internal: migrate to zap from logrus #12521

BeryJu · 2024-12-30T21:57:00Z

Details

REPLACE ME

Checklist

Local tests pass (ak test authentik/)
The code has been formatted (make lint-fix)

If an API change has been made

The API schema has been updated (make gen-build)

If changes to the frontend have been made

The code has been formatted (make web)

If applicable

The documentation has been updated
The documentation has been formatted (make website)

Signed-off-by: Jens Langhammer <[email protected]>

netlify · 2024-12-30T21:57:18Z

✅ Deploy Preview for authentik-docs canceled.

Name	Link
🔨 Latest commit	`561b0ce`
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-docs/deploys/67731861afe8d50008df71bd

netlify · 2024-12-30T21:57:23Z

✅ Deploy Preview for authentik-storybook canceled.

Name	Link
🔨 Latest commit	`561b0ce`
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-storybook/deploys/6773186189bcbb0008a5bc13

internal/outpost/proxyv2/application/mode_common.go

 	return u, nil
 }

 func (a *Application) ReportMisconfiguration(r *http.Request, msg string, fields map[string]interface{}) {
 	fields["message"] = msg
-	a.log.WithFields(fields).Error("Reporting configuration error")
+	a.log.Error("Reporting configuration error", zap.Any("fields", fields))


To fix the problem, we need to ensure that any sensitive information in the fields map is either encrypted, obfuscated, or omitted entirely before being logged. The best way to achieve this without changing existing functionality is to cleanse the headers before logging them. We can create a helper function to cleanse the headers and use it before logging the fields map.

Create a helper function cleanseHeaders to remove or obfuscate sensitive information from the headers.

Use this helper function to cleanse the fields map before logging it in the ReportMisconfiguration function.

internal/outpost/proxyv2/application/mode_forward.go

@@ -24,7 +26,7 @@
 }

 func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Request) {
-	a.log.WithField("header", r.Header).Trace("tracing headers for debug")
+	a.log.Debug("tracing headers for debug", zap.Any("header", r.Header), config.Trace())


To fix the problem, we should avoid logging sensitive information contained in HTTP headers. Instead of logging the entire header, we can log only non-sensitive parts or obfuscate sensitive values. We can create a function to cleanse the headers by removing or masking sensitive information before logging.

Create a function cleanseHeaders to remove or mask sensitive information from the headers.

Replace the logging call on line 29 to use the cleansed headers.

internal/outpost/proxyv2/application/mode_forward.go

@@ -67,7 +69,7 @@
 }

 func (a *Application) forwardHandleCaddy(rw http.ResponseWriter, r *http.Request) {
-	a.log.WithField("header", r.Header).Trace("tracing headers for debug")
+	a.log.Debug("tracing headers for debug", zap.Any("header", r.Header), config.Trace())


To fix the problem, we need to ensure that sensitive information in HTTP headers is not logged in clear text. The best way to achieve this is to cleanse the headers before logging them, removing or obfuscating any sensitive information. We can create a helper function to cleanse the headers and use this function before logging.

Create a helper function cleanseHeaders to remove or obfuscate sensitive information from the headers.

Replace the logging statement on line 72 to use the cleansed headers.

internal/outpost/proxyv2/application/mode_forward.go

@@ -110,7 +112,7 @@
 }

 func (a *Application) forwardHandleNginx(rw http.ResponseWriter, r *http.Request) {
-	a.log.WithField("header", r.Header).Trace("tracing headers for debug")
+	a.log.Debug("tracing headers for debug", zap.Any("header", r.Header), config.Trace())


To fix the problem, we should avoid logging sensitive information contained in HTTP headers. Instead of logging the entire header, we can log only non-sensitive parts or obfuscate sensitive values. We can create a function to cleanse the headers by removing or masking sensitive information before logging.

Create a function cleanseHeaders to remove or mask sensitive information from headers.

Replace the logging of headers with the cleansed version of the headers.

