api: add 'redacted' option for protobuf messages, and redact SSL certs (#9315)

Implement MessageUtil::redact() to redact proto fields with the udpa.annotations.sensitive option set. Apply this to SSL certs in the admin config_dump.

Risk Level: low
Testing: unit tests

Signed-off-by: Dan Rosen <mergeconflict@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 7bd0c07fa397ab9b5b34c5a79a4a886129828b16
data-plane-api(CircleCI) 5 years ago
parent 046ebe5f95
commit 516ea79d04
  1. 9
      envoy/api/v2/auth/cert.proto
  2. 8
      envoy/extensions/transport_sockets/tls/v3alpha/cert.proto

@ -11,6 +11,8 @@ import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/sensitive.proto";
import "udpa/annotations/migrate.proto";
import "validate/validate.proto";
@ -128,7 +130,7 @@ message TlsCertificate {
core.DataSource certificate_chain = 1;
// The TLS private key.
core.DataSource private_key = 2;
core.DataSource private_key = 2 [(udpa.annotations.sensitive) = true];
// BoringSSL private key method provider. This is an alternative to :ref:`private_key
// <envoy_api_field_auth.TlsCertificate.private_key>` field. This can't be
@ -141,7 +143,7 @@ message TlsCertificate {
// The password to decrypt the TLS private key. If this field is not set, it is assumed that the
// TLS private key is not password encrypted.
core.DataSource password = 3;
core.DataSource password = 3 [(udpa.annotations.sensitive) = true];
// [#not-implemented-hide:]
core.DataSource ocsp_staple = 4;
@ -174,7 +176,8 @@ message TlsSessionTicketKeys {
// * Keep the session ticket keys at least as secure as your TLS certificate private keys
// * Rotate session ticket keys at least daily, and preferably hourly
// * Always generate keys using a cryptographically-secure random data source
repeated core.DataSource keys = 1 [(validate.rules).repeated = {min_items: 1}];
repeated core.DataSource keys = 1
[(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
}
// [#next-free-field: 10]
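Review bot: The field comments on `private_key`, `password` and `TlsSessionTicketKeys.keys` still describe them as ordinary DataSource fields, so a reader of the proto gets no hint that these values are stripped from the admin config_dump output that the commit message describes; suggest extending each of the three comments with a line such as `// This field is marked sensitive and is redacted in the admin config_dump output.` The same applies to the v3alpha copy of these three fields in the second file. Separately, the new `import "udpa/annotations/sensitive.proto";` is placed before `migrate.proto`, which breaks the alphabetical order the surrounding imports follow; the v3alpha file places it correctly before `versioning.proto`. The enclosing `TlsCertificate` message starts and ends outside the hunks shown.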

@ -11,6 +11,7 @@ import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/sensitive.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
@ -136,7 +137,7 @@ message TlsCertificate {
config.core.v3alpha.DataSource certificate_chain = 1;
// The TLS private key.
config.core.v3alpha.DataSource private_key = 2;
config.core.v3alpha.DataSource private_key = 2 [(udpa.annotations.sensitive) = true];
// BoringSSL private key method provider. This is an alternative to :ref:`private_key
// <envoy_api_field_extensions.transport_sockets.tls.v3alpha.TlsCertificate.private_key>` field.
@ -150,7 +151,7 @@ message TlsCertificate {
// The password to decrypt the TLS private key. If this field is not set, it is assumed that the
// TLS private key is not password encrypted.
config.core.v3alpha.DataSource password = 3;
config.core.v3alpha.DataSource password = 3 [(udpa.annotations.sensitive) = true];
// [#not-implemented-hide:]
config.core.v3alpha.DataSource ocsp_staple = 4;
@ -187,7 +188,8 @@ message TlsSessionTicketKeys {
// * Keep the session ticket keys at least as secure as your TLS certificate private keys
// * Rotate session ticket keys at least daily, and preferably hourly
// * Always generate keys using a cryptographically-secure random data source
repeated config.core.v3alpha.DataSource keys = 1 [(validate.rules).repeated = {min_items: 1}];
repeated config.core.v3alpha.DataSource keys = 1
[(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
}
// [#next-free-field: 10]
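Review bot: The comment above `private_key` points to the BoringSSL private key method provider as an alternative to `private_key`, but that provider's configuration field lies outside this hunk and does not appear to receive the `sensitive` annotation in this change; if its typed config can carry key material or credentials, it would still be shown in clear in config_dump, which is worth confirming. The annotation is applied at the DataSource field level, so presumably the whole DataSource (inline bytes, inline string and filename alike) is redacted rather than only the inline variants — confirm that MessageUtil::redact() behaves that way, since the redaction implementation is not part of this page. The enclosing `TlsCertificate` message starts and ends outside the hunks shown.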
