Open fdrab opened 1 year ago
Looking at some logging tests here: https://github.com/StackStorm/st2/blob/007beed8325b397d540d97905af8f2edb14b925f/st2common/tests/unit/test_logging_middleware.py#L51 https://github.com/StackStorm/st2/blob/007beed8325b397d540d97905af8f2edb14b925f/st2common/tests/unit/test_logging_middleware.py#L60-L70
the api key is expected to be hidden, at least in the logs.
Yes, that sounds like a bug if the st2-api-key is visible to you.
We'd welcome PRs to fix this issue.
This is semi-correctly (I think) masked in the logs:
2022-11-16 08:11:20,487 139745041997888 INFO base [-] Dispatching Action to a runner (liveaction_db={'action': 'core.http', 'action_is_workflow': False, 'callback': {}, 'context': {'pack': 'core', 'user': 'fdrab', 'parent': {'execution_id': '63748d17adef072e5e7dac26', 'user': 'fdrab', 'pack': 'default'}, 'orquesta': {'workflow_execution_id': '63748d183955820df1d12eb1', 'task_execution_id': '63748d18837eb7ca8787d46b', 'task_name': 'task1', 'task_id': 'task1', 'task_route': 0}}, 'delay': None, 'end_timestamp': None, 'id': '63748d18837eb7ca8787d46d', 'notify': None, 'parameters': {'headers': {'st2-api-key': '********'}, 'url'
I say semi-correctly, because if (taken from your post above) st2_auth_token as well as x-auth-token should be masked in the logs, it works at 50% (perhaps there's a provision that only first value is masked, or I can't use both st2_auth_token and x-auth-token?):
2022-11-16 08:40:14,604 139991129925056 INFO base [-] Dispatching Action to a runner (liveaction_db={'action': 'core.http', 'action_is_workflow': False, 'callback': {}, 'context': {'trace_context': {}, 'user': 'fdrab', 'pack': 'core'}, 'delay': None, 'end_timestamp': None, 'id': '637493deadef072e5e7dac28', 'notify': None, 'parameters': {'headers': {'x-auth-token': 'sometoken', 'st2_auth_token': '********'}, 'url'
in the UI post-execution I can see both values in cleartext as {"x-auth-token":"sometoken","st2_auth_token":"sometoken"}
https://docs.stackstorm.com/reference/secrets_masking.html
Based on that, sounds like the secrets masking for that specific st2_auth_token
works semi-correctly in the logs, but fails in the API responses.
SUMMARY
I have 2 ST2 instances (independent of each other and in different networks) and want them to communicate with each other via API using API keys. However, when providing st2-api-key to headers of action core.http, the API key is visible in plain-text in both st2web and in CLI. This is not desirable, as I want the users to be able to use the keys, but not unintentionally share them during any screen sharing sessions. Masking is set in the config for both [api] and [log] (and any actions I've created that use the "secret" tag are masked properly) in st2.conf and I've even tried adding st2-api-key into mask_secrets_blacklist. I've tried to clone the runner, but headers are not overridable (can't just create my own http runner with headers marked as "secret"). Before going on and writing my own http as a python action, I wanted to ask whether I'm doing something wrong, as it seems obvious to me that any auth info should be obfuscated by default.
STACKSTORM VERSION
[root@st2 st2]# st2 --version st2 3.7.0, on Python 3.8.12 [root@st2 st2]#
OS, environment, install method
custom install on a RHEL8
Steps to reproduce the problem
Use core.http with st2-api-key: in st2web.
Expected Results
Expected the value of the API key to be obfuscated.
Actual Results
The API key is visible in plaintext.
Making sure to follow these steps will guarantee the quickest resolution possible.
Thanks!