diff --git a/services/identity/src/client_service.rs b/services/identity/src/client_service.rs
--- a/services/identity/src/client_service.rs
+++ b/services/identity/src/client_service.rs
@@ -35,6 +35,7 @@
 use crate::grpc_utils::{
 DeviceKeyUploadActions, RegistrationActions, SignedNonce
 };
+use crate::log::redact_sensitive_data;
 use crate::nonce::generate_nonce_data;
 use crate::reserved_users::{
 validate_account_ownership_message_and_get_user_id,
@@ -721,7 +722,7 @@
 .await
 .map_err(handle_db_error)?
 else {
- warn!("User {} does not have valid device list. Secondary device auth impossible.", user_id);
+ warn!("User {} does not have valid device list. Secondary device auth impossible.", redact_sensitive_data(&user_id));
 return Err(tonic::Status::aborted(
 tonic_status_messages::DEVICE_LIST_ERROR,
 ));
@@ -795,7 +796,10 @@
 let device_list = device_list_response
 .map_err(handle_db_error)?
 .ok_or_else(|| {
- warn!("User {} does not have a valid device list.", user_id);
+ warn!(
+ "User {} does not have a valid device list.",
+ redact_sensitive_data(&user_id)
+ );
 tonic::Status::aborted(tonic_status_messages::DEVICE_LIST_ERROR)
 })?;
diff --git a/services/identity/src/database.rs b/services/identity/src/database.rs
--- a/services/identity/src/database.rs
+++ b/services/identity/src/database.rs
@@ -21,8 +21,8 @@
 pub use crate::database::one_time_keys::OTKRow;
 use crate::{
 ddb_utils::EthereumIdentity, device_list::SignedDeviceList,
- grpc_services::shared::PlatformMetadata, reserved_users::UserDetail,
- siwe::SocialProof,
+ grpc_services::shared::PlatformMetadata, log::redact_sensitive_data,
+ reserved_users::UserDetail, siwe::SocialProof,
 };
 use crate::{
 ddb_utils::{DBIdentity, OlmAccountType},
@@ -925,7 +925,7 @@
 .transpose()
 .map_err(|e| {
 error!(
- user_id,
+ user_id = redact_sensitive_data(user_id),
 errorType = error_types::GENERIC_DB_LOG,
 "Database item is missing an identifier"
 );
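Review bot: The two `warn!` calls in client_service.rs (hunks at -721 and -795) still interpolate the user ID into the message text, while every other call site in this change passes it as a structured `user_id = …` field. Keeping the identifier in a named field lets a log pipeline drop or mask that one field as a second line of defence when a deployment runs with redaction off, and it keeps the message text constant for alert rules. I would write `warn!(user_id = redact_sensitive_data(&user_id), "User does not have valid device list. Secondary device auth impossible.");` and use the same shape for the second call. Both enclosing functions start and end outside the hunks.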
diff --git a/services/identity/src/database/device_list.rs b/services/identity/src/database/device_list.rs
--- a/services/identity/src/database/device_list.rs
+++ b/services/identity/src/database/device_list.rs
@@ -17,7 +17,6 @@
 use serde::Serialize;
 use tracing::{debug, error, trace, warn};
-use crate::error::consume_error;
 use crate::{
 client_service::FlattenedDeviceKeyUpload,
 constants::{
@@ -33,6 +32,7 @@
 grpc_utils::DeviceKeysInfo,
 olm::is_valid_olm_key,
 };
+use crate::{error::consume_error, log::redact_sensitive_data};
 use super::DatabaseClient;
@@ -214,8 +214,8 @@
 (Some(metadata_value), Some(key_upload_value)) => {
 if metadata_value != key_upload_value {
 warn!(
- "DeviceKeyUplaod device type ({}) mismatches request metadata platform ({}). {}",
- "Prefering value from key uplaod.",
+ "DeviceKeyUpload device type ({}) mismatches request metadata platform ({}). {}",
+ "Preferring value from key uplaod.",
 key_upload_value.as_str_name(),
 metadata_value.as_str_name()
 );
@@ -575,7 +575,7 @@
 type Error = DBItemError;
 fn try_from(mut attrs: AttributeMap) -> Result {
- let user_id = attrs.take_attr(ATTR_USER_ID)?;
+ let user_id: String = attrs.take_attr(ATTR_USER_ID)?;
 let DeviceListKeyAttribute(timestamp) =
 attrs.remove(ATTR_ITEM_ID).try_into()?;
@@ -589,7 +589,7 @@
 if !timestamps_match {
 warn!(
 "DeviceList timestamp mismatch for (userID={}, itemID={})",
- &user_id,
+ redact_sensitive_data(&user_id),
 timestamp.to_rfc3339()
 );
 }
@@ -933,7 +933,7 @@
 .and_then(|list| list.device_ids.first())
 else {
 error!(
- user_id,
+ user_id = redact_sensitive_data(&user_id),
 errorType = error_types::DEVICE_LIST_DB_LOG,
 "Device list is empty. Cannot fetch primary device"
 );
@@ -1156,7 +1156,7 @@
 warn!(
 "Tried creating initial device list for already existing user (userID={})",
- &user_id,
+ redact_sensitive_data(&user_id),
 );
 return Err(Error::DeviceList(DeviceListError::DeviceAlreadyExists));
 }
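Review bot: The `warn!` in the -214 hunk of device_list.rs passes its arguments in the wrong order for the format string: the first `{}` receives the literal "Preferring value from key uplaod." and the trailing `{}` receives `metadata_value.as_str_name()`, so the logged sentence comes out scrambled. Since the line is already being touched for spelling, move that sentence to the last argument position, or fold it into the format string with a `\` continuation. The new text also still spells "uplaod" in `"Preferring value from key uplaod."`. The enclosing match arm starts and ends outside the hunk.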
@@ -1217,7 +1217,8 @@
 warn!(
 "Device already exists in user's device list \
 (userID={}, deviceID={})",
- &user_id, &new_device.device_id
+ redact_sensitive_data(&user_id),
+ redact_sensitive_data(&new_device.device_id)
 );
 return Err(Error::DeviceList(DeviceListError::DeviceAlreadyExists));
 }
@@ -1265,7 +1266,8 @@
 warn!(
 "Device doesn't exist in user's device list \
 (userID={}, deviceID={})",
- &user_id, device_id
+ redact_sensitive_data(&user_id),
+ redact_sensitive_data(device_id)
 );
 return Err(Error::DeviceList(DeviceListError::DeviceNotFound));
 }
diff --git a/services/identity/src/grpc_services/authenticated.rs b/services/identity/src/grpc_services/authenticated.rs
--- a/services/identity/src/grpc_services/authenticated.rs
+++ b/services/identity/src/grpc_services/authenticated.rs
@@ -5,6 +5,7 @@
 use crate::device_list::validation::DeviceListValidator;
 use crate::device_list::SignedDeviceList;
 use crate::error::consume_error;
+use crate::log::redact_sensitive_data;
 use crate::{
 client_service::{handle_db_error, WorkflowInProgress},
 constants::{error_types, request_metadata, tonic_status_messages},
@@ -396,7 +397,7 @@
 .await
 .map_err(|err| {
 error!(
- user_id,
+ user_id = redact_sensitive_data(&user_id),
 errorType = error_types::GRPC_SERVICES_LOG,
 "Failed fetching device list: {err}"
 );
@@ -405,7 +406,7 @@
 let Some(device_list) = device_list else {
 error!(
- user_id,
+ user_id = redact_sensitive_data(&user_id),
 errorType = error_types::GRPC_SERVICES_LOG,
 "User has no device list!"
 );
@@ -745,7 +746,10 @@
 match task_result {
 Ok((user_id, Ok((device_list, devices_data)))) => {
 let Some(device_list_row) = device_list else {
- warn!(user_id, "User has no device list, skipping!");
+ warn!(
+ user_id = redact_sensitive_data(&user_id),
+ "User has no device list, skipping!"
+ );
 continue;
 };
 let signed_list = SignedDeviceList::try_from(device_list_row)?;
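Review bot: In the -396 hunk of authenticated.rs the `user_id` field is now redacted, but the same `error!` call still interpolates `{err}` into the message, and that error's Display output does not pass through any redaction. If the database error text can carry the key or request that failed (not visible from this diff), the identifier would still reach the log through that path; the same pattern appears in the -765 and -940 hunks. It is worth confirming what `err` formats to, or logging a fixed message plus an error kind when `CONFIG.redact_sensitive_data` is set. The enclosing function starts and ends outside the hunk.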
@@ -765,7 +769,7 @@
 }
 Ok((user_id, Err(err))) => {
 error!(
- user_id,
+ user_id = redact_sensitive_data(&user_id),
 errorType = error_types::GRPC_SERVICES_LOG,
 "Failed fetching device list: {err}"
 );
@@ -940,7 +944,7 @@
 .await
 .map_err(|err| {
 error!(
- user_id,
+ user_id = redact_sensitive_data(user_id),
 errorType = error_types::GRPC_SERVICES_LOG,
 "Failed fetching device list: {err}"
 );
@@ -949,7 +953,7 @@
 let Some(device_list) = device_list else {
 error!(
- user_id,
+ user_id = redact_sensitive_data(user_id),
 errorType = error_types::GRPC_SERVICES_LOG,
 "User has no device list!"
 );
diff --git a/services/identity/src/log.rs b/services/identity/src/log.rs
new file mode 100644
--- /dev/null
+++ b/services/identity/src/log.rs
@@ -0,0 +1,9 @@
+use crate::config::CONFIG;
+
+pub fn redact_sensitive_data(sensitive_data: &str) -> &str {
+ if CONFIG.redact_sensitive_data {
+ "REDACTED"
+ } else {
+ sensitive_data
+ }
+}
diff --git a/services/identity/src/main.rs b/services/identity/src/main.rs
--- a/services/identity/src/main.rs
+++ b/services/identity/src/main.rs
@@ -18,6 +18,7 @@
 mod http;
 mod id;
 mod keygen;
+mod log;
 mod nonce;
 mod olm;
 mod regex;
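Review bot: `redact_sensitive_data` in the new log.rs has no doc comment, and whether anything is redacted depends entirely on `CONFIG.redact_sensitive_data`, whose default is not visible in this diff. If that flag defaults to false, a deployment that omits it keeps writing raw user and device IDs, so the default should be confirmed as redact-on for production. I would add `/// Returns "REDACTED" in place of the input when CONFIG.redact_sensitive_data is set; wrap every user or device identifier with this before it reaches a log macro.` above the function. Because every input maps to the same constant, redacted logs can no longer tie two events to one account during an investigation; a keyed, truncated digest would keep that ability, at the cost of returning an owned string.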