OPTION(rgw_crypt_default_encryption_key, OPT_STR, "") // base64 encoded key for encryption of rgw objects
OPTION(rgw_crypt_s3_kms_encryption_keys, OPT_STR, "") // extra keys that may be used for aws:kms
// defined as map "key1=YmluCmJvb3N0CmJvb3N0LQ== key2=b3V0CnNyYwpUZXN0aW5nCg=="
-
+OPTION(rgw_crypt_suppress_logs, OPT_BOOL, true) // suppress logs that might print customer key
OPTION(rgw_list_bucket_min_readahead, OPT_INT, 1000) // minimum number of entries to read from rados for bucket listing
OPTION(rgw_rest_getusage_op_compat, OPT_BOOL, false) // dump description of total stats for s3 GetUsage API
rgw_xml.cc
rgw_xml_enc.cc
rgw_torrent.cc
- rgw_crypt.cc)
+ rgw_crypt.cc
+ rgw_crypt_sanitize.cc)
if (WITH_RADOSGW_FCGI_FRONTEND)
list(APPEND rgw_a_srcs rgw_fcgi.cc)
#include "rgw_common.h"
#include "civetweb/civetweb.h"
+#include "rgw_crypt_sanitize.h"
#define dout_subsys ceph_subsys_civetweb
#define dout_context g_ceph_context
int rgw_civetweb_log_callback(const struct mg_connection *conn, const char *buf) {
- dout(0) << "civetweb: " << (void *)conn << ": " << buf << dendl;
+ dout(0) << "civetweb: " << (void *)conn << ": " << rgw::crypt_sanitize::log_content(buf) << dendl;
return 0;
}
int rgw_civetweb_log_access_callback(const struct mg_connection *conn, const char *buf) {
- dout(1) << "civetweb: " << (void *)conn << ": " << buf << dendl;
+ dout(1) << "civetweb: " << (void *)conn << ": " << rgw::crypt_sanitize::log_content(buf) << dendl;
return 0;
}
#include <stdarg.h>
#include "rgw_client_io.h"
-
+#include "rgw_crypt.h"
+#include "rgw_crypt_sanitize.h"
#define dout_subsys ceph_subsys_rgw
namespace rgw {
const auto& env_map = get_env().get_map();
for (const auto& iter: env_map) {
- ldout(cct, 20) << iter.first << "=" << iter.second << dendl;
+ rgw::crypt_sanitize::env x{iter->first, iter->second};
+ ldout(cct, 20) << iter->first << "=" << (x) << dendl;
}
}
}
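Review bot: The two added lines use `iter->first` / `iter->second`, but `iter` is the range-for element reference (`for (const auto& iter: env_map)`), not an iterator, and the removed line accessed it as `iter.first`; unless the map's value type overloads `->`, this will not compile. The fix is `rgw::crypt_sanitize::env x{iter.first, iter.second};` followed by `ldout(cct, 20) << iter.first << "=" << x << dendl;` (the parentheses around `x` are not needed). The enclosing function starts outside the hunk.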
#include "common/strtol.h"
#include "include/str_list.h"
#include "auth/Crypto.h"
+#include "rgw_crypt_sanitize.h"
#include <sstream>
}
}
for (iter = x_meta_map.begin(); iter != x_meta_map.end(); ++iter) {
- dout(10) << "x>> " << iter->first << ":" << iter->second << dendl;
+ dout(10) << "x>> " << iter->first << ":" << rgw::crypt_sanitize::x_meta_map{iter->first, iter->second} << dendl;
}
}
#include <rgw/rgw_op.h>
#include <rgw/rgw_rest_s3.h>
#include <boost/utility/string_ref.hpp>
+
/**
* \brief Interface for block encryption methods
*
--- /dev/null
+/*
+ * rgw_crypt_sanitize.cc
+ *
+ * Created on: Mar 3, 2017
+ * Author: adam
+ */
+
+#include "rgw_common.h"
+#include "rgw_crypt_sanitize.h"
+#include "boost/algorithm/string/predicate.hpp"
+
+namespace rgw {
+namespace crypt_sanitize {
+const char* HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY = "HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY";
+const char* x_amz_server_side_encryption_customer_key = "x-amz-server-side-encryption-customer-key";
+const char* dollar_x_amz_server_side_encryption_customer_key = "$x-amz-server-side-encryption-customer-key";
+const char* suppression_message = "=suppressed due to key presence=";
+}
+}
+
+namespace std {
+std::ostream& operator<<(std::ostream& out, const rgw::crypt_sanitize::env& e) {
+ if (g_ceph_context->_conf->rgw_crypt_suppress_logs) {
+ if (boost::algorithm::iequals(
+ e.name,
+ rgw::crypt_sanitize::HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY))
+ {
+ out << rgw::crypt_sanitize::suppression_message;
+ return out;
+ }
+ if (boost::algorithm::iequals(e.name, "QUERY_STRING") &&
+ boost::algorithm::ifind_first(
+ e.value,
+ rgw::crypt_sanitize::x_amz_server_side_encryption_customer_key))
+ {
+ out << rgw::crypt_sanitize::suppression_message;
+ return out;
+ }
+ }
+ out << e.value;
+ return out;
+}
+
+std::ostream& operator<<(std::ostream& out, const rgw::crypt_sanitize::x_meta_map& x) {
+ if (g_ceph_context->_conf->rgw_crypt_suppress_logs &&
+ boost::algorithm::iequals(x.name, rgw::crypt_sanitize::x_amz_server_side_encryption_customer_key))
+ {
+ out << rgw::crypt_sanitize::suppression_message;
+ return out;
+ }
+ out << x.value;
+ return out;
+}
+
+std::ostream& operator<<(std::ostream& out, const rgw::crypt_sanitize::s3_policy& x) {
+ if (g_ceph_context->_conf->rgw_crypt_suppress_logs &&
+ boost::algorithm::iequals(x.name, rgw::crypt_sanitize::dollar_x_amz_server_side_encryption_customer_key))
+ {
+ out << rgw::crypt_sanitize::suppression_message;
+ return out;
+ }
+ out << x.value;
+ return out;
+}
+
+std::ostream& operator<<(std::ostream& out, const rgw::crypt_sanitize::auth& x) {
+ if (g_ceph_context->_conf->rgw_crypt_suppress_logs &&
+ x.s->info.env->get(rgw::crypt_sanitize::HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY, nullptr) != nullptr)
+ {
+ out << rgw::crypt_sanitize::suppression_message;
+ return out;
+ }
+ out << x.value;
+ return out;
+}
+
+std::ostream& operator<<(std::ostream& out, const rgw::crypt_sanitize::log_content& x) {
+ if (g_ceph_context->_conf->rgw_crypt_suppress_logs &&
+ strstr(x.buf, rgw::crypt_sanitize::x_amz_server_side_encryption_customer_key) != nullptr) {
+ out << rgw::crypt_sanitize::suppression_message;
+ return out;
+ }
+ out << x.buf;
+ return out;
+}
+
+
+
+}
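Review bot: The `log_content` overload checks with `strstr(x.buf, ...)`, which is case-sensitive, while every other check in this file uses `iequals` / `ifind_first`; if a civetweb log line names the header in another case (say `X-Amz-Server-Side-Encryption-Customer-Key`, as a client may send it), it would not be suppressed and the key value could reach the log. Since `boost/algorithm/string/predicate.hpp` is already included, `boost::algorithm::icontains(x.buf, rgw::crypt_sanitize::x_amz_server_side_encryption_customer_key)` keeps this overload consistent with the others. Whether `buf` can be null is not visible here; if it can, both the search and `out << x.buf` need a guard, since neither handles a null pointer.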
--- /dev/null
+// -*- mode:C; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
+// vim: ts=8 sw=2 smarttab
+
+#ifndef RGW_RGW_CRYPT_SANITIZE_H_
+#define RGW_RGW_CRYPT_SANITIZE_H_
+
+#include "rgw_common.h"
+
+namespace rgw {
+namespace crypt_sanitize {
+
+
+struct env {
+ boost::string_ref name;
+ boost::string_ref value;
+
+ env(boost::string_ref name, boost::string_ref value)
+ : name(name), value(value) {}
+};
+
+struct x_meta_map {
+ boost::string_ref name;
+ boost::string_ref value;
+ x_meta_map(boost::string_ref name, boost::string_ref value)
+ : name(name), value(value) {}
+};
+
+struct s3_policy {
+ boost::string_ref name;
+ boost::string_ref value;
+ s3_policy(boost::string_ref name, boost::string_ref value)
+ : name(name), value(value) {}
+};
+
+struct auth {
+ const req_state* const s;
+ boost::string_ref value;
+ auth(const req_state* const s, boost::string_ref value)
+ : s(s), value(value) {}
+};
+
+struct log_content {
+ const char* buf;
+ log_content(const char* buf)
+ : buf(buf) {}
+};
+
+}
+}
+
+namespace std {
+std::ostream& operator<<(std::ostream& out, const rgw::crypt_sanitize::env& e);
+std::ostream& operator<<(std::ostream& out, const rgw::crypt_sanitize::x_meta_map& x);
+std::ostream& operator<<(std::ostream& out, const rgw::crypt_sanitize::s3_policy& x);
+std::ostream& operator<<(std::ostream& out, const rgw::crypt_sanitize::auth& x);
+std::ostream& operator<<(std::ostream& out, const rgw::crypt_sanitize::log_content& x);
+}
+#endif /* RGW_RGW_CRYPT_SANITIZE_H_ */
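Review bot: The five `operator<<` overloads are declared in the `namespace std` block at the bottom of the header and defined in `namespace std` in rgw_crypt_sanitize.cc; adding non-template declarations to namespace std is undefined behaviour, and it is unnecessary, because declaring them in `rgw::crypt_sanitize` next to the structs lets argument-dependent lookup find them from the `dout` / `ldout` expressions. The same move applies to the definitions in rgw_crypt_sanitize.cc. Separately, `log_content(const char* buf)` is a non-explicit single-argument constructor, so any `const char*` converts to it silently; `explicit log_content(const char* buf)` closes that and leaves the civetweb log sites unchanged, since they construct it by name.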
#include <string>
#include <map>
#include "include/assert.h"
+#include "rgw_crypt_sanitize.h"
#define dout_context g_ceph_context
#define dout_subsys ceph_subsys_rgw
#include "common/ceph_json.h"
#include "rgw_policy_s3.h"
#include "rgw_common.h"
-
+#include "rgw_crypt_sanitize.h"
#define dout_context g_ceph_context
#define dout_subsys ceph_subsys_rgw
string first, second;
env->get_value(v1, first, checked_vars);
env->get_value(v2, second, checked_vars);
-
- dout(1) << "policy condition check " << v1 << " [" << first << "] " << v2 << " [" << second << "]" << dendl;
+ dout(1) << "policy condition check " << v1 << " ["
+ << rgw::crypt_sanitize::s3_policy{v1, first}
+ << "] " << v2 << " ["
+ << rgw::crypt_sanitize::s3_policy{v2, second}
+ << "]" << dendl;
bool ret = check(first, second, err_msg);
if (!ret) {
err_msg.append(": ");
#include "common/armor.h"
#include "common/strtol.h"
#include "include/str_list.h"
+#include "rgw_crypt_sanitize.h"
#define dout_context g_ceph_context
#define dout_subsys ceph_subsys_rgw
if (cct->_conf->subsys.should_gather(ceph_subsys_rgw, 20)) {
map<string, string>::iterator i;
for (i = m.begin(); i != m.end(); ++i) {
- ldout(cct, 20) << "> " << i->first << " -> " << i->second << dendl;
+ ldout(cct, 20) << "> " << i->first << " -> " << rgw::crypt_sanitize::x_meta_map{i->first, i->second} << dendl;
}
}
#include "rgw_token.h"
#include "rgw_rest_role.h"
#include "rgw_crypt.h"
+#include "rgw_crypt_sanitize.h"
#include "include/assert.h"
if (! rgw_create_s3_canonical_header(s->info, &header_time, string_to_sign,
qsr)) {
ldout(cct, 10) << "failed to create the canonized auth header\n"
- << string_to_sign << dendl;
+ << rgw::crypt_sanitize::auth{s,string_to_sign} << dendl;
throw -EPERM;
}
- ldout(cct, 10) << "string_to_sign:\n" << string_to_sign << dendl;
+ ldout(cct, 10) << "string_to_sign:\n"
+ << rgw::crypt_sanitize::auth{s,string_to_sign} << dendl;
if (! is_time_skew_ok(header_time, qsr)) {
throw -ERR_REQUEST_TIME_SKEWED;
}
}*/
-
const auto iter = user_info.access_keys.find(access_key_id);
if (iter == std::end(user_info.access_keys)) {
ldout(cct, 0) << "ERROR: access key not encoded in user info" << dendl;