
Support naive masking of config values

Open norrs opened this issue 3 years ago • 6 comments

You can supply a regex pattern to match against Config key names, and it will mask the corresponding config value. If the config value is a config reference, it will keep the config reference.

This is a naive approach, and secrets will not be masked if the config reference key does not also match the maskRegex.

This is useful for printing configuration "safely" (read: best effort) without exposing secrets.

First version for feature: https://github.com/lightbend/config/issues/145

norrs avatar Jan 27 '21 13:01 norrs

Hi @norrs,

Thank you for your contribution! We really value the time you've taken to put this together.

Before we proceed with reviewing this pull request, please sign the Lightbend Contributors License Agreement:

https://www.lightbend.com/contribute/cla

lightbend-cla-validator avatar Jan 27 '21 13:01 lightbend-cla-validator

This comes rather late (only ~7 years) according to #145, but would this be good enough for a first iteration? @gregsymons @havocp

norrs avatar Jan 27 '21 13:01 norrs

It would be nice if we could plug a sanitizer that takes a key/value and returns the masked value.

This would let us use something similar to the Spring Boot Sanitizer: https://github.com/spring-projects/spring-boot/blob/v2.5.0-M3/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java

I really like that it can also mask passwords inside URLs, like http://user:******@localhost:8080 or amqp://username:******@host/

eneveu avatar Apr 02 '21 12:04 eneveu

@eneveu : Shouldn't be harder than adding the logic of the following lines:

// `pattern` is the key pattern that matched; a URI-style key keeps the URI and only masks its userinfo
if (keyIsUriWithUserInfo(pattern)) {
  return sanitizeUris(value.toString());
}
// any other matching key has its whole value replaced
return "******";

But I'd first like to see if upstream even cares about this feature or not, and if they do, we can follow up with a version 2. The joy of software development, we can always improve step by step ;-)

norrs avatar Apr 08 '21 16:04 norrs

What I meant is that, instead of an API that exposes a specific implementation detail (a masking Regex), it would be cool if the API allowed the end-user to customise the way values are sanitized.

So, instead of passing a "Pattern maskRegex" to the "ConfigRenderOptions", we could pass a "ValueRenderer":

trait ValueRenderer {
  def render(key: String, value: ConfigValue): ConfigValue
}

And then provide a simple ValueRenderer that masks values when the key matches a regex. And then end-users can pass their own ValueRenderer with more complex masking behaviour.

Maybe "ValueRenderer" is not the best name. It could be "ValuePrinter" or "ValueSanitizer" if we want to make it explicit that the goal is to sanitize values.

Also, the "key" should probably be the full path, to let people match against the full path in their regex.

eneveu avatar Apr 26 '21 18:04 eneveu
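To make the proposal above concrete, here is an added example (not code from this pull request or from the Typesafe Config project) that combines the regex-on-key masking described in the PR description with the pluggable sanitizer interface eneveu suggests, including the URI userinfo case. The names `ValueSanitizer`, `RegexSanitizer` and `MaskedRender` are hypothetical, the config content is constructed, and the example walks a resolved `Config` via the real `Config.entrySet()` / `Config.withValue(...)` API, so `${...}` references have already been substituted and the "keep the reference" behaviour (and its gap) of the unresolved-render approach is not reproduced here.

```java
import com.typesafe.config.Config;
import com.typesafe.config.ConfigFactory;
import com.typesafe.config.ConfigRenderOptions;
import com.typesafe.config.ConfigValue;
import com.typesafe.config.ConfigValueFactory;

import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class MaskedRender {

    /** Hypothetical pluggable hook: gets the full path and the value, returns what should be printed. */
    @FunctionalInterface
    interface ValueSanitizer {
        ConfigValue sanitize(String path, ConfigValue value);
    }

    /** Default implementation: regex on the full path; URI-like keys keep the URI and mask only the password. */
    static final class RegexSanitizer implements ValueSanitizer {
        private static final String MASK = "******";
        // userinfo between "scheme://" and "@": group 1 = user, group 2 = password
        private static final Pattern USERINFO = Pattern.compile("://([^:@/]+):([^@/]+)@");

        private final Pattern secretKeys;
        private final Pattern uriKeys;

        RegexSanitizer(Pattern secretKeys, Pattern uriKeys) {
            this.secretKeys = secretKeys;
            this.uriKeys = uriKeys;
        }

        @Override
        public ConfigValue sanitize(String path, ConfigValue value) {
            if (uriKeys.matcher(path).matches()) {
                Matcher m = USERINFO.matcher(String.valueOf(value.unwrapped()));
                // keep scheme, user and host; replace only the password part
                return ConfigValueFactory.fromAnyRef(m.replaceAll("://$1:" + MASK + "@"));
            }
            if (secretKeys.matcher(path).matches()) {
                return ConfigValueFactory.fromAnyRef(MASK);
            }
            return value; // untouched values keep their origin and comments
        }
    }

    /** Rebuild the Config with every leaf passed through the sanitizer, then render it. */
    static String render(Config config, ValueSanitizer sanitizer) {
        Config out = config;
        for (Map.Entry<String, ConfigValue> e : config.entrySet()) {
            // entrySet() keys are full path expressions, which is what withValue() expects
            ConfigValue replacement = sanitizer.sanitize(e.getKey(), e.getValue());
            if (replacement != e.getValue()) {
                out = out.withValue(e.getKey(), replacement);
            }
        }
        return out.root().render(ConfigRenderOptions.concise().setFormatted(true));
    }

    public static void main(String[] args) {
        // constructed sample config; URIs are quoted because "//" would otherwise start a HOCON comment
        Config config = ConfigFactory.parseString(
                "db { user = app, password = hunter2, "
              + "url = \"jdbc:postgresql://app:hunter2@localhost:5432/prod\" }\n"
              + "api.token = ${db.password}\n"
              + "amqp.uri = \"amqp://guest:guest@rabbit/\"\n").resolve();

        ValueSanitizer sanitizer = new RegexSanitizer(
                Pattern.compile("(?i).*(password|secret|token).*"),
                Pattern.compile("(?i).*(uri|url)$"));

        System.out.println(render(config, sanitizer));
    }
}
```

With the sample input, `db.password` and `api.token` render as `******`, `db.url` and `amqp.uri` keep their scheme, user and host with only the password replaced, and `db.user` is printed unchanged. Replacing a leaf with `withValue` drops that leaf's origin and comments, which is the limitation the next comment in this thread points at; values the sanitizer returns untouched keep theirs.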

Another option would be to add a way to create a ConfigValue while passing the origin and comments of a previous value. If we do this, we can create an external Sanitizer that walks the Config tree and sanitizes values as needed. More info here: https://github.com/lightbend/config/issues/145#issuecomment-827059275

eneveu avatar Apr 27 '21 08:04 eneveu

We do not intend to extend the functionality of "Typesafe Config" further. See https://github.com/lightbend/config#maintained-by

ennru avatar Jul 06 '23 08:07 ennru