st2-api-key not obfuscated when using core.http?

[fdrab]

SUMMARY

I have 2 ST2 instances (independent of each other and in different networks) and want them to communicate with each other via API using API keys. However, when providing st2-api-key to headers of action core.http, the API key is visible in plain-text in both st2web and in CLI. This is not desirable, as I want the users to be able to use the keys, but not unintentionally share them during any screen sharing sessions. Masking is set in the config for both [api] and [log] (and any actions I've created that use the "secret" tag are masked properly) in st2.conf and I've even tried adding st2-api-key into mask_secrets_blacklist. I've tried to clone the runner, but headers are not overridable (can't just create my own http runner with headers marked as "secret"). Before going on and writing my own http as a python action, I wanted to ask whether I'm doing something wrong, as it seems obvious to me that any auth info should be obfuscated by default.

STACKSTORM VERSION

[root@st2 st2]# st2 --version st2 3.7.0, on Python 3.8.12 [root@st2 st2]#

OS, environment, install method

custom install on a RHEL8

Steps to reproduce the problem

Use core.http with st2-api-key: in st2web.

Expected Results

Expected the value of the API key to be obfuscated.

Actual Results

The API key is visible in plaintext.

Making sure to follow these steps will guarantee the quickest resolution possible.

Thanks!

[arm4b]

Looking at some logging tests here: https://github.com/StackStorm/st2/blob/007beed8325b397d540d97905af8f2edb14b925f/st2common/tests/unit/test_logging_middleware.py#L51 https://github.com/StackStorm/st2/blob/007beed8325b397d540d97905af8f2edb14b925f/st2common/tests/unit/test_logging_middleware.py#L60-L70

the api key is expected to be hidden, at least in the logs.

Yes, that sounds like a bug if the st2-api-key is visible to you.

We'd welcome PRs to fix this issue.

[fdrab]

This is semi-correctly (I think) masked in the logs: 2022-11-16 08:11:20,487 139745041997888 INFO base [-] Dispatching Action to a runner (liveaction_db={'action': 'core.http', 'action_is_workflow': False, 'callback': {}, 'context': {'pack': 'core', 'user': 'fdrab', 'parent': {'execution_id': '63748d17adef072e5e7dac26', 'user': 'fdrab', 'pack': 'default'}, 'orquesta': {'workflow_execution_id': '63748d183955820df1d12eb1', 'task_execution_id': '63748d18837eb7ca8787d46b', 'task_name': 'task1', 'task_id': 'task1', 'task_route': 0}}, 'delay': None, 'end_timestamp': None, 'id': '63748d18837eb7ca8787d46d', 'notify': None, 'parameters': {'headers': {'st2-api-key': '********'}, 'url'

I say semi-correctly, because if (taken from your post above) st2_auth_token as well as x-auth-token should be masked in the logs, it works at 50% (perhaps there's a provision that only first value is masked, or I can't use both st2_auth_token and x-auth-token?): 2022-11-16 08:40:14,604 139991129925056 INFO base [-] Dispatching Action to a runner (liveaction_db={'action': 'core.http', 'action_is_workflow': False, 'callback': {}, 'context': {'trace_context': {}, 'user': 'fdrab', 'pack': 'core'}, 'delay': None, 'end_timestamp': None, 'id': '637493deadef072e5e7dac28', 'notify': None, 'parameters': {'headers': {'x-auth-token': 'sometoken', 'st2_auth_token': '********'}, 'url'

in the UI post-execution I can see both values in cleartext as {"x-auth-token":"sometoken","st2_auth_token":"sometoken"}

[arm4b]

https://docs.stackstorm.com/reference/secrets_masking.html Based on that, sounds like the secrets masking for that specific st2_auth_token works semi-correctly in the logs, but fails in the API responses.