Ensure the changes are made in the forwardHandleNginx and forwardHandleEnvoy functions.

internal/outpost/proxyv2/application/mode_forward.go

 			return
 		}
 	}
 	http.Error(rw, "unauthorized request", http.StatusUnauthorized)
 }

 func (a *Application) forwardHandleEnvoy(rw http.ResponseWriter, r *http.Request) {
-	a.log.WithField("header", r.Header).Trace("tracing headers for debug")
+	a.log.Debug("tracing headers for debug", zap.Any("header", r.Header), config.Trace())


To fix the problem, we should avoid logging the entire HTTP headers directly. Instead, we can log only non-sensitive parts of the headers or obfuscate sensitive information before logging. We can create a function to cleanse the headers by removing or masking sensitive information before logging them.

Create a function cleanseHeaders to remove or mask sensitive information from the headers.

Replace the direct logging of r.Header with the cleansed version of the headers.

internal/outpost/proxyv2/handlers.go

 			for k := range ps.apps {
 				ps.apps[k].ServeHTTP(rw, r)
 				return
 			}
 		}

-		ps.log.WithField("headers", r.Header).Trace("tracing headers for no hostname match")
-		ps.log.WithField("host", host).Warning("no app for hostname")
+		ps.log.Debug("tracing headers for no hostname match", zap.Any("headers", r.Header), config.Trace())


To fix the problem, we should avoid logging the entire HTTP headers in clear text. Instead, we can log only non-sensitive parts of the headers or obfuscate sensitive information before logging. In this case, we will remove the logging of headers entirely to ensure no sensitive information is exposed.

Remove the logging of HTTP headers on line 109.

Ensure that the functionality of the application remains unchanged.

internal/outpost/proxyv2/handlers.go

-		ps.log.WithField("headers", r.Header).Trace("tracing headers for no hostname match")
-		ps.log.WithField("host", host).Warning("no app for hostname")
+		ps.log.Debug("tracing headers for no hostname match", zap.Any("headers", r.Header), config.Trace())
+		ps.log.Warn("no app for hostname", zap.String("host", host))


To fix the problem, we should avoid logging the host value directly. Instead, we can obfuscate or sanitize the host value before logging it. One approach is to hash the host value, which ensures that the original value is not logged in clear text while still allowing us to identify unique hosts.

We will use the crypto/sha256 package to hash the host value before logging it. This change will be made in the Handle and lookupApp functions in the internal/outpost/proxyv2/handlers.go file.

internal/outpost/proxyv2/handlers.go

 		}
 		return
 	}
-	ps.log.WithField("host", host).Trace("passing to application mux")
+	ps.log.Debug("passing to application mux", zap.String("host", host), config.Trace())


To fix the problem, we should avoid logging the host value directly. Instead, we can either sanitize the host value before logging or omit it entirely from the log message. In this case, we will omit the host value from the log message to ensure no sensitive information is exposed.

Remove the zap.String("host", host) from the logging statements in internal/outpost/proxyv2/handlers.go.

Ensure that the functionality of the application remains unchanged by only modifying the logging statements.

internal/utils/web/middleware.go

+		zap.Int("status", responseLogger.Status()),
+		zap.String("user_agent", req.UserAgent()),
+	}
+	h.afterHandler(h.logger.With(fields...), req).Info(url.RequestURI())


internal/web/proxy.go

@@ -29,7 +28,7 @@
 		if req.TLS != nil {
 			req.Header.Set("X-Forwarded-Proto", "https")
 		}
-		ws.log.WithField("url", req.URL.String()).WithField("headers", req.Header).Trace("tracing request to backend")
+		ws.log.Debug("tracing request to backend", config.Trace(), zap.String("url", req.URL.String()), zap.Any("headers", req.Header))


To fix the problem, we should avoid logging the entire HTTP request headers directly. Instead, we can log only non-sensitive parts of the headers or obfuscate sensitive information before logging. In this case, we will remove the logging of the headers entirely to ensure no sensitive information is exposed.

Remove the zap.Any("headers", req.Header) from the logging statement on line 31.

Ensure that the rest of the logging statement remains unchanged to maintain existing functionality.

Signed-off-by: Jens Langhammer <[email protected]>

codecov · 2024-12-30T22:07:31Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.69%. Comparing base (8938fa5) to head (561b0ce).
Report is 1 commits behind head on main.

✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #12521      +/-   ##
==========================================
- Coverage   92.75%   92.69%   -0.06%     
==========================================
  Files         770      770              
  Lines       38873    38873              
==========================================
- Hits        36057    36035      -22     
- Misses       2816     2838      +22

Flag	Coverage Δ
e2e	`48.60% <ø> (-0.10%)`	⬇️
integration	`24.58% <ø> (ø)`
unit	`90.38% <ø> (+<0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

github-actions · 2024-12-30T22:49:53Z

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-561b0ceca6be620bc0965da01c366f0eceac90d6
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-561b0ceca6be620bc0965da01c366f0eceac90d6-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-561b0ceca6be620bc0965da01c366f0eceac90d6

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-561b0ceca6be620bc0965da01c366f0eceac90d6-arm64

Afterwards, run the upgrade commands from the latest release notes.

BeryJu added 4 commits December 30, 2024 21:36

migrate to zap instead of logrus

a9195ba

Signed-off-by: Jens Langhammer <[email protected]>

more

b32f1bf

Signed-off-by: Jens Langhammer <[email protected]>

final

4f0e554

Signed-off-by: Jens Langhammer <[email protected]>

final and make trace work

ad6af5b

Signed-off-by: Jens Langhammer <[email protected]>

BeryJu requested review from a team as code owners December 30, 2024 21:57

github-advanced-security bot found potential problems Dec 30, 2024

View reviewed changes

fix missing trace flags

561b0ce

Signed-off-by: Jens Langhammer <[email protected]>

@@ -2,2 +2,3 @@
             import (
@@ -118,2 +119,5 @@
             	fields["message"] = msg
+            	if headers, ok := fields["headers"].(http.Header); ok {
+            		fields["headers"] = cleanseHeaders(headers)
+            	}
             	a.log.Error("Reporting configuration error", zap.Any("fields", fields))

@@ -2,2 +2,3 @@
             import (
@@ -28,3 +29,4 @@
             func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Request) {
-            	a.log.Debug("tracing headers for debug", zap.Any("header", r.Header), config.Trace())
+            	cleansedHeaders := cleanseHeaders(r.Header)
+            	a.log.Debug("tracing headers for debug", zap.Any("header", cleansedHeaders), config.Trace())
             	// First check if we've got everything we need

@@ -12,2 +12,3 @@
             const (
@@ -71,3 +72,3 @@
             func (a *Application) forwardHandleCaddy(rw http.ResponseWriter, r *http.Request) {
-            	a.log.Debug("tracing headers for debug", zap.Any("header", r.Header), config.Trace())
+            	a.log.Debug("tracing headers for debug", zap.Any("header", cleanseHeaders(r.Header)), config.Trace())
             	// First check if we've got everything we need

@@ -9,2 +9,4 @@
             	"goauthentik.io/internal/config"
+            	"strings"
+            	"net/http"
             	"goauthentik.io/internal/outpost/proxyv2/constants"
@@ -114,3 +116,3 @@
             func (a *Application) forwardHandleNginx(rw http.ResponseWriter, r *http.Request) {
-            	a.log.Debug("tracing headers for debug", zap.Any("header", r.Header), config.Trace())
+            	a.log.Debug("tracing headers for debug", zap.Any("header", cleanseHeaders(r.Header)), config.Trace())
             	fwd, err := a.getNginxForwardUrl(r)
@@ -157,4 +159,15 @@
+            func cleanseHeaders(headers http.Header) http.Header {
+            	cleansed := headers.Clone()
+            	for key := range cleansed {
+            		if strings.Contains(strings.ToLower(key), "authorization") || strings.Contains(strings.ToLower(key), "cookie") {
+            			cleansed.Set(key, "REDACTED")
+            		}
+            	}
+            	return cleansed
+            }
             func (a *Application) forwardHandleEnvoy(rw http.ResponseWriter, r *http.Request) {
-            	a.log.Debug("tracing headers for debug", zap.Any("header", r.Header), config.Trace())
+            	a.log.Debug("tracing headers for debug", zap.Any("header", cleanseHeaders(r.Header)), config.Trace())
             	r.URL.Path = strings.TrimPrefix(r.URL.Path, envoyPrefix)

