fix remove LDAPPassword from audit logs (#9773)

the previous fix for #9707 was not correct, fix this properly passing the right filter keys to be filtered from the audit log output. Fixes #9767
2020-06-04 22:07:55 -07:00 · 2020-06-04 22:07:55 -07:00 · d93bdea433
parent 26cfd52e7e
commit d93bdea433
3 changed files with 22 additions and 27 deletions
--- a/cmd/logger/audit.go
+++ b/cmd/logger/audit.go
@ -135,7 +135,7 @@ func AddAuditTarget(t Target) {
 }

 // AuditLog - logs audit logs to all audit targets.
-func AuditLog(w http.ResponseWriter, r *http.Request, api string, reqClaims map[string]interface{}) {
+func AuditLog(w http.ResponseWriter, r *http.Request, api string, reqClaims map[string]interface{}, filterKeys ...string) {
 	// Fast exit if there is not audit target configured
 	if len(AuditTargets) == 0 {
 		return
@ -162,6 +162,12 @@ func AuditLog(w http.ResponseWriter, r *http.Request, api string, reqClaims map[
 	}

 	entry := audit.ToEntry(w, r, reqClaims, globalDeploymentID)
+	for _, filterKey := range filterKeys {
+		delete(entry.ReqClaims, filterKey)
+		delete(entry.ReqQuery, filterKey)
+		delete(entry.ReqHeader, filterKey)
+		delete(entry.RespHeader, filterKey)
+	}
 	entry.API.Name = api
 	entry.API.Bucket = bucket
 	entry.API.Object = object
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@ -1,5 +1,5 @@
 /*
- * MinIO Cloud Storage, (C) 2018, 2019 MinIO, Inc.
+ * MinIO Cloud Storage, (C) 2018-2020 MinIO, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -173,7 +173,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
 	}

 	ctx = newContext(r, w, action)
-	defer stsAuditLog(w, r, action)
+	defer logger.AuditLog(w, r, action, nil)

 	sessionPolicyStr := r.Form.Get(stsPolicy)
 	// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
@ -258,15 +258,6 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
 	writeSuccessResponseXML(w, encodeResponse(assumeRoleResponse))
 }

-func stsAuditLog(w http.ResponseWriter, r *http.Request, action string) {
-	for _, k := range []string{
-		stsLDAPPassword, // cleanup any passwords before sending to audit logs.
-	} {
-		r.URL.Query().Del(k)
-	}
-	logger.AuditLog(w, r, action, nil)
-}
-
 func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "AssumeRoleJWTCommon")

@ -290,7 +281,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
 	}

 	ctx = newContext(r, w, action)
-	defer stsAuditLog(w, r, action)
+	defer logger.AuditLog(w, r, action, nil)

 	if globalOpenIDValidators == nil {
 		writeSTSErrorResponse(ctx, w, true, ErrSTSNotInitialized, errServerNotInitialized)
@ -437,6 +428,8 @@ func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *
 func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "AssumeRoleWithLDAPIdentity")

+	defer logger.AuditLog(w, r, "AssumeRoleWithLDAPIdentity", nil, stsLDAPPassword)
+
 	// Parse the incoming form data.
 	if err := r.ParseForm(); err != nil {
 		writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
@ -444,7 +437,16 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 	}

 	if r.Form.Get(stsVersion) != stsAPIVersion {
-		writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get("Version"), stsAPIVersion))
+		writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter,
+			fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get("Version"), stsAPIVersion))
+		return
+	}
+
+	ldapUsername := r.Form.Get(stsLDAPUsername)
+	ldapPassword := r.Form.Get(stsLDAPPassword)
+
+	if ldapUsername == "" || ldapPassword == "" {
+		writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, fmt.Errorf("LDAPUsername and LDAPPassword cannot be empty"))
 		return
 	}

@ -456,17 +458,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 		return
 	}

-	ctx = newContext(r, w, action)
-	defer stsAuditLog(w, r, action)
-
-	ldapUsername := r.Form.Get(stsLDAPUsername)
-	ldapPassword := r.Form.Get(stsLDAPPassword)
-
-	if ldapUsername == "" || ldapPassword == "" {
-		writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, fmt.Errorf("LDAPUsername and LDAPPassword cannot be empty"))
-		return
-	}
-
 	sessionPolicyStr := r.Form.Get(stsPolicy)
 	// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
 	// The plain text that you use for both inline and managed session
--- a/go.sum
+++ b/go.sum
@ -108,8 +108,6 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-ole/go-ole v1.2.4 h1:nNBDSCOigTSiarFpYE9J/KtEA1IOW4CNeqT9TQDqCxI=
 github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM=
-github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA=
-github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=