From 396f6d57d51c7367e26a71ac35b95ae927cc0e3b Mon Sep 17 00:00:00 2001 From: Andreas Nilsson Date: Thu, 7 Jul 2016 13:40:33 -0400 Subject: SERVER-24521 Log redaction 'redact' functions --- src/mongo/logger/SConscript | 7 ++ src/mongo/logger/component_message_log_domain.cpp | 4 + src/mongo/logger/component_message_log_domain.h | 13 +++ src/mongo/logger/redaction.cpp | 85 ++++++++++++++ src/mongo/logger/redaction.h | 77 +++++++++++++ src/mongo/logger/redaction_test.cpp | 130 ++++++++++++++++++++++ 6 files changed, 316 insertions(+) create mode 100644 src/mongo/logger/redaction.cpp create mode 100644 src/mongo/logger/redaction.h create mode 100644 src/mongo/logger/redaction_test.cpp (limited to 'src/mongo/logger') diff --git a/src/mongo/logger/SConscript b/src/mongo/logger/SConscript index 4554deb8dee..e9bd048f1d6 100644 --- a/src/mongo/logger/SConscript +++ b/src/mongo/logger/SConscript @@ -26,3 +26,10 @@ env.CppUnitTest('rotatable_file_writer_test', env.CppUnitTest(target='parse_log_component_settings_test', source='parse_log_component_settings_test.cpp', LIBDEPS=['$BUILD_DIR/mongo/base', 'parse_log_component_settings']) + +env.CppUnitTest(target='redaction_test', + source='redaction_test.cpp', + LIBDEPS=[ + '$BUILD_DIR/mongo/base', + ] +) diff --git a/src/mongo/logger/component_message_log_domain.cpp b/src/mongo/logger/component_message_log_domain.cpp index 9d1b41e9472..9f2964ad38e 100644 --- a/src/mongo/logger/component_message_log_domain.cpp +++ b/src/mongo/logger/component_message_log_domain.cpp @@ -79,5 +79,9 @@ void ComponentMessageLogDomain::clearMinimumLoggedSeverity(LogComponent componen _settings.clearMinimumLoggedSeverity(component); } +void ComponentMessageLogDomain::setShouldRedactLogs(bool shouldRedact) { + _shouldRedact.store(shouldRedact); +} + } // namespace logger } // namespace mongo diff --git a/src/mongo/logger/component_message_log_domain.h b/src/mongo/logger/component_message_log_domain.h index 49e55e4c160..15f9301e695 100644 --- a/src/mongo/logger/component_message_log_domain.h +++ b/src/mongo/logger/component_message_log_domain.h @@ -79,8 +79,21 @@ public: */ void clearMinimumLoggedSeverity(LogComponent component); + /** + * Returns true if system logs should be redacted. + */ + bool shouldRedactLogs() { + return _shouldRedact.loadRelaxed(); + } + + /** + * Set the 'redact' mode of the server. + */ + void setShouldRedactLogs(bool shouldRedact); + private: LogComponentSettings _settings; + AtomicBool _shouldRedact{false}; }; } // namespace logger diff --git a/src/mongo/logger/redaction.cpp b/src/mongo/logger/redaction.cpp new file mode 100644 index 00000000000..c66d50fdb83 --- /dev/null +++ b/src/mongo/logger/redaction.cpp @@ -0,0 +1,85 @@ +/* Copyright 2016 MongoDB Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + * As a special exception, the copyright holders give permission to link the + * code of portions of this program with the OpenSSL library under certain + * conditions as described in each individual source file and distribute + * linked combinations including the program with the OpenSSL library. You + * must comply with the GNU Affero General Public License in all respects + * for all of the code used other than as permitted herein. If you modify + * file(s) with this exception, you may extend this exception to your + * version of the file(s), but you are not obligated to do so. If you do not + * wish to do so, delete this exception statement from your version. If you + * delete this exception statement from all source files in the program, + * then also delete it in the license file. + */ + +#define MONGO_LOG_DEFAULT_COMPONENT ::mongo::logger::LogComponent::kDefault + +#include "mongo/platform/basic.h" + +#include "mongo/logger/redaction.h" + +#include "mongo/base/status.h" +#include "mongo/bson/bsonobj.h" +#include "mongo/bson/mutable/document.h" +#include "mongo/util/assert_util.h" +#include "mongo/util/log.h" + +namespace mongo { + +std::string redact(const