From f3d61c51fc88193bfd2f9ea4cf9e43c5f7df2b60 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Wed, 1 May 2024 14:31:13 -0700
Subject: [PATCH] fix: Filter out cust. AssumeRole `Token` for audit (#19646)

The `Token` parameter is a sensitive value that should not be output in the Audit log for STS AssumeRoleWithCustomToken API. Bonus: Add a simple tool that echoes audit logs to the console.
---
 cmd/sts-handlers.go | 4 +-
 docs/auditlog/auditlog-echo.go | 62 +++++++++++++++++++++++++++++
 docs/auditlog/auditlog-echo.md | 17 ++++++++
 docs/iam/identity-manager-plugin.go | 2 +-
 4 files changed, 83 insertions(+), 2 deletions(-)
 create mode 100644 docs/auditlog/auditlog-echo.go
 create mode 100644 docs/auditlog/auditlog-echo.md

diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index 701159346..5468eec23 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -929,7 +929,9 @@ func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *h
 ctx := newContext(r, w, "AssumeRoleWithCustomToken")
 claims := make(map[string]interface{})
- defer logger.AuditLog(ctx, w, r, claims)
+
+ auditLogFilterKeys := []string{stsToken}
+ defer logger.AuditLog(ctx, w, r, claims, auditLogFilterKeys...)
 if !globalIAMSys.Initialized() {
 writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
diff --git a/docs/auditlog/auditlog-echo.go b/docs/auditlog/auditlog-echo.go
new file mode 100644
index 000000000..1fb894891
--- /dev/null
+++ b/docs/auditlog/auditlog-echo.go
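Review bot: The new `auditLogFilterKeys` declaration carries no comment explaining why `stsToken` is withheld, so the next maintainer who adds a credential-bearing form field to this handler has nothing pointing them at this list as the place to register it; suggest `// The custom token is a caller credential and must not reach the audit sink; add any other secret-bearing form key here.` above the slice. Filtering by key name at this one call site only covers AssumeRoleWithCustomToken, so it is worth confirming that the sibling STS handlers which accept a credential in the request form pass the same variadic filter to `logger.AuditLog`, since nothing else changes here. AssumeRoleWithCustomToken starts before the hunk and continues past it.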
@@ -0,0 +1,62 @@
+//go:build ignore
+// +build ignore
+
+// Copyright (c) 2015-2024 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+package main
+
+import (
+ "bytes"
+ "encoding/json"
+ "flag"
+ "fmt"
+ "io"
+ "log"
+ "net/http"
+)
+
+var port int
+
+func init() {
+ flag.IntVar(&port, "port", 8080, "Port to listen on")
+}
+
+func mainHandler(w http.ResponseWriter, r *http.Request) {
+ body, err := io.ReadAll(r.Body)
+ defer r.Body.Close()
+ if err != nil {
+ log.Printf("Error reading request body: %v", err)
+ w.WriteHeader(http.StatusBadRequest)
+ return
+ }
+
+ log.Printf(">>> %s %s\n", r.Method, r.URL.Path)
+ var out bytes.Buffer
+ json.Indent(&out, body, "", " ")
+ log.Printf("%s\n", out.String())
+
+ w.WriteHeader(http.StatusOK)
+}
+
+func main() {
+ flag.Parse()
+ http.HandleFunc("/", mainHandler)
+
+ log.Printf("Listening on :%d\n", port)
+ log.Fatal(http.ListenAndServe(fmt.Sprintf(":%d", port), nil))
+}
diff --git a/docs/auditlog/auditlog-echo.md b/docs/auditlog/auditlog-echo.md
new file mode 100644
index 000000000..4d0ab3267
--- /dev/null
+++ b/docs/auditlog/auditlog-echo.md
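Review bot: The `json.Indent` error in mainHandler is discarded, so a webhook payload that is not well-formed JSON is printed as an empty or truncated `out` with no hint of what was actually received; check it and fall back to the raw bytes with `if err := json.Indent(&out, body, "", "  "); err != nil { out.Reset(); out.Write(body) }` so the existing `log.Printf("%s\n", out.String())` still shows the payload. In main, `http.ListenAndServe` binds every interface with no timeouts, so any host that can reach the box can post to this unauthenticated sink and a stalled client holds its goroutine indefinitely; for a console tool an `http.Server` with `ReadHeaderTimeout` set, and ideally a loopback listen address by default, would be the safer shape. The `defer r.Body.Close()` is unnecessary in a server handler because net/http closes the request body itself, and the trailing `\n` in each `log.Printf` is redundant since the log package appends one when it is missing.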
@@ -0,0 +1,17 @@
+# `auditlog-echo`: A tool to view MinIO Audit logs on the console
+
+1. Run the tool with:
+
+```
+go run docs/auditlog/auditlog-echo.go
+```
+
+The listen port has a default value (8080), but can be set with the `-port` flag.
+
+2. Configure audit logging in MinIO with for example:
+
+```
+mc admin config set myminio audit_webhook enable=on endpoint=http://localhost:8080
+```
+
+3. Make any requests to MinIO and see audit logs printed to the tool's console.
diff --git a/docs/iam/identity-manager-plugin.go b/docs/iam/identity-manager-plugin.go
index cd8d33bc8..05d472617 100644
--- a/docs/iam/identity-manager-plugin.go
+++ b/docs/iam/identity-manager-plugin.go
@@ -81,6 +81,6 @@ func mainHandler(w http.ResponseWriter, r *http.Request) {
 func main() {
 http.HandleFunc("/", mainHandler)
- log.Print("Listing on :8081")
+ log.Print("Listening on :8081")
 log.Fatal(http.ListenAndServe(":8081", nil))
 }