Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F3173262
D12820.id42613.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
7 KB
Referenced Files
None
Subscribers
None
D12820.id42613.diff
View Options
diff --git a/services/identity/src/client_service.rs b/services/identity/src/client_service.rs
--- a/services/identity/src/client_service.rs
+++ b/services/identity/src/client_service.rs
@@ -35,6 +35,7 @@
use crate::grpc_utils::{
DeviceKeyUploadActions, RegistrationActions, SignedNonce
};
+use crate::log::redact_sensitive_data;
use crate::nonce::generate_nonce_data;
use crate::reserved_users::{
validate_account_ownership_message_and_get_user_id,
@@ -721,7 +722,7 @@
.await
.map_err(handle_db_error)?
else {
- warn!("User {} does not have valid device list. Secondary device auth impossible.", user_id);
+ warn!("User {} does not have valid device list. Secondary device auth impossible.", redact_sensitive_data(&user_id));
return Err(tonic::Status::aborted(
tonic_status_messages::DEVICE_LIST_ERROR,
));
@@ -795,7 +796,10 @@
let device_list = device_list_response
.map_err(handle_db_error)?
.ok_or_else(|| {
- warn!("User {} does not have a valid device list.", user_id);
+ warn!(
+ "User {} does not have a valid device list.",
+ redact_sensitive_data(&user_id)
+ );
tonic::Status::aborted(tonic_status_messages::DEVICE_LIST_ERROR)
})?;
diff --git a/services/identity/src/database.rs b/services/identity/src/database.rs
--- a/services/identity/src/database.rs
+++ b/services/identity/src/database.rs
@@ -21,8 +21,8 @@
pub use crate::database::one_time_keys::OTKRow;
use crate::{
ddb_utils::EthereumIdentity, device_list::SignedDeviceList,
- grpc_services::shared::PlatformMetadata, reserved_users::UserDetail,
- siwe::SocialProof,
+ grpc_services::shared::PlatformMetadata, log::redact_sensitive_data,
+ reserved_users::UserDetail, siwe::SocialProof,
};
use crate::{
ddb_utils::{DBIdentity, OlmAccountType},
@@ -925,7 +925,7 @@
.transpose()
.map_err(|e| {
error!(
- user_id,
+ user_id = redact_sensitive_data(user_id),
errorType = error_types::GENERIC_DB_LOG,
"Database item is missing an identifier"
);
diff --git a/services/identity/src/database/device_list.rs b/services/identity/src/database/device_list.rs
--- a/services/identity/src/database/device_list.rs
+++ b/services/identity/src/database/device_list.rs
@@ -17,7 +17,6 @@
use serde::Serialize;
use tracing::{debug, error, trace, warn};
-use crate::error::consume_error;
use crate::{
client_service::FlattenedDeviceKeyUpload,
constants::{
@@ -33,6 +32,7 @@
grpc_utils::DeviceKeysInfo,
olm::is_valid_olm_key,
};
+use crate::{error::consume_error, log::redact_sensitive_data};
use super::DatabaseClient;
@@ -214,8 +214,8 @@
(Some(metadata_value), Some(key_upload_value)) => {
if metadata_value != key_upload_value {
warn!(
- "DeviceKeyUplaod device type ({}) mismatches request metadata platform ({}). {}",
- "Prefering value from key uplaod.",
+ "DeviceKeyUpload device type ({}) mismatches request metadata platform ({}). {}",
+ "Preferring value from key uplaod.",
key_upload_value.as_str_name(),
metadata_value.as_str_name()
);
@@ -575,7 +575,7 @@
type Error = DBItemError;
fn try_from(mut attrs: AttributeMap) -> Result<Self, Self::Error> {
- let user_id = attrs.take_attr(ATTR_USER_ID)?;
+ let user_id: String = attrs.take_attr(ATTR_USER_ID)?;
let DeviceListKeyAttribute(timestamp) =
attrs.remove(ATTR_ITEM_ID).try_into()?;
@@ -589,7 +589,7 @@
if !timestamps_match {
warn!(
"DeviceList timestamp mismatch for (userID={}, itemID={})",
- &user_id,
+ redact_sensitive_data(&user_id),
timestamp.to_rfc3339()
);
}
@@ -933,7 +933,7 @@
.and_then(|list| list.device_ids.first())
else {
error!(
- user_id,
+ user_id = redact_sensitive_data(&user_id),