BSONObj& objectToRedact) { + if (!logger::globalLogDomain()->shouldRedactLogs()) { + return objectToRedact.toString(false); + } + + return objectToRedact.toString(true); +} + +std::string redact(const std::string& stringToRedact) { + if (!logger::globalLogDomain()->shouldRedactLogs()) { + return stringToRedact; + } + + // Return the default mask. + return kRedactionDefaultMask; +} + +std::string redact(const Status& statusToRedact) { + if (!logger::globalLogDomain()->shouldRedactLogs()) { + return statusToRedact.toString(); + } + + // Construct a status representation without the reason() + StringBuilder sb; + sb << statusToRedact.codeString(); + if (!statusToRedact.isOK()) + sb << ": " << kRedactionDefaultMask; + if (statusToRedact.location() != 0) + sb << " @ " << statusToRedact.location(); + return sb.str(); +} + +std::string redact(const DBException& exceptionToRedact) { + if (!logger::globalLogDomain()->shouldRedactLogs()) { + return exceptionToRedact.toString(); + } + + // Construct an exception representation with the what() + std::stringstream ss; + ss << exceptionToRedact.getCode() << " " << kRedactionDefaultMask; + return ss.str(); +} + +} // namespace mongo diff --git a/src/mongo/logger/redaction.h b/src/mongo/logger/redaction.h new file mode 100644 index 00000000000..b5706b2bed6 --- /dev/null +++ b/src/mongo/logger/redaction.h @@ -0,0 +1,77 @@ +/* Copyright 2016 MongoDB Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + * As a special exception, the copyright holders give permission to link the + * code of portions of this program with the OpenSSL library under certain + * conditions as described in each individual source file and distribute + * linked combinations including the program with the OpenSSL library. You + * must comply with the GNU Affero General Public License in all respects + * for all of the code used other than as permitted herein. If you modify + * file(s) with this exception, you may extend this exception to your + * version of the file(s), but you are not obligated to do so. If you do not + * wish to do so, delete this exception statement from your version. If you + * delete this exception statement from all source files in the program, + * then also delete it in the license file. + */ + +#pragma once + +#include + +/** + * The 'redact' methods defined below should be used to redact possibly sensitive + * information when operating the server in 'redact' mode. + * + * The performance impact of calling redact when not in 'redact' mode should be neglectible. + * + * The 'redact' methods are designed to be used as part of our log streams + * log(), LOG(), warning(), error(), severe() similar to the example below. + * + * log() << "My sensitive query is: " << query; + * log() << "My sensitive query is: " << redact(query); + */ + +namespace mongo { + +class BSONObj; +class Status; +class DBException; + +const std::string kRedactionDefaultMask = "###"; + +/** + * In 'redact' mode replace all values with '###' and keep keys intact. + * In normal mode return objectToRedact.toString(). + */ +std::string redact(const BSONObj& objectToRedact); + +/** + * In 'redact mode return '###'. + * In normal mode return stringToRedact. + */ +std::string redact(const std::string& stringToRedact); + +/** + * In 'redact' mode keep status code and replace reason with '###'. + * In normal mode return statusToRedact.toString(). + */ +std::string redact(const Status& statusToRedact); + +/** + * In 'redact' mode keep exception type and replace causedBy with '###'. + * In normal mode return exceptionToRedact.toString(). + */ +std::string redact(const DBException& exceptionToRedact); + +} // namespace mongo diff --git a/src/mongo/logger/redaction_test.cpp b/src/mongo/logger/redaction_test.cpp new file mode 100644 index 00000000000..46c140eefb8 --- /dev/null +++ b/src/mongo/logger/redaction_test.cpp @@ -0,0 +1,130 @@ +/** + * Copyright (C) 2015 MongoDB Inc. + */ + +#define MONGO_LOG_DEFAULT_COMPONENT ::mongo::logger::LogComponent::kDefault + +#include "mongo/logger/redaction.h" +#include "mongo/db/jsobj.h" +#include "mongo/unittest/unittest.h" +#include "mongo/util/log.h" + +namespace mongo { +namespace { + +const std::string kRedactionDefaultMask = "###"; +const std::string kMsg = "Not initialized"; +using BSONStringPair = std::pair; + +TEST(RedactStringTest, NoRedact) { + logger::globalLogDomain()->setShouldRedactLogs(false); + + std::string toRedact[] = {"", "abc", "*&$@!