From d6de328ecdfe8b5c4e0c0e4ab07d93ab4499b2a4 Mon Sep 17 00:00:00 2001 From: mskanth972 Date: Thu, 30 May 2024 11:54:45 -0400 Subject: [PATCH] Sanitize CSI RPC request logs --- pkg/driver/controller.go | 9 +++--- pkg/driver/identity.go | 3 +- pkg/driver/node.go | 11 ++++---- pkg/util/util.go | 18 ++++++++++++ pkg/util/util_test.go | 59 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 90 insertions(+), 10 deletions(-) create mode 100644 pkg/util/util_test.go diff --git a/pkg/driver/controller.go b/pkg/driver/controller.go index 7d4e4c6e0..be4630e63 100644 --- a/pkg/driver/controller.go +++ b/pkg/driver/controller.go @@ -30,6 +30,7 @@ import ( "github.com/container-storage-interface/spec/lib/go/csi" "github.com/kubernetes-sigs/aws-efs-csi-driver/pkg/cloud" + "github.com/kubernetes-sigs/aws-efs-csi-driver/pkg/util" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" "k8s.io/klog/v2" @@ -78,7 +79,7 @@ var ( ) func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest) (*csi.CreateVolumeResponse, error) { - klog.V(4).Infof("CreateVolume: called with args %+v", *req) + klog.V(4).Infof("CreateVolume: called with args %+v", util.SanitizeRequest(*req)) var reuseAccessPoint bool var err error @@ -370,7 +371,7 @@ func (d *Driver) DeleteVolume(ctx context.Context, req *csi.DeleteVolumeRequest) return nil, err } - klog.V(4).Infof("DeleteVolume: called with args %+v", *req) + klog.V(4).Infof("DeleteVolume: called with args %+v", util.SanitizeRequest(*req)) volId := req.GetVolumeId() if volId == "" { return nil, status.Error(codes.InvalidArgument, "Volume ID not provided") 
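Review bot: `util.SanitizeRequest(*req)` in CreateVolume is evaluated before klog decides whether V(4) is enabled, so every RPC pays for the reflection-based copy even when the line is never written. The same applies to DeleteVolume in this file and to the other call sites changed in controller.go, identity.go and node.go. Guarding the call keeps that cost off the normal path: `if klogV := klog.V(4); klogV.Enabled() { klogV.Infof("CreateVolume: called with args %+v", util.SanitizeRequest(*req)) }`. A short comment at the first call site saying that secrets are stripped before logging, and that the request must be passed by value, would also help the next maintainer. The bodies of both functions continue outside their hunks.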
@@ -467,7 +468,7 @@ func (d *Driver) ControllerUnpublishVolume(ctx context.Context, req *csi.Control } func (d *Driver) ValidateVolumeCapabilities(ctx context.Context, req *csi.ValidateVolumeCapabilitiesRequest) (*csi.ValidateVolumeCapabilitiesResponse, error) { - klog.V(4).Infof("ValidateVolumeCapabilities: called with args %+v", *req) + klog.V(4).Infof("ValidateVolumeCapabilities: called with args %+v", util.SanitizeRequest(*req)) volId := req.GetVolumeId() if volId == "" { return nil, status.Error(codes.InvalidArgument, "Volume ID not provided") @@ -501,7 +502,7 @@ func (d *Driver) GetCapacity(ctx context.Context, req *csi.GetCapacityRequest) ( } func (d *Driver) ControllerGetCapabilities(ctx context.Context, req *csi.ControllerGetCapabilitiesRequest) (*csi.ControllerGetCapabilitiesResponse, error) { - klog.V(4).Infof("ControllerGetCapabilities: called with args %+v", *req) + klog.V(4).Infof("ControllerGetCapabilities: called with args %+v", util.SanitizeRequest(*req)) var caps []*csi.ControllerServiceCapability for _, cap := range controllerCaps { c := &csi.ControllerServiceCapability{ diff --git a/pkg/driver/identity.go b/pkg/driver/identity.go index fd3d43f26..bb1854550 100644 --- a/pkg/driver/identity.go +++ b/pkg/driver/identity.go @@ -22,6 +22,7 @@ import ( "k8s.io/klog/v2" "github.com/container-storage-interface/spec/lib/go/csi" + "github.com/kubernetes-sigs/aws-efs-csi-driver/pkg/util" ) func (d *Driver) GetPluginInfo(ctx context.Context, req *csi.GetPluginInfoRequest) (*csi.GetPluginInfoResponse, error) { 
@@ -34,7 +35,7 @@ func (d *Driver) GetPluginInfo(ctx context.Context, req *csi.GetPluginInfoReques } func (d *Driver) GetPluginCapabilities(ctx context.Context, req *csi.GetPluginCapabilitiesRequest) (*csi.GetPluginCapabilitiesResponse, error) { - klog.V(5).Infof("GetPluginCapabilities: called with args %+v", *req) + klog.V(5).Infof("GetPluginCapabilities: called with args %+v", util.SanitizeRequest(*req)) resp := &csi.GetPluginCapabilitiesResponse{ Capabilities: []*csi.PluginCapability{ { diff --git a/pkg/driver/node.go b/pkg/driver/node.go index ab42ce4ca..d080d0d47 100644 --- a/pkg/driver/node.go +++ b/pkg/driver/node.go @@ -28,6 +28,7 @@ import ( "github.com/container-storage-interface/spec/lib/go/csi" "github.com/kubernetes-sigs/aws-efs-csi-driver/pkg/cloud" + "github.com/kubernetes-sigs/aws-efs-csi-driver/pkg/util" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" corev1 "k8s.io/api/core/v1" @@ -54,7 +55,7 @@ func (d *Driver) NodeUnstageVolume(ctx context.Context, req *csi.NodeUnstageVolu } func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error) { - klog.V(4).Infof("NodePublishVolume: called with args %+v", req) + klog.V(4).Infof("NodePublishVolume: called with args %+v", util.SanitizeRequest(*req)) mountOptions := []string{} target := req.GetTargetPath() @@ -216,7 +217,7 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu } func (d *Driver) NodeUnpublishVolume(ctx context.Context, req *csi.NodeUnpublishVolumeRequest) (*csi.NodeUnpublishVolumeResponse, error) { - klog.V(4).Infof("NodeUnpublishVolume: called with args %+v", req) + klog.V(4).Infof("NodeUnpublishVolume: called with args %+v", util.SanitizeRequest(*req)) target := req.GetTargetPath() if len(target) == 0 { 
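Review bot: In pkg/driver/node.go the log argument changes from `req` to `*req` (NodePublishVolume and NodeUnpublishVolume here, NodeGetVolumeStats, NodeGetCapabilities and NodeGetInfo in the later hunks), which adds a dereference ahead of any validation. A nil request would now panic at the log line instead of reaching getters such as `req.GetTargetPath()`, which generated protobuf code normally makes nil-safe. Formatting the struct by value probably also bypasses the message's pointer-receiver `String()` method, so these lines may change from the protobuf text form to a raw Go struct dump; this is worth confirming against a V(4) log sample. As the helper is written the call cannot simply revert to `util.SanitizeRequest(req)`, because with a pointer argument it clears `Secrets` on the live request; a nil check before the log line, or a helper that copies the pointed-to struct, would address both concerns.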
@@ -266,7 +267,7 @@ func (d *Driver) NodeUnpublishVolume(ctx context.Context, req *csi.NodeUnpublish } func (d *Driver) NodeGetVolumeStats(ctx context.Context, req *csi.NodeGetVolumeStatsRequest) (*csi.NodeGetVolumeStatsResponse, error) { - klog.V(4).Infof("NodeGetVolumeStats: called with args %+v", req) + klog.V(4).Infof("NodeGetVolumeStats: called with args %+v", util.SanitizeRequest(*req)) volId := req.GetVolumeId() if volId == "" { @@ -303,7 +304,7 @@ func (d *Driver) NodeExpandVolume(ctx context.Context, req *csi.NodeExpandVolume } func (d *Driver) NodeGetCapabilities(ctx context.Context, req *csi.NodeGetCapabilitiesRequest) (*csi.NodeGetCapabilitiesResponse, error) { - klog.V(4).Infof("NodeGetCapabilities: called with args %+v", req) + klog.V(4).Infof("NodeGetCapabilities: called with args %+v", util.SanitizeRequest(*req)) var caps []*csi.NodeServiceCapability for _, cap := range d.nodeCaps { c := &csi.NodeServiceCapability{ @@ -319,7 +320,7 @@ func (d *Driver) NodeGetCapabilities(ctx context.Context, req *csi.NodeGetCapabi } func (d *Driver) NodeGetInfo(ctx context.Context, req *csi.NodeGetInfoRequest) (*csi.NodeGetInfoResponse, error) { - klog.V(4).Infof("NodeGetInfo: called with args %+v", req) + klog.V(4).Infof("NodeGetInfo: called with args %+v", util.SanitizeRequest(*req)) return &csi.NodeGetInfoResponse{ NodeId: d.nodeID, diff --git a/pkg/util/util.go b/pkg/util/util.go index 80218e56e..2b03aee6e 100644 --- a/pkg/util/util.go +++ b/pkg/util/util.go @@ -24,6 +24,7 @@ import ( "os" "path" "path/filepath" + "reflect" "strings" ) 
@@ -67,3 +68,20 @@ func GetHttpResponse(client *http.Client, endpoint string) ([]byte, error) {
 }
 return body, nil
 }
+
+// SanitizeRequest takes a request object and returns a copy of the request with
+// the "Secrets" field cleared.
+func SanitizeRequest(req interface{}) interface{} {
+ v := reflect.ValueOf(&req).Elem()
+ e := reflect.New(v.Elem().Type()).Elem()
+
+ e.Set(v.Elem())
+
+ f := reflect.Indirect(e).FieldByName("Secrets")
+
+ if f.IsValid() && f.CanSet() && f.Kind() == reflect.Map {
+ f.Set(reflect.MakeMap(f.Type()))
+ v.Set(e)
+ }
+ return req
+}
diff --git a/pkg/util/util_test.go b/pkg/util/util_test.go
new file mode 100644
index 000000000..e2e4f19c4
--- /dev/null
+++ b/pkg/util/util_test.go
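Review bot: SanitizeRequest in pkg/util/util.go modifies the caller's request when it is given a pointer: `e` is then only a copy of the pointer, `reflect.Indirect(e)` reaches the original struct, and `f.Set(...)` empties the live `Secrets` map, which contradicts the doc comment's "returns a copy". The driver call sites in this patch pass `*req` and are unaffected, but the unit test passes a pointer, and any later caller doing the same would strip secrets from a request before the handler uses them. A nil or non-struct argument also panics, in `v.Elem().Type()` or in `FieldByName`, which a logging helper should not do. The version below copies the pointed-to struct, returns unsupported inputs unchanged, and keeps the existing match on a top-level map field named `Secrets`; the doc comment should state that the match is by field name only, so nested or differently named sensitive fields are still logged.

```go
func SanitizeRequest(req interface{}) interface{} {
	v := reflect.ValueOf(req)
	isPtr := v.Kind() == reflect.Ptr
	if isPtr {
		if v.IsNil() {
			return req
		}
		v = v.Elem()
	}
	// Anything that is not a struct has no fields to clear; hand it back untouched.
	if v.Kind() != reflect.Struct {
		return req
	}

	// Shallow-copy the struct so the caller's request is never modified.
	c := reflect.New(v.Type()).Elem()
	c.Set(v)

	if f := c.FieldByName("Secrets"); f.IsValid() && f.CanSet() && f.Kind() == reflect.Map {
		f.Set(reflect.MakeMap(f.Type()))
	}

	if isPtr {
		return c.Addr().Interface()
	}
	return c.Interface()
}
```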
@@ -0,0 +1,59 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+ "reflect"
+ "testing"
+)
+
+type TestRequest struct {
+ Name string
+ Secrets map[string]string
+}
+
+func TestSanitizeRequest(t *testing.T) {
+ tests := []struct {
+ name string
+ req interface{}
+ expected interface{}
+ }{
+ {
+ name: "Request with Secrets",
+ req: &TestRequest{
+ Name: "Test",
+ Secrets: map[string]string{
+ "key1": "value1",
+ "key2": "value2",
+ },
+ },
+ expected: &TestRequest{
+ Name: "Test",
+ Secrets: map[string]string{},
+ },
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ result := SanitizeRequest(tt.req)
+ if !reflect.DeepEqual(result, tt.expected) {
+ t.Errorf("SanitizeRequest() = %v, expected %v", result, tt.expected)
+ }
+ })
+ }
+}
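Review bot: The only case in TestSanitizeRequest passes `&TestRequest{...}`, while every driver call site in this patch passes the request by value (`*req`), so the path production uses is not tested. The test also never inspects the input after the call; with a pointer argument the helper writes through to the original struct, and a check on a retained input such as `if len(in.Secrets) != 2 { t.Errorf("input was modified") }` would expose that. Adding a by-value case, a struct without a `Secrets` field, and a nil input would pin the behaviour the log lines depend on.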