awslabs / aws-sdk-swift

Apache License 2.0

S3Client : [Logging] exposes partial credentials data & no way to hide it completely (request / response) #1556

Open harshadmehmood opened 3 weeks ago

harshadmehmood commented 3 weeks ago

Describe the bug

When trying to log in using the provided method and download a file using 'getObject', S3Client logging shows logs which include Authorization with Credential

Expected Behavior

No Authorization related data should be visible in logs

Current Behavior

Partial Authorization data visible in logs and no way to hide

Reproduction Steps

1- init

```swift
do {
    let credentials = AWSClientRuntime.AWSCredentialIdentity(accessKey: "myAccessKey", secret: "mySecret")
    let cResolver = try AWSClientRuntime.StaticAWSCredentialIdentityResolver(credentials)
    let config = try await S3Client.S3ClientConfiguration(awsCredentialIdentityResolver: cResolver, region: "myregion")

    client = S3Client(config: config)
} catch {
    print("ERROR: ", dump(error, name: "Initializing S3 client"))
    exit(1)
}
```

2- download data

```swift
let input = GetObjectInput(
    bucket: bucket,
    key: key
)
do {
    let output = try await client.getObject(input: input)
    print("output.contentLength - \(output.contentLength)")
    print("output.contentRange - \(output.contentRange)")
    if let body = output.body, let data = try await body.readData() {
        try data.write(to: fileUrl)
        return "success writing data at path"
    }
} catch {
    print("aws error :\(error)")
}
```

3- Logs which includes auth data

```
2024-06-10T11:24:22+0500 info S3Client : [Logging] Request: GET https:443 Path: /myDir/myfile.xyz User-Agent: aws-sdk-swift/1.0 ua/2.0 api/s3#1.0 os/macos#14.4.1 lang/swift#5.10 cfg/retry-mode#legacy, x-amz-content-sha256: sha, Authorization: ...SHA... Credential=ACTUALACCESSKEY/......./ACTUALREGION/../...., SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=...signature..., X-Amz-Date: 20240610T062422Z, Host: hostinfo Optional([ClientRuntime.SDKURLQueryItem(name: "x-id", value: Optional("GetObject"))])
2024-06-10T11:24:22+0500 info URLSessionHTTPClient : [Logging] start URLRequest(https://path for file) called
2024-06-10T11:24:23+0500 info S3Client : [Logging] Request: GET https:443 Path: somefile User-Agent: aws-sdk-swift/1.0 ua/2.0 api/s3#1.0 os/macos#14.4.1 lang/swift#5.10 cfg/retry-mode#legacy, x-amz-content-sha256: sha, Authorization: sha Credential=ACTUALACCESSKEY/......./ACTUALREGION/../...., SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=...signature..., X-Amz-Date: 20240610T062423Z, Host: bgforzoomnskype.s3.us-east-2.amazonaws.com Optional([ClientRuntime.SDKURLQueryItem(name: "x-id", value: Optional("GetObject"))])
2024-06-10T11:24:23+0500 info URLSessionHTTPClient : [Logging] start URLRequest(https://path for file) called
2024-06-10T11:24:23+0500 info URLSessionHTTPClient : [Logging] Either TLSOptions not set or missing values! Using default trust store.
2024-06-10T11:24:24+0500 info URLSessionHTTPClient : [Logging] urlSession(:dataTask:didReceive response:) called
2024-06-10T11:24:24+0500 info S3Client : [Logging] User requested checksum validation, but the response headers did not contain any valid checksums
2024-06-10T11:24:24+0500 info URLSessionHTTPClient : [Logging] urlSession(:dataTask:didReceive data:) called (7516 bytes)
2024-06-10T11:24:24+0500 info URLSessionHTTPClient : [Logging] urlSession(:task:didCompleteWithError:) called. Success
output.contentLength - Optional(7516)
output.contentRange - nil
Decryption error: authenticationFailure
2024-06-10T11:24:24+0500 info URLSessionHTTPClient : [Logging] Either TLSOptions not set or missing values! Using default trust store.
2024-06-10T11:24:24+0500 info URLSessionHTTPClient : [Logging] urlSession(:dataTask:didReceive response:) called
2024-06-10T11:24:24+0500 info S3Client : [Logging] User requested checksum validation, but the response headers did not contain any valid checksums
2024-06-10T11:24:24+0500 info URLSessionHTTPClient : [Logging] urlSession(:dataTask:didReceive data:) called (7516 bytes)
2024-06-10T11:24:24+0500 info URLSessionHTTPClient : [Logging] urlSession(:task:didCompleteWithError:) called. Success
output.contentLength - Optional(7516)
output.contentRange - nil
Decryption error: authenticationFailure
```

Possible Solution

In 'S3Client.S3ClientConfiguration' there is a param named 'clientLogMode'; it could be used to handle this

Additional Information/Context

No response

AWS SWIFT SDK version used

0.44.0

Compiler and Version used

xcode :Version 15.4 (15F31d), swift: version 5

Operating System and version

MacOS Sonoma 14.4.1 (23E224)

dayaffe commented 3 weeks ago

Hello! Thank you for creating this issue! We are looking into this and will get back to you once we have more information.

dayaffe commented 3 weeks ago

@harshadmehmood You should currently be able to change the log mode where you pass in your own config. Please try passing in a clientLogMode to your S3Client.Config using the following code and see if that works for you:

```swift
import ClientRuntime
...
let clientConfig = try await S3Client.Config(clientLogMode: ClientRuntime.ClientLogMode.response)
let client = S3Client(config: clientConfig)
```

The default log mode is .request which contains Authorization information but .response does not

harshadmehmood commented 3 weeks ago

@dayaffe thanks for the reply. I already tested it on my client side, but again there is some info that should not be rendered in the logs. Please have a look:

```
2024-06-11T09:38:07+0500 info URLSessionHTTPClient : [Logging] start URLRequest(https://FULL_PATH_TO_MY_FILE?x-id=GetObject) called
2024-06-11T09:38:08+0500 info URLSessionHTTPClient : [Logging] Either TLSOptions not set or missing values! Using default trust store.
2024-06-11T09:38:08+0500 info URLSessionHTTPClient : [Logging] urlSession(_:dataTask:didReceive response:) called
2024-06-11T09:38:08+0500 info S3Client : [Logging] Response: Status Code: http_status_200 Date: Tue, 11 Jun 2024 04:38:09 GMT, x-amz-server-side-encryption: AES256, Accept-Ranges: bytes, Etag: "some 32 bit data", Content-Length: 7516, Content-Type: application/json, Server: AmazonS3, Last-Modified: Fri, 07 Jun 2024 09:52:44 GMT, x-amz-id-2: ANOTHER_ONE, x-amz-request-id: REQ_ID
2024-06-11T09:38:08+0500 info S3Client : [Logging] User requested checksum validation, but the response headers did not contain any valid checksums
output.contentLength - Optional(7516)
output.contentRange - nil
2024-06-11T09:38:08+0500 info URLSessionHTTPClient : [Logging] urlSession(_:dataTask:didReceive data:) called (7516 bytes)
2024-06-11T09:38:08+0500 info URLSessionHTTPClient : [Logging] urlSession(_:task:didCompleteWithError:) called. Success
Decryption error: authenticationFailure
```
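Added example, not part of the thread and not code from the SDK: a log scrubber that can run over captured SDK output before it is stored or shared, flagging and redacting the two leak shapes shown in the logs above (the SigV4 `Credential=` / `Signature=` fields and the full object URL in the `start URLRequest(...)` line). The function names and the sample lines are constructed for illustration; the `Path:` field and response headers are left untouched.

```python
import re

# Patterns for the two leak shapes shown in the logs above.
# 1) SigV4 Authorization header: "Credential=<key id>/<scope>, ..., Signature=<hex>"
# 2) URLSessionHTTPClient line: "start URLRequest(<full object URL>) called"
RULES = [
    ("sigv4-credential", re.compile(r"(Credential=)[^,\s]+"), r"\1REDACTED"),
    ("sigv4-signature", re.compile(r"(Signature=)[^,\s]+"), r"\1REDACTED"),
    ("object-url",  # keeps scheme and host, drops path and query string
     re.compile(r"(start URLRequest\(https?://[^/?#)\s]+)[^)]*(\) called)"),
     r"\1/REDACTED\2"),
]


def scrub_line(line):
    """Return (scrubbed_line, [names of the rules that fired])."""
    fired = []
    for name, pattern, replacement in RULES:
        line, count = pattern.subn(replacement, line)
        if count:
            fired.append(name)
    return line, fired


def scrub_log(text):
    """Scrub a whole log; return (scrubbed_text, {line_number: [rule names]})."""
    out, report = [], {}
    for number, line in enumerate(text.splitlines(), start=1):
        clean, fired = scrub_line(line)
        out.append(clean)
        if fired:
            report[number] = fired
    return "\n".join(out), report


# Constructed sample in the log format shown above; the key id, scope,
# signature, bucket host and object path are placeholders, not real values.
SAMPLE = """\
2024-06-10T11:24:22+0500 info S3Client : [Logging] Request: GET https:443 Path: /dir/file.bin Authorization: AWS4-HMAC-SHA256 Credential=EXAMPLEACCESSKEYID/20240610/us-east-2/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=0123abcd, X-Amz-Date: 20240610T062422Z, Host: example-bucket.s3.us-east-2.amazonaws.com
2024-06-10T11:24:22+0500 info URLSessionHTTPClient : [Logging] start URLRequest(https://example-bucket.s3.us-east-2.amazonaws.com/dir/file.bin?x-id=GetObject) called
2024-06-10T11:24:23+0500 info URLSessionHTTPClient : [Logging] Either TLSOptions not set or missing values! Using default trust store.
"""

if __name__ == "__main__":
    scrubbed, report = scrub_log(SAMPLE)
    print(scrubbed)
    print(report)
```

The report maps each flagged line number to the rules that fired, so the same pass can serve as a check that fails a build or a log-shipping step when credentials show up. With virtual-hosted-style S3 URLs the retained host still contains the bucket name.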

sichanyoo commented 2 weeks ago

Work is being tracked in https://github.com/awslabs/aws-sdk-swift/issues/1557.

harshadmehmood commented 1 day ago

Hello @sichanyoo, just wanna know if that issue is resolved in the updated build, thanks