_\\\\\\\"*&$@!_\"*&$@!_\"*&$@!_"}; + for (auto s : toRedact) { + ASSERT_EQ(redact(s), s); + } +} + +TEST(RedactStringTest, BasicStrings) { + logger::globalLogDomain()->setShouldRedactLogs(true); + + std::string toRedact[] = {"", "abc", "*&$@!_\\\\\\\"*&$@!_\"*&$@!_\"*&$@!_"}; + for (auto s : toRedact) { + ASSERT_EQ(redact(s), kRedactionDefaultMask); + } +} + +TEST(RedactStatusTest, NoRedact) { + logger::globalLogDomain()->setShouldRedactLogs(false); + Status status(ErrorCodes::InternalError, kMsg); + ASSERT_EQ(redact(status), status.toString()); +} + +TEST(RedactStatusTest, BasicStatus) { + logger::globalLogDomain()->setShouldRedactLogs(true); + Status status(ErrorCodes::InternalError, kMsg); + ASSERT_EQ(redact(status), "InternalError: " + kRedactionDefaultMask); +} + +TEST(RedactStatusTest, StatusWithLocation) { + logger::globalLogDomain()->setShouldRedactLogs(true); + Status status(ErrorCodes::InternalError, kMsg, 777); + ASSERT_EQ(redact(status), "InternalError: " + kRedactionDefaultMask + " @ 777"); +} + +TEST(RedactStatusTest, StatusOK) { + logger::globalLogDomain()->setShouldRedactLogs(true); + ASSERT_EQ(redact(Status::OK()), "OK"); +} + +TEST(RedactExceptionTest, NoRedact) { + logger::globalLogDomain()->setShouldRedactLogs(false); + DBException ex(kMsg, ErrorCodes::InternalError); + ASSERT_EQ(redact(ex), ex.toString()); +} + +TEST(RedactExceptionTest, BasicException) { + logger::globalLogDomain()->setShouldRedactLogs(true); + DBException ex(kMsg, ErrorCodes::InternalError); + ASSERT_EQ(redact(ex), "1 ###"); +} + +TEST(RedactBSONTest, NoRedact) { + logger::globalLogDomain()->setShouldRedactLogs(false); + BSONObj obj = BSON("a" << 1); + ASSERT_EQ(redact(obj), obj.toString()); +} + +void testBSONCases(std::initializer_list testCases) { + for (auto m : testCases) { + ASSERT_EQ(redact(m.first), m.second); + } +} + +TEST(RedactBSONTest, BasicBSON) { + logger::globalLogDomain()->setShouldRedactLogs(true); + std::vector testCases; + + testBSONCases({BSONStringPair(BSONObj(), "{}"), + BSONStringPair(BSON("" << 1), "{ : \"###\" }"), + BSONStringPair(BSON("a" << 1), "{ a: \"###\" }"), + BSONStringPair(BSON("a" << 1.0), "{ a: \"###\" }"), + BSONStringPair(BSON("a" + << "a"), + "{ a: \"###\" }"), + BSONStringPair(BSON("a" << 1 << "b" + << "str"), + "{ a: \"###\", b: \"###\" }"), + BSONStringPair(BSON("a" << 1 << "a" + << "1"), + "{ a: \"###\", a: \"###\" }")}); +} +/* +TEST(RedactBSONTest, NestedBSON) { + logger::globalLogDomain()->setShouldRedactLogs(true); + std::vector testCases; + + testCases.push_back(BSONStringPair(BSON("a" << BSONObj()), "{ a: {} }")); + testCases.push_back(BSONStringPair( + BSON("a" << BSONObj(BSONObj(BSONObj(BSONObj(BSONObj(BSONObj(BSONObj(BSONObj())))))))), + "{ a: {} }")); + testCases.push_back(BSONStringPair(BSON("a" << BSON("a" << 1)), "{ a: { a: \"###\" } }")); + testCases.push_back(BSONStringPair(BSON("a" << BSON("a" << 1 << "b" << 1)), + "{ a: { a: \"###\", b: \"###\" } }")); + testBSONVector(testCases); +} + +TEST(RedactBSONTest, BSONWithArrays) { + logger::globalLogDomain()->setShouldRedactLogs(true); + std::vector testCases; + + testCases.push_back(BSONStringPair(BSON("a" << BSONArray()), "{ a: [] }")); + testCases.push_back( + BSONStringPair(BSON("a" << BSON_ARRAY("abc" << 1)), "{ a: [ \"###\", \"###\" ] }")); + testCases.push_back(BSONStringPair(BSON("a" << BSON_ARRAY(BSON("a" << 1) << BSON("b" << 1))), + "{ a: [ { a: \"###\" }, { b: \"###\" } ] }")); + + testBSONVector(testCases); +}*/ +} // namespace +} // namespace mongo -- cgit v1.2.1