diff --git a/services/identity/src/client_service.rs b/services/identity/src/client_service.rs
--- a/services/identity/src/client_service.rs
+++ b/services/identity/src/client_service.rs
@@ -35,6 +35,7 @@
use crate::grpc_utils::{
DeviceKeyUploadActions, RegistrationActions, SignedNonce
};
+use crate::log::redact_sensitive_data;
use crate::nonce::generate_nonce_data;
use crate::reserved_users::{
validate_account_ownership_message_and_get_user_id,
@@ -721,7 +722,7 @@
.await
.map_err(handle_db_error)?
else {
- warn!("User {} does not have valid device list. Secondary device auth impossible.", user_id);
+ warn!("User {} does not have valid device list. Secondary device auth impossible.", redact_sensitive_data(&user_id));
return Err(tonic::Status::aborted(
tonic_status_messages::DEVICE_LIST_ERROR,
));
@@ -795,7 +796,10 @@
let device_list = device_list_response
.map_err(handle_db_error)?
.ok_or_else(|| {
- warn!("User {} does not have a valid device list.", user_id);
+ warn!(
+ "User {} does not have a valid device list.",
+ redact_sensitive_data(&user_id)
+ );
tonic::Status::aborted(tonic_status_messages::DEVICE_LIST_ERROR)
})?;
diff --git a/services/identity/src/database.rs b/services/identity/src/database.rs
--- a/services/identity/src/database.rs
+++ b/services/identity/src/database.rs
@@ -21,8 +21,8 @@
pub use crate::database::one_time_keys::OTKRow;
use crate::{
ddb_utils::EthereumIdentity, device_list::SignedDeviceList,
- grpc_services::shared::PlatformMetadata, reserved_users::UserDetail,
- siwe::SocialProof,
+ grpc_services::shared::PlatformMetadata, log::redact_sensitive_data,
+ reserved_users::UserDetail, siwe::SocialProof,
};
use crate::{
ddb_utils::{DBIdentity, OlmAccountType},
@@ -925,7 +925,7 @@
.transpose()
.map_err(|e| {
error!(
- user_id,
+ user_id = redact_sensitive_data(user_id),
errorType = error_types::GENERIC_DB_LOG,
"Database item is missing an identifier"
);
diff --git a/services/identity/src/database/device_list.rs b/services/identity/src/database/device_list.rs
--- a/services/identity/src/database/device_list.rs
+++ b/services/identity/src/database/device_list.rs
@@ -17,7 +17,6 @@
use serde::Serialize;
use tracing::{debug, error, trace, warn};
-use crate::error::consume_error;
use crate::{
client_service::FlattenedDeviceKeyUpload,
constants::{
@@ -33,6 +32,7 @@
grpc_utils::DeviceKeysInfo,
olm::is_valid_olm_key,
};
+use crate::{error::consume_error, log::redact_sensitive_data};
use super::DatabaseClient;
@@ -214,8 +214,8 @@
(Some(metadata_value), Some(key_upload_value)) => {
if metadata_value != key_upload_value {
warn!(
- "DeviceKeyUplaod device type ({}) mismatches request metadata platform ({}). {}",
- "Prefering value from key uplaod.",
+ "DeviceKeyUpload device type ({}) mismatches request metadata platform ({}). {}",
+ "Preferring value from key uplaod.",
key_upload_value.as_str_name(),
metadata_value.as_str_name()
);
@@ -575,7 +575,7 @@
type Error = DBItemError;
fn try_from(mut attrs: AttributeMap) -> Result<Self, Self::Error> {
- let user_id = attrs.take_attr(ATTR_USER_ID)?;
+ let user_id: String = attrs.take_attr(ATTR_USER_ID)?;
let DeviceListKeyAttribute(timestamp) =
attrs.remove(ATTR_ITEM_ID).try_into()?;
@@ -589,7 +589,7 @@
if !timestamps_match {
warn!(
"DeviceList timestamp mismatch for (userID={}, itemID={})",
- &user_id,
+ redact_sensitive_data(&user_id),
timestamp.to_rfc3339()
);
}
@@ -933,7 +933,7 @@
.and_then(|list| list.device_ids.first())
