Filebeat Filebeat Team:Security-Service Integrations Security Service Integrations Team labels Sep 25, 2024
@efd6 efd6 self-assigned this Sep 25, 2024
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Sep 25, 2024
@mergify Mergify
Copy link
Contributor

mergify bot commented Sep 25, 2024

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @efd6? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit

@mergify Mergify
Copy link
Contributor

mergify bot commented Sep 25, 2024

backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

@mergify mergify bot added the backport-8.x Automated backport to the 8.x branch with mergify label Sep 25, 2024
kortschak
kortschak approved these changes Sep 25, 2024
View reviewed changes
Copy link
Contributor

@kortschak kortschak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving as copyright holder of the original code.

@efd6 efd6 marked this pull request as ready for review September 26, 2024 05:00
@efd6 efd6 requested review from a team as code owners September 26, 2024 05:00
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6 efd6 marked this pull request as draft September 30, 2024 06:19
@efd6 efd6 marked this pull request as ready for review September 30, 2024 06:24
@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label Sep 30, 2024
@elasticmachine
Copy link
Collaborator

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@efd6
x-pack/filebeat/input/internal/private: add field redaction package
9af1b5d 
Initial donation of code from github.com/kortschak/dex/internal/private.
@efd6
x-pack/filebeat/input/internal/private: add global path redaction
94b35a8 
The original package was not designed to deal with values that could not
have sibling fields to mark privacy. This adds the capacity to redact
such types.
@efd6 efd6 marked this pull request as draft October 9, 2024 09:32
@efd6

This comment was marked as resolved.

Sign in to view
@efd6 efd6 marked this pull request as ready for review October 9, 2024 19:41
kcreddy
kcreddy approved these changes Oct 10, 2024
View reviewed changes
Copy link
Contributor

@kcreddy kcreddy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM.

x-pack/filebeat/input/internal/private/private_test.go Show resolved Hide resolved
x-pack/filebeat/input/internal/private/private_test.go Show resolved Hide resolved
@cmacknz
Copy link
Member

cmacknz commented Oct 10, 2024

FYI @michel-laterman in case this can help with the secrets redaction work you're doing in agent diagnostics.

@cmacknz
Copy link
Member

cmacknz commented Oct 10, 2024

Is there a reason this is in the x-pack/filebeat/input directory instead of say libbeat?

Or is this intended to be specific to an input that doesn't quite exist yet? On that note, it'd be helpful to have this used somewhere in Beats but I'm not opposed to merging this despite that.

@efd6
Copy link
Contributor Author

efd6 commented Oct 10, 2024

@cmacknz This is intended to be used by the httpjson (and to replace the cel redact code). If it wants to be made more widely used, I'm ok with that, but I'd like to let it soak with httpjson and cel first if that's OK (I have some ideas to improve the ergonomics of the API and I'd like to have the freedom that internal gives to allow that work to happen more easily).

@michel-laterman
Copy link
Contributor

Very interesting approach, I think we should get something in elastic-agent-libs to redact structs for us (in the future).

For context, we've added a secret_paths field that is injected into policies that fleet-server sends to the elastic-agent, these are paths that the agent should redact when logging. fleet-server pr.
The agent redaction logic (PR here) uses go-ucfg to replace strings.

@efd6 efd6 merged commit 9fde7b0 into elastic:main Oct 13, 2024
19 of 22 checks passed
mergify bot pushed a commit that referenced this pull request Oct 13, 2024
@efd6 @mergify
x-pack/filebeat/input/internal/private: add field redaction package (#…
80b3373 
…40997)

This package supports zeroing arbitrary fields based on a set of redaction
paths or field sibling marks.

(cherry picked from commit 9fde7b0)
@mergify mergify bot mentioned this pull request Oct 13, 2024
Merged
6 tasks
efd6 added a commit that referenced this pull request Oct 14, 2024
@mergify @efd6
x-pack/filebeat/input/internal/private: add field redaction package (#…
e885a50 
…40997) (#41210)

This package supports zeroing arbitrary fields based on a set of redaction
paths or field sibling marks.

(cherry picked from commit 9fde7b0)

Co-authored-by: Dan Kortschak <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rowlandgeoff rowlandgeoff rowlandgeoff approved these changes

@kcreddy kcreddy kcreddy approved these changes

@cmacknz cmacknz cmacknz approved these changes

@kortschak kortschak kortschak approved these changes

@faec faec Awaiting requested review from faec faec was automatically assigned from elastic/elastic-agent-data-plane

@VihasMakwana VihasMakwana Awaiting requested review from VihasMakwana VihasMakwana was automatically assigned from elastic/elastic-agent-data-plane

Assignees

@efd6 efd6

Labels
backport-8.x Automated backport to the 8.x branch with mergify enhancement Filebeat Filebeat Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team Team:Security-Service Integrations Security Service Integrations Team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@efd6 @elasticmachine @cmacknz @michel-laterman @kortschak @kcreddy @rowlandgeoff @pierrehilbert