IBM / keyprotect-go-client

Go SDK for interacting with the IBM Cloud KeyProtect service.
Apache License 2.0

Ability to dump request, response logger by SDK #72

Open kavya498 opened 2 years ago

kavya498 commented 2 years ago

TF Provider Ref: https://github.com/IBM-Cloud/terraform-provider-ibm/blob/master/ibm/config.go#L2635

Other SDK references: https://github.com/IBM/go-sdk-core/blob/main/v5/core/log.go#L167

We would want KP-client to have similar behaviour as well.

Thanks.

mrodden commented 2 years ago

The request and response bodies in KeyProtect mostly contain sensitive information that should never be in logs, so probably not.

The risk of accidentally exposing encryption keys by someone setting TF_LOG because they are looking at some other plugin's requests is one obvious example I can think of.

The client does provide a config option to dump only certain parts of requests with the Verbose field on the client configuration.

See https://github.com/IBM/keyprotect-go-client/blob/master/kp.go#L79 and https://github.com/IBM/keyprotect-go-client/blob/master/kp.go#L49

mrodden commented 2 years ago

It appears this is busted and still disabled from a previous issue where customer keys were accidentally being logged...

Please let me know what specifically in the request / responses you would like to log.

Also, there is always the possibility of passing in your own Transport or RoundTripper object to replace the default, which could intercept traffic obviously. I would caution that we have had a lot of issues with exposed sensitive information in logs recently, and still think it's best to avoid logging any body data.
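
The custom RoundTripper option raised in the last comment can be combined with its caution about body data. The following is an added example, not code from keyprotect-go-client or from anyone in this thread: a wrapper that logs method, path, status and allowlisted headers only. The names `MetaLogger`, `safeHeaders`, `stub` and `Demo`, the header allowlist, and the host `kp.example.test` are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

var logged = []string{"Content-Type", "Correlation-Id"} // allowlist assumed for this example

// MetaLogger (hypothetical name) logs method, path, status and allowlisted headers; it never reads a body or query string.
type MetaLogger struct {
	Next http.RoundTripper
	Log  func(line string)
}

func (m MetaLogger) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := m.Next.RoundTrip(req)
	status := 0 // stays 0 when the transport itself failed
	if resp != nil {
		status = resp.StatusCode
	}
	m.Log(fmt.Sprintf("%s %s -> %d [%s]", req.Method, req.URL.Path, status, safeHeaders(req.Header)))
	return resp, err
}

// safeHeaders renders only allowlisted request headers, so Authorization is never emitted.
func safeHeaders(h http.Header) string {
	var parts []string
	for _, name := range logged {
		if v := h.Get(name); v != "" {
			parts = append(parts, name+"="+v)
		}
	}
	return strings.Join(parts, " ")
}

// stub is a constructed offline transport standing in for the real service.
type stub struct{}
func (stub) RoundTrip(*http.Request) (*http.Response, error) { return &http.Response{StatusCode: 201, Body: http.NoBody}, nil }

// Demo sends one constructed request (fake token, fake key payload) and returns the log lines.
func Demo() (lines []string) {
	req, _ := http.NewRequest("POST", "https://kp.example.test/api/v2/keys?x=1", strings.NewReader(`{"payload":"FAKE-KEY"}`))
	req.Header = http.Header{"Authorization": {"Bearer FAKE-TOKEN"}, "Correlation-Id": {"abc-123"}}
	MetaLogger{stub{}, func(l string) { lines = append(lines, l) }}.RoundTrip(req)
	return lines
}

func main() { fmt.Println(strings.Join(Demo(), "\n")) }
```

An allowlist is used rather than a list of headers to mask, so a sensitive header nobody anticipated is omitted by default.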