backstage / backstage

Backstage is an open framework for building developer portals
https://backstage.io/
Apache License 2.0
26.9k stars 5.58k forks

backend-*-api: add RedactionsService #24730

Open Rugvip opened 1 month ago

Rugvip commented 1 month ago

Hey, I just made a Pull Request!

I realized that customizing the root logger is kinda tricky right now since it also wires up the secret redactions from config. That and the follow-up for https://github.com/backstage/backstage/pull/24478 made me think that it might be worth introducing a redactions service. It both lets plugins add sensitive data to redactions and also lets them do their own redactions for sensitive content. In particular, I'm thinking that both Scaffolder and TechDocs build logs that we stream to the client could use this.

Kept it very simple for now, but there's one problem that might be worth introducing some extra solution for, which is that an ever-growing redactions filter might have a performance impact. A long-running deployment might simply pile up a lot of secrets over time to the point where the RegExp compilation and execution becomes a problem. There's also the potential issue of ReDoS attacks if user input is ever forwarded to the redactions by a plugin.

One potential solution is to be able to add a redaction with a TTL, although there's a risk that it only solves the long-running service problem and not the malicious user input. Another option could be the creation of some form of redaction context where secrets can be added only for that particular context, the idea being that this is particularly useful to handle scaffolder user input. That might be a bit overkill for a service though, and it's possible that we should instead implement local filtering in the scaffolder in addition to using the service.

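To make the design points in the description concrete (escaping secrets so they are matched literally and never become user-controlled patterns, a TTL so a long-running service does not accumulate secrets forever, and a child context whose secrets stay scoped to one scaffolder run), here is an added illustration in TypeScript. It is not the code from this PR or Backstage's actual `RedactionsService`; the class name `Redactor`, the injected `now` clock, and the `addRedactions`/`createContext`/`redact` methods are assumptions chosen for the example.

```typescript
// Added example, not Backstage code. Names and API shape are assumptions.
type Clock = () => number;

interface RedactionEntry {
  secret: string;
  expiresAt?: number; // epoch ms; undefined means the entry never expires
}

const REPLACEMENT = '***';
// Assumption: tiny values would redact nearly every string, so skip them.
const MIN_SECRET_LENGTH = 2;

// Escape RegExp metacharacters so each secret is matched literally.
// This is the ReDoS guard: plugin or user supplied values can never
// be compiled as a pattern, only as a fixed string in an alternation.
export function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

export class Redactor {
  private entries: RedactionEntry[] = [];
  private compiled: RegExp | undefined;

  constructor(
    private readonly now: Clock = () => Date.now(),
    private readonly parent?: Redactor,
  ) {}

  // Register secrets, optionally with a TTL after which they are dropped
  // so the compiled pattern does not grow without bound.
  addRedactions(secrets: Iterable<string>, options: { ttlMs?: number } = {}): void {
    for (const secret of secrets) {
      if (secret.length < MIN_SECRET_LENGTH) continue;
      const expiresAt = options.ttlMs === undefined ? undefined : this.now() + options.ttlMs;
      this.entries.push({ secret, expiresAt });
    }
    this.compiled = undefined; // force recompilation on next redact()
  }

  // A child scope sees the parent's secrets; the parent never sees the child's.
  // Intended for per-task data such as scaffolder user input.
  createContext(): Redactor {
    return new Redactor(this.now, this);
  }

  redact(text: string): string {
    const inherited = this.parent ? this.parent.redact(text) : text;
    const re = this.getRegExp();
    return re ? inherited.replace(re, REPLACEMENT) : inherited;
  }

  // Number of non-expired secrets registered on this scope (parents excluded).
  activeSecretCount(): number {
    this.pruneExpired();
    return this.entries.length;
  }

  private pruneExpired(): void {
    const t = this.now();
    const before = this.entries.length;
    this.entries = this.entries.filter(e => e.expiresAt === undefined || e.expiresAt > t);
    if (this.entries.length !== before) this.compiled = undefined;
  }

  private getRegExp(): RegExp | undefined {
    this.pruneExpired();
    if (this.entries.length === 0) return undefined;
    if (!this.compiled) {
      // Longest secret first so a value that is a prefix of another
      // does not leave the tail of the longer one unredacted.
      const parts = [...new Set(this.entries.map(e => e.secret))]
        .sort((a, b) => b.length - a.length)
        .map(escapeRegExp);
      this.compiled = new RegExp(parts.join('|'), 'g');
    }
    return this.compiled;
  }
}
```

With a fake clock the TTL and scoping behaviour can be checked deterministically: a secret added with `ttlMs: 1000` stops being redacted once the clock passes that point, and a value registered on a `createContext()` child is never applied by the root.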

backstage-goalie[bot] commented 1 month ago

Changed Packages

| Package Name | Package Path | Changeset Bump | Current Version |
| --- | --- | --- | --- |
| @backstage/backend-app-api | packages/backend-app-api | patch | v0.7.6-next.3 |
| @backstage/backend-defaults | packages/backend-defaults | patch | v0.3.0-next.3 |
| @backstage/backend-plugin-api | packages/backend-plugin-api | patch | v0.6.19-next.3 |
| @backstage/backend-test-utils | packages/backend-test-utils | patch | v0.4.0-next.3 |

github-actions[bot] commented 2 weeks ago

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!