errorType = error_types::DEVICE_LIST_DB_LOG,
"Device list is empty. Cannot fetch primary device"
);
@@ -1156,7 +1156,7 @@
warn!(
"Tried creating initial device list for already existing user
(userID={})",
- &user_id,
+ redact_sensitive_data(&user_id),
);
return Err(Error::DeviceList(DeviceListError::DeviceAlreadyExists));
}
@@ -1217,7 +1217,8 @@
warn!(
"Device already exists in user's device list \
(userID={}, deviceID={})",
- &user_id, &new_device.device_id
+ redact_sensitive_data(&user_id),
+ redact_sensitive_data(&new_device.device_id)
);
return Err(Error::DeviceList(DeviceListError::DeviceAlreadyExists));
}
@@ -1265,7 +1266,8 @@
warn!(
"Device doesn't exist in user's device list \
(userID={}, deviceID={})",
- &user_id, device_id
+ redact_sensitive_data(&user_id),
+ redact_sensitive_data(device_id)
);
return Err(Error::DeviceList(DeviceListError::DeviceNotFound));
}
diff --git a/services/identity/src/grpc_services/authenticated.rs b/services/identity/src/grpc_services/authenticated.rs
--- a/services/identity/src/grpc_services/authenticated.rs
+++ b/services/identity/src/grpc_services/authenticated.rs
@@ -5,6 +5,7 @@
use crate::device_list::validation::DeviceListValidator;
use crate::device_list::SignedDeviceList;
use crate::error::consume_error;
+use crate::log::redact_sensitive_data;
use crate::{
client_service::{handle_db_error, WorkflowInProgress},
constants::{error_types, request_metadata, tonic_status_messages},
@@ -396,7 +397,7 @@
.await
.map_err(|err| {
error!(
- user_id,
+ user_id = redact_sensitive_data(&user_id),
errorType = error_types::GRPC_SERVICES_LOG,
"Failed fetching device list: {err}"
);
@@ -405,7 +406,7 @@
let Some(device_list) = device_list else {
error!(
- user_id,
+ user_id = redact_sensitive_data(&user_id),
errorType = error_types::GRPC_SERVICES_LOG,
"User has no device list!"
);
@@ -745,7 +746,10 @@
match task_result {
Ok((user_id, Ok((device_list, devices_data)))) => {
let Some(device_list_row) = device_list else {
- warn!(user_id, "User has no device list, skipping!");
+ warn!(
+ user_id = redact_sensitive_data(&user_id),
+ "User has no device list, skipping!"
+ );
continue;
};
let signed_list = SignedDeviceList::try_from(device_list_row)?;
@@ -765,7 +769,7 @@
}
Ok((user_id, Err(err))) => {
error!(
- user_id,
+ user_id = redact_sensitive_data(&user_id),
errorType = error_types::GRPC_SERVICES_LOG,
"Failed fetching device list: {err}"
);
@@ -940,7 +944,7 @@
.await
.map_err(|err| {
error!(
- user_id,
+ user_id = redact_sensitive_data(user_id),
errorType = error_types::GRPC_SERVICES_LOG,
"Failed fetching device list: {err}"
);
@@ -949,7 +953,7 @@
let Some(device_list) = device_list else {
error!(
- user_id,
+ user_id = redact_sensitive_data(user_id),
errorType = error_types::GRPC_SERVICES_LOG,
"User has no device list!"
);
diff --git a/services/identity/src/log.rs b/services/identity/src/log.rs
new file mode 100644
--- /dev/null
+++ b/services/identity/src/log.rs
@@ -0,0 +1,9 @@
+use crate::config::CONFIG;
+
+pub fn redact_sensitive_data(sensitive_data: &str) -> &str {
+ if CONFIG.redact_sensitive_data {
+ "REDACTED"
+ } else {
+ sensitive_data
+ }
+}
diff --git a/services/identity/src/main.rs b/services/identity/src/main.rs
--- a/services/identity/src/main.rs
+++ b/services/identity/src/main.rs
@@ -18,6 +18,7 @@
mod http;
mod id;
mod keygen;
+mod log;
mod nonce;
mod olm;
mod regex;
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Fri, Nov 8, 2:58 PM (18 h, 28 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2443729
Default Alt Text
D12820.id42613.diff (7 KB)
Attached To
Mode
D12820: [identity] use redact_sensitive_data config to redact sensitive data in logs
Attached
Detach File
Event Timeline
Log In to Comment