Merge pull request #8737 from yang-g/creds_sanitize

Redact sensitive data from api traces

src/core/lib/security/credentials/jwt/jwt_credentials.c

@@ -144,17 +144,44 @@ grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
   return &c->base;
 }
 
+static char *redact_private_key(const char *json_key) {
+  char *json_copy = gpr_strdup(json_key);
+  grpc_json *json = grpc_json_parse_string(json_copy);
+  if (!json) {
+    gpr_free(json_copy);
+    return gpr_strdup("<Json failed to parse.>");
+  }
+  const char *redacted = "<redacted>";
+  grpc_json *current = json->child;
+  while (current) {
+    if (current->type == GRPC_JSON_STRING &&
+        strcmp(current->key, "private_key") == 0) {
+      current->value = (char *)redacted;
+      break;
+    }
+    current = current->next;
+  }
+  char *clean_json = grpc_json_dump_to_string(json, 2);
+  gpr_free(json_copy);
+  grpc_json_destroy(json);
+  return clean_json;
+}
+
 grpc_call_credentials *grpc_service_account_jwt_access_credentials_create(
     const char *json_key, gpr_timespec token_lifetime, void *reserved) {
-  GRPC_API_TRACE(
+  if (grpc_api_trace) {
+    char *clean_json = redact_private_key(json_key);
+    gpr_log(GPR_INFO,
             "grpc_service_account_jwt_access_credentials_create("
             "json_key=%s, "
             "token_lifetime="
             "gpr_timespec { tv_sec: %" PRId64
             ", tv_nsec: %d, clock_type: %d }, "
             "reserved=%p)",
-      5, (json_key, token_lifetime.tv_sec, token_lifetime.tv_nsec,
-          (int)token_lifetime.clock_type, reserved));
+            clean_json, token_lifetime.tv_sec, token_lifetime.tv_nsec,
+            (int)token_lifetime.clock_type, reserved);
+    gpr_free(clean_json);
+  }
   GPR_ASSERT(reserved == NULL);
   return grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
       grpc_auth_json_key_create_from_string(json_key), token_lifetime);

src/core/lib/security/credentials/oauth2/oauth2_credentials.c

@@ -392,15 +392,32 @@ grpc_refresh_token_credentials_create_from_auth_refresh_token(
   return &c->base.base;
 }
 
+static char *create_loggable_refresh_token(grpc_auth_refresh_token *token) {
+  if (strcmp(token->type, GRPC_AUTH_JSON_TYPE_INVALID) == 0) {
+    return gpr_strdup("<Invalid json token>");
+  }
+  char *loggable_token = NULL;
+  gpr_asprintf(&loggable_token,
+               "{\n type: %s\n client_id: %s\n client_secret: "
+               "<redacted>\n refresh_token: <redacted>\n}",
+               token->type, token->client_id);
+  return loggable_token;
+}
+
 grpc_call_credentials *grpc_google_refresh_token_credentials_create(
     const char *json_refresh_token, void *reserved) {
-  GRPC_API_TRACE(
+  grpc_auth_refresh_token token =
+      grpc_auth_refresh_token_create_from_string(json_refresh_token);
+  if (grpc_api_trace) {
+    char *loggable_token = create_loggable_refresh_token(&token);
+    gpr_log(GPR_INFO,
             "grpc_refresh_token_credentials_create(json_refresh_token=%s, "
             "reserved=%p)",
-      2, (json_refresh_token, reserved));
+            loggable_token, reserved);
+    gpr_free(loggable_token);
+  }
   GPR_ASSERT(reserved == NULL);
-  return grpc_refresh_token_credentials_create_from_auth_refresh_token(
-      grpc_auth_refresh_token_create_from_string(json_refresh_token));
+  return grpc_refresh_token_credentials_create_from_auth_refresh_token(token);
 }
 
 //
@@ -430,9 +447,9 @@ grpc_call_credentials *grpc_access_token_credentials_create(
       gpr_malloc(sizeof(grpc_access_token_credentials));
   char *token_md_value;
   GRPC_API_TRACE(
-      "grpc_access_token_credentials_create(access_token=%s, "
+      "grpc_access_token_credentials_create(access_token=<redacted>, "
       "reserved=%p)",
-      2, (access_token, reserved));
+      1, (reserved));
   GPR_ASSERT(reserved == NULL);
   memset(c, 0, sizeof(grpc_access_token_credentials));
   c->base.type = GRPC_CALL_CREDENTIALS_TYPE_OAUTH2;