From aa75c6199c209d9967e3eff976039494f58ff6bc Mon Sep 17 00:00:00 2001 From: Brett Smith Date: Fri, 11 Apr 2014 10:14:12 -0400 Subject: [PATCH] api: Don't include API tokens in logs. Refs #2375. See Tom's comments. I also renamed UNLOGGED_ATTRIBUTES to UNLOGGED_CHANGES to help clarify that it's not used by logged_attributes. --- .../app/models/api_client_authorization.rb | 11 +++++--- services/api/app/models/arvados_model.rb | 6 ++++- services/api/app/models/log.rb | 2 +- services/api/test/unit/log_test.rb | 26 +++++++++++++++++++ 4 files changed, 40 insertions(+), 5 deletions(-) diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb index 38a90d5c13..3b73f408c3 100644 --- a/services/api/app/models/api_client_authorization.rb +++ b/services/api/app/models/api_client_authorization.rb @@ -20,8 +20,7 @@ class ApiClientAuthorization < ArvadosModel t.add :scopes end - UNLOGGED_ATTRIBUTES = ['last_used_at', 'last_used_by_ip_address', - 'updated_at'] + UNLOGGED_CHANGES = ['last_used_at', 'last_used_by_ip_address', 'updated_at'] def assign_random_api_token self.api_token ||= rand(2**256).to_s(36) @@ -63,6 +62,12 @@ class ApiClientAuthorization < ArvadosModel end def modified_at=(x) end + def logged_attributes + attrs = attributes.dup + attrs.delete('api_token') + attrs + end + protected def permission_to_create @@ -76,6 +81,6 @@ class ApiClientAuthorization < ArvadosModel end def log_update - super unless (changed - UNLOGGED_ATTRIBUTES).empty? + super unless (changed - UNLOGGED_CHANGES).empty? end end diff --git a/services/api/app/models/arvados_model.rb b/services/api/app/models/arvados_model.rb index a87e2d55f6..921d2b17c5 100644 --- a/services/api/app/models/arvados_model.rb +++ b/services/api/app/models/arvados_model.rb @@ -87,6 +87,10 @@ class ArvadosModel < ActiveRecord::Base user.uuid) end + def logged_attributes + attributes + end + protected def ensure_permission_to_create @@ -216,7 +220,7 @@ class ArvadosModel < ActiveRecord::Base def log_start_state @old_etag = etag - @old_attributes = attributes + @old_attributes = logged_attributes end def log_change(event_type) diff --git a/services/api/app/models/log.rb b/services/api/app/models/log.rb index e9fe352675..af0b533c75 100644 --- a/services/api/app/models/log.rb +++ b/services/api/app/models/log.rb @@ -29,7 +29,7 @@ class Log < ArvadosModel end def update_to(thing) - fill_properties('new', thing.andand.etag, thing.andand.attributes) + fill_properties('new', thing.andand.etag, thing.andand.logged_attributes) case event_type when "create" self.event_at = thing.created_at diff --git a/services/api/test/unit/log_test.rb b/services/api/test/unit/log_test.rb index 6f793afe7c..2898033578 100644 --- a/services/api/test/unit/log_test.rb +++ b/services/api/test/unit/log_test.rb @@ -55,6 +55,17 @@ class LogTest < ActiveSupport::TestCase yield props if block_given? end + def assert_auth_logged_with_clean_properties(auth, event_type) + assert_logged(auth, event_type) do |props| + ['old_attributes', 'new_attributes'].map { |k| props[k] }.compact + .each do |attributes| + refute_includes(attributes, 'api_token', + "auth log properties include sensitive API token") + end + yield props if block_given? + end + end + def set_user_from_auth(auth_name) client_auth = api_client_authorizations(auth_name) Thread.current[:api_client_authorization] = client_auth @@ -96,6 +107,7 @@ class LogTest < ActiveSupport::TestCase auth = api_client_authorizations(:spectator) orig_etag = auth.etag orig_attrs = auth.attributes + orig_attrs.delete 'api_token' auth.destroy assert_logged(auth, :destroy) do |props| assert_equal(orig_etag, props['old_etag'], "destroyed auth etag mismatch") @@ -199,4 +211,18 @@ class LogTest < ActiveSupport::TestCase auth.save! assert_logged(auth, :update) end + + test "token isn't included in ApiClientAuthorization logs" do + set_user_from_auth :admin_trustedclient + auth = ApiClientAuthorization.new + auth.user = users(:spectator) + auth.api_client = api_clients(:untrusted) + auth.save! + assert_auth_logged_with_clean_properties(auth, :create) + auth.expires_at = Time.now + auth.save! + assert_auth_logged_with_clean_properties(auth, :update) + auth.destroy + assert_auth_logged_with_clean_properties(auth, :destroy) + end end -- 2.30.2