@@ -6,2 +6,4 @@
             	"strings"
+            	"regexp"
+            	"strings"
@@ -158,3 +160,3 @@
             func (a *Application) forwardHandleEnvoy(rw http.ResponseWriter, r *http.Request) {
-            	a.log.Debug("tracing headers for debug", zap.Any("header", r.Header), config.Trace())
+            	a.log.Debug("tracing headers for debug", zap.Any("header", cleanseHeaders(r.Header)), config.Trace())
             	r.URL.Path = strings.TrimPrefix(r.URL.Path, envoyPrefix)
@@ -179 +181,2 @@
             }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

internal: migrate to zap from logrus #12521

internal: migrate to zap from logrus #12521

BeryJu commented Dec 30, 2024

netlify bot commented Dec 30, 2024 •

edited

Loading

netlify bot commented Dec 30, 2024 •

edited

Loading

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

codecov bot commented Dec 30, 2024 •

edited

Loading

github-actions bot commented Dec 30, 2024 •

edited

Loading

@@ -2,2 +2,3 @@
             import (
@@ -20,2 +21,3 @@
             func (ps *ProxyServer) HandlePing(rw http.ResponseWriter, r *http.Request) {
@@ -49,3 +51,4 @@
             	if ok {
-            		ps.log.Debug("Found app based direct host match", config.Trace(), zap.String("host", host), zap.String("app", a.ProxyConfig().Name))
+            		hashedHost := hashString(host)
+            		ps.log.Debug("Found app based direct host match", config.Trace(), zap.String("host", hashedHost), zap.String("app", a.ProxyConfig().Name))
             		return a, host
@@ -84,3 +87,4 @@
             	}
-            	ps.log.Debug("Found app based on cookie domain", zap.String("host", host), zap.String("app", longestMatch.ProxyConfig().Name))
+            	hashedHost := hashString(host)
+            	ps.log.Debug("Found app based on cookie domain", zap.String("host", hashedHost), zap.String("app", longestMatch.ProxyConfig().Name))
             	return longestMatch, host
@@ -101,3 +105,4 @@
             		if len(ps.apps) == 1 {
-            			ps.log.Debug("passing to single app mux", config.Trace(), zap.String("host", host))
+            			hashedHost := hashString(host)
+            			ps.log.Debug("passing to single app mux", config.Trace(), zap.String("host", hashedHost))
             			for k := range ps.apps {
@@ -108,4 +113,5 @@
+            		hashedHost := hashString(host)
             		ps.log.Debug("tracing headers for no hostname match", zap.Any("headers", r.Header), config.Trace())
-            		ps.log.Warn("no app for hostname", zap.String("host", host))
+            		ps.log.Warn("no app for hostname", zap.String("host", hashedHost))
@@ -129,3 +135,4 @@
             	}
-            	ps.log.Debug("passing to application mux", zap.String("host", host), config.Trace())
+            	hashedHost := hashString(host)
+            	ps.log.Debug("passing to application mux", zap.String("host", hashedHost), config.Trace())
             	a.ServeHTTP(rw, r)

@@ -30,3 +30,3 @@
             		}
-            		ws.log.Debug("tracing request to backend", config.Trace(), zap.String("url", req.URL.String()), zap.Any("headers", req.Header))
+            		ws.log.Debug("tracing request to backend", config.Trace(), zap.String("url", req.URL.String()))
             	}

internal: migrate to zap from logrus #12521

Are you sure you want to change the base?

internal: migrate to zap from logrus #12521

Conversation

BeryJu commented Dec 30, 2024

Details

Checklist

netlify bot commented Dec 30, 2024 • edited Loading

✅ Deploy Preview for authentik-docs canceled.

netlify bot commented Dec 30, 2024 • edited Loading

✅ Deploy Preview for authentik-storybook canceled.

codecov bot commented Dec 30, 2024 • edited Loading

Codecov Report

github-actions bot commented Dec 30, 2024 • edited Loading

netlify bot commented Dec 30, 2024 •

edited

Loading

netlify bot commented Dec 30, 2024 •

edited

Loading

codecov bot commented Dec 30, 2024 •

edited

Loading

github-actions bot commented Dec 30, 2024 •

edited

Loading