else {
error!(
- user_id,
+ user_id = redact_sensitive_data(&user_id),
errorType = error_types::DEVICE_LIST_DB_LOG,
"Device list is empty. Cannot fetch primary device"
);
@@ -1156,7 +1156,7 @@
warn!(
"Tried creating initial device list for already existing user
(userID={})",
- &user_id,
+ redact_sensitive_data(&user_id),
);
return Err(Error::DeviceList(DeviceListError::DeviceAlreadyExists));
}
@@ -1217,7 +1217,8 @@
warn!(
"Device already exists in user's device list \
(userID={}, deviceID={})",
- &user_id, &new_device.device_id
+ redact_sensitive_data(&user_id),
+ redact_sensitive_data(&new_device.device_id)
);
return Err(Error::DeviceList(DeviceListError::DeviceAlreadyExists));
}
@@ -1265,7 +1266,8 @@
warn!(
"Device doesn't exist in user's device list \
(userID={}, deviceID={})",
- &user_id, device_id
+ redact_sensitive_data(&user_id),
+ redact_sensitive_data(device_id)
);
return Err(Error::DeviceList(DeviceListError::DeviceNotFound));
}
diff --git a/services/identity/src/grpc_services/authenticated.rs b/services/identity/src/grpc_services/authenticated.rs
--- a/services/identity/src/grpc_services/authenticated.rs
+++ b/services/identity/src/grpc_services/authenticated.rs
@@ -5,6 +5,7 @@
use crate::device_list::validation::DeviceListValidator;
use crate::device_list::SignedDeviceList;
use crate::error::consume_error;
+use crate::log::redact_sensitive_data;
use crate::{
client_service::{handle_db_error, WorkflowInProgress},
constants::{error_types, request_metadata, tonic_status_messages},
@@ -396,7 +397,7 @@
.await
.map_err(|err| {
error!(
- user_id,
+ user_id = redact_sensitive_data(&user_id),
errorType = error_types::GRPC_SERVICES_LOG,
"Failed fetching device list: {err}"
);
@@ -405,7 +406,7 @@
let Some(device_list) = device_list else {
error!(
- user_id,
+ user_id = redact_sensitive_data(&user_id),
errorType = error_types::GRPC_SERVICES_LOG,
"User has no device list!"
);
@@ -745,7 +746,10 @@
match task_result {
Ok((user_id, Ok((device_list, devices_data)))) => {
let Some(device_list_row) = device_list else {
- warn!(user_id, "User has no device list, skipping!");
+ warn!(
+ user_id = redact_sensitive_data(&user_id),
+ "User has no device list, skipping!"
+ );
continue;
};
let signed_list = SignedDeviceList::try_from(device_list_row)?;
@@ -765,7 +769,7 @@
}
Ok((user_id, Err(err))) => {
error!(
- user_id,
+ user_id = redact_sensitive_data(&user_id),
errorType = error_types::GRPC_SERVICES_LOG,
"Failed fetching device list: {err}"
);
@@ -940,7 +944,7 @@
.await
.map_err(|err| {
error!(
- user_id,
+ user_id = redact_sensitive_data(user_id),
errorType = error_types::GRPC_SERVICES_LOG,
"Failed fetching device list: {err}"
);
@@ -949,7 +953,7 @@
let Some(device_list) = device_list else {
error!(
- user_id,
+ user_id = redact_sensitive_data(user_id),
errorType = error_types::GRPC_SERVICES_LOG,
"User has no device list!"
);
diff --git a/services/identity/src/log.rs b/services/identity/src/log.rs
new file mode 100644
--- /dev/null
+++ b/services/identity/src/log.rs
@@ -0,0 +1,9 @@
+use crate::config::CONFIG;
+
+pub fn redact_sensitive_data(sensitive_data: &str) -> &str {
+ if CONFIG.redact_sensitive_data {
+ "REDACTED"
+ } else {
+ sensitive_data
+ }
+}
diff --git a/services/identity/src/main.rs b/services/identity/src/main.rs
--- a/services/identity/src/main.rs
+++ b/services/identity/src/main.rs
@@ -18,6 +18,7 @@
mod http;
mod id;
mod keygen;
+mod log;
mod nonce;
mod olm;
mod regex;